Secure Your Application – PCI DSS Specifications

26th January 2009 in Adobe ColdFusion, Authentication, BlueDragon, Code, ColdFusion, Databases, Payment Processors, Railo, Server Side, Web Servers by Simon | 5 comments

PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. A company processing, storing, or transmitting cardholder data must be PCI DSS compliant.

Types of Data on a Payment Card

The PCI SSC (Council) is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.

All in-scope companies must validate their compliance annually. This validation can be conducted by Qualified Security Assessors, i.e. companies that have completed a three-step certification process by the PCI SSC which recognises them as being qualified to assess compliance to the PCI DSS standard. However, smaller companies have the option to use a Self-Assessment Questionnaire. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant’s region.

The current version of the standard specifies 12 requirements for compliance, organised into 6 logically related groups, which are called “control objectives.”

  1. Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  3. Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  4. Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  5. Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  6. Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

Compliance with these requirements can be summarized into 3 main stages:

  • Collecting and storing: Secure collection and tamper-proof storage of all log data so that it is available for analysis.
  • Reporting: Being able to prove compliance on the spot if audited and present evidence that controls are in place for protecting data.
  • Monitoring and alerting: Have systems in place such as auto-alerting, to help administrators constantly monitor access and usage of data. Administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself –- there must be proof that log data is being collected and stored.

What does this actually mean for web application developers?

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time. If you follow the guidelines below, you will go along way to securing you application in line with the PCI DSS regulations. Many of the measures apply to general application security, but since PCI DSS is all about security, they are worth mentioning.

Server-level Security:

  • Separate web- and database-servers on to different physical machines.
  • Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
  • Keep servers up-to-date with the latest patches and software releases.
  • Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
  • Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
  • Secure the database server behind a firewall.

Application-level Security:

  • Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
  • Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
  • Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
  • General settings in the ColdFusion Administrator:
    • Check the Disable access to internal ColdFusion Java components option.
    • Check the Enable Global Script Protection option.
    • Add a Missing Template Handler.
    • Add a Site-wide Error Handler.
    • Reduce the Maximum size of post data from 100MB.
    • Enable Timeout Requests, and set to 60 seconds or less.
    • Disable Robust Exception Handling on production servers.

Web Application-level Security:

  • Use secure HTTP to transfer data and/or when logged into ‘administration’ secutions of your web application.
  • Timeout sessions after 15 minutes and on browser close.
  • Provide multi-level login processes. For example, lock the application after 3 failed attempts for a period of 10 minutes.
  • Do not identify whether the username or password are incorrect, simply notify the user that their login failed and that they must try again.
  • Encrypt passwords stored in the database with a standard such as SHA-256 or ’stronger’.
  • Use CAPTCHAs (textual and aural) to prevent automated robots hacking into your application.
  • Run regular penetration tests on your application to identify potential problems.
  • Encrypt credit card information held in the database or other storage mechanism. Only store credit card data in line with the PCI DSS regulations.

Code-level Security:

  • Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
  • CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times. There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.
  • Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
  • Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Conclusion

The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored or transmitted by merchants. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorisation. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip – and personal identification numbers entered by the cardholder.

By following the points made above, you will go a long way to meeting the PCI DSS guidelines, whilst also securing your infrastructure and applications in a more general sense.

Caveat: The views and comments written in this article are provided as a guideline. I hold no responsibility for the security of your applications and data based upon the information provided.

Adobe’s LiveCycle Powered by Amazon’s Cloud

14th January 2009 in Adobe, Adobe ColdFusion, Adobe LiveCycle, Amazon, Cloud Computing, ColdFusion, Podcast by Simon | 2 comments

Adobe recently announced, in conjunction with Amazon, that they would bring LiveCycle to Amazon’s Elastic Compute Cloud (EC2). To quote Adobe:

Adobe is now offering developers subscribed to the Adobe Enterprise Developer Program access to their own virtual instance of LiveCycle ES through LiveCycle ES Developer Express. LiveCycle ES Developer Express provides a pre-configured, virtualized installation of LiveCycle ES Solution Components in a self-contained development environment. LiveCycle ES Developer Express is hosted on the Amazon Elastic Compute Cloud (Amazon EC2). AEDP members can test, build, store and develop their applications in a cloud-base environment where all LiveCycle ES applications are pre-configured and running. The Adobe Enterprise Developer Program will offer a minimum of 10 hours of runtime per month, with additional hours to be available separately.

What is cloud computing and why is it important?

The term cloud computing, as used by some commentators, refers to the use of scalable, real-time, Internet-based information technology services and resources. This somewhat nebulous concept incorporates software as a service (SaaS), utility computing, Web 2.0 and other recent technology trends. The common theme stresses reliance on the Internet for satisfying the computing needs of users, without them needing knowledge of, expertise with, or control over the technology infrastructure that supports them. An often-quoted example is Google Apps, which provides common business applications online that are accessed from a web browser, while the software and data are stored on Google servers.

The cloud element of cloud computing derives from a metaphor used for the Internet, from the way it is often depicted in computer network diagrams, and is an abstraction for the complex infrastructure it conceals.

How do Adobe and Amazon fit into the equation?

Adobe and Amazon have similar goals. They both want to gain more share of the enterprise market. Amazon needs to convince the enterprise that its version of the cloud is capable of supporting the demands of enterprise applications. On the other hand Adobe wants to convince the developers who already use AWS that LiveCycle is the platform of choice for the enterprise.

What is Adobe LiveCycle?

Adobe LiveCycleAdobe’s LiveCycle Enterprise Suite is a J2EE-based server software product used to build applications that automate a broad range of business processes for enterprises and government agencies.

LiveCycle combines technologies for data capture, information assurance, document output, content services, and process management to deliver solutions such as account opening, services and benefits enrollment, correspondence management, request for proposal processes, and other manual based workflows.

What are Amazon Webservices?

Amazon Webservices LogoSince early 2006, Amazon Web Services (AWS) has provided companies of all sizes with an infrastructure web services platform in the cloud. With AWS you can requisition compute power, storage, and other services–gaining access to a suite of elastic IT infrastructure services as your business demands them. With AWS you have the flexibility to choose whichever development platform or programming model makes the most sense for the problems you’re trying to solve. You pay only for what you use, with no up-front expenses or long-term commitments, making AWS a cost-effective way to deliver applications to customers and clients.

How do they fit together?

Essentially, Adobe has put a Red Hat JBoss J2EE stack on AWS and deployed LiveCycle on the stack. Adobe state that this platform is purely for prototyping, developing and testing applications, rather than production environments, but that is likely to change.

The future

Deploying LiveCycle on AWS has wider implications, not only for Adobe products. By setting up a J2EE stack on AWS it makes it possible to deploy any Java-based application; yes that does mean one developed in Adobe’s ColdFusion or indeed its chief rival, Railo.

Let’s not Dilly-Dally: ColdFusion has its Merits

9th January 2009 in Adobe, Adobe ColdFusion, Business, ColdFusion, Flex, The Web by Simon | 10 comments

ColdFusion is 13 years old. That make makes it the daddy of the web world! It does not make it any less hip or useful than the relatively new kids on the block.

Take this scenario. A company I once worked for had what can be described as a business directory built upon a licensed, yet bastardised, version of a popular ColdFusion-based CMS. It didn’t work that well! The decision was made to redevelop the application in Java. It took two years to reach the same level of functionality! What happened next? Ruby-on-Rails is what! The rest is history and beyond the topic of this post.

So, in effect, the application almost went full-circle in its development paradigm — both ColdFusion and Ruby-on-Rails can be considered Rapid Application Development environments, Java, certainly not. Why did the decision makers not stick with ColdFusion and put time aside to actually build it properly in the first place? To put it simply, they lost faith in ColdFusion; it was largely mis-understood.

The weakness of every programming language does not lie with the language itself per se — albeit it can have an important influencing factor — but rather with the ability, or indeed inability, of the developer to leverage the language in the most efficient and optimal way.

ColdFusion, like every other programming language has had and I’m sure still does have its fair share of poor developers; those people simply working with it as a means-to-an-end, rather than those passionate about the language, those people programming without understanding the fundamentals of programming or the implications of their poorly written code. This is apparent from .NET to Java, ColdFusion to Ruby, JavaScript to ActionScript.

Let’s not dilly-dally, bicker or insult one another about which is best, which one is dying and which one is not worth the computer it is compiled on. What is important is to understand the merits of each language and decide which one best suits the application, not only in technical terms, but also in terms of time-to-market, cost of development, availability of a skilled workforce etc.

ColdFusion, whether rightly or wrongly in some people’s opinion, can sit proudly amongst its peers and provide a truly compelling alternative.

Here’s how (in no particular order):

  1. Low Total Cost of Ownership – frequently, ColdFusion is described as expensive, it simply isn’t especially if you consider the natively supported functions. But to put it bluntly, if your company cannot afford the cost of ColdFusion standard, or indeed ColdFusion hosting, you have bigger things to worry about regarding the profitability of the company; you won’t be able to afford much of anything! The problem becomes not the product. ColdFusion applications are quicker to develop and developers are vastly cheaper to employ than their peers in Java or Ruby, just look at ITJobsWatch for examples.
  2. Rapid Application Development – ColdFusion vastly simplifies tasks. What would take other languages numerous lines of code to produce is efficiently encapsulated either in a tag or function or as a setting in the administrator. This is a simplistic yet indicative example: where else can you connected to a database simply with one line of code or indeed simply by name? ColdFusion changed the idea of specifying development time in terms of months and years to weeks and months or small features a matter of hours and days. Simplicity is not the mother or all evil. To be pragmatic, simplification reduces costs.
  3. Rich Internet Applications – ColdFusion may or may not have pioneered the RIA paradigm, but it has played a significant supporting role to Flash and now Flex. ColdFusion natively supports Flash remoting, providing the all important data access tier.
  4. Platform Maturity – ColdFusion 8 is built upon the latest version of Java (1.6). Along with internal improvements to the ColdFusion application, this has afforded ColdFusion unprecedented speed improvements and stability.
  5. Language Maturity – with each major release of ColdFusion comes many language enhancements added to the core. This means that previous addons, for example image manipulation, which came at a premium are now standard. Adobe and other companies that produce CFML engines are now participating in a CFML advisory committee, which aims to set standards for the core language. This is not only a sign of maturity but a letter of intent by the industry that will mean your application will work on any engine, assuming no proprietary functionality is used.
  6. The Ultimate Middleware – ColdFusion sits comfortably between any backend and front end system. Be it interfacing with a host of databases, Java, .NET, COM, Corba or connecting to classic HTML or rich Flash, Flex and AJAX frontends with little or no configuration.
  7. Feature Rich – what other web technology natively supports PDF generation, charting, enterprise-level search, AJAX, image manipulation, Atom and RSS creation, Zip and JAR file manipulation, a server monitor, Flex integration, encryption libraries, all important database connectors, webservice creation, XML manipulation, inbuilt reporting application (similar to Crystal Reports), email, FTP to name but a few? I hazard a guess at none, unless you’re happy to pay a premium.
  8. Platform Independent – since ColdFusion 6, when Macromedia redeveloped the entire application in Java, ColdFusion has been platform independent. You can install it on practically any machine.
  9. OpenSource Alternatives – BlueDragon and Railo are both significant alternatives to Adobe ColdFusion and both have opensource alternatives, the latter of the two having recently joined the JBoss community. Adobe are also considering providing a free edition to academic institutions.
  10. The Future – many commentators have mentioned Hibernate as a significant addition to the next release of ColdFusion, version 9. But having seen the prerelease notes, that is not all that will be added. Alas I’m under NDA, but rest assured, there is going to be a significant intake of breath when developers get hold of the next release. ColdFusion 8 was firmly geared towards middle management with fuzzy additions, ColdFusion 9 is set to re-address the balance with compelling language and functionality enhancements.

ColdFusion evangelism needs to step up a gear! Adobe certainly doesn’t afford much marketing budget to the product, prefering The Community do the hard work. It is not always easy convincing the decision makers that ColdFusion is a good product of choice, without Adobe’s unnerving support, but we have to work hard, break down those barriers, encroach on events outside the comfortable sphere of the ColdFusion world and demonstrate ColdFusion’s match-winning ability.

ColdFusion isn’t dying, it’s simply niche. Every niche has its place.

UPDATE: If you would like to view the ensuing debate regarding ColdFusion prompted by Aral Balkan, feel free to do so. This post should serve as a positive reminder of ColdFusion’s virtues, alongside the need for a balanced and polite debate.

ColdFusion Becomes a Teenager

10th July 2008 in Adobe ColdFusion, ColdFusion, Miscellaneous by Simon | 1 comment

Today ColdFusion moved into the next stage of its life and became a teenager, hopefully not a precocious one!

Happy 13th Birthday ColdFusion.

Adobe ColdFusion has had a long and illustrious life. The first version of ColdFusion–written almost entirely by one person, JJ Allaire and then called “Cold Fusion”–was released in 1995. This first version, although revolutionising how web applications were built, was primitive by modern standards, doing little more than database access.

Although originally built in Visual C++, Allaire, around 1999, took the decision to rewrite the entire ColdFusion engine in Java–a project named “Neo”–which would allow for greater portability among different platforms. The rewrite, released under the monicker MX 6, would prove to be somewhat problematic and a wholescale update to the version resulted.

In 2001 Allaire was acquired by Macromedia. This union brought with it the integration of Macromedia’s Flash platform via Flash Remoting; a huge step towards rich Internet applications.

In 2005 it was the turn of Macromedia to be acquired and they merged with Adobe. A period of instability in the ColdFusion world resulted, brought about by the knowledge that Adobe was a company that developed tools, not programming languages. However, following a successful release of ColdFusion 8 in 2007 and the announcement that a version 9 would be developed, code-named “Centaur”, fears about ColdFusion’s future have subsided–albeit the continued debate over “ColdFusion is Dead” remains boiling in the background.

The primary distinguishing feature of ColdFusion is its associated scripting language, ColdFusion Markup Language (CFML), which compares favourably to its rivals, JSP, ASP.NET, or PHP and resembles HTML in syntax. “ColdFusion” is often used synonymously with “CFML”, but it should be noted that there are additional CFML application servers besides ColdFusion, and that ColdFusion supports programming languages other than CFML, such as server-side Actionscript and embedded scripts that can be written in a JavaScript-like language, known as CFScript. Adobe ColdFusion also includes native support for Flex, PDF, Verity and the embedded Derby database amongst a host of other features.

ColdFusion 9 is set to be an exciting release, much like its predecessor, with more features added to the core tag set, whilst also integrating other technologies such AIR and Hibernate.

Exciting times lay ahead. Let’s hope Adobe takes full advantage with such a fine product.

See Also:

ColdFusion Is Hotting Up in the UK

27th June 2008 in Adobe ColdFusion, BlueDragon, ColdFusion, Coldspring, Flex, Frameworks, Fusebox, Mach-II, Model-Glue, Railo, Silverlight, Spry by Simon | No comments

In the past, the US has held a near monopoly not only in ColdFusion-based user groups, but also conferences, with CFUnited, cf.Objective() and the more general Adobe MAX leading the way.

But the landscape is changing and the UK is challenging for its share of the scene. 2008 is seeing a renaissance in the ColdFusion world following on from the buzz created around the release of ColdFusion 8 in 2007 and the eagerly anticipated future release of ColdFusion, codenamed Centaur. This buzz has resulted in not one but three conferences for 2008: CFUnited Europe was held in London in March, Scotch-on-the-Rocks was held in Edinburgh in June and soon we will see the return of CFDevCon.

The inaugural CFDevCon one-day-conference was held back in 2006, in Croydon, but in September 2008 it is heading down to what is arguably one of the creative capitals in the south of England, Brighton. The conference has not only become a two-day conference, but its scope has moved beyond simply Adobe-based products, with the introduction of Microsoft-based technologies, specifically IIS7.0, Silverlight and SQL Server 2008 and technology-agnostic topics such as Regular Expressions, Search Engine Optimisation (SEO) and Accessibility.

As with all great conferences, CFDevCon has a great line-up of speakers with the likes of Sean Corfield, Hal Helms, Peter Elst, Peter Bell, Aral Balkan and Simon Bailey, to name a few, all presenting sessions.

So, lets get excited people, support the conferences and user groups and evangelise ColdFusion.

A Minor Rant About The ColdFusion 8 Developer Exam

24th June 2008 in Adobe ColdFusion, ColdFusion by Simon | 2 comments

The Adobe ColdFusion 8 Developer Exam arrived earlier this year and it is about time I took it. But like Ben Nadel, the exam scares me! Why? Because there is so much more to know. With the introduction of new AJAX tags, native JSON support, .NET integration, image manipulation, threading, interfaces, not to mention full PDF integration, the presentation builder and across the board enhancements, there are a lot of new things to know.

If it wasn’t for the fact that I am also an Adobe Certified Trainer, I would probably shy away from taking the exam, since, apart from showing that I have gained an Advanced level of knowledge of what’s available in the language/application, is it really relevant?

Now for the moan…

I like to prepare for exams properly. I studied hard for the CFMX6.1 and CFMX7 exams because I wanted to achieve the best result I possibly could. I don’t much like the stigma of mediocrity, so I try hard. But with the advent of the ColdFusion 8 exam, Adobe aren’t making life any easier and this isn’t because of the increased number of features. It’s because they are not supporting their exam with the appropriate study material.

In the past, Ben Forta had been commissioned to create the official developer study guide. However, according to Ben, this appears no longer to be the case (at least for now).

It beggars belief that Adobe release a product, then release a related exam, but do not have the will to produce a study guide. Yes we have the Web Application Construction Kit and Livedocs, but for me, they are either not succinct enough or not available in print. It makes it tough to study.

Clearly there is a cost issue, but Adobe Publishing can be smarter these days with their print-runs. Indeed they could even allow developers to choose between a print and PDF versions, much like Manning and many other publishers.

Perhaps Ben is busy. Surely not! But if it is the case, I’m sure there are a number of his peers that could take up the mantle. Cue…

A ray of hope…

There is a small ray of hope. There is likely to be an updated version of the popular CFMX Exam Buster by CentraSoft. Brian Simmons is working hard on the latest version.

Anatomy of the Application.cfc in ColdFusion 8

18th March 2008 in Adobe ColdFusion, ColdFusion by Simon | 11 comments

With the release of ColdFusion MX 7 came the introduction of the Application.cfc ColdFusion component. This component replaced the traditional Application.cfm and OnRequestEnd.cfm ColdFusion application templates. Furthermore, if Application.cfc is present, both of these templates are ignored by the application.

In addition to replacing the Application.cfm, the Application.cfc introduced a number of built in methods that handle specific events. These events, as discussed in detail below, allow for a greater control over events within the application.

Application Variables

The THIS scope in the Application.cfc contains several built-in variables that allow you to set the properties of the application.

The following cfscript briefly outlines the variables that you can set to control the application’s behaviour.

<cfscript>
//the application name (should be unique)
THIS.name = "ApplicationName";
//how long the application variables persist
THIS.applicationTimeout = createTimeSpan(0,2,0,0);
//define whether client variables are enabled
THIS.clientManagement = false;
//where should we store them, if enabled?
THIS.clientStorage = "registry"; //cookie||registry||datasource
//define where cflogin information should persist
THIS.loginStorage = "session"; //cookie||session
//define whether session variables are enabled
THIS.sessionManagement = true;
//how long the session variables persist?
THIS.sessionTimeout = createTimeSpan(0,0,20,0);
//define whether to set cookies on the browser?
THIS.setClientCookies = true;
//should cookies be domain specific
//i.e. *.domain.com or www.domain.com
THIS.setDomainCookies = false;
//should we try to block cross-site scripting?
THIS.scriptProtect = false;
//should we secure our JSON calls?
THIS.secureJSON = false;
//use a prefix in front of JSON strings?
THIS.secureJSONPrefix = "";
//used to help ColdFusion work with missing files
//and directory indexes. tells ColdFusion not to call
//onMissingTemplate method.
THIS.welcomeFileList = "";
//define custom coldfusion mappings.
//Keys are mapping names, values are full paths
THIS.mappings = structNew();
//define a list of custom tag paths.
THIS.customTagPaths = "";
</cfscript>

Method Summary

Below is a brief discussion of the built-in event methods available to the Application.cfc. Since the Application.cfc is a regular ColdFusion component, you can also implement your own methods alongside the built in ones (assuming the names are uniquely different).

The onApplicationStart Method

Runs when the application first starts up: when the first request for a page is processed or the first CFC method is invoked by an event.

<cffunction name="onApplicationStart" returnType="boolean" output="false">
	<cfreturn true />
</cffunction>

This method is typically used to initialise code; for example to to set variables, such as datasource, into the APPLICATION scope, or create Singleton instances of ColdFusion components.

For example:

The following example creates structures in tha application scope to store general configuration settings and Singleton objects that can be later referenced by the application framework.

<cffunction name="onApplicationStart" returnType="boolean" output="false">
	<cfscript>
	// INITIALISE CONFIGURATION VARIABLES AND APPLICATION BUSINESS COMPONENTS
	// **********************************************************************
	// LOAD COMMON SITE VARIABLES INTO APPLICATION SCOPE
	// create structure to hold configuration settings
	APPLICATION.strConfig = structNew();
	//site-wide datasource(s)
	APPLICATION.strConfig.datasource = "DatasourceName";
	// default records per page for pagination
	APPLICATION.strConfig.recordsPerPage = 15;
	// **********************************************************************
	// LOAD PERSISTENT OBJECTS INTO APPLICATION SCOPE
	// data for object instantiation
	strArgs	= structNew(); // flush strArgs
	strArgs.datasource = APPLICATION.strConfig.datasource;
 
	// create structure to hold objects
	APPLICATION.strObjs = structNew();
	APPLICATION.strObjs.objUserManager = createObject("component","com.whatley.user.UserManager").init(argumentCollection=strArgs);
	//etc...
 
	// instantiate utility service objects
	APPLICATION.strObjs.objEmailServices = createObject("component","com.whatley.service.Email");
	APPLICATION.strObjs.objFileServices = createObject("component","com.whatley.service.File");
	APPLICATION.strObjs.objQueryServices = createObject("component","com.whatley.service.Query");
	//etc...
 
	// native coldfusion objects
	APPLICATION.strObjs.objServiceFactory = createObject("java","coldfusion.server.ServiceFactory");
 
	// **********************************************************************
	return true;
	</cfscript>
</cffunction>

Since the objects above are created as Singletons, we do not have to create or destroy objects throughout the application, but simply reference the object held in memory. This is efficient, but of course, would not be suitable for per-session objects, such as shopping carts.

For example:

Referencing and invoking an object from the APPLICATION scope:

<cfinvoke object="APPLICATION.strObjs.objUserManager" method="getUser" returnvariable="qryGetUser">
	<cfargument name="userId" value="#SESSION.strUser.userId#" />
</cfinvoke>

The onApplicationEnd Method

Runs when the application stops: when the application times out or the service is stopped.

<cffunction name="onApplicationEnd" returnType="void" output="false">
	<cfargument name="applicationScope" required="true" />
</cffunction>

This method is typically used to clean-up currently activities, save the current state of the application to a database or log the application’s end to a file. The latter can be useful to help determine when and why an application ended.

Below is a simple example of how you could implement a simple log:

<cffunction name="onApplicationEnd" returnType="void" output="false">
	<cfargument name="applicationScope" required="true" />
        <cflog file="#THIS.Name#" type="Information"
        	text="Application #ARGUMENTS.applicationScope.applicationName# Ended" />
</cffunction>

Notes:

  • The method is not associated with an individual request so you cannot use it to display data to a user.
  • If you call this method explicity, ColdFusion does not end the application, but does execute the code within the method.
  • The method can access the SERVER scope directly, but does not have access to the SESSION and REQUEST scopes.

The onMissingTemplate Method

Triggered when the user requests a ColdFusion template that doesn’t exist.

<cffunction name="onMissingTemplate" returnType="boolean" output="false">
	<cfargument name="targetpage" required="true" type="string" />
	<cfreturn true />
</cffunction>

ColdFusion invokes this method when it encounters a file not found condition, that is, when a URL specifies a CFML page that does not exist. This is an important addition to ColdFusion 8 and allows missing template errors (also known as HTTP 404 errors) to be captured more efficiently by the application framework.

The onRequestStart Method

Runs before the request is processed.

<cffunction name="onRequestStart" returnType="boolean" output="false">
	<cfargument name="thePage" type="string" required="true" />
	<cfreturn true />
</cffunction>

This method is great for user authorisation and login handling and for request specific variable initialisation. For example, you could use this method to log statistics to a database (performance and usage).

As this method runs at the beginning of a request, we can also use it to fire other events. In the example below, I reinitialise the Application which enables me to refresh objects held in memory that may have changed during code development or release.

<cffunction name="onRequestStart" returnType="void" output="false">
	<cfscript>
	//flush the application scope
	if ((CGI.server_name == "localhost") || (structKeyExists(URL,'refresh') && structKeyExists(URL,'password') && URL.password == "p455w0rd"))
	{
		onApplicationStart();
	}
	return true;
	</cfscript>
</cffunction>

The onRequest Method

Runs before the request is processed, but after onRequestStart.

<cffunction name="onRequest" returnType="void">
	<cfargument name="thePage" type="string" required="true" />
	<cfinclude template="#ARGUMENTS.thePage#" />
</cffunction>

This event handler provides an optional request filter mechanism for ColdFusion page requests. Use it to intercept requests to target pages and override the default behavior of running the requested pages. You can use this method to do preprocessing that is required for all requests. Typical uses include filtering and modifying request page contents (such as removing extraneous white space), or creating a switching mechanism that determines the exact page to display based on available parameters.

The onRequestEnd Method

Runs at the end of the request when all pages have been processed.

<!--- Runs at end of request --->
<cffunction name="onRequestEnd" returnType="void" output="false">
	<cfargument name="thePage" type="string" required="true" />
</cffunction>

This method can be useful for gathering performance metrics, or for displaying dynamic footer information (although I wouldn’t generally put display code in an Application.cfc).

For example:

Log the CGI variables to a database table.

<cffunction name="onRequestEnd" returnType="void" output="false">
	<cfset var qryInsertStats = queryNew('tempCol')>
	<cfquery name="qryInsertStats" datasource="#APPLICATION.strConfig.datasource#">
	INSERT INTO tbl_site_stats (template,query_string,referer,user_agent,remote_addr,datetime)
	VALUES
	(
		<cfqueryparam value="#CGI.PATH_INFO#" cfsqltype="cf_sql_varchar" />
		<cfqueryparam value="#CGI.QUERY_STRING#" cfsqltype="cf_sql_varchar" />
		<cfqueryparam value="#CGI.HTTP_REFERER#" cfsqltype="cf_sql_varchar" />
		<cfqueryparam value="#CGI.HTTP_USER_AGENT#" cfsqltype="cf_sql_varchar" />
		<cfqueryparam value="#CGI.REMOTE_ADDR#" cfsqltype="cf_sql_varchar" />
		<cfqueryparam value="#now()#" cfsqltype="cf_sql_datetime" />
	)
	</cfquery>
</cffunction>

The onError Method

Triggered when an error is encountered that is not caught by a try/catch block.

<!--- Runs on error --->
<cffunction name="onError" returnType="void" output="false">
	<cfargument name="exception" required="true" />
	<cfargument name="eventname" type="string" required="true" />
	<cfdump var="#ARGUMENTS#" />
        <cfabort />
</cffunction>

This method is used to handle errors in an application-specific manner. This method overrides any error handlers that you set in the ColdFusion Administrator or in cferror tags. It does not override try/catch blocks.

For example:

The following displays a friendly, static error page to the user if it is not a development server whilst also logging the error. If the error is on development, simply dump the error to screen for debugging.

<cffunction name="onError" returnType="void" output="true">
	<cfargument name="exception" required="true" />
	<cfargument name="eventName" type="string" required="true" />
	<cfif CGI.server_name neq "localhost" and CGI.server_name neq "127.0.0.1">
		<!--- Live application, handle error --->
		<cfinclude template="error/error.htm">
		<!--- Log all errors. --->
	        <cflog file="#THIS.Name#" type="error"
	            text="Event Name: #ARGUMENTS.Eventname#" >
	        <cflog file="#THIS.Name#" type="error"
	            text="Message: #ARGUMENTS.Exception.message#">
	        <cflog file="#THIS.Name#" type="error"
	            text="Root Cause Message: #ARGUMENTS.Exception.rootcause.message#">
	<cfelse>
		<!--- dump error for Staging and Development --->
		<cfif len(ARGUMENTS.eventName)>
			<cfdump var="#ARGUMENTS.eventName#" />
		</cfif>
		<cfdump var="#ARGUMENTS.exception#" />
	</cfif>
</cffunction>

The onSessionStart Method

Runs when your session starts.

<cffunction name="onSessionStart" returnType="void" output="false">
</cffunction>

This method is used for initialising SESSION-scoped data, such as a shopping basket and application form.

For example:

<cffunction name="onSessionStart" returnType="void" output="false">
	<cfscript>
	SESSION.start = now();
	SESSION.strShoppingBasket = structNew();
	SESSION.strShoppingBasket.items = 0;
	</cfscript>
</cffunction>

The onSessionEnd Method

Runs when session ends

<cffunction name="onSessionEnd" returnType="void" output="false">
	<cfargument name="sessionScope" type="struct" required="true" />
	<cfargument name="appScope" type="struct" required="false" />
</cffunction>

Use this method for any clean-up activities when the session ends. A session ends when the session is inactive for the session time-out period. You can, for example, save session-related data, such as shopping basket contents or whether the user has not completed an order, in a database, or do any other required processing based on the user’s status. You might also want to log the end of the session, or other session related information, to a file for diagnostic use.

Adobe Livedocs has a whole section dedicated to the Application.cfc.

I have created an example Application.cfc, which is available for download.

Microsoft SQL Server 2005 JDBC Driver 1.2

14th March 2008 in Adobe ColdFusion, ColdFusion, Java, SQL Server 2005 by Simon | 2 comments

Download the SQL Server 2005 JDBC Driver 1.2, a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in J2EE (Java2 Enterprise Edition).

This release of the JDBC Driver is JDBC 3.0 compliant and runs on the Java Development Kit (JDK) version 1.4 and higher. It has been tested against all major application servers including BEA WebLogic, IBM WebSphere, JBoss, and Sun.

The Java Behind a ColdFusion Array and Structure

12th March 2008 in Adobe ColdFusion, BlueDragon, ColdFusion, Java, Railo by Simon | 2 comments

Following a conversation with a friend regarding how ColdFusion handles arrays and structures in ‘the background’, I was interested to find out what Java classes each were mapped to. This was a relatively simple case of using the functions getClass(), getSuperClass() and getName() to parse out the name of the Java classes.

<!--- Arrays (repeat up the hierarchy) --->
<cfdump var="#arrayNew(1).getClass().getName()#">
<cfdump var="#arrayNew(1).getClass().getSuperClass().getName()#">
<!--- Structures (repeat up the hierarchy) --->
<cfdump var="#structNew().getClass().getName()#">
<cfdump var="#structNew().getClass().getSuperClass().getName()#">

What became immediately apparent was that both were handled differently. In the case of a ColdFusion array, the parent class was the java.util.Vector, which seemed obvious. The Vector class implements a growable array of objects. Like an array, it contains components that can be accessed using an integer index. However, the size of a Vector can grow or shrink as needed to accommodate adding and removing items after the Vector has been created.

ColdFusion structures, however, are handled entirely differently, with the parent class being a coldfusion.runtime class. In fact, as we can see below, the code to handle a ColdFusion structure is entirely written for ColdFusion until the root class of java.lang.Object. Clearly ColdFusion does some complex wizardry to handle the complex nature of structues (associative arrays).

The class hierarchy for an Adobe ColdFusion array:

java.lang.Object
	java.util.AbstractCollection
		java.util.AbstractList
			java.util.Vector
				coldfusion.runtime.Array

The class hierarchy for an Adobe ColdFusion structure:

java.lang.Object
	coldfusion.util.CaseInsensitiveMap
		coldfusion.util.FastHashtable
			coldfusion.runtime.Struct

Being an inquisitive person, I applied the same code to Railo and BlueDragon, with equally interesting results.

The Java class hierarchy behind a Railo array:

java.lang.Object
	railo.runtime.type.ArrayImpl

The Java class hierarchy behind a Railo structure:

java.lang.Object
	railo.runtime.type.StructImpl

The Java class hierarchy behind a BlueDragon array:

java.lang.Object
	com.naryx.tagfusion.cfm.engine.cfData
		com.naryx.tagfusion.cfm.engine.cfJavaObjectData
			com.naryx.tagfusion.cfm.engine.cfArrayData
				com.naryx.tagfusion.cfm.engine.cfArrayListData

The Java class hierarchy behind a BlueDragon structure:

java.lang.Object
	com.naryx.tagfusion.cfm.engine.cfData
		com.naryx.tagfusion.cfm.engine.cfJavaObjectData
			com.naryx.tagfusion.cfm.engine.cfStructData

Adendum: Ben Nadel has a good little post on ColdFusion Data Types from Different Sources and How ColdFusion Sees Them.

New Atlanta Open-Sources BlueDragon

11th March 2008 in Adobe ColdFusion, BlueDragon, ColdFusion by Simon | No comments

New Atlanta is announcing today, at CFUnited Europe, a ColdFusion technology conference in London, U.K., that they will be creating and distributing a free open-source Java Platform, Enterprise Edition (Java EE) version of BlueDragon, their ColdFusion-compatible web application server.

You can read the full release here:

http://www.newatlanta.com/products/bluedragon/open_source/faq.cfm

Will Adobe follow suit with their ColdFusion server technology? They have done similar things with the BlazeDS, so it stands to reason that ColdFusion could follow the same route.

Terrence Ryan sees things differently, however, and has a good article here:

Yawn, BlueDragon Goes Open Source.