Web Software Architecture and Engineering – Life on the Bleeding Edge

Archive for the ‘ColdFusion’ Category

ColdFusion 10 – Security Change – Be Aware!

I know what you are thinking. Not another ColdFusion 10 security post!

This one is serious. You need to be aware as it will, most likely, impact your application.

The issue is simple, and logically CF 10’s fix makes sense, except that it breaks backward compatibility and makes some things harder on us.

Let’s work through the use case.

In an ideal world, your application would allow UserA with UsernameA to login to your application. If UserB used the same UsernameA, it should either give an error saying that UsernameA is in use, or kick UserA off and allow UserB in. This second scenario, kicking the user off, is the default in CF10.

Normally, you would think this is a good thing. Users shouldn’t share usernames anyways, right? Well, kinda.

Adobe’s assumption that this is the ONLY use case is incorrect. There are valid scenarios where users share usernames. But beyond that, let’s say you do a lot of server-side functional testing using Selenium or JMeter, and you have a single login for the script to use: as soon as user2 logs in, user1 is kicked out. This is what happened to us – all our server-side tests started failing in CF10.

And lastly, what if you are a developer, and need to log in on two different browsers, say IE and FF, to compare how the screen looks while doing your standard browser compatibility testing? Suddenly you can’t – because one will log out the other.

The impact of this change on the way we do business as developers is great. You now have to support multiple logins, and in the case of a JMeter test where the script ramps up to 20 concurrent users, provide twenty different logins. And then imagine deleting all that test data. The list of additional work goes on.

One idea that has been floated, and that I support, is to make this functionality optional. I would love to set it up so that it is optional for my test accounts. The way I see that is a conditional setting in onSessionStart. Obviously there are other ways to skin this cat.
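To make the proposal concrete, here is an added example (not code from the post or from ColdFusion) that models the CF10 rule, one live session per username, and adds the per-account opt-out suggested above. The registry class, the account names and the set of exempt accounts are all assumptions constructed for the example.

```python
import secrets

class SessionRegistry:
    """Models CF10's behaviour: a new login with the same username evicts the
    old session, unless the username is on an explicit concurrency allow-list
    (e.g. accounts used by Selenium/JMeter scripts). Constructed for this example."""

    def __init__(self, concurrent_allowed=frozenset()):
        # usernames permitted to hold several live sessions at once
        self.concurrent_allowed = frozenset(concurrent_allowed)
        self.sessions = {}  # session_id -> username

    def login(self, username):
        """Open a session; returns (new_session_id, list_of_evicted_session_ids)."""
        evicted = []
        if username not in self.concurrent_allowed:
            # default rule: any earlier session for this username is terminated
            evicted = [sid for sid, user in self.sessions.items() if user == username]
            for sid in evicted:
                del self.sessions[sid]
        sid = secrets.token_hex(16)  # unguessable identifier for the new session
        self.sessions[sid] = username
        return sid, evicted

    def is_active(self, sid):
        return sid in self.sessions

    def active_sessions_for(self, username):
        return sum(1 for user in self.sessions.values() if user == username)
```

Interactive users keep the single-session protection, while an account listed in the allow-list can be driven by twenty concurrent JMeter threads without each login evicting the previous one.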

The downside to this is that it halts all sorts of testing for our app and our migration to CF10 is seriously tainted.

You can do a couple things. Vote here: https://bugbase.adobe.com/index.cfm?event=bug&id=3339008. And contact Shilpi Khariwal https://twitter.com/shilpikm – ColdFusion Security Czar.


ColdFusion 10 – Known Security Bug

Well, this didn’t take long!

I installed CF10 locally, and forgot the password over the weekend. So I did what every other developer does: play with ‘neo-security.xml’ and set ‘admin.security.enabled’ to false. Once I restarted the ColdFusion service, I was able to get into my CF Admin just fine.

But, here is where it gets interesting. Under Security->Administrator, the “No authentication needed (not recommended)” option was selected. Naturally, I changed that to “Use a single password only (default)”. Below that under “Root Administrator Password”, I entered the new passwords and hit ‘Submit Changes’ and CF Admin rejected me saying: “Password could not be changed as the old password is incorrect.”

Below where I set the new password is an input box for “Old Password”. Well – I don’t know the old password! So this means, the old password field is required, regardless of whether you forgot it or not.

So I’m stuck. To close the big security hole of people being able to log into my CF Admin, I set the option to “Use a single password only (default)” without setting a new password, and suddenly my CF Admin requires a password. Hackers can’t get in, but neither can I.

Basically, I’m stuck until Adobe fixes this. After some searching I found a bug logged in May for this. PLEASE VOTE: https://bugbase.adobe.com/index.cfm?event=bug&id=3187494.

All I can do now is set the xml to false, restart CF, make my changes, and set the option to require a password. Not fun.

Does anyone have a workaround? Make sure to vote!

Scratching the Seven-Year Itch

What an amazing seven years. This past year I’ve been so busy, I’ve rarely had a chance to blog. Ok, well, I blame Twitter.

I joined eCivis in 2005, and made their leading product, in my humble opinion, a world-class ColdFusion-based SaaS application. I’ve learned so much through the years, and have had the opportunity to climb the ladder at eCivis during that time.

Managing and growing the same app over seven years is an amazing experience: you really learn how to code with the future in mind, and you learn amazing ways to refactor and optimize code. Some of what I’ve done is so unique that many people said it’s impossible with ColdFusion. eCivis really nurtured my love affair with technology and product management.

Some of you may know, I’ve been pursuing a third bachelors degree on the side. In October, I had a big decision to make about my future and completing my degree. After speaking with my boss, who was very supportive, I made the hardest decision of my life.

Today, I’m 3000 miles away from home – in another country – pursuing a specialized certificate in an ancient foreign language to complete my degree. I’m among a handful of people who get accepted to study this way – it’s close to 4 years of study in a 6 month intensive format.

I left Southern California and it was 74 degrees in December, and when I got to my destination, the wind chill was -24 degrees Celsius. I’ve dragged my family along, and have moved to working part-time – just barely enough hours to make sure the goals I’ve set for the company and my team get met, and we still have a successful year despite my absence. I believe in them, and they continue to rock on without me.

I’ll have my head down and studying for the next 6 months. Forgive the radio silence. I’m nervous and excited – who knows what the future holds. Whatever it is, I think it will always include ColdFusion.

Lessons Learned: Moving from Verity to Solr (Part 8)

I’m a bit behind, but it seems a couple weeks ago Ray Camden finally approved my two CFLib entries for working with Solr.

As I mentioned in my previous posts, this is critical if you are moving from Verity to Solr, or you happen to come up against many of Solr’s little quirks.

I’m going to take a moment, and go through the UDFs here for your benefit.

First, grab them here: http://cflib.org/udf/solrClean, and http://cflib.org/udf/uCaseWordsForSolr.

Second, you’ll note that SolrClean sounds like the venerable VerityClean UDF. It’s basically meant to do something similar: take your input and sanitize it for Solr. Also, SolrClean relies on uCaseWordsForSolr.

SolrClean essentially takes your text and does the following:

  • replaces any commas with OR – so happy,sad => happy OR sad.
  • strips any double spaces
  • strips bad characters
  • cleans up sequences of space characters
  • upper cases reserved words

The last one is especially critical since Solr can treat reserved words differently based on the case used. So we change and to AND, or to OR, and that is what uCaseWordsForSolr is all about.

As a caveat – I am seeing some issues with the code, and it may or may not have to do with the UDFs. If there are any updates, I’ll let you know. My plan is to put everything up on GitHub anyway. I am also planning to work with a vendor who will take our Solr install to a whole new level, implementing, among other things: synonyms, field weighting, master/slave setup with replication, upgrading to the latest Solr version, “More Like This” functionality, caching/performance tweaks, paged search, and so much more – so stay tuned.

My Notes on Finding a SaaS Email Company

Our ColdFusion-based SaaS application sends out roughly 8,000 – 10,000 emails per day, and even more on the weekends.

I wrote the code in 2007, and since then have worked hard on improving memory usage. We optimized queries, re-worked string concatenation to use Java’s StringBuffer and StringBuilder classes, and so much more. But to tell you the truth, we always wanted to work with some other software to do the hard work for us. We have templates, to which we pass in variables and shoot that off to a slice of our clients.

Originally, we worked with WhatCounts back in 2008 to get this done. Unfortunately, their API wasn’t as mature as we thought, and batch processing was a pain. I spoke with the CEO on the phone back then, and we decided after working together for months to part ways.

I have to say our current solution is a work of art, but I’d like more. It would be nice to get email analytics – information on opens, clicks, etc. We could do that internally, but it’s not our core competency. So for a long time, I kept my eyes open for any new companies I could work with.

Originally, I thought that maybe I could make do with the ConstantContacts and VerticalResponses of the world. But they are not built for this type of work, and are geared more toward marketing campaigns.

Fortunately, there are some new players in the field. I narrowed the field down to half a dozen players, and did proofs of concept with the top 3: SendGrid, PostmarkApp, and PostageApp. They all feature APIs and could meet some of my needs. What wasn’t clear, was how mature the feature set was. But the great thing about them was they allowed for no-cost trials, so I went ahead and tried them.

My primary use case was the following. Remember when you first learned Microsoft Word, and one of the neat features was doing merges… you could create a template or form, pass in an address book for example, and it would create a ton of letters? Well, that is the sort of use case I had with email. I wanted the 3rd-party system to house my templates, and for me to pass in via API the users who would receive the emails and the variables with the content they would receive. Simple, I thought – I mean, I could write something like that in ColdFusion if I had to. The great pluses were the deliverability improvements, anti-SPAM measures, and of course the analytics and logging.

I’ll be featuring a few posts on my experience working with the 3. There was a clear winner, and some astonishing things that became quite apparent with a few – especially those written in Rails.

Does something like this interest you?

Lessons Learned: Moving from Verity to Solr (Part 7)

In our Verity days, we used a UDF called VerityClean (still available at CFLib), that did a lot of the grunt work of cleaning keywords for Verity. In fact, if you read the description of the UDF, it says: “strips all invalid characters and word combinations from a search string to prevent verity from crashing.” Awesome, right?

Well, in moving to Solr, there was no equivalent. Solr can be very picky, so it rocks when you have a UDF that:

  • Replaces comma with OR
  • Strips double spaces
  • Strips bad characters
  • Cleans up sequences of space characters
  • Uppercases Solr terms like AND, OR, etc.
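The five steps listed here, and again in the Part 8 walkthrough of SolrClean and uCaseWordsForSolr, map onto a short sanitizer. The following is an added example written in Python for this page; it is not the CFLib UDF’s code. The set of characters treated as “bad” (Lucene/Solr query-syntax characters) and the NOT operator are assumptions, since the posts only name commas, whitespace, and the words and/or.

```python
import re

# Query operators Solr only recognises in upper case. AND and OR come from the
# post; NOT is an assumption added for completeness.
RESERVED_WORDS = {"and": "AND", "or": "OR", "not": "NOT"}

# Lucene/Solr query-syntax characters a raw user keyword should not carry.
# This list is an assumption for the example, not the UDF's actual set.
BAD_CHARS = re.compile(r'[+\-!(){}\[\]^"~*?:\\/&|]')


def ucase_words_for_solr(text):
    """Upper-case stand-alone reserved words only: 'band' stays 'band'."""
    return " ".join(RESERVED_WORDS.get(word.lower(), word) for word in text.split(" "))


def solr_clean(text):
    """Sanitise a user keyword string before it is placed in a Solr query."""
    text = text.replace(",", " OR ")              # happy,sad -> happy OR sad
    text = BAD_CHARS.sub(" ", text)               # strip query-syntax characters
    text = re.sub(r"\s+", " ", text).strip()      # collapse double/multiple spaces
    return ucase_words_for_solr(text)             # and -> AND, or -> OR
```

Stripping syntax characters before the keywords reach the query string is what stops a user typing `title:*` or an unbalanced `(` from changing the meaning of the search or producing a parse error.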

I just submitted SolrClean and a sister UDF uCaseWordsForSolr to CFLib. Enjoy!

UPDATE: The submissions to CFLib were never approved or simply disappeared. I’ll bring it to GitHub.

UPDATE 2: The submissions are now available on CFLib. I am preparing a separate post on them.