ColdFusion Muse

Always Check on the Last Thing You Changed

If you can sing this with a sort of smarmy accent like Eric Idle it makes it really pop to the tune of "Always Look on the Bright Side of Life".

Your server's feeling bad,
It can really Make you mad,
JRUN maxed can make you swear and Curse,
When you're chewing CFGristle,
Don't Grumble, Give a Whistle
And this will help things turn out for the best

Always check on the last thing you changed
(whistle cheerfully here)
Always check on the last thing you changed.

If CF's being Rotten,
There's something you've forgotten
And that's to check the freaking SVN,
For anything that's newish
Roll it back, don't be bluish
Just pucker up and whistle, that's the thing

Always check on the last thing you changed
(whistle cheerfully here)
Always check on the last thing you changed.

...I'm not sure what was in that mimosa...

Protecting the CFIDE directory in IIS

Yesterday I had a server with IIS and a few hundred sites on it. Some, though not all, of the sites had an unprotected CFIDE directory mapped. So my task was to protect these directories by denying all IPs access except a specific IP range. Before I describe the task and my trick let me remind you that this is not the time to tout Linux or Apache or bash Microsoft in the comments. The muse welcomes comments but enjoys variety. We all know about Apache and its manifest benefits. We don't need you to remind us in spite of your excellent credentials and biting wit. IIS is a fine platform with many strong points too and there are folks who need this information. They should not feel like they are sneaking into the adult section of the video store to get it. Now back to the Muse's usual good humor. Here's the scoop....
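One way to carry out the deny-everything-but-one-range task described above across every site on the box, written here as an added example and not the trick from the original post. It assumes IIS 7 or later with the IP and Domain Restrictions feature installed (it provides the ipSecurity section) and the WebAdministration module; the allowed network and mask are constructed placeholders, and the CFIDE name is the one the post discusses.

```powershell
# Added example (not from the original post): restrict the CFIDE location on
# every IIS site that has one to a single management network.
# Assumptions: IIS 7+ with "IP and Domain Restrictions" installed, the
# WebAdministration module available, and a constructed admin network below.
Import-Module WebAdministration

$AllowedNetwork = '192.168.100.0'   # constructed placeholder, replace with your admin range
$AllowedMask    = '255.255.255.0'   # constructed placeholder
$Filter         = 'system.webServer/security/ipSecurity'
$AppHost        = 'MACHINE/WEBROOT/APPHOST'

function Get-CfideLocations {
    # Returns "site/CFIDE" location strings for every site where CFIDE exists,
    # either as a virtual directory (how the installer maps non-default sites)
    # or as a physical folder under the site root (the default site, or a site
    # where a developer dropped the folder into the source tree).
    foreach ($site in Get-Website) {
        $vdirs = Get-WebVirtualDirectory -Site $site.Name |
                 Where-Object { $_.path -ieq '/CFIDE' }
        $root     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        $physical = Join-Path $root 'CFIDE'
        if ($vdirs -or (Test-Path $physical)) {
            "$($site.Name)/CFIDE"
        }
    }
}

function Protect-CfideLocation {
    param([Parameter(Mandatory)][string]$Location)
    # Deny every address that is not explicitly listed for this location...
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter $Filter -Name 'allowUnlisted' -Value 'False'
    # ...then list the admin network, skipping it if a previous run added it
    # so the script can be re-run safely.
    $existing = Get-WebConfiguration -PSPath $AppHost -Location $Location `
                    -Filter "$Filter/add" |
                Where-Object { $_.ipAddress -eq $AllowedNetwork }
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $AppHost -Location $Location `
            -Filter $Filter -Name '.' `
            -Value @{ ipAddress = $AllowedNetwork; subnetMask = $AllowedMask; allowed = 'True' }
    }
}

# Apply to every site, then show what each location now allows so the
# change can be checked before anyone relies on it.
foreach ($loc in Get-CfideLocations) {
    Protect-CfideLocation -Location $loc
    $rules = Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter "$Filter/add"
    $list  = ($rules | ForEach-Object { "$($_.ipAddress)/$($_.subnetMask)" }) -join ', '
    "{0}: allowUnlisted=False, allowed={1}" -f $loc, $list
}
```

Restricting the whole CFIDE location also blocks CFIDE/scripts, which public pages using cfform or cfajax load, so a site that needs those should serve them from a separate alias as the next entry describes. After running it, a request to /CFIDE/administrator/ from outside the allowed range should come back as 403.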


That Pesky CFIDE Directory

If you are CF community connected (and if not why not?) you know about the latest "sub-zero" exploit to ColdFusion that once again targets the Administrator or adminapi directory under the CFIDE directory. It leverages tags that work with files from within these directories to place code on your server which can then be leveraged to do other things. Basically it can function as a hostile takeover of your server. See this entry titled 0-Day Exploit for ColdFusion by the awesome folks at Edge web hosting for more information. It will point you to the Adobe Docs. The exploit targets CF 9 and 8 if I'm reading the source correctly.

The lockdown guide will give you a few dozen steps, some of which will have you pulling out your hair unless you have carefully built your server. But the main "fix" for this exploit is fairly simple. Do not allow arbitrary access to the CFIDE/Administrator and CFIDE/adminapi folders from the web. This seems to be pretty head-scratchingly obvious but you'd be surprised how many folks say "But don't you need a password to get into the administrator?". Yes, and you need a key to get into your house too, but an "exploit" is rather like a brick through the window. To really secure your house you need a security system, good locks, good lighting, and a Rottweiler the size of a pony.

Why is it there in the first place?

This is a question I get sometimes. "I don't remember adding that virtual directory. How did it get there?" No, you did not fugue off while adding web sites - unless you see one for a Ukrainian tether ball team or something - then probably yes you did fugue off. The real story is that when you install ColdFusion and select the "configure all websites" option during the install, the CFIDE is mapped on all the sites on your web server as a physical (for the default site) or virtual (for everything else) directory. That's how it seems to "show up" everywhere. In addition the "connector" scripts - the ones you run to "remove all" and "add all" - will add it as well. If you are like me you configure each site separately outside of the CF ecosystem. Then you join it to the ColdFusion engine using wsconfig. My servers use the multi-server config and I use the built-in web server (at ports 830X) to admin them from inside the network. When a new site is needed I add it in IIS or Apache, then I use wsconfig to connect it to the ColdFusion instance I want. Yes it's extra steps and yes it requires more knowledge, but it's the way I like it. And I'm worth it. Doing it this way does not add the CFIDE directory by default - which is why if I need the scripts directory I use an alias or virtual directory and alter the setting within the admin.

But what I notice from time to time is that there actually is a CFIDE directory that shows up on some of my sites. How can this be? I've been so careful. Here's what happens. A team member - a developer - is assigned to a site for the first time. Perhaps this is the first site they have set up on their local environment, or perhaps they are sysadmin-challenged and don't know how to create an alias or virtual directory. For whatever reason the CFIDE physical directory is installed and is living in the root directory of the site. Then at some point the developer remembers (through the prodding of his project manager) that he needs to do regular updates of our Subversion repository as a part of his task list. Suddenly (with apologies to Emeril if he's still alive and has not exploded) BAM! The CFIDE directory itself is now part of the source code. Our Jenkins CI server ignores this directory and does not deploy it to either staging or production, but usually the initial site setup is not done by Jenkins. So one thing leads to another and the directory is deployed to staging (small yikes) or production (big yikes and a shudder).

Of course this is bad in more than one way. For one thing this directory has the vulnerabilities in question in the form of CF Scripts. For another it is likely not being used to admin the server - which means that updates in the form of hot fixes and security patches will never make it into this code. It might also end up being the wrong version of admin as the site code is transitioned from version to version. I'm not sure if that last is bad or good - but it is another thing to worry about.

In conclusion, get out there and secure those directories (and other things). Let's make sure we are on top of this before it gets out of hand. :)

Setting Timeout Successfully on a Web Service Call

One of the annoying things about ColdFusion (yes, even the Muse gets annoyed) is the sort of haphazard way it deals with timeouts. If the process you are timing out involves a call to an external service it's really a crapshoot whether or not it will work. Once CF hands off to the external service and starts its vigil waiting for the callback, the timeout value is largely ignored. Don't believe me? Create a long query to a DB server and then pull the network cable while the query is running. The thread will usually continue to hang even if you have added a timeout value.

Recently Super Guru Jared Riley (Computer Services Inc. (CSI)) was lamenting this very problem with regard to a web service he was using. Because the web service would sometimes hang at the other end due to reliability issues his server was accumulating dormant ColdFusion threads which eventually would fill up the simultaneous request pool and begin to queue all other requests - effectively locking up the server.

It turns out a savvy developer named Jeff Nelson (also of CSI) came up with a solution for this particular issue. Before I share I must warn my readers that this is an undocumented solution that sets an underlying AXIS property. That means that subsequent changes to some future version of the underlying Axis libraries could cause this to error out at some point. The Muse has been known to use undocumented features successfully from time to time - but it pays to be vigilant when upgrading or patching. Also keep in mind this is only for web services. It will do nothing for Queries or cfmail etc. With that in mind here is the "fix".

Setting the timeout axis property

<!--- the second argument is the WSDL URL of the service you are calling --->
<cfset webservice = createObject('webservice', '') />

<!--- undocumented Axis property; the value is the timeout in milliseconds --->
<cfset webservice._setProperty("axis.connection.timeout", javaCast("int", 10000)) />

Now some of you might immediately say "hmmmm.... that's the connection timeout, but it doesn't really cover long running requests that occur AFTER the connection is made does it?" Jared has actually done a good bit of testing and claims that this property will timeout a request for either a connection reason or a time of process reason.

So if you are trying to solve this particular problem this might be an appropriate course of action. Now if we could just find similar settings for various DB Drivers my life would be complete.

Follow Up

For those of you who want to remind me that there already is a timeout attribute on cfinvoke that can be used here, I would respond that that setting works correctly for creating the stub classes. In other words, if ColdFusion can't compile the WSDL within the time allotted it will time out. But it doesn't work for actual calls to the instantiated methods.

In the Hunt for ColdFusion Programmers (Again!)

It's that time again. CF Webtools is looking for a talented, advanced ColdFusion programmer. We value developers who:

  • Take ownership of a problem and find a solution.
  • Participate in the community through lists, blogging, user groups etc.
  • Have a high skill set and a professional learning ethic.
  • Know how to communicate technology concepts across disciplines.
  • Respect and honor our customers.
  • Have a great sense of humor.
  • Love being a part of a "family" of developers who work together without a lot of drama.
For more info on what it takes to be a CFWT consultant check out my post on You Might be a Muse All-Star.

Frequently Asked Questions

  • Do you allow telecommuting? Yes all our development positions are full-time remote positions.
  • What sort of dev environment can I expect? We are an Eclipse shop and rely on SVN, Jenkins, and an agile-like approach to development. Having said that, as an outsource development company we frequently integrate with external teams. That means you can't always predict everything about the approach for the project you are working on.
  • What Industries are you working in? We have sites we develop and maintain in the Financial sector (stocks, options, commodities, retirement planning and management etc.), Insurance, Medical, Pharmaceutical, retail sales, real estate, etc. We have a very broad client list.
  • Will I get to meet the Muse? Yes of course... you'll be sick of me inside of two weeks.
  • Do you use frameworks? Yes - all of them all the way back to Fusebox 2. We work on new projects in common frameworks like FW/1 or DI/1, but we also support a host of legacy applications done on custom frameworks or with no framework at all.

As stated above, our positions are full-time remote telecommute. On rare occasions they might require some travel. We pay a competitive salary and benefits. CF Webtools maintains sites on virtually all ColdFusion and Database platforms. Our work is challenging, invigorating, sometimes poke-your-eyes-out frustrating, but never boring. Our development group is full of witty, interesting and extremely talented developers. It's a true mentoring community. If that sounds like a place you would like to work (and you meet our high skill-set standards) send your resume to - or contact the Muse directly if you like. Tweet me @cfwebtools or use the "Ask a Muse" link on this blog (I'm easy to find). You can also call 402 408 3733 and ask for Mark or Jason - we'll be thrilled to speak with you about our opportunity. The official job posting may be found on our corporate site at the Job Openings page.

CF 10 Does Not Honor "Maxrows" on Sybase Stored Procedures

In working with CF 10 on a site that uses Sybase as a backend database server, one of our tasks was to convert various "inline" queries over to stored procedures. In some cases these queries used the "maxrows" attribute to limit the number of rows returned to the driver. Personally I usually revert to LIMIT or TOP (or whatever the DB server syntax provides) for that purpose. With maxrows the DB server works just as hard (my best guess) and the driver simply counts the number of rows sent to the buffer and limits it there. In other words, I have always suspected that maxrows limits the number of rows sent from the DB server and not the number of rows actually produced by the query. Still, there are situations where it hardly matters in either case - and maxrows has a purpose there I guess.

So when it came time to convert our queries over to stored procedures - and with a requirement to change as little as possible on the DB server - we dutifully added the maxrows attribute to our cfprocresult tag like so:

<cfprocresult name="blah" maxrows="15" />

But to our surprise this had no effect. Sybase (or perhaps the Sybase DB driver) simply failed to honor the maxrows attribute. This might be one of those cases where only some drivers or DB servers are capable of implementing the attribute for a stored proc. For example the attribute dbvarname used on the cfprocparam tag is ignored by several DB servers (MSSQL among them). You must place your params in the correct order instead. Still, I wish an appropriate error message would be thrown rather than simply allowing the stored proc to execute and ignoring the attribute like a quirky basement-dwelling uncle. Anyway, I thought it was worth blogging this nuance of the Sybase driver for the 6 ColdFusion servers out there still connected to Sybase. :)

Debugging and a Return to Dodge City

One of the things the Muse likes best about ColdFusion is the excellent debug information provided during development. Of course you should never ever leave debugging enabled on a production server. Not only are you generating a great deal of additional data with each request (adding overhead), you are potentially exposing a mother lode of technical information that a nefarious hacker would salivate to see. But during development, the debug information is where you ought to live. Indeed, if you are not constantly checking the debug information start doing it now - make a habit of it! You will learn things about performance, iterations, database interactions, cookies, paths, and all sorts of goodies that will make you a better programmer.

I've had my head buried in the debug information since I started with ColdFusion. Back then (in the Wild West days of CF 4.01) we never heard of newfangled ideas like "cfqueryparam". We just stuffed our variables into queries willy-nilly and trusted the good Lord to protect us. It feels like I have spent the last 7 or 8 years cleaning up after code written like that. But writing queries in the raw (unprotected I mean... I don't generally code naked, although I did experiment in college) had one main advantage. As you probably know a lot of debugging goes back to the database. The debug output pre-cfqueryparam was "well formed" query code that could be copied and pasted directly into a query tool like MSSQL Studio or Navicat. This made debugging pretty easy. You could swipe a problem query out of the debug, run it and tweak it until it gave you what you needed, then paste it back into CF. But that changed when we all started using CFQUERYPARAM.


The Journey: Winning the Clone Wars Part 1

In my last post on this topic back in September, Phase II - The Clone Wars, I discussed the first phase of our business development. We talked about how I tried to duplicate my own skills and energies by hiring like-minded folks, and how this led to a lack of diversity and innovation. In this post we will pick up on some of the solutions to those issues. Let me say at the outset that some of these issues (founder's syndrome for example) are systemic and require constant vigilance and an ongoing effort to resolve. After all, we didn't come up with this list overnight at Denny's and pop in the next morning with neat and tidy solutions to all of them. Some of the items on our list (the need for sales, the value of diversity, the importance of management, team building etc.) required some convincing and cajoling and even some hard knocks to move us in the right direction. But I can say that in spite of "peaks and valleys" (which was incidentally my nickname in high school) we are moving in the right direction. So let's talk about solutions for moving off of the clone model and to something more workable for a larger, team-oriented staff.


Work for the Muse and Change Your Life

CF Webtools is looking for bright, talented, and motivated developers with high skill sets in ColdFusion, .NET and Mobile development (including IOS and Droid). We value developers who:

  • Take ownership of a problem and find a solution.
  • Participate in the community through lists, blogging, user groups etc.
  • Have a high skill set and a professional learning ethic.
  • Know how to communicate technology concepts across disciplines.
  • Respect and honor our customers.
  • Have a great sense of humor.
  • Love being a part of a "family" of developers who work together without a lot of drama.
For more info on what it takes to be a CFWT consultant check out my post on You Might be a Muse All-Star.

Our positions are full-time remote telecommute. On rare occasions they might require some travel. We pay a competitive salary and benefits. CF Webtools maintains sites on virtually all ColdFusion and Database platforms. Our work is challenging, enervating, sometimes hair-pulling, but never boring. Our development group is lively, talented and a true mentoring community (and growing more so daily). If that sounds like a place you would like to work (and you meet our high skill-set standards) send your resume to - or contact the Muse directly if you like. Tweet me @cfwebtools or use the "Ask a Muse" link on this blog (I'm easy to find). You can also call 402 408 3733 and ask for Mark or Jason - we'll be thrilled to speak with you about our opportunity. The official job posting may be found on our corporate site at the Job Openings page.

Please note - while I'm getting better, I am often pulled in many directions. If you feel like I have "dropped the ball" when you sent me a resume in the past - you are probably right. Please don't hesitate to contact me again. I'll make sure that Jason and Melissa (who handle the details) don't let you fall through the cracks this time.

The Journey: Phase II - The Clone Wars

I was recently chastised by a twitter follower (a beat down in 140 characters or less) for starting series that I fail to finish. So I'm coming back to my "Journey" series to add to the CF Webtools story a bit. When last we met on the subject I spoke of the 3 attitudes you need to succeed in the consulting business:

  • Work Hard and Be Patient
  • Be a People Person First
  • Avoid Perfection Paralysis and Do What You Can Do
With those thoughts in mind I'd like to talk about Phase One of your consulting business - building Clones.

More of Me

Anyone who's ever been successful as a contractor and thought about expanding has thought to themselves, "If I only had 2 of me." Aside from the obvious stress it would put on my wife you would think that having 2 of the Muse would be exceedingly useful. But knowing me, I would doubtless be playing golf right now leaving me behind to do all this work. That's just like me. It would make me so angry I'd be beside myself. Still, the idea is compelling when you are starting out - so compelling that you think about it a great deal when contemplating that all important first hire.

Consulting businesses are often started by knowledge experts with little or no business experience. When expanding such a business the first choice is usually "more of the same". In my case, since I worked a certain way, I geared all my documentation, proposals, and estimates to the skill set of the Muse. So what did I look for in my first hire? Muse II of course (same level of action with a weaker plot I guess). It made sense to expand the current way of doing business by simply gathering skill sets similar to my own and dividing the work up amongst them. My first hire (Jason Herbolsheimer, who is now CF Webtools VP of development) was an energetic can-do programmer able to find creative solutions to difficult problems. He worked at a similar speed to my own and was (and still is) a terrific people person. It was a great fit. Suddenly we were able to do roughly twice the work as before. In fact, my first 3 hires were like that. They were proven CF developers who I had known previously. Two of them had worked with me at my previous job. The 4 of us divided up our customers and simply worked them in the same manner that I had worked them when I was an individual contractor.

This approach reminds me of that moving company "2 men and a truck" (would that be a "Mac" truck?). My guess is they started out as 2 men... and a truck. When they decided to expand they probably considered changing their name to 4 men and 2 trucks, then 6 men and 3 trucks. There's some magic to this approach. It actually works well in many cases - especially if you assemble the right folks. If your team members work well independently and have the right soft skills (inner-directed, owning problems, eclectic skill set, customer driven etc.), it can work quite well. The 4 of us did fine and had a great time along the way. I know of 3 or 4 consulting companies who operate at this level and intentionally stay at this level. And why not? They make good money, have very low overhead, and the level of responsibility is less crushing. Still, if you plan to expand beyond a handful of developers, the "clone model" (not to be confused with cloning an actual model, which my wife says is out of the question) comes with some penalties.


The Phonetic Enforcer - Customer Service Run Amuck

From the absurdist school of customer service I bring you another tale of woe and frustration (and comic insight).

I write for a living. I know most folks think I actually code, troubleshoot, run a company etc. - but in truth a large part of my job is to communicate in email, documents and instant messaging. Recently I got to thinking about purchasing new software that would help me with style and editing (I'm a notoriously wordy writer). I started poking around and found this link with some excellent choices, so I started reviewing them. I settled on one of them (I won't say which but it was pale and misty) for my first trial. It was inexpensive and appeared to have an easy interface. More importantly it seemed to be able to jump to life within any software I was using. Since I use Word, Evernote, Outlook, Gmail, Google Docs, and HomeSite (for blog writing using hand-coded HTML) I thought that was a great feature.

I downloaded a copy and tried it out on a few things - emails mostly. I liked it so I purchased a license. I began with a document that I was prepping. Uh oh.... the software has a 10,000 character limit - it won't scan more than 10,000 characters at a time. That's a non-starter for me - and it's too bad. The software was really nice and slick - and I was digging it. I contacted support and they were extremely helpful in answering my questions and confirming that it would not meet my needs. I asked for a refund (I'd had my license about an hour) and they said "no problem". They forwarded me to "Lee" in the payments department. That's when the trouble started. Here's a rough outline of how it went.


Muse Review: Exploring CouchDB With Matt Woodward

On Saturday I sat in on ColdFusion genius Matt Woodward's session on practical CouchDB. I have experience with both Memcached and MongoDB so I thought I was prepared for the general sense of what you could do with CouchDB (which I had never explored). I assumed it was just another "NoSQL" database. But Matt demonstrated some things that were new to me and I am intrigued enough to experiment with them - hopefully engendering a few more "CouchDB" blog posts. Here are a couple of pros and cons gleaned from the presentation.


Muse Reviews: Charlie Arehart on ColdFusion 10 Server Options at Cfobjective

I'm sitting in on Charlie Arehart's workshop regarding how ColdFusion 10 and Tomcat live together and how to configure it. It's obvious that a good deal of my specialized JRun knowledge will be less than useful in a couple of years, but I'm really excited about the change. Charlie does a good job of identifying:

  • Where everything is at - log files and config files live in new locations now.
  • What should you watch for - lots of new files and folders that may or may not be useful to fool with.
  • What you should not be paying attention to. Tomcat is an app server that can do far more than just serve up jsp (or cfm) files. Charlie spent some time helping us understand what to ignore.

Of Note...

Charlie identified a Tomcat filter (valve) called CrawlerSessionManager that can truncate the session for an indexing bot so that it is very short-lived. That could be very useful for high-traffic sites, as those of you who have written extensive bot-checking code to shorten the session timeout can attest. This would handle that automatically (if I understand what he's saying) at the server app level. He also identified some "listeners" that look interesting. I'm really looking forward to understanding more about Tomcat.

One of the new features is to save sessions across a restart. To do this you have to modify context.xml by uncommenting a node and adding a path. The Muse will try to write this up in his own style at some point. The gotchas are that it has to be a graceful shutdown (not a crash) and it can be a lengthy process, which may negate the purpose on a busy server with a great many sessions. Still, under certain circumstances it would be a real plus I think. Another option is to use the built-in Tomcat Persistent Session Manager, which is able to save to a database or to individual files.


As usual Charlie's presentation is replete with tons of URL resources, so I'm going to point you to his site.

Muse Review - Code Reviews With Jim Priest at Cfobjective

Great workshop on code review by Jim Priest (The Crumb). Jim demoed a product called Review Board, a product that integrates with Git or SVN and provides a mechanism and workflow for reviewing code in a team. Like coding standards, it is probably more important that you do review code than exactly how you review it. Spend some time looking at what you and your team are doing, with an eye toward improvement and consistency. Great seminar Jim - I learned a lot.

Addendum - Jim also mentioned Smart Bear as a good resource for code reviews.

Muse Review - Intro to HTML 5 With Ray Camden at Cfobjective

Sitting in on the first third of Ray's HTML 5 intro. He has a "buttload" of code (his word - one wonders about the capacity but I digress) and with his usual efficiency he has posted all his sample code on github here. Great quote from Ray.

"Whenever I hear descriptions of HTML 5 it reminds me of a drug commercial. It's one sentence of benefits followed by 2 minutes of horrible side effects."

Instead of focusing on esoteric things like canvas, Ray's preso spends a lot of time on form features. This is one of the best things about HTML 5. There are simple and straightforward ways to make forms more usable. A great example is autocomplete implemented entirely on the client side and entirely without JavaScript.

<input type="text" name="foo" list="gurus">
<datalist id="gurus">
  <option>Ben (the elder)</option>
  <option>Ben (the younger)</option>
</datalist>

The really cool thing is that datalist is ignored by older browsers and picked up by more modern browsers. It sure beats having to gin up some Ajaxian bindings (not that there's anything wrong with that). There will still be times when you need to use Ajax for autocomplete, when you have a query to run or a huge dataset. But it sure makes those simple select fields easier and provides a great user experience. Remember you have to have that Doctype added so your browser knows to try to render in HTML 5.

As usual Ray teases out some of the most practical and useful tidbits - things that can be used immediately. Make sure and check out the excellent samples at github. Ray also recommends Can I Use - a great site to test your HTML version code.


Blog provided and hosted by CF Webtools. Blog software by Ray Camden.