
New "ColdFusion 8 developer security guidelines" at Adobe DevCenter

Note: This blog post is from 2007. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I haven't seen much mention of this elsewhere, but I happened upon a new 47-page whitepaper called "ColdFusion 8 developer security guidelines", by Erick Lee, Ian Melven, and Sarge Sargent. It's listed in the Adobe Security DevCenter, which shows it having been posted as of today.

Like other whitepapers that have been put together by Adobe, Macromedia, Allaire, and others, this one offers overviews of key concerns along with proposed best practices.

Is it complete? Does it really need to be?

As with any such document, there will be debate among some readers about whether the practices are always really the "best". It's inevitable. But let's give credit that the authors do try to give a rather brief round up of the features, their options, and the impact of choices.

Just as Ben's famous CF "Certification Study Guide" is a quick summary of key things in CFML (and no substitute for the complete ColdFusion documentation or the WACK books), so too would I argue that this guide is a quick summary of important points to consider. Readers would do well to understand the issues completely, both in terms of the generic concerns they raise and the specifics of CFML features and options. For that, the docs and other books would be great resources.

Still, many readers won't have time for that, so despite the fact that some may pick it apart, it will serve a large percent of the community who might otherwise have no knowledge of the concerns and configuration features. For that, we should thank the authors.

Its sections

The document is divided into the following sections: Authentication, Authorization, CFCs, Session Management, Data validation and interpreter injection, Ajax, PDF integration, .NET integration, HTTP, FTP, Error handling and logging, File System, Cryptography, Configuration, Maintenance, and References.

Earlier editions, and what's updated in the CF8 guide?

While the guide does focus on CF8, there is another version of the document for those running CF7, the "ColdFusion 7 developer security guidelines". It, too, is by 2 of the 3 authors of the other whitepaper, Erick Lee and Sarge Sargent. It's only 33 pages, and it too is listed at the Adobe DevNet Security Developer Center, where it shows it having been updated as of Oct 2007.

You might think that the CF8 guide is updated only to refer to things new in CF8, but in fact I find some things in the CF8 guide that are not in the CF7 guide, but are not new for CF7. Perhaps they decided to expand the CF8 guide in ways that they didn't push back down into the CF7 guide (understandable if time was limited). That means that CF7 developers may want to read the later guide, though they'd have to ignore features that are indeed new to CF8.

For instance, I found a discussion of the trusted cache feature only in the CF8 guide (more on that below). I didn't do a careful comparison of what's different.

BTW, I'll add that I found references in searches both on the Adobe site and Google to a version of the security guidelines at a URL that no longer works. Since I couldn't access it, I was unable to determine how this CF7 version was updated (or if it was simply renamed, to distinguish it from the new CF8 version. Perhaps the authors can comment here if they read this entry.)

Where to offer feedback?

That last comment brings up a concern I have with the whitepapers offered on the Adobe site (and the articles offered on the Developer Center, as well, of which I've been an author recently.) There's no place for folks to leave feedback. It would be nice for there to be a place to have discussions about the things written in such whitepapers or articles. (The Devnet articles do offer a feedback link, but it's one way, not an open discussion.)

I'm sure some will want to comment on or trade best practices regarding the topics in this paper. Also, I'd like to share at least one error I found: in the discussion of the trusted cache feature, it's described as, "Enable Trusted cache in production environments. When enabled, ColdFusion will only server requested templates held in its memory cache. This provides performance gains but also prevents ColdFusion from running hacked or invalid templates."

Yikes. I wonder who wrote that (and who missed it during any review). That's not the purpose of trusted cache at all. It's about whether the server should look to disk to see if a template, once compiled and loaded into memory, has changed on disk. The server always only serves (note the typo, too: "will only server") pages held in its memory cache. Using trusted cache is certainly a performance gain, but I really have no idea what the reference is to "hacked or invalid templates". That makes me think the person writing this has a very wrong idea about the feature. But I'm not meaning to rip the guidelines. As I said earlier, I'm sure that many will find them very useful, and since folks rarely read the docs, it's a nice way to condense into 40+ pages some key points. I'll let others comment here about any other concerns they have. At least it will serve as one place to have such discussion. If there's a better place, I'll welcome people pointing to that.

It's AttributeCollection, not AttributesCollection, ArgumentCollection, nor ArgumentsCollection!

By now I think most have heard of the new AttributeCollection option available for most tags in ColdFusion 8. It's a cool way to dynamically add attributes to a tag.

One problem, though, is that people seem to confuse its name. I've seen it referred to by different names both in current discussions and in older blog entries. Some of the confusion is understandable.

For the record, it's AttributeCollection, not any of the following:

  • ArgumentCollection: this is indeed a legitimate attribute for CFINVOKE, when calling a CFC method or UDF instance, or when used similarly calling an instance created by CFOBJECT or createObject.
  • ArgumentsCollection: well, this actually was the name of the attribute as of the Beta of CF 8. Ben wrote about it back then, so some confusion could stem simply from people seeing such older entries.
  • Arguments: Again, you may well see some blog entry or email list discussion mentioning this, because this is what the attribute was called in the Scorpio Alpha. There was a lot of discussion on blogs pleading that the attribute be named AttributeCollection instead. In fact, Damon Cooper wrote that there were "69 Beta forum message threads about the proper naming of attributeCollection" in his note on Engineering stats for CF8.
  • AttributesCollection: and ultimately, it was named AttributeCollection, but since it was for a while called ArgumentsCollection (with the s) it's understandable that some may have made the final attribute name plural.

In case anyone's wondering, they may recognize AttributeCollection as not being new as of CF8. In fact, it's not. It was used on the CFMODULE tag to pass in attributes to a custom tag (and also when calling a custom tag as CF_tagname).

For more on using the new attribute, as well as examples of its use, see the CF docs or blog entries by Ben Nadel and Brian Rinaldi. Those also explain where the tag cannot be used (just a small fraction of tags where it really wouldn't make sense, like CFIF, CFSET, and some others) and also how when you use it, you can't use any other attributes.

Hope that clarification above helps someone.

CF8 Hidden Gem: New option to save java source for web service proxy--with createobject only

Have you ever wanted to see the Java source code for the proxy/stub that's created when you invoke a web service from Coldfusion? Well, here's a hidden gem in CF8 (one of dozens I discuss in my "hidden gems in cf8" talk) that does just this.

Curiously, it's only available when you invoke a web service using createObject(), not CFOBJECT or CFINVOKE.

It's enabled using the new ArgStruct argument that I discussed last month.

<cfscript>
wsargs = structnew();
wsargs.savejava="yes";

convert=createobject("webservice","http://www.webservicex.net/CurrencyConvertor.asmx?wsdl",wsargs);

writeoutput(convert.ConversionRate(FromCurrency='USD',ToCurrency='EUR'));
</cfscript>

You may wonder why you have to put it in this argStruct when it's the only key being put in the structure. That's just the way it is. Of course, I could have created the structure using the new implicit structure creation syntax, as in:

wsargs = {savejava="yes"};

which replaces 2 lines with 1.

For those who don't care for CFSCRIPT

Of course, you don't need to use CFSCRIPT to use createObject, for those not comfortable with it. I could just as well have done it all in tags, as:

<cfset wsargs = structnew()>
<cfset wsargs.savejava="yes">

<cfset convert=createobject("webservice","http://www.webservicex.net/CurrencyConvertor.asmx?wsdl",wsargs)>

<cfoutput>#convert.ConversionRate(FromCurrency='USD',ToCurrency='EUR')#</cfoutput>

Where the Java source is placed

So where is the Java placed? In the same directory where the java proxy stubs have been placed since CF6: [coldfusion]/stubs/. In the case of the standalone version of CF8, that might be c:\coldfusion8\stubs.

Each invocation of a web service in CF (whether you use the saveJava option or not) will create a directory there, typically in a form like WS729914123 (one for each separate web service invoked by any CFML requests), and within the subdirectories of that directory you'll find class files reflecting the name of the called web service.

If you don't use the saveJava option, you'll see only class files. If you do use it, you'll also see corresponding .java source files for each.

Finally, note that the Java source files will be removed automatically if the web service is refreshed (manually or in the CF Admin) and you call it without the SaveJava option (which also means if you invoke it using CFOBJECT or CFINVOKE).

(*Update*: In the original entry, I said the source would be removed if you called the web service without the SaveJava option, but I should clarify that it's if you do that and you cause the web service to be refreshed, not just any call, since that would use the compiled result of the earlier call unless you told it to do otherwise.)

Still, for those who have long wished to better understand these Java proxy stubs, it's nice that we have the option to see the source if we want to.

Still more to come

There's still more power in CF8 for those that like to tinker with the java proxy/stub generation. More on that in a later entry.

My latest Adobe Devnet article on CF8 monitoring: Part 2, "Using the Server Monitor in production"

Some may be interested to learn that I've had another article published on the Adobe Devnet site yesterday: "ColdFusion 8 server monitoring - part 2: Using the Server Monitor in production".

This follows up the part 1, which focused on uses of the monitor in development. There will be 4 parts ultimately, all listed in the Developer Center, with the 3rd part discussing the alerts and snapshots features, and part 4 discussing the Multiserver Monitor, Admin API monitoring features, and various miscellaneous observations.

The CF8 monitor offers a lot more than many would think, and insight into certain inner workings of CF that we've just never had before. I try to highlight things that you may have missed if you've only glanced at it or attended brief overviews at conferences or user groups. I will likely do my own presentation on it in the future.

No one should read from this that I'm any less supportive of 3rd party tools like FusionReactor and SeeFusion. As I've stated before, there's clearly a place for those tools for shops not yet on CF8, and even once on CF8 I believe there are differences among all the tools that could warrant having more than one at once.

On the cover of the rolling stone...gonna buy 5 copies for my mother

Well, today I got to experience something I hadn't in 5 years: holding in my hands a book with my name on it. I've not talked about it much, but I'm privileged and honored to be one of the contributors to Ben's 3-part CF8 books (contributing to all 3).

Author copies of the first one arrived today, just as Ray announced also.

The first book is formally called, the Adobe ColdFusion 8 Web Application Construction Kit, Volume 1: Getting Started.

Look for the others (Volume 2: Application Development and Volume 3: Advanced Application Development) to come out in the future. Don't ask me when. I really have no idea.

Still other books in my past

What book did I do 5 years ago that I mention above? The ColdFusion MX Bible, which I did with Adam & David Churvis and Hal Helms. It came out in early 2003, just after the launch of CFMX 6. It got a lot of high praise and good ratings, due mostly to the efforts of "the Churvii" (the father and son Churvis team), who did most of the book.

Here's some trivia: in what other CF book was I a co-author? It's tricky, because if you follow the link for my name on the books above, it shows them only. But search for Charles Arehart instead. You'll see that I contributed to the original CF 4 for Dummies, with John Paul Ashenfelter and Alexis Gutzman. I did just one chapter (on CFMAIL), and as John will tell you, we both decried much of its content but the publisher and lead author were hard-pressed to get it out at the time (2000) and it went as is. The reviews suffered accordingly. I've never blogged my association with that book until now. Hopefully time has cast it to an abyss so there's no harm. :-)

That same year, I also contributed to Professional WAP, doing the chapter there on Wireless programming with CF. (With those multi-author Wrox books, I was listed first so many think I was the lead author, which was not the case.)

Like most, these books are a team effort

And so it was these CF8 books: I'm just one of many hands that make up each of the CF8 books.

But I do want to thank Ben for including me in the books this round. It's a great team of folks spread out over all the books, and I really am grateful for the opportunity to contribute.

Speaking at CFUnited Express Chicago, and I'll see you at Max

For those going to Max, or who will be in the Chicago area but not going to Max, note that there's the CFUnited Express event going on also in Chicago the day before Max, Sunday Sept 30th. It's a day-long conference (9-5) with several speakers, including myself, Ray Camden, Shlomy Gantz, and others. These Express events are much more intimate than CFUnited (or certainly Max), so it's a great way to meet other CF developers.

I'll be presenting two talks, both of which I've presented before (so well-practiced):

After that, of course, we'll enjoy the rest of the week at Max, and I'll hope to see you there! :-)

CF8 Hidden Gem: New ArgStruct argument for createObject with web services

Here's another hidden gem in CF8: did you know that there's a new optional "ArgStruct" argument for use with createObject(), when using it to invoke web services?

Following on my previous note about a new RefreshWSDL option in CF8 for CFINVOKE and CFOBJECT, I mentioned there that it was also an option in the createObject() function, but naturally it can't be passed as a tag attribute like with those above.

Instead, it's enabled using this new ArgStruct argument. Technically, it's not "named" ArgStruct but rather it's simply a new optional 3rd argument you can specify when invoking a web service (the term "argStruct" simply comes from the CF docs for the function, where it refers to it by that name). While you may notice that the docs indicate this also allows setting a timeout for the web service invocation, note that that only times out the requesting of the WSDL, not subsequent method calls against the object.

Anyway, in that structure you create, you simply define RefreshWSDL as a key within it, all of which is passed into the createObject() function as that 3rd argument:

<cfscript>
wsargs = structnew();
wsargs.refreshwsdl="yes";

somevar = createobject("webservice","http://[server]/[webserviceurl]",wsargs);
...
</cfscript>

Of course, you could just as easily do all the above in 3 CFSET tags. It doesn't matter. The key is the addition of the 3rd argument to the createObject(). And it doesn't matter at all what you call the structure (I named mine "wsargs").

Now, you may think this approach seems clumsy, and ask, "why didn't they just permit the refreshWSDL itself as a new argument on the createObject()?". It's a fair question.

But it turns out there's actually a little more to this new ArgStruct option, and it's different enough that I'll talk about it in a separate entry.

CF8 Hidden Gem: Refreshing Web Service WSDL and CF proxy/stub with new RefreshWSDL option

One of the many hidden gems in CF8 (and I've found dozens of them) is a new attribute on CFINVOKE or CFOBJECT (and argument for createObject) called RefreshWSDL. It's another solution to the long-standing problem of invoking web services whose metadata may have changed since previous executions. I'll explain the older approaches, some new in CF 6 and 7, later here for those who missed them.

So what's the problem it solves? If you have CFML code that calls a web service, and one day it just stops working, the problem may be that the web service itself has changed. Perhaps the owner changed the return type or some other metadata.

The new solution allows you to refresh that WSDL on the CFINVOKE or CFOBJECT tags, or the createObject method.

Doing it in CFINVOKE/CFOBJECT

Here's how to do it in CFINVOKE.

<cfinvoke webservice="http://[server]/[webserviceurl]" method="[methodname]" refreshWSDL="yes" ...

Adding it as an attribute for CFOBJECT would work essentially the same way, for those familiar with that tag.

Doing it in createobject()

Doing it in the createObject() function, however, is quite a bit different and leverages some new syntax for that function. I'll show that in another blog entry and will point out another new feature for that function.

There are a couple more points to consider about this, but first I just want to explain why it's needed, for those who haven't heard of such options.

Why should you have to refresh the web service metadata?

Just to back up for a moment, the problem stems from CF's attempt to help. On the first request for a given web service, CF does some caching to make future requests go faster, not caching the results of the web service method but rather the artifacts used by CF based on the description of the web service itself.

CF uses the web service description (WSDL) reported at the time of that first call to create a java proxy/stub based on that, which it then reuses on future calls from CF to that web service.

The issue arises if/when the web service metadata changes. CF won't know, and will continue to use the older cached proxy/stub, and your long-running code may fail if it doesn't match the new WSDL returned by the web service.

So we need a way to tell CF to refresh its cache of that proxy stub.

This new feature is certainly the easiest way to make that happen, but it's not the only way.

Not the only way to refresh the cache, but the easiest

Some may know (and I've written previously) about two programmatic ways to refresh the proxy/stub, whether you're using CF7 (which added a new method in the Admin API) or using CF 6 or above (using an undocumented/unsupported service factory method), as well as an available button in the CF Admin console that could do it (since CF6).

A benefit of this new approach is that it doesn't require you to know the CF Admin password.

Easier, yes, but could be used inappropriately

Of course, with power comes responsibility. You don't want to leave this indicator in your code for all requests, such as in production. That would force CF to do extra work on each web service invocation, defeating the whole purpose of the caching. It's like the tools CFLOG or CFTRACE. Well, more like the former. At least the latter has an Admin console option to disable it even if left in production code.

It's one of those things where opinions will differ. On the one hand, the ease of mistakenly leaving this in to get into production could make one argue that it ought not be in code, or at least should not be in code calling the web service but rather code to manage the cached stub itself, which is what the previous features did.

On the other hand, those required admin access to perform (except for the unsupported servicefactory approach). Similarly, even if there WAS an option to disable refreshwsdl in production, you'd be stuck if you needed to refresh the cache in production and had no admin access.

At least we have the choices now, and forewarned is forearmed.
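One way to get the benefit of the new RefreshWSDL option (from the CFINVOKE entry above and the createObject/ArgStruct entry before it) without leaving refreshWSDL="yes" on every request: wrap the call so the cached proxy/stub is used normally and refreshed at most once, and only when a call fails and a configuration flag allows it. This is an added example, not code from the entries or from Adobe; the web service URL, method name, arguments and the application.allowWsdlRefresh setting are placeholders.

```cfml
<!--- Added example: call a web service through CF's cached proxy/stub, and
      refresh the WSDL/stub only once, on failure, rather than on every call.
      The URL, method and argument names below are placeholders. --->
<cffunction name="callWebService" returntype="any" output="false">
    <cfargument name="wsdlUrl" type="string" required="true">
    <cfargument name="method" type="string" required="true">
    <cfargument name="args" type="struct" default="#structNew()#">
    <!--- Drive this from configuration, not a hard-coded "yes", so a stray
          refresh cannot be left switched on for every production request --->
    <cfargument name="allowRefresh" type="boolean" default="false">
    <cfset var result = "">

    <!--- Normal path: the cached stub, which is the fast, intended behaviour --->
    <cftry>
        <cfinvoke webservice="#arguments.wsdlUrl#" method="#arguments.method#"
                  argumentcollection="#arguments.args#" returnvariable="result">
        <cfreturn result>
        <cfcatch type="any">
            <!--- Any failure (changed WSDL, or something unrelated such as a
                  network error) lands here; refresh only if the caller opted in --->
            <cfif NOT arguments.allowRefresh>
                <cfrethrow>
            </cfif>
            <cflog file="webservice-refresh" type="warning"
                   text="#arguments.wsdlUrl# #arguments.method# failed (#cfcatch.message#); refreshing WSDL once">
        </cfcatch>
    </cftry>

    <!--- Retry path: one refresh of the cached WSDL/stub, then the same call again.
          If this also fails the error propagates; there is no second refresh. --->
    <cfinvoke webservice="#arguments.wsdlUrl#" method="#arguments.method#"
              argumentcollection="#arguments.args#" refreshWSDL="yes"
              returnvariable="result">
    <cfreturn result>
</cffunction>

<!--- Usage (placeholders): allowRefresh comes from an application setting,
      e.g. true in development and false in production unless deliberately enabled --->
<cfset rate = callWebService(
    wsdlUrl="http://[server]/[webserviceurl]",
    method="[methodname]",
    args={FromCurrency="USD", ToCurrency="EUR"},
    allowRefresh=application.allowWsdlRefresh)>
```

The same pattern works with createObject() by passing the refresh flag in the 3rd-argument structure (wsargs.refreshwsdl="yes") on the retry path only.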

Finally, as for more CF 8 hidden gems, I'll note that I've got a user group presentation on the topic, and I have a few dozen more I share. I'll start sharing more of those in blog entries.

CF8 monitor doesn't run on CF8 Standard, or any 6 or 7. What to do?

I'm surprised to still see people lament when they learn that CF8's server monitor does not run on CF8 Standard, or that it doesn't run at all against CF 6 or 7. My surprise is that their comments often make no mention of being aware of alternatives. On one list, someone said they might even be willing to pay double CF Standard's price to get monitoring in Standard. They just didn't like paying 6 times more (for Enterprise).

Well here's the thing: you can indeed get CF server monitoring, whether added to CF8 or made available in CF 6 or 7, and for far less than even double the cost of CF Standard. Some of you know where I'm going, but in case it needs to be said...

Check out FusionReactor and SeeFusion, both tools that I've written about before (see the "related entries" links at the bottom of this entry.)

Both these tools not only run on 8 (any edition), but they run on 7 and 6 as well, which CF 8's monitor does not. Further, FusionReactor can monitor not just CF but also any J2EE servers or app (including LiveCycle Data Services, for instance), and SeeFusion has a sister product, SeeJava, that can do this as well.

I've been a huge fan of both tools for a couple of years. No, they're not identical to CF8's monitor, and CF 8's monitor has access to a lot of information that those tools don't (for now, though they could be modified to access it as well, via the Admin API if running on CF8 Enterprise). But even until then there are features each of them has that CF's monitor doesn't, and vice versa.

I know some instead want Adobe to offer the monitor somehow to those on Standard, whether at some price or in some new edition. The chances of that seem pretty slim for now, though certainly interested folks should make their concern known. And certainly, it's worth noting that one can run the CF8 monitor on the Developer edition.

But some rightly point out that they want CF server monitoring in production and they can't use Adobe's on CF8 standard (or on 6 or 7). (And they're asking for more than just monitors to tell if the server's up or down, etc. Sure there are plenty of tools to tell that, but they want real insight into the processing of requests, threads, queries and more, which only these tools can do.)

I just want to make sure those folks know there are indeed good, professionally managed alternatives to get that on CF8 standard and earlier versions of CF, and those options are at low costs and come with free trials. (Same goes for step debugging. While the new debugger in CF8 works only with 8, FusionDebug, from the same company that makes FusionReactor, works in 6, 7, and 8.)

As I wrote before, I don't feel that the availability of the CF8 monitor (or debugger) diminishes the value of the third party tools for those on CF8. Keep an eye on the monitoring category here in my blog as I'll continue to write more about all 3 monitors in the future. They each have their strengths and their place.

Don't miss the CF8 version of the "getting started experience"


If you hadn't yet noticed, the CF 8 version of the "Getting Started Experience" site is now available on the Adobe site:

http://examples.adobe.com/cf8gettingstarted/experience/index_content.cfm

For many, the best feature in the GSE is the "Code Snippets by Feature and Tasks", which offers sample code (often also available as a live running example). In particular, note the section on "what's new in coldfusion 8", with examples for all the new tags and functions. Many of these are quite different from what's offered in the CF8 docs, both the "CFML Reference" and the "Developer's Guide".

Note that while you can click on the appropriate link in the page above to get to it, you can also link directly to:

http://examples.adobe.com/cf8gettingstarted/experience/snippets.cfm

It doesn't appear too much else in the GSE (getting started experience), such as the "Real World Apps", has been modified for CF8 (other than wording to refer to CF8 vs CF7). Maybe that will change in time. If anyone knows or finds differently, please comment here.

Also, you may notice that this CF8 GSE was not installed locally on your machine with the CF 8 install (as it was in CF7, under CFIDE\gettingstarted). I'm asking around about that at Adobe to see if we can get it to download. You can now download it, and extract it into your webroot. Check out the readme.txt that comes with it.


Copyright ©2024 Charlie Arehart