Secure Your Application – PCI DSS Specifications

Monday, 26th January 2009 in Development, Technology by Simon | 5 comments

PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. A company processing, storing, or transmitting cardholder data must be PCI DSS compliant.

Types of Data on a Payment Card

The PCI SSC (Council) is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.

All in-scope companies must validate their compliance annually. This validation can be conducted by Qualified Security Assessors, i.e. companies that have completed a three-step certification process by the PCI SSC which recognises them as being qualified to assess compliance to the PCI DSS standard. However, smaller companies have the option to use a Self-Assessment Questionnaire. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant’s region.

The current version of the standard specifies 12 requirements for compliance, organised into 6 logically related groups, which are called “control objectives.”

  1. Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  3. Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  4. Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  5. Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  6. Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

Compliance with these requirements can be summarized into 3 main stages:

  • Collecting and storing: Secure collection and tamper-proof storage of all log data so that it is available for analysis.
  • Reporting: Being able to prove compliance on the spot if audited and present evidence that controls are in place for protecting data.
  • Monitoring and alerting: Have systems in place such as auto-alerting, to help administrators constantly monitor access and usage of data. Administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself –- there must be proof that log data is being collected and stored.

What does this actually mean for web application developers?

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time. If you follow the guidelines below, you will go along way to securing you application in line with the PCI DSS regulations. Many of the measures apply to general application security, but since PCI DSS is all about security, they are worth mentioning.

Server-level Security:

  • Separate web- and database-servers on to different physical machines.
  • Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
  • Keep servers up-to-date with the latest patches and software releases.
  • Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
  • Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
  • Secure the database server behind a firewall.

Application-level Security:

  • Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
  • Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
  • Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
  • General settings in the ColdFusion Administrator:
    • Check the Disable access to internal ColdFusion Java components option.
    • Check the Enable Global Script Protection option.
    • Add a Missing Template Handler.
    • Add a Site-wide Error Handler.
    • Reduce the Maximum size of post data from 100MB.
    • Enable Timeout Requests, and set to 60 seconds or less.
    • Disable Robust Exception Handling on production servers.

Web Application-level Security:

  • Use secure HTTP to transfer data and/or when logged into ‘administration’ secutions of your web application.
  • Timeout sessions after 15 minutes and on browser close.
  • Provide multi-level login processes. For example, lock the application after 3 failed attempts for a period of 10 minutes.
  • Do not identify whether the username or password are incorrect, simply notify the user that their login failed and that they must try again.
  • Encrypt passwords stored in the database with a standard such as SHA-256 or ’stronger’.
  • Use CAPTCHAs (textual and aural) to prevent automated robots hacking into your application.
  • Run regular penetration tests on your application to identify potential problems.
  • Encrypt credit card information held in the database or other storage mechanism. Only store credit card data in line with the PCI DSS regulations.

Code-level Security:

  • Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
  • CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times. There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.
  • Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
  • Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Conclusion

The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored or transmitted by merchants. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorisation. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip – and personal identification numbers entered by the cardholder.

By following the points made above, you will go a long way to meeting the PCI DSS guidelines, whilst also securing your infrastructure and applications in a more general sense.

Caveat: The views and comments written in this article are provided as a guideline. I hold no responsibility for the security of your applications and data based upon the information provided.

How to Protect Your Website from a Malicious Attack

Monday, 18th August 2008 in Development by Simon | 2 comments

Every seasoned developer will know that protecting your website from a hacker is a top priority, whether for your own reputation or for maintaining your company’s reputation and log-term revenue prospects.

Why should you be worried about security?

The Web is changing many of the assumptions that people have historically made about computer security and publishing. As the Internet makes it possible for web servers to publish information to millions of users, it also makes it possible for computer hackers, crackers, criminals, vandals, and other “bad guys” to break into the very computers on which the web servers are running. Once subverted, web servers can be used by attackers as a launching point for conducting further attacks against users and organisations.

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time.

This blog post started on the premise of protecting your website from a SQL Injection Attack. However, it is also appropriate to discuss, at a relatively high level, how to secure your server architecture and applications.

Server-Level Security

  • Separate web- and database-servers on to different physical machines.
  • Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
  • Keep servers up-to-date with the latest patches and software releases.
  • Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
  • Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
  • Secure the database server behind a firewall.

Application-Level Security

  • Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
  • Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
  • Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
  • General settings in the ColdFusion Administrator:
    • Check the Disable access to internal ColdFusion Java components option.
    • Check the Enable Global Script Protection option.
    • Add a Missing Template Handler.
    • Add a Site-wide Error Handler.
    • Reduce the Maximum size of post data from 100MB.
    • Enable Timeout Requests, and set to 60 seconds or less.
    • Disable Robust Exception Handling on production servers.

Code-Level Security

  • Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
  • CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times. 
    <cfquery name="qry" datasource="#APPLICATION.dsn#">
SELECT column1, column2, column3
FROM tableName
WHERE column4 = <cfqueryparam value="#variable1#" cfsqltype="cf_sql_bit" />
AND column5 LIKE <cfqueryparam value="%#variable2#%" cfsqltype="cf_sql_varchar" maxlength="200" />
AND column6 IN (<cfqueryparam value="#variable3#" cfsqltype="cf_sql_integer" list="true" />)
</cfquery>

    There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.

  • Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
  • Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Additional Resources

Configuring ColdFusion 8 with Apache

Friday, 16th November 2007 in Development by Simon | 4 comments

After installing ColdFusion 8 and Apache successfully you may still see an “HTTP 500 Internal Server Error” when navigating to a ColdFusion page. All is not lost, you simply need to configure, or check the configuration of Apache.

Apache requires very little post installation modification, but it is always good practice to check the httpd.conf file to ensure that the ColdFusion “install” scripts did what they were supposed to do.

If you haven’t confirmed that Apache is running, open your browser and point it to http://localhost/ (unless you specified a real URL during installation). You should see the Apache test page. If you see an error, review the Apache installation steps to make sure you followed all the steps correctly, and/or check your log files for more detailed errors.

Now we know Apache is running, but how about ColdFusion? Point your browser to the ColdFusion Administrator found commonly at http://localhost/CFIDE/administrator/index.cfm and see what happens. One of three possible failures could occur:

  1. Your browser prompts you to save the .cfm file to your computer. There a couple of possible resolutions to this. Firstly restart the Apache service. If this does not resolve the issue you will need to check the httpd.conf file to ensure that the ColdFusion module is being loaded. The file can typically be found in the C:\Program Files\Apache Software Foundation\Apache2.2\conf\ directory.
    Make sure that the DirectoryIndex has a reference to the index.cfm file (i.e. the default file):Apache dir_module DeclarationEnsure that the LoadModule jrun_module "C:/ColdFusion8/runtime/lib/wsconfig/1/mod_jrun22.so" is also present:

    Apache JRun Settings

    If you need to edit this file, restart the Apache service after you have saved the changes.

  2. You get a message that the CFIDE folder cannot be found. This is more likely to be a problem with where you placed the ColdFusion application during install. The default location is in the Apache directory (C:\Program Files\Apache Software Foundation\Apache2.2\htdocs), so check in the http.conf file to ensure the DocumentRoot is pointing correctly. Alternatively, copy this folder to your localhost webroot (e.g. C:\WebRoot) ensuring that the DocumentRoot points to your webroot (see the yellow box in the second screen-shot).
  3. You get another message which probably means that you need to reinstall ColdFusion, and/or Apache!

And that is it, you can start using ColdFusion and developing applications.

Installing ColdFusion 8 on Vista

Monday, 12th November 2007 in Development by Simon | 12 comments

A few months ago I posted an article on Installing Apache on Vista, and it proved to be extremely popular. It appears that I was not the only one who found it a non trivial matter.

Now it is the turn of ColdFusion 8. ColdFusion 8 as we well know is the latest and greatest incarnation of the ColdFusion platform from Adobe. It has a lot of great new features such as cfimage, cfzip, cfexchange, some contentious features such as cfthread and cfinterface, and some not-so-necessarily-cool new “Web 2.0″ features such as cffeed and cfajax. But since this article isn’t about any of these, I better stick to the topic.

Like my article on installing Apache, installing ColdFusion on Vista is again not a trivial matter and involves only what can colloquially described as a “shed load of steps”. I’m probably being a little harsh towards ColdFusion as many of the problems I encountered were more closely related to Apache than ColdFusion.

NB: This article will assume that you have pre-installed Apache (although you could use IIS if so compelled), turned off Vista’s User Account Control (UAC), disabled any firewalls you have installed and finally, but most importantly, you have downloaded ColdFusion from the Adobe website.

Let us begin.

  1. Find where you downloaded your copy of the ColdFusion Installer. Right-click on the executable file and specify to “Run as Administrator”. The installer should start and you should see the screenshot below. Select “English”, or which ever your language preference is, and Click “OK”.

    1. ColdFusion Installer

  2. The ColdFusion Installation progress screen may or may not be briefly displayed.

    2. ColdFusion Installation Progress

  3. The Introduction screen will be displayed. Click “Next”.

    3. Introduction Screen

  4. The License Agreement screen will then be displayed. Agree to the “I accept the terms of the License Agreement” and Click “Next”.

    4. License Agreement

  5. The Install Type screen is then displayed. You don’t need to enter a serial number unless you are installing this into a production environment. Check “Developer Edition” and Click “Next”.

    5. Install Type

  6. The Installer Configuration screen should be displayed. Since we already have Apache 2.x installed as our web server (if you want to use IIS, you will need to skip steps 11.1 and 11.2), check “Server configuration” and Click “Next”.

    6. Installer Configuration

  7. The Sub-component Installation screen should be displayed. This is one of the noticeable changes from version 7 to version 8 of ColdFusion. Hovering your mouse over each sub-component will describe in more detail what each sub-component does. If you plan to integrate .NET (especially with WebServices) or carry out Flex development then make sure that the “.NET Integration Services” and “LiveCycle Data Services” items are checked. For simplicities sake, check everything and Click “Next”.

    7. Sub-component Installation

  8. The Select Installation Directory screen should be displayed. The default directory for a Serverconfiguration will be “C:\ColdFusion8″ on a Windows machine. Click “Next” to continue.

    8. Select Installation Directory

  9. As you have chosen to install LiveCycle Data Services, you will need to agree to a further Licence Agreement screen. Click “Next”.

    9. Licence Agreement (LiveCycle Data Services)

  10. The Adobe Livecycle Data Services ES Installation screen is displayed. You will need to enter a serial number into this screen for production environments. Since I am going to assume a development environment, simply click “Next”.

    10. Adobe Livecycle Data Services ES Installation

  11. The Configure Web Servers / Websites screen should be displayed. This is the point where we want to connect ColdFusion with Apache. By default “Configure web server connector for ColdFusion” is checked. We need to add Apache so Click “Add”.

    11. Configure Web Servers / Websites

    1. The Add Web Server Configuration screen is displayed, choose Apache from the drop-down.
    2. Add the relevant Apache directory paths, e.g.:

      11-2. Add Web Server Configuration (Directory Paths)

      1. The Configuration Directory C:\Program Files\Apache Software Foundation\Apache2.2\conf
      2. The Server Binary Directory C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
  12. The Review Configured Web Server screen is then displayed. If all the settings are correct, click “Next”.

    12. Review Configured Web Server

  13. The Choose Adobe ColdFusion 8 Administrator Location screen should be displayed. Since we are using Apache for our web server then the default Directory should be pointing to C:\Program Files\Apache Software Foundation\Apache2.2\htdocs. You can alternatively point this to C:\WebRoot or wherever you have set up your web project files. Select “Next”.

    13. Choose Adobe ColdFusion 8 Administrator Location

  14. The Adminstrator Password screen is then displayed, prompting for a password. Enter one, remember it (!!) and click “Next”.

    14. Adminstrator Password

  15. The Enable RDS & Password screen is then displayed. If you want to use this, check the box and provide an additional password. Don’t use RDS in a production environment. Click “Next”.

    15. Enable RDS & Password

  16. The Pre-Installation Summary screen is then displayed, detailing your configuration. This is your last chance to go back and make changes. If everything is OK, click “Install”.

    16. Pre-Installation Summary

  17. The Installing Adobe ColdFusion 8 screen is then displayed, showing a host of marketing messages.

    17. Installing Adobe ColdFusion 8

  18. The Please Wait screen is displayed, and be prepared to wait!

    18. Please Wait

  19. The Installation Complete screen is finally displayed and indeed the installation is complete. Now for the configuration! Click “Done”.

    19. Installation Complete

  20. Configuration and Settings Migration Wizard. Open up a browser and enter the url http://localhost/CFIDE/administrator/index.cfm to begin the ColdFusion 8 Configuration and Settings Migration Wizard. Enter your password and Click “Login”.

    20. Configuration and Settings Migration Wizard

  21. ColdFusion will now begin Configuring Server, which could take any number of minutes to complete.

    21. Configuring Server

  22. Once the Configuration Complete is displayed, you can login to the ColdFusion Administrator and start working, or playing, with the new interface, settings and Server Monitor.

    22. Configuration Complete

So, that only 22 steps! That may be the longest installation process you may go through, but the power now at your finger tips to produce hugely interactive websites is a compelling reason why to choose this version of ColdFusion, or indeed ColdFusion over other products.

Eliminating Whitespace in ColdFusion

Friday, 26th October 2007 in Development by Simon | 10 comments

ColdFusion has never satisfactorily removed whitespace from generated content, however, removing this whitespace can dramatically improve your website’s performance. Take a 100KB page for example. If 20% of the page is made up of whitespace, that is 20% that is unneccessary and 20% bandwidth cost that can be saved.

Currently there are two main ways a ColdFusion developer can prevent whitespace; via the ColdFusion Administrator and by including certain tags in their code:

1. ColdFusion Administrator

Under the Server Settings > Settings menu item there is a checkbox called ‘Enable Whitespace Management’. This checkbox should always be checked. According to the description, checking this checkbox “reduces the file size of the pages that ColdFusion returns to the browser by removing many of the extra spaces, tabs, and carriage returns that ColdFusion might otherwise persist from the CFML source file.” I am yet to be convinced, but it is worthwhile enabling it.

2. ColdFusion Tags

<cfsetting enablecfoutputonly="true"></cfsetting>

The cfsetting tag controls aspects of page processing, such as the output of HTML code in pages (inside and outside the cfsetting tag body). If enablecfoutputonly is set to true, HTML output is blocked if it is not wrapped in a cfoutput tag. Therefore, this tag ‘can’ be used to minimise the amount of generated whitespace.

<cfsilent></cfsilent>

The cfsilent tag supresses output produced by CFML within a tag’s scope. Therefore, you simply need to wrap the tag around anything you don’t want to output to the browser. As it does not return anything from with in it, so you have to be a little be careful when debugging.

<cfprocessingdirective supresswhitespace="true"></cfprocessingdirective>

One of the cfprocessingdirective’s purposes is to remove excess whitespace from ColdFusion generated content in the tag body. However, it does not affect any whitespace in HTML code. You can nest the tags and toggle supresswhitespace on and off, not that I ever identify a good reason to do so.

But there is a little known third way, using a servlet filter called Trim Filter.

Servlet filters are tools available to web application developers. They are designed to be able to manipulate a request and response (or both) that is sent to a web application.

Trim Filter lets you decrease the size of file your server will send to all clients. The filter removes extra spaces and line breaks from outputted documents. This can be especially useful for WAP/WML developers working with mobile devices, where the size for transferred documents is limited.

Setting up the servlet filter in ColdFusion

Using the Trim Filter servlet filter found at the following URL:

http://www.servletsuite.com/servlets/trimflt.htm

  • Download the trimflt.jar
  • Save trimflt.jar in the WEB-INF/lib folder in the ColdFusion Server wwwroot.
  • Edit the web.xml file in the WEB-INF folder in the ColdFusion Server wwwroot with the following code:

Trim Filter

  • Restart the ColdFusion Service

And now, when a ColdFusion page is invoked, the whitespace is suppressed and wow does it do a good job.

Installing Apache on Vista

Wednesday, 8th August 2007 in Development by Simon | 53 comments

Following the purchase of a spangly new Toshiba laptop running Vista, and not one for making life simple, I decided not to run my development environment on IIS7, but rather, I wanted to install the latest version of Apache.

Installing Apache under Windows XP was relatively trivial. This is not the case under Windows Vista. The creation of the Apache service fails, but not overtly. Furthermore, the all-important conf directory can™t be set up by the installer, probably due to user permission problems.

I finally got it working with the following procedure. I used the latest version of Apache (2.2.4) and Windows Vista Business Edition.

  1. Uninstall any previous installations of Apache Web server (Start > Control Panel > Programs and Features).
    Make sure that all old Apache folders are also removed (e.g. like C:\Program Files\Apache Software Foundation\…).
  2. Turn off your firewall via the Control Panel.
  3. Stop User Account Control (UAC).
  4. Get the most recent version of Apache from http://httpd.apache.org/ and put it on your desktop, or folder of your choosing. The file I used was called apache_2.2.4-win32-x86-no_ssl.msi, but for ease, it is a good idea to rename the install file to apache.msi.
  5. Start > All Programs > Accessories Right-Click Command Prompt and choose œRun as Administrator.
  6. Via the command prompt, navigate to the folder in which the apache.msi install file is located.
  7. Type msiexec /i apache.msi on the command prompt.

    Apache Install Command Prompt

  8. Run through the Apache installer.

    Apache Install Step 1

    Apache Install Step 2

    Apache Install Step 3

    Apache Install Step 4

    Apache Install Step 5

    Apache Install Step 6

    Apache Install Step 7

    Apache Install Step 8

    Apache Install Step 9

  9. I™m running it as a development server, so I left the domain as “localhost”.
  10. Choose the default server on port 80 for all users option.
  11. The default installation directory is C:\Program Files\Apache Software Foundation\Apache2.2\, but again for ease, you could change the installation directory to C:\Apache.
  12. Reboot your computer.
  13. The little Apache feather icon won™t appear on the task bar under Vista with the present version of Apache (2.2.4). To remove the œerror box that says blank or “the operation completed successfully on startup, go to All Programs > Startup, and remove the “Monitor Apache Servers” item there.
  14. Browse to http://localhost. It should say “It works!” If it doesn’t, panick, or check your httpd.conf file by going to All Programs > Apache HTTP Server 2.2.x > Configure Apache Server > Test Configuration. Follow the directions for fixing the configuration file.
  15. Turn your firewall back on.
  16. Turn UAC back on too, if you like to be constantly bugged by control messages!

Good luck!

Poor Man’s HTTP Compression with ColdFusion

Saturday, 17th March 2007 in Development by Simon | 8 comments

An interesting article I read in the CFDJ recently was entitled Poor Man’s HTTP Compression with ColdFusion. Almost every web application will benefit from the compression of content. A compression filter optimises the size of the content that is sent from a webserver to a web browser via the Internet. Since generating content and serving pages via the World Wide Web is the core behind web applications, it is simple components that aid these processes that are incredibly useful. This is where servlet filters come into play.

Servlet filters are tools available to web application developers. They are designed to be able to manipulate the request and responses that are sent to a web application, without manipulating the servlets, static pages like HTML and, in this case, CFM pages that are being used by the web application (unless of course that is the desired response). Servlet filters act like a chain of steps that a request and response must go through before reaching the page in the application.

Compressing Content Using a Servlet Filter

Compression is a process that reduces the number of bytes required to define a document in order to save disk space or transmission time. It is extremely useful for sending information across the web, because the speed at which people receive information from a web application is dependent upon how much data you are trying to send. The smaller the amount of information that is to be sent, the faster it can be sent. Therefore, compression and the associated responsiveness is a key component to retaining users and generating revenue from those retained users.

Compression can be effectively achieved by having a servlet filter conditionally pipe the produced content to a GZip-compressed file. GZip is supported by the HTTP protocol and almost all modern browsers (hence the servlet filter conditionally compresses the content).

GZip compression usually results in a 6:1 compression ratio, although this depends on how much content is being sent and what the content is.

Setting up the Servlet Filter in ColdFusion

Using the ColdBeans servlet filter found at the following URL:

http://www.servletsuite.com/servlets/gzipflt.htm

  • Download the GZipFilter.jar
  • Save GZipFilter.jar in the WEB-INF/lib folder in the ColdFusion Server wwwroot.
  • Edit the web.xml file in the WEB-INF folder in the ColdFusion Server wwwroot with the following code: 
    <filter>
<filter-name>GzipFilter</filter-name>
<filter-class>com.cj.gzipflt.GzipFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>GzipFilter</filter-name>
<url-pattern>*.cfm</url-pattern>
</filter-mapping>
  • Restart the ColdFusion Service

Now, when you invoke any .cfm page the GzipFilter will check out client’s browser settings. If the browser does not support gzip, the filter invokes resource normally. If the browser does support gzip, output will be compressed.

ColdFusion (CFML) Engines

Monday, 27th March 2006 in Development by Simon | No comments

CFML is the name of the scripting language used by ColdFusion and several alternative server environments. It stands for ColdFusion Markup Language and is similar to HTML in appearance in that it uses tags. CFML is the code that powers ColdFusion, a program available from Adobe (formerly Macromedia), as well as such engines as BlueDragon, IgniteFusion, Railo, Coral Web Builder, DigitalLattice Orange and other web development platforms.

ColdFusion originated as proprietary technology based on Web technology industry standards. However, it is becoming a less closed technology through the availability of competing products. In fact, one could now make the argument that ColdFusion is even less platform bound than say raw J2EE or .NET, simply because ColdFusion will run on top of a .NET app server (New Atlanta), or on top of any J2EE app server (Websphere, JRun, Tomcat, etc.) In theory, you could move a ColdFusion app unchanged from a J2EE app server to a .NET app server.

Currently, alternative server platforms generally support Coldfusion MX 6.1 functionality, with minor changes or feature enhancements.

I have listed some of the alternatives in order of maturity/populrity. However, I will leave it up to you to decide which one is the best and easiest to implement. Please tell me your experiences.

BlueDragon

The BlueDragon Server family of Java-based servers (Server and Server JX) enables the stand-alone deployment of CFML. Both BlueDragon Server versions contain a built-in web server for development and testing, and each integrates with Microsoft IIS, Sun ONE/Netscape/iPlanet (JX only), and Apache web servers for deployment.

BlueDragon offers flexibility for the deployment of ColdFusion Markup Language (CFML) pages with native technology platform integration on the operating system, web server and database of your choice.

Visit the New Atlanta website at http://www.newatlanta.com to download the latest version of BlueDragon.

Railo

Railo is a ColdFusion Compiler for translating and executing of ColdFusion based websites. The Compiler translates the ColdFusion code into Java classes which can be executed on a Java server. Railo also comes with a runtime engine, which contains all necessary libraries for the translated code. Railo automatically detects wether to translate a ColdFusion file or when to use the runtime engine. You can compare Railo at best with JSP interfaces. JSP uses an other syntax but the main functionality is almost the same. Because Railo implements most of the JSP interfaces, it is highly compatible to JSP interfaces.

Visit the Railo website at http://www.railo.ch

IgniteFusion

IgniteFusion is a ColdFusion compatible script engine that runs ColdFusion scripts. In addition to Coldfusion CFML compatibility IgniteFusion has functionality that extends Coldfusion. Although in Beta, it is approaching release.

Visit the IgniteFusion website at http://www.ignitefusion.com to download the scripting engine.

BlueDragon – ColdFusion (CFML) Engine

Wednesday, 19th October 2005 in Development by Simon | No comments

The BlueDragon Server family of Java-based servers (Server and Server JX) enables the stand-alone deployment of CFML. Both BlueDragon Server versions contain a built-in web server for development and testing, and each integrates with Microsoft IIS, Sun ONE/Netscape/iPlanet (JX only), and Apache web servers for deployment.

BlueDragon offers flexibility for the deployment of ColdFusion Markup Language (CFML) pages with native technology platform integration on the operating system, web server and database of your choice.

http://www.newatlanta.com

BlueDragon is an alternative CFML engine comparable to Macromedia’s ColdFusion. It is exclusively licensed and distributed by New Atlanta from TagServlet Ltd based out of Scotland. ColdFusion is a proprietary technology based on Web technology industry standards, however, it is becoming a less closed technology through the availability of potentially competing products.

New Atlanta’s BlueDragon product, released in 2002, provides a ColdFusion MX 6.x-compatible platform to run CFML-based applications on a variety of platforms ( Windows, Linux, Mac OS, and more). While ColdFusion MX 7 offers new features not available in BlueDragon, some new features in CFMX 7 have long been in BlueDragon (such as sourceless deployment, server-based deployment on OS X, and more.)

BlueDragon 6.2 is available in four editions: BlueDragon Server and Server JX (similar to ColdFusion Standalone editions), BlueDragon for J2EE Application Servers (BD/J2EE), and BlueDragon for the Microsoft .NET Framework (BD.NET).

The first two editions are standalone servers which run on Windows, Linux, and OS X. With BD/J2EE, CFML applications can be deployed on any J2EE server, enabling integration of CFML and J2EE as enabled in CFMX. BD.NET uniquely extends the .NET framework and IIS to permit deployment of CFML applications as native .NET web applications, offering integration between CFML and ASP.NET that’s not possible with CFMX.

The Server JX, J2EE, and .NET editions of BlueDragon are commercial products which are available as 30 day unlimited trials which convert to a single-IP developer edition with no expiration. Purchase and licensing information is available on the BlueDragon site.

The Server edition, on the other hand, is free for deployment (though not for hosting, redeployment, or (as of the 6.2 release) commercial use. Intended to gain favor with those comparing to other free web application platforms, there are no differences in CFML tags supported in the free Server edition, but it supports only ODBC drivers on Windows (and only MySQL or PostgreSQL on Linux and OS X), it supports only IIS on Windows or Apache on Linux/OS X, and does not support secured (SSL) connections.

None of the limitations of the free Server edition exist in the commercial Server JX, J2EE, or .NET editions.

BlueDragon offers several advantages (tags, functions, and other functionality) not found in ColdFusion. Similarly, there are a few tags and functions found in ColdFusion that are not supported currently in BlueDragon. New Atlanta maintains a complete list of incompatibilities with Macromedia ColdFusion MX in the documentation.

The .NET edition of BlueDragon may indeed be the most compelling edition for many, since it’s something that ColdFusion MX does not support. Designed to run on Microsoft’s .NET platform, BD.NET not only enables CFML applications to leverage the powerful benefits of the .NET platform, it also opens the door to integration between CFML and ASP.NET as well as .NET objects.