puts Blog.new(”nonsense”)

Rails Security Audit is an straight-talking introduction to the techniques for keeping your Rails app secure. Over the course of 47 pages, Aaron Bedra tackles the security audit process, common security-related bugs, essential server lockdown tactics, and an approach for assessing the severity of the issues you find.

Rails offers sound solutions for keeping your application safe from the likes of SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and the perils of mass assignment, but are you sure you’re using those solutions? Without a proper understanding of these exploits, it’s unlikely that a developer would safely navigate past those issues entirely. Aaron provides easy-to-follow examples of each exploit, shows the consequences of ignoring them, and introduces the tools and techniques for identifying and avoiding those problems.

Going beyond Rails-specific security, Aaron covers a handful of guidelines for ensuring good server hygiene. As a developer (read: not a system administrator), I personally couldn’t tell you which ports should be open on a server and which ones are an invitation for trouble. Aaron remedies that situation by demonstrating the tools for determining how well your server is currently secured and providing scripts and instructions for getting you to where you need to be.

The book closes out the discussion on server security with additional recommendations for restricting access to your servers, but it stops short of providing any direction for doing so. While a quick round of Googling would likely locate a decent tutorial, I’d rather have seen the information included in the book (even if it just took the form of pointers to recommended tutorials).

Once you’ve identified the security issues in your app, Aaron offers honest, no-nonsense advice regarding the next step: “I guarantee at some point you will audit an application and find something in the form of a security hole. Your job as an auditor is to present the vulnerability, period.” Translation: security audits aren’t about sugar-coating your findings or pulling punches. He then pragmatically explains that anything other than the quick fixes will likely warrant further exploration of the actual risk posed by the issue, and provides a step-by-step walkthrough of a sample risk analysis effort.

If you’re even the least bit uncertain about any of the topics discussed above, you owe it to yourself to check out Aaron’s highly-approachable guide to assessing the state of security in your Rails app.

Full disclosure: Aaron and I work together at Relevance, and his potential for hacking into my laptop inspires great fear in me. Nevertheless, I stand by the comments above even in the face of that adversity.

Rob dared me to fire up my favorite shell and jump into the game. Imagine my disappointment when I was greeted with this bummer of an error message.

Hmm. No dice. OK, on to my second choice.

The result? A few well-known friends and some that likely deserve a bit of elaboration.

• m is an alias for the mate shell command for TextMate
• mman is that handy TextMate man page viewer we talked about recently
• The one that’s bleeped out (i.e., **) is an alias that takes me straight to the source dir for my current client project
• cap1 is, um, a reminder that deprec2 is gonna be a nice upgrade

• Geertjan Wielenga suggests the first (and only) Java closure solution that makes any sense.

• Wait for it. Wait for it. Are you serious?! Damn, that’s cool!

• As always, Alan Hoffler offers some welcome advice “and stuff like that” on using words that add nothing to your message.

• Rails goes Git. Sweet! Who’s next?

• Multi-touch is so 1984.

• “Working for oneself, or at least for a small group, is the natural way for programmers to live.” Well said. And if you disagree with Paul Graham, watch out; you’re being graded.

Andres Almiray interviewed me this week for the Groovy Zone. We cover a breadth of topics, including:

• Just how far Grails has come in the past two years
• Why the GORM DSL likely obviates previous mapping techniques
• Groovy as a gateway drug to more and better developer testing
• Why Grails testing infrastructure improvements deserve top billing in Grails 1.1
• Something called Rails
• New testing-related developments in the Groovy ecosystem

For all that and more, check out the interview at Groovy Zone, a new(ish) and hoppin’ community for Groovy and Grails news.

(Did I mention that we discuss testing?)

Many thanks to Andres and DZone for the interview.

• More evidence that 100% test coverage is just a good place to start.

• And here I thought perhaps it was finally time to drop BASIC from my resume. ^§

• Dave Klein takes on a gnarly Oracle schema using the Grails ORM DSL. If you’re dying to see some XML or annotations in use, then well, you need help, and this tutorial simply ain’t for you.

• Git repo containing the complete Rails source code and it’s entire revision history: 21.9 MB. SVN checkout of the current Rails source code with no history: 23.8 MB. Convinced yet? ^‡

• Safari 3.1 hits the street, now with more cowbell marginally better dev tools. Oh well, it’s still feels like the best fit for day-to-day browsing, but it’s got a long way to go if it’s ever gonna compete with Firebug for some real web developer love.

–

^§Link courtesy of Rob Sanheim.

^‡Link courtesy of Stu Halloway.

Want to know more about just how easy it is to contribute to the many open source projects that you use day in and day out? The Refactotum series is dedicated to showing you how. Coming up at RailsConf in May, Stu, Justin, Rob, and I will be offering up another round of Refactotum open sorcery.

What are people saying about Refactotum? The 2GX crowd was pretty psyched…

Showed how you can contribute to open source even if you don’t have a lot of time.

Cool. Time? What’s that?

Very helpful. I’ll definitely follow up by contributing to open source projects.

Right on.

Explaining how to contribute to open source is something that is not usually covered and needs to be taught and evangelized.

And even when the network didn’t cooperate…

It turned out to be a giant “pair” programming exercise instead of individual programming and this turned out to be MUCH better. Some of the ideas discussed were really intriguing.

Grab your seat now before they’re all gone. Hope to see you there!

In the spirit of Andy Glover’s Weekly Bag and Bill Dupre’s frequent batches of Whatever, herein lies the first installment in a (sure-to-be-sporadic) series of Noteworthy Nonsense.

• iPhone web app authors rejoice! (Yes. You read that right. Web-app authors.) Test your web apps using the official iPhone simulator. (And, oh yeah, you can go native now too…but the lack of RubyCocoa support is a bit of a downer.)

• A plugin that lets you run Struts 1.x code inside a Grails app? Yeah, I cringed too, but this will surely be a welcome migration path for those folks trapped in the land of *.do.

• Are SVN users suffering from the Blub paradox? Linus pulls no punches in offering up his take on this matter.

• Dan Benjamin’s back with the Leopard edition of his definitive “how-to” guide for rolling your own installation of Ruby, Rails, and friends.

• The last time Glen Smith declared a month o’ Grails, he showed the community just how very much is possible with merely an hour a day. Now Glen’s at it again, but this time it’s MockFor(March). If history is any indicator, expect Glen to blaze new trails in the land of Grails unit testing. Glen: It takes GUTs, but I’m rootin’ for you!

• Speaking of good unit tests, Jay Fields announced a new version of the expectations gem, complete with a healthy dose of example code. One expectation per test? Saying “goodbye” to cumbersome test names? Jay’s onto something here.

Believe it or not, there are still at least a few of us crazy hold-outs that still haven’t imbibed the increasingly ubiquitous RSpec Kool-Aid. And for the folks in this crowd that still want BDD-style testing, it’s test-spec and test/spec/rails all the way. So when I recently needed a means for validating that a nontrivial route landed in the right controller/action, I naturally went looking for the test/spec/rails equivalent of #assert_recognizes. When I saw that it was nowhere to be found, I knew I’d found another task for Open Source Fridays (er, the first half hour of an Open Source Friday). And thanks to Matthew Bass’s uncanny responsiveness in applying the patch that Rob Sanheim and I submitted, test/spec/rails now offers some handy new specs for testing your routes.

assert_generates => should.route_to

Where you’d use #assert_generates in traditional Rails + test/unit, test/spec/rails now supports #route_to as a more spec-flavored alternative. For example, to verify that a given set of URL options routes to the expected path…

becomes

assert_recognizes => should.route_from

And where our ancestors once used #assert_recognizes, test/spec/rails now offers #you_bettuh_recognize #route_from. “An example would be nice”, you say? Well, to perform essentially the inverse of the above test…

- - -

The rdoc offers additional examples, and check out the test/spec/rails README for more mappings from old-school test/unit assertions to test/spec/rails equivalents.

It’s been almost a year since I first sat down with Scott Davis for an aboutGroovy.com interview, and the upcoming Groovy/Grails Experience seemed as good a reason as any for us to catch up.

In addition to discussing the various conference sessions in the works, we also spend a few moments exploring some relative merits of Rails and Grails. While we won’t tell you which framework is right for you, I do suggest some key features that each framework could stand to adopt from the other, and we even discuss how some of that cross-pollination is already coming to fruition.

Many thanks to Scott for having me on the podcast.

–

Download the MP3 directly

or

Subscribe to aboutGroovy.com podcasts via RSS

We recently deployed two new Solr-powered apps, and thanks to acts_as_solr, most of the task of integrating Solr with Rails was downright trivial. Deployment, however, came with a few small roadbumps.

Know when to nohup

When using acts_as_solr locally, you start and stop Solr via the provided rake tasks (i.e., rake solr:start and rake solr:stop). However, when you run the solr:start task, you’ll quickly notice that all of the would-be log output is right there in your face, and definitely not in some well-tucked-away log file. During development, we didn’t think too much of it. Just open a new terminal tab, start Solr, and get back to devving.

But then came time for deployment. Try to run the vanilla solr:start task as part of a Capistrano deployment, and you’ll quickly be looking for another option. As you watch your deploy script run, here comes all that same output you’ve been seeing locally … but when Cap completes, Solr calls it quits. We need a way to tell Solr to keep running in the background, even after Cap finishes doing its thing.

 
(Incidentally, you may want to employ this solution for your local Solr instance as well. After all, that’ll be one fewer terminal window cluttering your workspace.)

Dude, where’s my index?

Now that you have a reliable means for starting and stopping Solr, it’s time to decide where you want to store your index files. By default, acts_as_solr defines SOLR_PATH as #{RAILS_ROOT}/vendor/plugins/acts_as_solr/solr, which means that Solr will store your index files in #{RAILS_ROOT}/vendor/plugins/acts_as_solr/solr/#{RAILS_ENV}/solr/data/#{RAILS_ENV}/index. If you keep that setup, what happens when you deploy a new release of your app? You guessed it: your index files get left behind with the old release.

But that’s almost certainly not the behavior you want. The index files represent data, not application code. You don’t move your database every time you deploy a new release, and you shouldn’t move - or even worse, recreate - your Solr indexes with every release either. (Yes. Just as some releases require database changes, so will some releases require reindexing. But, it’s definitely not a need for every release, and it therefore shouldn’t be your normal practice.)

At this point, you have a few choices, but the goal with each choice remains the same: find a home for the Solr indexes to allow them to survive across multiple deployments. First, copy #{RAILS_ROOT}/vendor/plugins/acts_as_solr/solr to a release-independent location in your deployment environment. Then, you just need to tell your application where to find that directory. Ultimately, SOLR_PATH needs to point to that location. If you don’t want to change the default acts_as_solr settings, then you can configure your deployment script to symlink the copied directory into the location where acts_as_solr expects to find it (i.e., #{RAILS_ROOT}/vendor/plugins/acts_as_solr/solr). Otherwise, you can simply change the definition of SOLR_PATH (defined in #{RAILS_ROOT}/vendor/plugins/acts_as_solr/config/environment.rb) to point to your release-independent directory.

Know your role

Now you have a home for our Solr indexes and you have an easy way to start and stop Solr via Capistrano, but where exactly should Solr itself run? We all want highly performant apps, so you may be tempted to consider running Solr on multiple servers. More is always better. Right?

STOP!

Your app communicates with Solr via HTTP, so Solr can live anywhere on your network. It doesn’t need to live on the same box as your app, as your database, etc. And while you technically could run Solr on all your app servers, it’s highly unlikely that you’ll want to do so. Think about the problems associated with managing redundant databases. Do you really want to manage multiple sets of Solr indexes and try to make sure they all have the same data? Unless you’re Google - in which case, this stuff is your bread and butter - of course not.

If you store the indexes in a shared location and have all the Solr servers use the same indexes, does that make things any easier? Well, you no longer have to keep multiple indexes in sync, but you now have a different problem: data corruption. Solr isn’t designed to share indexes among multiple Solr processes, and when two processes try to update the same indexes, you’re in for all kinds of trouble. UPDATE: Solr isn’t designed to have multiple Solr processes updating a shared set of indexes. (As Hoss points out in the comments, Solr is capable of supporting a distributed installation, but all changes are routed to a single master Solr instance, and multiple query slaves receive the updates from the master.)

So let’s steer clear of all that trouble and find an easy way to run Solr on a single server, while having all your app servers talk to that Solr instance. First up, define a distinct role for the server where you want Solr to run.

Next, simply define the tasks needed to start and stop Solr on that server, and you’re good to go. (Also notice that we include a task to symlink in the Solr indexes from the release-independent directory discussed above.)

And with that little bit of setup, you’re ready to rock! (Well, er, as much as one can rock to full-text search.)

–

If you want full-text search in your Rails app, definitely take acts_as_solr for a spin. You’ll be up and running in no time, and chances are your users will love the new dimension that full-text search brings to your application.

Looking ahead

As for us, now that these apps are live and flexing all their Solr might, we’re on to looking for ways to make them better, faster, stronger. Long term, we definitely don’t want to maintain the default behavior of synchronously waiting for acts_as_solr to make the call to Solr (in order to update the indexes) each time we save a Solr-enabled ActiveRecord model object. In our apps, it’s more important that we quickly save the object and provide a prompt response back to the user. If it then takes a few seconds of background processing before that change is reflected in Solr, that’s perfectly acceptable (and much preferred over causing the user to wait for us to update the Solr indexes). At least one open source project is already dedicated to mitigating this issue, and we hope to explore this and various asynchronous solutions in the near future.