ColdFusion Muse

ColdFusion and Java 8 and Java 11 Updates

As many of you are aware Oracle has changed their licensing for Java 1.8 and making it a pay to play for all commercial purposes. Here's a link to the licensing announcement. I'm not a lawyer and I'm not going to pretend that I understand these licensing agreements. But Oracle and Adobe (or their lawyers I presume) do understand these and as such there are changes to note. On January 24th Adobe announced that Adobe will maintain support. via a Long-Term Support Agreement with Oracle, for Java 8 and Java 11. Thank you Adobe!

I have questions as I'm sure everyone else does. I've been asking representatives at Adobe these questions.

What does this mean for us?
ColdFusion Server runs on Java from Oracle, and as such the new Oracle license affects all of our ColdFusion servers. To this point Adobe has secured licensing from Oracle that allows all ColdFusion Server owners continue running Java. It is very important to note that you now need to download Java from Adobe and NOT Oracle. Get your Adobe Licensed Oracle Java downloads HERE!

Is the Java version from Adobe Different that the same version from Oracle?
Great Question and I asked Adobe about this. Here is the answer "Wil, installers are same but license attached to them are different and this is for both Java 8 and 11".

What about my existing ColdFusion Servers?
Another great question! There are tens of thousands (or more) ColdFusion servers running and the vast majority of them are running on Java from Oracle. I know that the CF Webtools Operations Group maintains a very large number of servers for a large number of clients. Over time we have been upgrading the Java version on the servers to keep up with the security updates from Oracle. This means that most if not all of these servers are on Oracle Java from Oracle and not from Adobe. What do we have to do to remain compliant? I really hope we do not have to visit all of these servers and replace the Java with the one from Adobe simply because there is a different license agreement attached. I have submitted this question to Adobe and I'm awaiting anxiously for the answer. What I do know is that all servers that we need to update are going to get the Adobe Licensed version of Oracle Java to stay safe.

I received an answer today from Adobe on this.

Wil, to answer your question, if the JDK/JRE were downloaded before Oracle came up with Licensing change, it should not be an issue. Otherwise we recommend using the Adobe provided download as soon as possible, although we don't see a deadline around this.

This means that all the servers that I have recently updated will need to be re-updated with the Java from Adobe that has a different license agreement.

What about my New ColdFusion Servers?
This question has a simple answer. To install a new ColdFusion Server you need to use the ColdFusion installer from Adobe which comes with an Adobe licensed version of Oracle Java. If you want to use a newer version of Oracle Java then you need to download the Adobe Licensed vision of Oracle Java from Adobe. Download Here!

Do I have to use Oracle Java?
Awesome question and the answer is yes, no, maybe. There is OpenJDK that may work just fine to run ColdFusion servers. There is also a new player in the Java game and that is Amazon. "Amazon Corretto is a no-cost, multiplatform, production-ready distribution of the Open Java Development Kit (OpenJDK)." Currently their version 8 is production ready and they version 11 is in the Release Candidate stage. I have run ColdFusion 11 an dColdFusion 2016 on Amazon Corretto 8 and it ran fine for the very limited testing that I did. For now there isn't official support from Adobe for these two Java versions.

As I get more information from Adobe I will provide updates above. I'm sure there will be more questions that people will want answered.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

Converting Fusebox 2 to FW1 - Creating Scaffolding

A quick Muse post with a bit of code. I know I know it's been a while and my coding has suffered. Still, some of you may find this useful.

I'm converting a Fusebox 2 application to FW1 and I wrote a simple script to automate some of the shell files I need. FW1 uses a URL convention that looks similar to Fuesbox. In Fusebox you have a 2 part URL param that dictates what your code is supposed to do. For example, fuseaction=reports.users would logically be a "circuit" called "reports" - think of it as collection of code or an application within a suite of applications. The second part of the fuseaction dictates which report exactly is supposed to be run.

FW1 is not dissimilar to this approach although it tends to introduce complexity for complexity sake at times (don't @ me). In FW1 an "action" parameter dictates which controller to run which in turn calls services and views as needed to set up a page or action. So FW1 may have action=reports.users - it looks quite familiar.

Since my Fusebox application is well organized I created a script that builds off the circuit and creates the necessary FW1 files. For each circuit I am going to create:

• circuitName.cfc in the FW1 /controllers folder.
• circuitName.cfc in the FW1 /model/services folder.
• circuitName.cfc in the FW1 /model/DAO folder.
• A folder named for the circuit in the FW1 /views folder with a placeholder file within (default.cfm) for my eventual content.

The script is pretty easy and it's designed to be run within the fusebox application where the FW1 application is accessable via file operations. First some setup:

Next I created some placeholder files for controller, services and DAO. I'm going to read those files into variables.

Then I'm going to use my Fusebox applications structure called "Fusebox.circuits" and loop through it taking action on my plan.

That's it. The end result is matching DAO, Controller and service files and view folders. Of course I may delete some of them or merge or whatever as my FW1 application takes shape, but having a matching convention with Fusebox let's me examine code from one into the other without a lot of fuss.

Follow Up

I created a script that handles the "second" part of fuseaction and places an CFM in the views folder as a placeholder. Basically "reports.users" should result in a /views/reports/users.cfm file containing HTML. This is where the eventual display code will be housed.

Talent Search Continues - Eclectic ColdFusion Developers Sought

CFWT is growing again. We are looking for one, possibly two senior ColdFusion developers to join our staff. Our group is close-knit, dynamic and knowledgable. Here are a few things you should know.

• Yes you work from home and we will not ask if you are wearing a mask.
• You must be located in the US and legal to work here. (No agencies or overseas - sorry)
• Yes the position is W2 with benefits after a short (30 day) trial period.
• Yes benefits include health care.
• No our health care won't cover your hello fresh diet, but it's still pretty good.
• Yes there are other benefits - 401k, dental, PTOs, disability, life insurance, and a water cooler chat that keeps humming with each new edition.
• We work with our customers to meet their needs. We do not dictate the environment or the strategy. We are at their disposal (meaning we serve them - not that we stand at the kitchen sink).
• Yes you will have to tak a coding test. The test involves logging into a VM and coding through a few simple tasks. It should take you about an hour. We look at everything you do and there are no right answers. The focus is patterns of behavior and general problem solving and knowledge.

If you are still interested. Here is the sort of developer we are looking for.

---

Senior ColdFusion developer

This position is on a high quality team maintaining, upgrading and enhancing a broad suite of complex applications. Responsiveness, communication, security mindedness and teamwork are key elements of the ideal candidate.

• Mac User (especially for development). If you know Vagrant that's a plus.
• reactJS.
• Framework experience (especially FW/1)
• Lucee experience.
• High DB Skills in MSSQL or MySQL including optimization, design and indexing.
• Familiarity with SCRUM, Git, Agile and Jira as primary elements of SDLC

Folks on this team usually love it. It's engaging and interesting and contains some giant brains who are eager to share.

---

More about CFWT

We are not recruiters. We are not generalists either - we focus on the CF stack and try to know "all things ColdFusion". Yes you will work with and for customers but we care about developers and work culture. We try to find what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here's some items that you need in order to fit in here.

• You should be able to setup multiple local environments on your own with a minimum of assistance. Probably this means words like "Apache" or "IIS" shouldn't scare you too much. Yes you will be exposed to ______ (windows/mac) even if you are religiously devoted to ________ (windows/mac). We don't make the rules.
• Communication is key. We like folks who can write well and know how to show empathy and collaborate with others. Most of our customers use some form of agile, so being on time to stand ups and prepared to respond is key. You will also be required to record (log) your hours on a daily basis. We make it easy but a surprising number of developers struggle with this task.
• You should be able to work with SVN or GIT and sometimes other source control products.
• You should Maintain positive attitude - We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self deprecating that will be a plus and you will love it here.
• You should Maintain and enhance your skills set - you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Everyone of these is a growth opportunity. If that has you licking your chops climb aboard.
• We like Balanced Developers - Our devs have a full life. They ride horses, snowshoe, skydive, sword fight, play instruments, love dogs, golf, learn languages, rear children, go to plays, like to bake, fish, hunting, equestrian sports, skydiving, guitar playing, dog training, macramé, Golf, racquetball, Mandarin, Politics (careful!), family outings, child rearing, school plays, choirs, baking, snowshoeing, ice fishing, hunting, aquaponics, mudding, and the list goes on. We love it all! We think those things make you a better developer and it makes us want to be around you. We aren't looking for 80 hour a week developers slavishly devoted to coding. We are looking for eclectic, interesting people who enjoy coding and want to do it for a living.

Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 105 and ask for the Muse. We look forward to hearing from you!

It's Up To Us To Stop Hackers

The first month of 2019 has passed and it was full of year end wrap up articles about anything and everything from 2018. Most were fluff articles on pop culture and such. What I found most interesting were the articles that quantified the past year of hacking and security breaches. According to NBC News, Hackers stole nearly half a billion personal records in 2018. There were fewer breaches, but the breaches were bigger and worse and more data than ever was stolen. Crypto-miners have improved as well and not in a good way. Previously I wrote about Cryptojacking and Hacking for Bitcoins. These are malware attacks where hackers install crypto-miners on servers they have compromised. The Crypto-miners use your CPUs to make money for themselves. Hackers have taken this malware to a new level of deviousness. The malware can now target and remove cloud security products as reported here and here.

It's been a banner year for the hackers.

Read More

ColdFusion Bug Introduced In Newest Update

UPDATE: Adobe has released updates for the last update.

• ColdFusion 11 Update 17 was released that supersedes Update 16.
• ColdFusion 2016 Update 9 that supersedes Update 8.

Many of us have been testing these new updates including myself and so far they look good. We have not heard any news on any additional updates for ColdFusion 2018

alert everyone that there is a critical bug that was introduced with yesterdays updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Adobe is very actively working on a resolution. The bug is simply this, in cfscript queryExecute() is broken. This is the bug report.

Here is an example of what is no longer working. Example one is a cfscript based CFC file.

Example two is a cfscript block in a CFML file.

The code causes a Java error at the queryExecute() statement. Many of us are working with Adobe to provide test cases, stack traces, and testing hot fixes in order to get this resolved as fast as possible. Until there is a fix, if your application is using cfscript based queries, you will want to hold off on the update.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

New ColdFusion 2018 and ColdFusion 2016 Updates and Patches

Adobe just released updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Please note that this is most likely the last update that ColdFusion 11 will receive due to it's core support end of life is coming up in April of 2019.

Some New Features

• This update includes adding support for Java 11 to ColdFusion 2018 and ColdFusion 2016. ColdFusion 11 did NOT get this update most likely due to ColdFusion 11 nearing end of life.
• ColdFusion 2018: Server Auto-lockdown includes a new installer for Mac OS.
• ColdFusion 2018 and ColdFusion 2016: Updated the following OEMs:
  1. Jetty 9.4.12
  2. ExtJS 6.6
  3. JPedal 8.4.31
• ColdFusion 2018 and ColdFusion 2016: You can use cfloop as script for arrays, lists, structs, or queries.
• ColdFusion 2018: New platform support matrix for the following:

Adobe has updated more features for ColdFusion 2018 and ColdFusion 2016 including new mobile updates and Performance Monitor Updates. It's time to update your servers.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

CF Webtools Looking for Talent

CF Webtools is actively looking to fill 3 developer positions on our ginormous ColdFusion development team. Each position has a unique set of needs. Here are some facts about working with CF Webtools.

• Yes you work from home so your flip flops will not weird anyone out.
• Europe is great and has many fine developers, but our we are looking for folks legal to work in the US only. (sorry!)
• Yes the position is W2 with benefits after a short (30 day) trial period.
• Yes benefits include health care.
• No our health care won't cover your psychic or spa treatments in Barbados, but it's pretty good.
• Yes there are other benefits - 401k, dental, PTOs, disability, life insurance, and daily interactions with me if you so choose (most do).
• On holidays we party virtually like it's 1999 - I guess that means we don't worry about our carbon footprint on that day or something.
• Bad code sometimes, lack of framework, security issues - sure we get code like that. Not always, but enough to notice. Still, it's never ever boring around here - and not just because Wil is hysterical.
• We need advanced ColdFusion developers and yes, you will be tested. The test involves logging into a VM and coding through a few simple tasks.

If you are still interested. Here are 3 profiles for the folks we are seeking.

Profile 1 - The Team Pro

This position is on a high quality team maintaining, upgrading and enhancing a broad suite of complex applications. Responsiveness, communication, security mindedness and teamwork are key elements of the ideal candidate. Some other stuff:

• Mac User (especially for development). If you know Vagrant that's a plus.
• REACT js library.
• Framework experience (especially FW/1)
• Lucee experience.
• High DB Skills in MSSQL or MySQL including optimization, design and indexing.
• Familiarity with SCRUM, Git, Agile and Jira as primary elements of SDLC

Profile 2 - The Visionary

This position is on a team of 2 working on a high end code base with a demanding QA and business analyst team. Your team member here is a rock star and you will learn buckets. You need attention to detail, self-starting, thinking around corners and better than average front end skills are at a premium here. Other items:

• Bootstrap skills.
• jquery and Ajax asych programming.
• OO Design sometimes without a framework.
• Availability between 5 am PST (8am EST) and 5pm PST - standups etc. This company is multi-national so they need some availability guarantees.
• Visualization experience - datatables, high charts tableau etc.
• Strong SQL server DB Skills.
• Experience working with APIs (REST for example).
• CSS preprossing - SASS or LESS for example
• Test Driven development

Profile 3 - The Knowledge Master

For this position we need someone who is good at gleaning institutional knowledge of a system and code. If you like to dig in, find things about about a system and then use that knowledge to help others and make the system better, this is an ideal place for you. Additionally:

• If you have used Oracle in the past (programming PL/SQL) that is a plus.
• Familiarity with on-line testing, SCORM etc will help here.
• The ability to flesh out requirements and make appropriate assumptions without too much hand holding will help as well (although ramp up time is to be expected of course).

More about CFWT

We care about developers and work culture. We intend to get to know you and what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here's some items that you need in order to fit in here.

• You should be able to setup multiple local environments on your own with a minimum of assistance. Probably this means words like "Apache" or "IIS" shouldn't scare you too much. Yes you will be exposed to ______ (windows/mac) even if you are religiously devoted to ________ (windows/mac). We don't make the rules.
• You should be able to work with SVN or GIT and sometimes other source control products.
• You should Maintain positive attitude - We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self deprecating that will be a plus and you will love it here.
• You should Maintain and enhance your skills set - you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Everyone of these is a growth opportunity. If that has you licking your chops climb aboard.
• We like Balanced Developers - Our devs have a full life. They ride horses, snowshoe, skydive, sword fight, play instruments, love dogs, golf, learn languages, rear children, go to plays, like to bake, fish, hunting, equestrian sports, skydiving, guitar playing, dog training, macrame, Golf, racquetball, Mandarin, Politics (careful!), family outings, child rearing, school plays, choirs, baking, snowshoeing, ice fishing, hunting, auquaponics, mudding, and the list goes on. We love it all! We think those things make you a better developer and it makes us want to be around you. We aren't looking for 80 hour a week developers slavishly devoted to coding. We are looking for eclectic, interesting people who enjoy coding and want to do it for a living.

Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 105 and ask for the Muse. We look forward to hearing from you!

Using CDN for Entire Website and Country Blocking - Part 3

This is Part 3 in a short series of articles about blocking entire countries from a website. Parts one and two cover CloudFlare and CloudFront.

CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In my previous two articles I wrote about using CloudFlare and AWS CloudFront. In this article I'm writing about using a slightly better hammer in the Whack-A-Mole method to block entire countries. This is one of the simplest but also least effective methods.

The option many of us have traditionally done is blocking problematic IP's on a case by case basis and in extreme cases blocking entire IP ranges. I've often referred to this as the Whack-A-Mole method. It's reactive and not proactive. A real hacker would not use their own personal IP and there is no guarantee that the IP will always remain with an unscrupulous user. Normally I do not block an IP because bad stuff happened from that IP once. However, I have noticed the same IP or IP ranges launching attacks on multiple unrelated, hosted at different locations, and different client's servers. That's when I start pounding the IP with the ol' Ban Hammer! Also, blocking and entire country with this method would mean being able to know all the possible IP addresses or address blocks assigned to a particular country. This is knowable!

I did some research on this and found a few very helpful resources. Resources like this http://ipdeny.com/ipblocks/ and this https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/. These sites keep an updated list of IP addresses assigned to every country in the world. These are made available in the form of individual text files per country. And in the case of the SitePoint page, you can download a pre-scripted config file for many versions of web servers and firewalls. Hammer Time!

In the case of the country our client wants to block there are over 130 IP entries. These are in the form of CIDR IP ranges. This is the good news. The harder part here is that means there would have to be 130 plus entries manually added into IIS or a firewall. And this is for a smaller country. Larger countries, including countries that are known for hacking, have many thousands of CIDR IP ranges. But at least I can download the scripts for Apache and IIS from the SitePoint page and paste them into the respective config files.

What are the downsides to this method? First off I do not know if there would be any performance hit to IIS or Apache if we were to start entering thousands of IP restrictions. I do know that AWS restricts Network ACL's to an absolute max of 40 rules in their VPC's due to "performance issues" if more were added. We're still whacking at moles. IP assignments for countries can change thus you would need to update your static list of IP bans in your web server.

This is an example of how Apache 2.4 is configured.

This is an example of how the IIS XML web.config is configured. The CIRD notation needs to be converted to IP and network mask format.

In conclusion each option; CloudFlare, CloudFront, and IP Banning, each have their benefits and costs. CloudFront was the easiest of the three to setup and if the downsides of the IP address masking isn't an issue then it is likely the most viable solution. The AWS CloudFront solution may be best if you are already on AWS and you have an understanding of AWS Solutions Architecting. Both CDN options have country restrictions (and rate limiting) that will help in preventing potential credit card scammers from misusing your shopping carts. IP Banning is simplistic, it has no additional dollar costs. But it may be a performance hit to your web server if you have a very large number of IP restrictions. You may also have to update the IP lists if IP assignments to a country change. It's also worth noting that all methods can be bypassed via proxies.

CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.