Blog

Adobe ColdFusion Summit 2016 Preconference Workshops almost Sold Out!
Thu, 09 Jun

There are only a handful of seats available for our preconference workshops on API and Security topics, so we will be closing registration very soon due to capacity limitations.  Please register today if you haven't yet!

As a reminder, these workshops are full day hands-on labs so it's a great learning opportunity for your teams.  Below is a summary of the workshop descriptions:

Topic 1
Developing and Managing APIs with Adobe ColdFusion API Manager

This full day preconference lab will cover API development with a focus on REST based APIs. It will include an overview of Adobe ColdFusion API Manager and walk through configuration of the environment, and various features available to create and manage APIs.

Topic 2
Security

This full day hands-on training session will focus entirely on the topic of security as it relates to web developers, reviewing examples of how vulnerabilities are exploited and how to mitigate these vulnerabilities within your code.

Both of these full day preconference labs will have prerequisites and will require students to bring their own laptops for use. Further details on what will be covered and prerequisite information will be provided soon.

 

Register today here: https://cfsummit.adobeevents.com/register/

ColdFusion 2016 and ColdFusion Builder 2016 Update 2 are available for early access
Wed, 01 Jun

ColdFusion 2016 and ColdFusion Builder 2016 Update 2 early access builds are now available for your testing and feedback.

Note that this is a test build and should not be used in a production environment.

ColdFusion 2016 Server

Change the update URL in ColdFusion Administrator -> Server Updates -> Updates -> Settings to the following:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/updates.xml

Refer to this document for the list of issues fixed.

Here are the install instructions for Server.

The build number after applying this update for ColdFusion 2016 should be 2016.0.02.299076

ColdFusion Builder 2016

Refer to this document for the list of issues fixed.

Here are the install instructions for Builder.

Standalone installation:

Change the update URL in ColdFusion Builder -> Help -> Install New Software -> Add -> Enter this URL in the location field:

For Windows/Linux - https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31standalonerepo/

For OS X - https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31standalonerepomac/

Plugin installation:

Change the update URL in Eclipse 4.5.2 or above -> Help -> Install New Software -> Add -> Enter this URL in the location field:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31pluginsrepo/

What’s new in this Update

ColdFusion 2016 Update 2 :

  • Struct Serialization and Array Serialization :

For a struct there is no reliable way to derive the data type of a value, so even today we see serialization issues where a value such as a "lastname" is serialized as a Boolean (Bug #3337394).

We are providing an API on the Struct class to attach metadata to a struct object. The function takes a struct in which each key is a key of the target struct and the value is the data type that the corresponding value should be serialized as. For example,

mystruct = structNew();
mystruct.lastname = "Yes";   // a string that serializeJSON would otherwise emit as a boolean
mystruct.age = 42;
// Member-function form: each key names a struct key, each value the type to serialize it as
mystruct.setMetadata({"lastname": "string", "age": "number"});
writeDump(mystruct.getMetadata()); // returns: {ordered="insertion|unordered", keys={lastname="string", age="number"}}

// Equivalent function form; a key's type may also be a nested struct carrying extra detail
simple = {"value": "no", "firstname": "Ann", "currency": 10};
structSetMetadata(simple, {"value": "boolean", "firstname": "string", "currency": {"type": "numeric", "name": "usd"}});

For arrays you can likewise set metadata using the setMetadata and getMetadata methods. Array metadata must contain the key "items", which specifies the type of the array members.

myArray = ["01234", "02345"];   // ZIP codes that would otherwise be serialized as numbers, losing the leading zero
myArray.setMetadata({"items": "string"});
writeDump(myArray.getMetadata()); // returns: {type="synchronized", items="string"}

Application level support

Other than passing the type information at the struct level, you can also define it at the application level (in Application.cfc), like

this.serialization.structmetadata = {zipcode="String"};

If defined as above, you do not need to set the data type of zipcode on every struct that contains this key. At run time, if no metadata is set on the struct itself but the key is defined at the application level, the value is resolved according to the application metadata. If metadata is set on the struct, the struct-level type takes priority over the application-level one.

  • Configure SSL - API Manager portals can be accessed over HTTPS, so portal traffic is encrypted in transit
  • CAR settings migration - After deploying a CAR file, some settings are not migrated. You can view the list on the Archive Summary page (under the section Settings Never Migrated) both while creating the CAR and while deploying it.
  • New member functions – ArrayDeleteNoCase, YesNoFormat, and BooleanFormat
  • CKEditor - FCK Editor has been deprecated. You can now customize and design text areas in a form using CK Editor in the cftextarea tag.
  • NTLM changes - The ntlmDomain attribute is required if a user is part of a domain. When the user is not part of a domain, the ntlmDomain attribute is optional.
  • Other bug fixes – API Manager, PDF, language, etc.

 

ColdFusion Builder 2016 Update 2

• Security Analyzer – You can view partial scan results after canceling a scan. Search for a file using the filename in Unscanned Files.

• PhoneGap – PhoneGap is upgraded to version 5.2.

• Other bug fixes – Performance, editor, Security Analyzer, etc.

We will look forward to your valuable feedback and suggestions.

Using ColdFusion APIM To Import API From Swagger
Wed, 01 Jun

As discussed in the previous blog, there are five ways of creating APIs in ColdFusion API Manager. We have already seen How To Create Manual API In ColdFusion API Manager. Now we will import an API from Swagger.

Swagger is a specification for describing, producing, consuming, and visualizing RESTful web services. APIM supports Swagger 1.2 as well as 2.0.

Read more here : Using ColdFusion APIM to import API from Swagger

 

How To Create Manual API In ColdFusion API Manager
Wed, 01 Jun

ColdFusion API Manager helps you create APIs that expose the core functionality of your application and other backend systems. These APIs are then published and managed at runtime.

We can create APIs in multiple ways :

  1. Creating API Manually
  2. Importing API from Swagger
  3. Importing API from ColdFusion REST services
  4. Converting a SOAP service into a REST service
  5. Import a SOAP API through a proxy service
In the series of blogs to follow we will cover each flow. In this blog we will cover manual creation flow.
Adobe ColdFusion survey for the next version
Wed, 25 May

As you are probably aware, we are in the planning stage for the next version of ColdFusion. You may have already seen a blog post asking you to submit your wishlist for the next version.

This post is about a survey that will give Adobe valuable information about your usage of ColdFusion. Please take a few minutes to take this survey and provide your feedback. The data from the survey will be used to validate a set of hypotheses about the usage of ColdFusion. This will eventually help us build a great next version of ColdFusion, codenamed Aether.

Thank you for your valuable time. Here is the survey link again.


ColdFusion (2016 release) - Security audit report
Mon, 23 May

As you are probably aware, with each version of ColdFusion, security is at the top of the priority list. With the latest release the emphasis was not only on security-related features but on the inherent security of the ColdFusion platform itself. To validate this, the PSIRT (Product Security Incident Response Team) at Adobe helped arrange a third-party security audit of ColdFusion. The audit did come up with a few findings, and our product engineers mitigated all of them.

To back up that claim, we now have a public-facing security report from the agency that performed the audit, indicating that 100% of the findings have been mitigated. Here is the public-facing report with all the details. You can also find the link to this security audit report under the Datasheets and Whitepapers section of the ColdFusion product home page on the Adobe website.

Reminder: $199 Super Early Bird Rate ends May 31st!
Fri, 20 May

Remember that the $199 Super Early Bird Rate for ColdFusion Summit 2016 ends on May 31st so there are only a few days left to get that discount.  

The preconference sessions are also filling up quickly, and have very limited capacity so if you were considering attending please sign up soon.

You can register here: https://cfsummit.adobeevents.com/register/

 

Don't forget that call for speakers ends tomorrow as well, so please submit any topic you would like to speak about by tomorrow here: http://cfsummit.speakerform.com

ColdFusion Summit 2016 will be held at Mandalay Bay Resort in Las Vegas, NV on October 10th and 11th.  

The preconference workshops on Security and API Development & Management will be on October 9th.

 

See you there!

 

Submitting your wishlist for the next version of ColdFusion
Thu, 19 May

Here is a way to let us know your wishlist for the future versions of ColdFusion. The process is really simple.

 

1. Log into the public bug tracker https://bugbase.adobe.com

2. Click on Add Bug. 

3. Choose ColdFusion as the product and version as 2016. Remember, the version to be selected is 2016.

4. Select product area as wishlist and submit your list in the bug description.

 

That's it! We would love to hear your thoughts on what you would like to see as a part of upcoming versions.


Applying update on a ColdFusion instance running with a non-admin user
Fri, 13 May

You may run into issues if you use a non-administrator user account to install ColdFusion updates manually, or if an installation is attempted from the ColdFusion Administrator console while the ColdFusion service is running under a non-administrator account. In such cases the update may not install successfully and may complete with errors.

The Windows user account used by the ColdFusion service should have the privileges to start and stop the ColdFusion service. The updater needs to stop the ColdFusion service, so that it can replace the class files used by the service. After the update is installed, the updater starts up the ColdFusion service. Similarly if the updater packages any updates related to the other ColdFusion services, such as ColdFusion Add-On/Jetty service or ColdFusion .NET service or ColdFusion ODBC service, it would stop and start these services as well.

To avoid running into the issue above, one can take either of the following 2 approaches: 

 - Stop the ColdFusion service manually before running the updater jar, and restart the service once the update is installed. This, of course, would need to be done every time you install an update; or

 - Assign the ColdFusion user account the privileges to start/stop the service. This would be a one-time fix.

If you are using Windows Server 2003 or Windows XP, you can follow this blog post to assign start/stop privileges to the ColdFusion service user account. If you are on a later edition of Windows, such as Windows 7 or Windows Server 2012, keep reading.

The Windows Service Controller command (sc) can be used to view and set the permissions on a Windows service. We will be using the following two subcommands:

SDSHOW : To display the permissions on a service. 

syntax : sc [<ServerName>] sdshow <ServiceName>

SDSET : To set the permissions on a service.

syntax : sc [<ServerName>] sdset <ServiceName> <ServiceSecurityDescriptor>

The security descriptor in the syntax above is written in the "Security Descriptor Definition Language" (SDDL). SDDL has its own syntax and formatting conventions which, at first, may seem a bit intimidating, and I might add, somewhat bland. We will dwell only on the elementary details relevant to our purpose. If you want to get into the nuances of the language, check out the resources referenced at the end of this post.

Before modifying the permissions on a service, it is a good idea to view the current permissions first. To do that, run the following command from an elevated (administrator) command prompt:

sc SDSHOW "ColdFusion 2016 Application Server"

You can find the name of the service in the service properties in the Services window (services.msc). The output should be similar to the following (one long line):

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

I'll break the output above into its two sections and describe them.

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

The prefix D: introduces the discretionary access control list (DACL). It identifies the users or groups that are allowed or denied access to the secured object, here the service.

S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The prefix S: introduces the system access control list (SACL), which controls how access is audited. It lets administrators log attempts to access the secured object in the Security event log. (In this entry, AU in the first field is the audit ACE type and FA the "audit failed access" flag; WD, the trustee, is Everyone.) This section is not pertinent to our purpose and will not be discussed further, but it must be carried over unchanged when you set the descriptor later.

Each segment enclosed in parentheses, such as "(A;;CCLCSWRPWPDTLOCRRC;;;SY)", is an ACE, or "Access Control Entry". It describes the permissions for a specific user or group. An ACE has six semicolon-separated fields: type, flags, rights, object GUID, inherit-object GUID and trustee. The two GUID fields are only used for directory objects and are empty for services, which is why you see ";;;" before the trustee.

The first field in the ACE specifies the ACE type. 'A' here denotes "Allow". Similarly a 'D' would denote "Deny".

The third field ("CCLCSWRPWPDTLOCRRC") denotes the access rights. It is a sequence of two-letter codes, each naming one right. Because the secured object here is a service, the codes carry their service-specific meaning; the generic names you may see in other SDDL references (such as "Read all properties" for RP or "Delete all child objects" for DC) apply to directory objects, not services. The components are:

CC : SERVICE_QUERY_CONFIG – ask the SCM for the service's current configuration

DC : SERVICE_CHANGE_CONFIG – change the service configuration (binary path, logon account, start type)

LC : SERVICE_QUERY_STATUS – ask the SCM for the service's current status

SW : SERVICE_ENUMERATE_DEPENDENTS – list the services that depend on this one

RP : SERVICE_START – start the service

WP : SERVICE_STOP – stop the service

DT : SERVICE_PAUSE_CONTINUE – pause and resume the service

LO : SERVICE_INTERROGATE – ask the service to report its status immediately

CR : SERVICE_USER_DEFINED_CONTROL – send user-defined control codes to the service

SD : DELETE – delete the service

RC : READ_CONTROL – read the security descriptor on this service

WD : WRITE_DAC – modify the permissions (DACL) on this service

WO : WRITE_OWNER – modify the owner of this service

 

The last field in the ACE denotes the trustee: either a two-letter well-known abbreviation or an explicit SID. The values that appear in the descriptor above, plus a few others you may meet, are:

SY : Local System

BA : Built-in Administrators

BU : Built-in Users

IU : Interactively logged-on users

SU : Service logon users (any account that is logged on as a service; this is why the ColdFusion service account already holds the query rights in the SU entry, but not start/stop)

AU : Authenticated Users

WD : Everyone (World)

If the intent is to modify the permissions for a specific user rather than a group, use the SID of that user account instead of an abbreviation. Suppose the ColdFusion Application service runs under a non-administrator account called "cfuser". To get the security identifier (SID) for the "cfuser" account, execute the following WMIC command (for a domain account, add the account's domain to the where clause as well):

wmic useraccount where name='cfuser' get sid

That should output something similar to the following:

SID

S-1-5-21-464414946-3681088821-1826911322-1510

To grant "cfuser" start/stop permission on the ColdFusion Application service, take the output of the SDSHOW command and append one ACE for "cfuser" with the rights it needs: RP (start), WP (stop) and CR (user-defined control). Note that SDSET replaces the whole descriptor rather than adding to it, so every existing ACE and the S: section must be carried over unchanged; omitting them would strip Local System and Administrators of their access to the service:

SC SDSET "ColdFusion 2016 Application Server" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-464414946-3681088821-1826911322-1510)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The command must be run from an elevated (administrator) command prompt. If you run it from PowerShell, call sc.exe explicitly, because sc on its own is a PowerShell alias for Set-Content, and put the descriptor in quotes so the shell does not try to parse the parentheses. Run SDSHOW again afterwards to confirm the new ACE is present. Grant only what the updater needs: RP and WP let the service account restart the service, whereas DC, WD or WO would let a compromised ColdFusion process reconfigure the service to run a different binary or under LocalSystem, or rewrite its own permissions.

If you are using other ColdFusion services, such as ColdFusion Add-on Services, ColdFusion .NET Service, ODBC Agent and ODBC server, you can follow the same steps as above to change permissions to them.
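Hand-editing a descriptor string is where mistakes happen (a dropped ACE, a typo in the rights). As an added example, not part of the original post and not ColdFusion or Microsoft code, the following Python script parses the SDSHOW output, decodes each ACE with its service-specific meaning, appends the Allow ACE for a SID while preserving everything else, checks the result, and prints the sc.exe command to paste. The descriptor and the cfuser SID are the constructed values quoted above; the sc.exe spelling and quoting are chosen so the same command works from cmd and from PowerShell.

```python
"""Parse and edit the SDDL string that `sc sdshow <service>` prints.
Added example for this post (not ColdFusion or Microsoft code): append one Allow
ACE granting start/stop to a SID while keeping every existing ACE, then verify
the result before handing it to `sc sdset`."""
import re

# Service-specific meaning of the two-letter SDDL access-right codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Well-known trustee abbreviations seen in service descriptors.
TRUSTEES = {"SY": "Local System", "BA": "Built-in Administrators", "BU": "Built-in Users",
            "IU": "Interactive users", "SU": "Service logon users",
            "AU": "Authenticated Users", "WD": "Everyone"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}

# Constructed sample: the sdshow output and the cfuser SID quoted in the post above.
SDSHOW_OUTPUT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
CFUSER_SID = "S-1-5-21-464414946-3681088821-1826911322-1510"

def parse_ace(text):
    """'A;;CCLC;;;SY' -> dict; rights split into 2-letter codes (a 0x mask is kept whole)."""
    fields = text.split(";")
    if len(fields) != 6:            # conditional ACEs carry a 7th field; not handled here
        raise ValueError("unsupported ACE layout: (%s)" % text)
    ace_type, flags, rights, _obj, _inherit_obj, sid = fields
    codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {"type": ace_type, "flags": flags, "rights": codes, "sid": sid}

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)...S:(ace)...' into a dict keyed by section letter.
    D and S map to {'flags', 'aces'}; O and G map to their SID string."""
    sections, markers = {}, list(re.finditer(r"([OGDS]):", sddl))  # codes/SIDs never contain ':'
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        body, key = sddl[m.end():end], m.group(1)
        if key in ("D", "S"):
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            sections[key] = {"flags": body.split("(", 1)[0], "aces": aces}  # e.g. 'P' or 'AI'
        else:
            sections[key] = body
    return sections

def format_ace(ace):
    return "(%s;%s;%s;;;%s)" % (ace["type"], ace["flags"], "".join(ace["rights"]), ace["sid"])

def format_sddl(sections):
    """Inverse of parse_sddl, emitting sections in the canonical O, G, D, S order."""
    out = []
    for key in (k for k in ("O", "G", "D", "S") if k in sections):
        if key in ("D", "S"):
            out.append(key + ":" + sections[key]["flags"] + "".join(map(format_ace, sections[key]["aces"])))
        else:
            out.append(key + ":" + sections[key])
    return "".join(out)

def describe_ace(ace):
    """e.g. 'Allow Local System: SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, ...'."""
    names = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
    return "%s %s: %s" % (ACE_TYPES.get(ace["type"], ace["type"]), TRUSTEES.get(ace["sid"], ace["sid"]), names)

def grant_start_stop(sddl, sid, rights=("RP", "WP", "CR")):
    """New descriptor with an Allow ACE for `sid`. Existing ACEs are kept because
    sc sdset replaces the whole descriptor; dropping them would lock out Local System
    and Administrators. An existing Allow ACE for `sid` is merged, not duplicated."""
    sections = parse_sddl(sddl)
    dacl = sections.setdefault("D", {"flags": "", "aces": []})["aces"]
    mine = [a for a in dacl if a["type"] == "A" and a["sid"] == sid]
    if mine:
        mine[0]["rights"] += [r for r in rights if r not in mine[0]["rights"]]
    else:
        dacl.append({"type": "A", "flags": "", "rights": list(rights), "sid": sid})
    return format_sddl(sections)

def can_start_stop(sddl, sid):
    """True if `sid` is directly allowed SERVICE_START and SERVICE_STOP and neither is
    denied (Deny wins). Group membership is NOT expanded; the SID must match exactly."""
    allowed, denied = set(), set()
    for a in parse_sddl(sddl).get("D", {"aces": []})["aces"]:
        if a["sid"] == sid and a["type"] in ("A", "D"):
            (allowed if a["type"] == "A" else denied).update(a["rights"])
    return {"RP", "WP"} <= allowed and not ({"RP", "WP"} & denied)

def sdset_command(service, sddl):
    """Quoted so PowerShell does not parse the parentheses; sc.exe avoids its `sc` alias (Set-Content)."""
    return 'sc.exe sdset "%s" "%s"' % (service, sddl)

if __name__ == "__main__":
    for ace in parse_sddl(SDSHOW_OUTPUT)["D"]["aces"]:
        print(describe_ace(ace))
    new_sddl = grant_start_stop(SDSHOW_OUTPUT, CFUSER_SID)
    print(sdset_command("ColdFusion 2016 Application Server", new_sddl))
    print("cfuser may start/stop:", can_start_stop(new_sddl, CFUSER_SID))
```

Paste the real SDSHOW output into SDSHOW_OUTPUT and the real SID into CFUSER_SID, run the script, and compare the printed sc.exe command with what you intend to apply. The can_start_stop check only matches the SID directly, so an account that receives start/stop through a group ACE will show as not allowed; it also treats any Deny ACE for the same SID as overriding, which matches how Windows evaluates a DACL.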

 

References:

https://msdn.microsoft.com/en-in/library/windows/hardware/ff563667(v=vs.85).aspx

https://blogs.technet.microsoft.com/askds/2008/05/07/the-security-descriptor-definition-language-of-love-part-2/