Using Inner-Classed Enums with ColdFusion and Java

Written by Russell on . Posted in App Dev, Gotchas

I recently had to call a method from Java that required an Enum type. In my case I did not have control over the java code and the Enums were stored inside a Class called Enums. It was not readily apparent to me on how to access these inner-classed Enums and there wasn’t any specific documentation that I could find on the topic. I struggled a bit with trying to make a string work (the true end result), using JavaCast and trying to instantiate the class and Enum directly. Thankfully the final solution was actually easier than expected.

First we need to get the Enum from the Java Class.
<cfset local.FULL = createObject("Java", "$RegistrationResultsFormat").FULL />

Pay close attention to “$RegistrationResultsFormat”. This resolves to my Enum “public enum RegistrationResultsFormat { … }”.

If you perform a CFDUMP on the results of the createObject you will get a list of your possible options. In my case, RegistrationResultsFormat had FULL, COURSE and ACTIVITY. It is important to note that a CFDUMP of both the core createObject as well as the results of .FULL are exactly the same. Do not fret, you are still getting the desired end result and you may use it as is.

Next we need to pass the Enum value into that Java method. In my example it is the second argument.
<cfset local.results = anotherJavaMethod( javaCast("string",, local.FULL) />

In my actual use case, I stored this result in the variables scope of my component and got the value inside the init method.

User Input, Part 1 – Encoding

Written by jbriccetti on . Posted in App Dev, Gotchas

The Problem

Security 101 – ensure you are implementing input validation to prevent XSS. From the OWASP Top 10 Attack Vector #2

You need to ensure that all user supplied input sent back to the browser is verified to be safe (via input validation), and that user input is properly escaped before it is included in the output page. Proper output encoding ensures that such input is always treated as text in the browser, rather than active content that might get executed.

Example 1: outputting request parameters

<cfset = "Jon" />
Thank You, <cfoutput></cfoutput>

In the above example we are setting the form field “Jon” But if we collect the value from a user (like forms normally do), AND if  the user supplied the name as follows:

<cfset = "<script>document.location=''</script>" />
Thank You, <cfoutput></cfoutput>

What happens when the output gets “displayed” to the screen? What happens is an instruction is executed by the browser! The script instruction redirects the browser to wikipedia. Imagine if that website was Evil. Really Evil. We’re not talking “the diet coke of evil” or the “margarine” of evil, we’re talking Real Evil. Bad news for your browser.

So we have to figure out a way to tell the browser not to treat these characters as instructions? But before we try to figure out how to do that, what characters are we talking about?


character encoding
 <  &lt;
 >  &gt;
 “  &quot;
 ‘  & #39;
 &  &amp;

The bracket characters you already know are characters that can embed a <script> tag into a page. These are big naughty characters. Big. Naughty.

But what about the ” and the ‘ character? Well, checkout this example:

<cfset = 'Jon" onMouseOver="javascript:alert(document.location);"' />
<input name="name" type="text" value="<cfoutput></cfoutput>" />

So it’s pretty obvious where this is going. Any characters that are used for markup should be encoded, lest they be used for big naughty things. Or small naughty things for that matter.

The solution (or at least a solution)

The simplest of solutions is encoding the data on the way out (when sent to the browser). So in the above examples, if we were to simply squeeze our output through the built in ColdFusion function xmlFormat(), we’re good to go:

<cfset = "<script>document.location=''</script>" />
Thank You, <cfoutput>#xmlformat(</cfoutput>

<br />
<cfset = 'Jon" onMouseOver="javascript:alert(document.location);"' />
<input name="name" type="text" value="<cfoutput>#xmlformat(</cfoutput>" size="100" />


Next Steps:

In part duex, we’ll look at a slight drawback to using the xmlFormat() function. Also, we’ll examine an approach to encode the input on the way in. Finally, we’ll look at filtering input to wipe out any other characters that are used for naughty purposes, such as tabs, carriage returns and other non printable characters. Until then, stay safe…



Migrating fckeditor 2.6.4 to ColdFusion 10

Written by Perry Woodin on . Posted in App Dev, Gotchas

I moved a site with FCKEditor from ColdFusion 8 to ColdFusion 10. When testing the file browser capability I was seeing the following error:

The server didn’t reply with a proper XML data. Please check your configuration.

The FCKeditor I was using relies on a ColdFusion connector that calls a custom function called FileUpload. This function is located in /editor/filemanager/connectors/cfm/cf_command.cfm. Since FileUpload() is a reserved function in ColdFusion 9+, the server was throwing a 500 error and the FCKeditor was displaying the less than useful error message above.

The fix was pretty easy. Just do a search and replace in /editor/filemanger/~. I replaced FileUpload with fckFileUpload. You will end up changing nine files total. That’s it. I probably should have simply updated the editor, but there were some custom js configurations that I didn’t want to track down. So… there you go.

Jenkins ChromeDriver plugin Killing my Nodes

Written by Perry Woodin on . Posted in Deployment, Gotchas

I decided I wanted to learn how to use Selenium with Jenkins so I installed the ChromeDriver and Selenium plugins on Jenkins 1.486. Immediately after doing so, my Jenkins nodes started displaying the “Connection was broken” error message from the master Jenkins instance. Checking the connection from the node itself, everything looks fine. The node appears to be connected, but the master thinks otherwise.

I’ll obviously have to to some trouble-shooting. For now, I removed the ChromeDriver plugin and my node connections are working again.

No daddy

Written by jbriccetti on . Posted in Gotchas, Misc Ramblings

I was in the fray when a few clients called me today to say “help, the website is down” – it seemed odd a few sites were down, others weren’t. of course trying to get o the websites that were experiencing problems, well i just got nuthin’ – no error message back from the webserver or anything. seemed odd.

I saw the webserver instances were up so i added host headers for the IP quickly, just to see if i could get traffic routed there – and it worked – so i knew immediately it was a dns issue – and that’s when i discovered go daddy was down for the count.


Dealing with Case Sensitivity of Database Table Names at the Persistance Layer with Hibernate

Written by Sean Ryan on . Posted in App Dev, Architecture, Gotchas, Strategy

It’s been a while since my last post so it’s about time I got back to it since I’m backlogged with all sort of awesomeness.

Recently, I took over a pretty big Spring project. Lucky for me, it was written largely in Spring 3.0 so my periodic upgrades to 3.1 haven’t been too difficult. I’m the only developer on the project but it’s not that bad (anymore) and it’s given me a chance to really focus on my Spring skills.

Since I develop locally, I backed up the production database on the server and brought it down to my laptop. Before I could work on it, I needed to run the data through a conversion routine that migrates the database model and its data into the new and improved model for the next release.

The Problem

The problem is that the server is Linux and my computer is a Mac.

Why does this matter? It matters because each OS has different case sensitivity. The conversion routine uses Hibernate as the persistance provider and it’s configured to use the DefaultComponentSafeNamingStrategy which maintains the same case as the managed entities. This is fine except that the application uses a custom naming strategy that converts everything to lower case and acts as a wrapper around the DefaultComponentSafeNamingStrategy. The only time this would ever cause a problem is when the operating system the application is run on is case sensitive. Linux is but Windows is not case sensitive and neither is Mac. I didn’t know this. In fact, I was under the impression Mac was a good OS.

Any of my collegues reading this right now are smiling because I’m constantly listing the ways Windows is terrible and Macs are better as programming tools.

The Effect

This problem wasn’t actually a problem on Windows or Mac. It manifested itself when I moved my converted data up to the server and restored it into the database. When I fired up the application, all the data was gone! Pretty sure a pink slip was in my future, I scrambled to figure out what happened. This was the first time the data was updated since my firm took over the project and they had put their faith in my ability to not blow the database away. I had just blown the database away, or so I thought. It took a while to figure out what happened.

As it turns out, the data was there but with camel casing but since the app uses a lowercase naming strategy, it wasn’t able to find any of the tables.

For example, a table named MyWidgetTable was being looked for under the name mywidgettable.

Finding the Best Solution

This might seem like an easy fix, just update the naming strategy for the conversion routine. It’s true, that’s the best solution and the one I selected but, it’s important to realize why it’s the best solution.

For instance, another option would be to configure the database – in this case, MySQL – to use lowercase naming when creating objects. People do this. You can read more about that here

Although this is an option, I don’t recommend it.  Doing so will more tightly couple the database implementation to the application and whenever possible we like to make each tier in an architecture as pluggable and removable as possible.  Changing databases has more side effects when you start introducing configurations that directly impact the design of a system.

In general, when you need to deal with filesystem objects, try to choose an implementation that will work across the big players to keep your code as portable as possible even when you think you’re environment won’t change. It will and in this field, crap changes every couple of days! The previous developer knew this and that’s probably why he wrote the custom lower case strategy to begin with.