We just deployed a new bleeding edge CF architecture last month. I’m going to be blogging about it, and a lot more this year. Stay tuned!
I know what you are thinking. Not another ColdFusion 10 security post!
This one is serious. You need to be aware as it will, most likely, impact your application.
The issue is simple, and logically CF 10's fix makes sense, except that it breaks backward compatibility and makes some things harder on us.
Let’s work through the use case.
In an ideal world, your application would allow UserA with UsernameA to login to your application. If UserB used the same UsernameA, it should either give an error saying that UsernameA is in use, or kick UserA off and allow UserB in. This second scenario, kicking the user off, is the default in CF10.
Normally, you would think this is a good thing. Users shouldn’t share usernames anyways, right? Well, kinda.
Adobe’s assumption that this is the ONLY use case is incorrect. There are valid scenarios where users share usernames. But beyond that, let’s say you do a lot of server-side functional testing using Selenium or JMeter, and you have a single login for the script to use: as soon as user2 logs in, user1 is kicked out. This is what happened to us – all our server side tests started failing in CF10.
And lastly, what if you are a developer, and need to login on two different browsers, say IE and FF, to compare how the screen looks as part of your standard browser compatibility testing? Suddenly you can’t – because one will log out the other.
This change has a great impact on the way we do business as developers. You now have to support multiple logins, and in the case of a JMeter test where the script ramps up to 20 concurrent users, provide twenty different logins. And then imagine deleting all that test data. The list of additional work goes on.
One idea that has been floated, and that I support, is to make this functionality optional. I would love to set this up to make it optional for my test accounts. The way I see that is a conditional setting in onSessionStart. Obviously there are other ways to skin this cat.
The downside to this is that it halts all sorts of testing for our app and our migration to CF10 is seriously tainted.
You can do a couple of things. Vote here: https://bugbase.adobe.com/index.cfm?event=bug&id=3339008. And contact Shilpi Khariwal https://twitter.com/shilpikm – ColdFusion Security Czar.
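To make the trade-off concrete, here is an added example (not from this post and not ColdFusion's or Adobe's implementation) written in Python that models the three policies an application can apply when a username that already has a live session logs in again: reject the second login, evict the earlier session (the CF10 default described above), or allow concurrent sessions for accounts explicitly marked that way, which is the kind of per-account exemption proposed for test accounts. The `SessionStore` class, the `overrides` table and the account names are assumptions made for the example.

```python
"""Model of concurrent-login policies for a single username.

Constructed example: this is not ColdFusion code and not Adobe's
implementation; it only models the behaviour the post describes.
"""
from dataclasses import dataclass, field
import secrets

REJECT = "reject"  # refuse the second login while the first is active
EVICT = "evict"    # invalidate the earlier session (the CF10 default, per the post)
ALLOW = "allow"    # permit concurrent sessions (e.g. shared test accounts)


class DuplicateLogin(Exception):
    """Raised under the REJECT policy when the username already has a live session."""


@dataclass
class SessionStore:
    default_policy: str = EVICT
    # Hypothetical per-account override, e.g. the single account a JMeter script uses.
    overrides: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # session token -> username
    by_user: dict = field(default_factory=dict)   # username -> set of live tokens

    def policy_for(self, username):
        return self.overrides.get(username, self.default_policy)

    def login(self, username):
        policy = self.policy_for(username)
        live = self.by_user.setdefault(username, set())
        if live and policy == REJECT:
            raise DuplicateLogin(f"{username} already has an active session")
        if live and policy == EVICT:
            # Kick the earlier session(s) off before issuing the new one.
            for token in list(live):
                self.logout(token)
        token = secrets.token_hex(16)  # unguessable session identifier
        self.sessions[token] = username
        live.add(token)
        return token

    def logout(self, token):
        username = self.sessions.pop(token, None)
        if username is not None:
            self.by_user[username].discard(token)

    def is_active(self, token):
        return token in self.sessions


def demo():
    """Log the same user in twice under each policy.

    Returns {policy: (first_session_still_active, second_session_active)}.
    """
    results = {}
    for policy in (REJECT, EVICT, ALLOW):
        store = SessionStore(default_policy=policy)
        first = store.login("UsernameA")
        try:
            second = store.login("UsernameA")
            results[policy] = (store.is_active(first), store.is_active(second))
        except DuplicateLogin:
            results[policy] = (store.is_active(first), False)
    return results


def override_demo():
    """EVICT by default, but a constructed test account is exempted via ALLOW.

    Returns (test_first, test_second, normal_first, normal_second) activity flags.
    """
    store = SessionStore(default_policy=EVICT, overrides={"jmeter_user": ALLOW})
    t1 = store.login("jmeter_user")
    t2 = store.login("jmeter_user")
    n1 = store.login("UsernameA")
    n2 = store.login("UsernameA")
    return (store.is_active(t1), store.is_active(t2),
            store.is_active(n1), store.is_active(n2))


if __name__ == "__main__":
    print(demo())           # {'reject': (True, False), 'evict': (False, True), 'allow': (True, True)}
    print(override_demo())  # (True, True, False, True)
```

The override table is the point of the example: the protective default (one live session per username) stays in place for real users, while only the accounts you deliberately list, such as a load-test login, forgo it. Anything on that list gives up the protection, so it belongs in test environments rather than production.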
Well, this didn’t take long!
I installed CF10 locally, and forgot the password over the weekend. So I did what every other developer does: play with ‘neo-security.xml’ and set ‘admin.security.enabled’ to false. Once I restarted the ColdFusion service, I was able to get into my CF Admin just fine.
But, here is where it gets interesting. Under Security->Administrator, the “No authentication needed (not recommended)” option was selected. Naturally, I changed that to “Use a single password only (default)”. Below that under “Root Administrator Password”, I entered the new passwords and hit ‘Submit Changes’ and CF Admin rejected me saying: “Password could not be changed as the old password is incorrect.”
Below where I set the new password is an input box for “Old Password”. Well – I don’t know the old password! So the old password field is required, regardless of whether you have forgotten it or not.
So I’m stuck. To close the big security hole of people being able to log into my CF Admin, I set the option to “Use a single password only (default)” without setting a new password, and suddenly my CF Admin requires a password. Hackers can’t get in, but neither can I.
Basically, I’m stuck until Adobe fixes this. After some searching I found a bug logged in May for this. PLEASE VOTE: https://bugbase.adobe.com/index.cfm?event=bug&id=3187494.
All I can do now is set the xml to false, restart CF, make my changes, and set the option to require a password. Not fun.
Does anyone have a workaround? Make sure to vote!
Usually, when I add a new website under IIS, I create a new instance in CF9, and use WSConfig to map the instance to the website. It’s a straightforward process.
With CF10, I can’t seem to find any documentation on how to do that. Running WSConfig no longer has an option with a drop-down of instances, so I was left scratching my head.
Adobe’s notes @ http://help.adobe.com/en_US/ColdFusion/10.0/Installing/WSc3ff6d0ea77859461172e0811cdec18a15-7ffb.html have no mention of instances.
After much digging, I figured out that you cannot use the Web Server Configuration Tool in the Windows menu; rather, you have to go to <cf dir>\<instance dir>\runtime\bin, run wsconfig.exe, and select the right website from the drop down.
Essentially, every time you create a new instance, you have a new wsconfig.exe that you will use to connect that instance to a website. The one in the Windows menu is only for the cfusion instance, which makes it useless if you are used to a more advanced setup, and this is not documented very well.
Why in the world, when you had the flexibility before, was that taken away and not documented well? Adobe!!!
No, I’m not going to speak about the lack of CF developers. Quite the opposite, I think there are plenty out there. The quality? Well, that’s what we’ll mention here.
Over the past 8 years, at my current position as an executive who also develops actively, I’ve reviewed probably over 300 resumes, and phone interviewed over 200 CF folks alone from all over the world. There are some things you learn along the way as a hiring manager – how the market for talent works, the general capabilities of CF developers, and what their typical strengths and weaknesses look like.
I did want to mention two recent resumes and hiring experiences that both went south. This is advice for all CF folks, as I’ve waited to write this to make sure nothing I said would be personal or negative, rather that I could put a positive spin on things and give advice.
As a developer, there really needs to be a focus on self-improvement. In most cases, I don’t find that – I’m surprised how many people “settle.” For me, ColdFusion enables me each and every day to accomplish an overall vision I have for the projects that I work on – ColdFusion is not the goal in and of itself, nor is it the paycheck that drives me. I couldn’t work in an environment which gave me access to ColdFusion, but restricted my ideas on how to improve the projects I worked on, or paid me a high salary – but denied me a voice.
Very few developers (roughly 2% from experience) have anything to show for self-improvement. Have they kept up on blogs, read books, attended a conference, tried new techniques, improved their understanding of object-oriented (if not aspect-oriented) programming? What drives them? The answer I usually get is that they are interested in new techniques and approaches, it’s just that their work environment never provided them the opportunity to do so. This to me is a red flag – I expect any serious developers to have their own work environment at home, and work on their own pet projects on the side.
But I tend to forgive the developers, and blame the management in those companies for not fostering innovation. How often do folks meet to exchange ideas in your department, present on new findings, and are given time to develop new ideas on their own? As a manager, I think less about micro-managing or macro-managing, but finding opportunities for my folks to shine. I want to always market my team to the rest of the company as a high performing, well motivated team.
And that’s what sets our company apart, and that is also what leads to problems in hiring. I often talk, in the first round of interviews, about my philosophy, how the team is run, and how we’re simply different. This gets people VERY excited and I get them thinking about how they can contribute to this environment, what skills they bring, and what they’d like to learn. I often tell them that they can expect the first 90 days to be like a tidal wave – we use so many bleeding edge ColdFusion techniques (the right ones, not all), that it can be very overwhelming.
The problem occurs when people come with years of experience, but that doesn’t necessarily translate to years of accomplishments. You may have worked for 12 years as a ColdFusion developer, in senior roles even, but if you have never touched a framework, then that is a problem. One year of experience here, I often say, is worth 3-5 at other places.
If you are serious about getting better as a developer, then you have to find an environment that is going to support (and push) you. That in itself is worth a lot.
And that’s where the problem is. I recently got two resumes from folks – who each had 12+ years of CF development experience, but I could not say they were truly senior (in my perspective). Regardless, I was willing to offer opportunities to them as Senior folks, with the understanding that they would be able to pick up all the exciting things I talked about.
And then… the focus turned to salary. Do you want to guess what both of them were asking for? Well, here it is – $130K-$135K annually plus benefits.
I was dumbfounded. I am in no position to offer that kind of salary to anyone. Heck, even I don’t make that kind of money, and I’m a Director! You have to do your research: we’re a small company (less than 50 folks), and you have to add the value given by a supportive work environment.
I’m not saying we can’t attempt to meet your needs, but seriously… You know that old saying – you dress for the position you want, not the one you have? Well, that applies to CF developers as well. If you feel you’re worth a ton of money, then exhibit the qualities of a world-class developer. If I asked you to rate yourself on the scale of journeyman to master – where would you fall? Do you have experience leading a sophisticated team – often times filled with people who are smarter than you? No. Have you worked with OO frameworks in CF for 9 years like me? No. (I celebrate my 9 year anniversary with Mach II next month!) Are you a master of both the back-end and front-end languages? No. Do you have the communication skills to interface with all sorts of different stakeholders? No.
So what then qualifies you to ask for that much? Well – the answer usually is: “I can make that much consulting.” Well, if you want to pay for your own health insurance, forgo benefits, and work in an environment that really is not going to make you a better developer, and for a company that isn’t truly committed to ColdFusion as a development platform of choice, then go ahead. But if you want to earn a real salary, and be given the opportunity to prove yourself, and work your way up the ladder, then I’m here to support you and am all for that. But be real.
There is nothing at my company that says you can’t make that kind of money, with benefits and possible bonuses; it’s quite possible. But you’ve got to also have the pedigree and focus to enable that. If you’re overly focused on salary, then I’m sorry – I have something to offer that is worth so much more.
There is probably more to say, but I’ll stop here. I’ve probably already said too much.
Back in California this week. Look forward to blogging again!
In case you didn’t know, ColdFusion 10 was released today. More information can be found @ http://www.adobe.com/products/coldfusion-family.html.
jQuery made a big announcement today! Looks like good news. Now if they could only get the plugins site back up! Jeez, it’s been long enough already!
What an amazing seven years. This past year I’ve been so busy, I’ve rarely had a chance to blog. Ok, well, I blame Twitter.
I joined eCivis in 2005, and made their leading product, in my humble opinion, a world-class ColdFusion-based SaaS application. I’ve learned so much through the years, and have had the opportunity to climb the ladder at eCivis during that time.
Managing and growing the same app over seven years is an amazing experience: you really learn how to code with the future in mind, and you learn amazing ways to refactor and optimize code. Some of what I’ve done is so unique that many people said it’s impossible with ColdFusion. eCivis really nurtured my love affair with technology and product management.
Some of you may know, I’ve been pursuing a third bachelors degree on the side. In October, I had a big decision to make about my future and completing my degree. After speaking with my boss, who was very supportive, I made the hardest decision of my life.
Today, I’m 3000 miles away from home – in another country – pursuing a specialized certificate in an ancient foreign language to complete my degree. I’m among a handful of people who get accepted to study this way – it’s close to 4 years of study in a 6 month intensive format.
I left Southern California and it was 74 degrees in December, and when I got to my destination, the wind chill was -24 degrees Celsius. I’ve dragged my family along, and have moved to working part-time – just barely enough hours to make sure the goals I’ve set for the company and my team get met, and we still have a successful year despite my absence. I believe in them, and they continue to rock on without me.
I’ll have my head down and studying for the next 6 months. Forgive the radio silence. I’m nervous and excited – who knows what the future holds. Whatever it is, I think it will always include ColdFusion.
Sorry folks – been swamped. Have some news and updates to my recent posts coming soon. Stay tuned!