Does Google Gears expose your data to desktop security problems?

Google just kicked off another new product to offer offline web applications. There’s a simple plugin that’s available as a free download under a BSD license. It works for:

• Firefox
• IE
• Safari (almost!)

(With Safari it works if you build Safari’s webkit from source.)

As for operating systems it supports the big three:

• Mac
• Windows
• Linux

The first example showed Google Reader being used offline. It grabs the last 2000 feeds. The pain point is you have to tell it you’re going offline, so the syncing is a bit manual. There’s actually a tiny button to toggle. They seem to understand it just needs to know when you are offline or online and handle the syncing automatically.

SQLite is the offline database engine and it can handle full text searches of millions of documents.

Finally, the security bullet showed up. It has the same strict-origin security model.

• A web page with a particular scheme, host, and port can only access resources with the same scheme, host, and port.
• Using the Google Gears plugin is explicit and the user has to opt-in.

They didn’t address the main issue that will concern corporate IT security folks, but it is discussed on their security page:

On the other hand, two people using the same OS login could theoretically access each other’s Gears data files, just as they could access any other file on the machine.

– Google’s Security Documentation for Google Gears

The nasty scenario is one of your salespeople downloads a few hundred thousand customer records to their own machine. With traditional web applications the data never leaves the server other than to display small sections say in a search results page. With a local database cache you’re carrying around a copy of all of that information.

Looks like we’re going to see a big push for offline web applications.

Update

Turns out at least some developers have already thought about the stolen laptop use case with offline web apps. A developer of Dojo Offline talked about what to do about a stolen laptop. Dojo Offline is a new javascript library for offline use of web applications. It uses Google Gears for offline.

Without a good answer an entire swath of industries won’t dare touch offline mode. Right now Dojo offline adds a DES encryption library with functions to encrypt and decrypt. The example used encrypting/decrypting SSNs. He also pointed out that doing this in javascript can be computationally intensive and hasn’t been that feasible before. Right now though using Google Gears worker threads they can encrypt/decrypt in javascript at about 80k/second.

Good to see developers are already realizing this issue needs to be figured out.

Technorati Tags:

GDD07

May 23rd from 6:30-9:00pm the first Sacramento Ruby User Group Meeting was held at the Invision Design and Development offices in Old Sacramento. In attendance:

• Ryan – a full time Rails developer with Invision.
• Layton – a Rails developer.
• Tom Mornini – CTO of EngineYard.
• Ed Gibbs – author of this blog.

No planned agenda. No sponsored pizza and snacks. No presentations. Plenty of good conversation. I got in a little late, but the group had been discussing Rails Conf 2007. All of them were able to attend, though Tom went as a vendor so he didn’t really get to attend sessions.

The topics ranged from Django versus Rails to virtual hosting. Tom shared a few items about EngineYard, our local successful Rails startup:

• He recently hired Evan Phoenix of the Rubinius project to create a pure Ruby interpreter for Ruby.
• Ezra Zygmuntowic is moving down to the Sacramento area in the next month or so, which will help build up the local community.
• Using Xen virtualization has worked really well for them.

I’m looking forward to the next meeting.

Assumptions

• You are experienced with Java and have at least dabbled around with Ruby on Rails.
• These steps worked for me on a Mac OS X 1.0.4.9 system
• I’ve walked through the steps 3 times from scratch, but your mileage may still vary.

Install and Configure JRuby

First step download install JRuby. You can get it at:

• http://dist.codehaus.org/jruby/

After pulling down the tarball,

, I unpacked it and installed at:

• 1	/Applications/jruby1.0.2RC

Next, add the environment variable

to point to

. I added it to my

since I’m running the bash shell by default on Mac OS X:

Since I don’t want to take out my normal Ruby C install I just export it in front of the path just for this terminal session:

Double check that JRuby is setup:

This should return something like:

Test With A Simple JRuby App

Go ahead and setup a directory for your JRuby apps:

The last step assumes your using textmate. You can replace it with any

or any other editor you want.

Write a small JRuby app and save it:

[ruby]

require ‘java’

include_class ‘java.util.ArrayList’

list = ArrayList.new

list.add “Ruby”

list.add “+”

list.add “Java”

list.add “=”

list.add “JRuby”

puts “#{word}”

end

[/ruby]

Go ahead and run the simple ruby script and test the java integration of JRuby:

Should see:

Rails Setup

Run:

This should take about a minute. There are lots of notes on how ri and Rdoc take a long time to run right now, but it wasn’t too bad, about 5 minutes on a duo core Macbook Pro, but you can keep the two switches and save a little time.

The next step is a bit odd. For some reason the rails and rake files don’t get installed as executable. You have to make them executable and then pick up the changes using the bash

command.

Sample Rails App Running in JRuby

Then create your test rails app in JRuby. I used that idea of a book store application:

Go ahead and do a smoke test by booking up the server.

Should see a default rails page at

• http://localhost:3000

ActiveRecord JDBC Setup

Kill WEBrick and install the ActiveRecord JDBC gem:

Modify the

:

Modify

to add jdbc as an adapter type. The code goes just above

[ruby]

if RUBY_PLATFORM =~ /java/

require ‘rubygems’

RAILS_CONNECTION_ADAPTERS = %w(jdbc)

end

[/ruby]

Get the MYSQL JDBC driver at:

• http://www.mysql.com/products/connector/j/

I grabbed the file

and added it to my

. You can also add it to your

instead.

Start your MySQL server if it isn’t running. I just do this from the MySQL Preferences pane.

Time to setup the databases:

Go back to the rails app and create a model for Books.

Create a simplistic migration script in the file

:

[ruby]

def self.up

table.column :title, :string

table.column :author, :string

end

end

[/ruby]

Run the migration:

Then create the scaffolding for Book:

Startup the server:

Go to the URL and see the scaffolding using JDBC:

• http://localhost/books/

Running the Tests

You should be able to run the rake command and run all the tests now. Instead you get an error about like this:

Turns out this is due to some hard coded values in the rails rake tasks. It has an easy fix by way of Ola Bini:

This pulls down a file

that I could only find in the subversion repository for now. Copy that file to the bookstore lib/tasks directory:

Time to run all the default tests with rake:

All the tests pass!

Create the WAR

Kill WEBrick again and install the rails-integration plugin to deploy setup rake tasks to create wars:

It appears the war created uses the production settings so you’ll need to create the production database:

Then fix the

to include jdbc adapters for test and production:

Go ahead and run the migration for production as well:

Then you run:

This may take a few minutes the first time, but it appears to be much faster in subsequent builds.

Deploy to Tomcat

At this point you just need to drop the mysql JDBC driver in TOMCAT’s lib directory at:

Copy the bookstore.war file to

Then startup Tomcat:

Goto the app at:

• http://localhost:8080/bookstore/books/

Now do your happy dance! Or maybe just take a break and grab a soda.

Sources

I got this recipe for deployment together from several sources:

• The general recipe was cobbled together from Buggy Velarde.
• Ola Bini for the getting started tutorials with JRuby.
• Nick Sieger for his post on ActiveRecord JDBC.
• And the Rails Integration article on the JRuby wiki.

Things To Come

• Deploy a big rails app.
• Deploy to a commercial container like Websphere Appliation Server.

When we started Faces 1.0 it was very important for us to work with tools, that’s where a lot of our focus was. But now, we really want to focus on ease of development without tools.

– Roger Kitain

– Staff Engineer, Sun Microsystems

– Talk at Javapolis on Dynamic Applications With Faces and AJAX

A more enlightened approach focuses on ease of development. Our developers spend next to no time in the drag and drop tooling of JSF plugins, but various JSF pains like dealing with spotty error reporting from the 6 phase life cycle have consumed hundreds of hours of valuable time.

Apparently they’re going to focus on AJAX in the 2.0 spec as well. We’ve gone ahead and used AJAX Anywhere over the past year.

The really unfortunate part is JSF 2.0 is still in just getting started and since Websphere doesn’t have J2EE 1.5 support yet we can’t move up to even JSF 1.2.