The amazing adventures of Doug Hughes

Archive for November, 2008

'Hackproofing Your ColdFusion Applications' Presentation Files

It’s been a busy week since I got back from MAX and I am just now getting around to posting the files from my presentation, ‘Hackproofing Your ColdFusion Applications’. The session seemed to be well received and the room was packed (by far the largest group of people I have spoken in front of since my days as a stand-up comic).

I thought MAX was a great experience. I spent a great deal of time at the “CF Unconference” which was run by Ray Camden. The Unconference was chock-full of great speakers on interesting topics. I really hope Adobe continues that trend in future MAX events.

See the link below for the presentation files.

The Best Way To Create Temporary Files in ColdFusion

This morning my day was kicked off with a warning from OS X that I had next to no space left on my hard drive and that I’d better clean stuff up pronto. Luckily, I knew exactly what to remove and I took care of it. However, while cleaning up files I stumbled across a set of files in my home directory with names like “c:/temp924A8A06-FE9F-462A-F4BDCA63C95797CE”. Now that’s an odd name for a file on a Mac! I opened one of these files to see a barcode image and realized what was going on.

One of my client’s developers had been working on creating these barcode images and must have hard coded the creation of the images to their “c:temp” directory on Windows. My experience highlights one reason why this might not be the best way to create temp files: The directory might not exist! Or, it’s conceivable that the non-standard c:temp directory might not exist. Or that ColdFusion might not have rights to write to that directory. Or the application might be running on a non-Windows system like OS X, Linux or Unix.

So, with that in mind, what is the best way to create a temporary file in ColdFusion? This is a fairly easy problem to solve with two built in ColdFusion functions, GetTempDirectory and GetTempFile.

The GetTempDirectory function simply returns the path to a temporary directory that exists and ColdFusion can write to.

The GetTempFile function creates a uniquely named temporary file in a directory you specify, with a file name that starts with a prefix you supply.

Using these two functions together you can safely create a temporary file. This is the example from the ColdFusion documentation:

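<h3>GetTempFile Example</h3>

<p>The temporary directory for this ColdFusion Server is
<cfoutput>#GetTempDirectory()#</cfoutput>.

<p>We have created a temporary file called:
<cfoutput>#GetTempFile(GetTempDirectory(),"testFile")#</cfoutput>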

One other point related to this: no matter what platform you’re running on, you should always use a forward slash as your path separator and not a backslash. Java will automatically translate this to the correct separator for the platform your application runs on.
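The full lifecycle of a temporary file built on these two functions, as an added example that is not part of the original post or the ColdFusion documentation: the file is created, written, inspected and then deleted, including when the write fails. The barcodeBytes value is constructed sample data and the "bar" prefix is an arbitrary choice.

```cfml
<!--- Added example. barcodeBytes is constructed sample data standing in
      for a generated barcode image. --->
<cfset barcodeBytes = ToBinary(ToBase64("constructed sample image data"))>

<!--- GetTempFile creates an empty, uniquely named file in a directory that
      exists and that ColdFusion can write to, so there is no hard-coded
      path and no name collision between concurrent requests. --->
<cfset tempPath = GetTempFile(GetTempDirectory(), "bar")>

<cftry>
    <!--- Write the image data into the file that GetTempFile reserved. --->
    <cffile action="write" file="#tempPath#" output="#barcodeBytes#">

    <!--- Use the file while it exists; here we only report its size. --->
    <cfset info = GetFileInfo(tempPath)>
    <cfoutput>
        <p>Wrote #info.size# bytes to #HTMLEditFormat(tempPath)#</p>
    </cfoutput>

    <cfcatch type="any">
        <!--- On failure, remove the temp file before the error propagates
              so nothing is left behind in the temp directory. --->
        <cfif FileExists(tempPath)>
            <cffile action="delete" file="#tempPath#">
        </cfif>
        <cfrethrow>
    </cfcatch>
</cftry>

<!--- On success, remove the temp file once it is no longer needed. --->
<cfif FileExists(tempPath)>
    <cffile action="delete" file="#tempPath#">
</cfif>
```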

Speculation of a Possible Future

Since Adobe announced Bolt there has been a lot of speculation about whether this spells the end for CFEclipse and whether or not Adobe will charge actual money for Bolt and, if Adobe does charge for Bolt, how that will impact the platform overall.

I was thinking about this, and the other various things developers pine for in ColdFusion, and came up with a hypothetical future that we all may enjoy. First, I ask you to bring into your mind some common platforms. For example, PHP, the Flash platform and the .NET platform. Now ask yourself, what is their profit model? All of the aforementioned ostensibly are provided free of charge. However, their organizations sell IDE products such as Zend Studio, Flex Builder, and Visual Studio as the best available tool for creating applications in their respective languages, though for each there are free alternative IDEs.

Additionally, there are both official and third party extensions which can be purchased to provide capabilities that are not built into the platform or are difficult to implement. Charting is a common example of a non-free extension. To this point we’ve established that some other platforms give the “core” language (or whatever) away for free. You can purchase an IDE to make development easier and you can purchase extensions which are not included in the core language. That’s the most common profit model.

So, first off, clearly there will still be demand for CFEclipse. Especially if Adobe chooses to charge for Bolt. Now, let’s take this another step and consider what it might mean if Adobe charges for Bolt. As a part of this thought experiment I’d like you to consider Railo, the highly regarded open source CFML engine from JBoss. I was at the Scotch on the Rocks conference when it was announced that Railo was being purchased by JBoss/Redhat. Over the following three days I watched Adobe’s reaction to the news and sat in on many conversations between the public, various Adobe representatives (who were not speaking in an official capacity), and the folks from Railo.

During these conversations a few themes arose. Specifically, ColdFusion’s architecture is not very robust compared to the interface-based architecture for Railo. Further, the Railo team made it clear that they have no interest in competing with Adobe on the RIA feature set.

Based on this there was a lot of talk about the possibility that maybe someday Adobe might adopt the Railo “core” and build many of the RIA features of ColdFusion, such as PDF generation, Flex integration, etc., on top of Railo. Now, if you look at Kristen Schofield’s CF Evangelism Kit you will see a roadmap on page 5. This includes a description of “Link”, which I assume to be the future codename for ColdFusion 10. One of the bullet point descriptions is a “Pluggable Architecture”. Could that not be built on top of Railo?

To continue down this road of pure speculation and theory, would that not put Adobe in a good place to sell the IDE, allow JBoss/Railo to offer the free, open source, “core” CFML engine and to also sell a custom version of CF built on top of the Railo engine which provides many of the RIA features we’ve come to depend on? I love this idea because we all get what we all want: Developers get the option of having a completely free and open source ColdFusion development stack or purchasing an IDE and advanced services. Adobe still gets to make money by selling the IDE as well as advanced closed source services for creating RIA applications. We all win!

An interesting possibility, no? So maybe before we all condemn Adobe for possibly charging for Bolt we should wait and see what’s really in store for us?

Is It Cold In Here, Or Is It Just Me?

Sadly, I’m not attending Max this year. I spent my budget this year on four other conferences (CF.Objective, CFUnited, WebManiacs and Scotch on the Rocks) and there just wasn’t time or good will enough from my wife to go to Max as well. So, with keen interest I’ve been watching the blogosphere to see what’s going on. I’ve seen the various announcements about Gumbo and Catalyst, which I think are very exciting. But the thing that really caught my eye was the 64 bit preview release of Flash 10 for Linux. Yes, Linux! And no, I’m not a Linux on the desktop kind of guy. I thought about it before switching to Mac, but I’m not one to want to run Photoshop in VMWare.

The reason I find this exciting and shocking is the largely positive press this has gotten in the Linux community. Historically speaking, I’ve never seen a truly positive article about Flash posted to Slashdot. Nor have I seen comments about Flash (or ColdFusion) on Slashdot be even remotely civil. Comments tended to deride Flash for being closed source, being non-free-as-in-speech, used to create annoying ads, being “buggy” or, most commonly, not running on 64 bit Linux. Today that seems to have largely changed! With the announcement of a 64 bit prerelease version of Flash player for Linux the comments on Slashdot have been downright civil and, dare I say it, praiseful of Adobe!

A few interesting quotes from the comments:

“Linux users asked, and adobe listened. Great stuff.”

“That’s the crux of the issue,”.

“Adobe Flash has [64-bit support], Sun Java does not”

“The vast majority of users aren’t going to cut off their nose to spite their face by refusing to use “non-free” software, and nor should they.” (Referring to the use of free-as-in-speech software vs. free-as-in-beer.)

“Where’s the 128-bit version?!” (You knew it’d be there as well as demanding support for FreeBSD, Sparc and other various 64 bit architectures.)

“I just tried it on my Fedora 9 64-bit installation and it works just fine. No crashes, no freezes”.

Now, really, has hell frozen over?! Slashdot had nice things to say about Adobe and the Flash Player! Excellent! So, for that reason alone I found the 64bit Flash preview release the most interesting announcement out of Max so far. What’s caught your eye?

VMWare Fusion Tricks

I have two quick VMWare Fusion tricks I wanted to share with you today.

Powering Off Your Virtual Machine

So, like many Mac users, I have Windows running in VMWare. Problem is, twice now Windows has automatically applied updates and hung while rebooting. All I see in the VM is a message saying Windows is rebooting. But nothing ever happens. The problem is, it seems as if there’s nothing you can do. If you use the Shut Down Guest command VMWare simply tries to tell Windows, which is already stuck, to reboot and nothing happens.

Sending a Control-Alt-Delete does nothing as well. I even tried using the Activity Monitor to kill VMWare but when I restarted VMWare the Virtual Machine was still sitting there in the same state. It turns out that there’s an annoyingly hidden feature of VMWare which allows you to virtually power off your Virtual Machine. By default, this is what the Virtual Machine menu in VMWare looks like:


Note that the highlighted option reads “Shut Down Guest”. If you hold down the option key while looking at this menu you will instead see the following menu:


Note that we now have two options, Power off and Reset. Either of these will do the job and let you reboot the hung Virtual Machine.

Using VMWare with Spaces

The final trick I have is more of a tip. I’ve not been a big fan of Unity mode. Don’t get me wrong, I think it’s fantastic, but it just doesn’t work well with how I work. That, and though it’s amazing engineering, it still has a ways to go. Historically I’d simply keep Windows in a window. But, a couple weeks ago I had an epiphany and realized I could enable Spaces in OS X 10.5 and set Windows to run in full screen on that space! I tried it and found that it works really well. To move to Windows I simply hit Ctrl-right arrow and I slide to Windows. To go back to OS X I simply hit Ctrl-left. Who knows, maybe you’ll like this too.

Alagad will be at MAX

Well, some of the team will be. I am presenting a session at MAX North America entitled ‘Hackproofing Your ColdFusion Applications’. In this session we will discuss some problems inherent to all web applications such as SQL Injection and session hijacking and how ColdFusion developers can protect themselves from such attacks.

If you happen to see my ugly mug walking around, please stop and say ‘Hi’.

New RIAForge project: TypeCast

I just uploaded a new pet project to RIAForge (YAY! I have an RIAForge project!). While it’s not officially (or even unofficially) sanctioned by Alagad, I figured I’d put the word out here anyway. A brief description from the RIAForge project page:

TypeCast uses CF 8 features to allow you to specify your ColdFusion install directory, browse all the jar files installed with ColdFusion, browse all the Java packages and classes within them, and view the javap output for any of those classes. Enables one to find Java class definition information for ColdFusion classes quickly and easily.

The project page is at Enjoy!

FlexBuilder 3 Standalone, Eclipse 3.3.3 and Eclipse PDE: It can be done!

A while back I went to install Mylyn on my copy of FB3 Standalone and was rebuffed by the installer because, it claimed, I needed to be running the Eclipse Plugin Development Environment (PDE) to install it. I asked Tim Buntel about it and he forwarded my plea for assistance to an engineer, but the road ended at the fact that FB3 is running a stripped-down version of Eclipse with no extras and I was pretty much out of luck. Until, that is, today.

I was looking to install the Data Tools Platform because I’m tired of having ADS and Eclipse open all the time, and it has prerequisites for the Eclipse Modeling Framework… so I started poking around in the Help > Find and Install… window. On a whim I selected Eclipse Updates and hit Finish… what popped up next blew me away. There were updates for Eclipse 3.3.2 (which is what FB3 standalone is based on)… and they included the full PDE stack, updates to Eclipse 3.3.3, and a bunch of other stuff! So, with a bit of trepidation (and knowing that if it blew up I’d be reinstalling Eclipse+Plugins today), I selected all the 3.3.2 updates I could find and hit the “Install all them thar updates” button.

This took a while, but once it was done I restarted Eclipse, I had 3.3.3, I had the PDE, and I had an even bigger surprise. On an entirely non-scientific basis, FlexBuilder 3 is now about 100% to 150% faster than it was before the update!! Seriously, it blew me away, opening Flex applications, switching between perspectives, toggling between code and design view in MXML components, everything… extremely much tons faster.

The one thing that really surprised me is that Adobe never suggested I do this! So, now that I have this installed, I am going to install the Data Platform Tools, Eclipse Modeling Framework and, finally Mylyn. Alagad uses Trac and Subversion and having them integrated into Eclipse via Mylyn is going to be awesome… although that’s a whole other set of blog posts.

Keep one thing in mind: I don’t know if this is a supported configuration or not, so follow this process at your own risk. What I do know is that after restarting FlexBuilder 3 and running some cursory checks everything seems to work fine. Thinking about it, it does make sense that, since FlexBuilder can be installed on Eclipse as a plugin, it would work just fine.

More than anything I was wondering about Eclipse 3.3.3 compatibility, but like I said, it seems more than compatible, it drastically improves performance. As always with nonscientific observations like that: your mileage may vary.

Still, if you’re running FlexBuilder 3 and want Eclipse updates or even to add the PDE libraries to your Eclipse installs, don’t despair, just go to Help > Software Updates > Find and Install…, choose “Search for new features to install”, click the Eclipse Updates button and install all the Eclipse 3.3.2 updates the next panel lists. It takes a few minutes, but it works great! Once you get this stuff all installed, FlexBuilder will prompt you to restart your workspace and BOOM, you’re back in business using what is now a lot more like Eclipse with the FlexBuilder plugin than it is your original FlexBuilder 3 Standalone.

Good luck!


I wouldn’t normally post a blog entry that is so off topic, but for those of us in the United States it’s Election day! I want to remind and encourage everyone who reads this blog to go cast your vote today. I don’t care who you vote for, just exercise your civic duty and make your opinion known. In fact, here at Alagad I’m paying employees for their time to go vote. That’s right, they can get paid for the time driving to the polls, standing in line, and voting! To add to that, I’m paying my employees to volunteer to drive people to the polls. I’m not sure if anyone is actually doing that, but it’s an option. Myself, I’m waiting for someone to call me with further instructions.

Happy Election Day, everyone!
