
CF911: Have you updated your ColdFusion JVM to _24 yet? Important security fix for CF 8/9

Note: This blog post is from 2011. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This isn't new info, but you may have missed it. If you're running CF 8 or 9, did you know you can and should update the JVM that came with it? And that you have Adobe's blessing to do this update? This is because of a serious bug in the JVM that is not fixed until 1.6.0_24.

Both CF 9.0 and 9.01 run on older JVMs (and therefore need this update). And are you on CF8? You're not left out: Adobe even has confirmed this update can be applied to CF 8 and 8.01, too!

Note: if you are finding this blog post because you're searching the web for help on updating the JVM that underlies ColdFusion, note that this is a very old post (2011) about one specific JVM version. Instead, for a more general discussion of updating the JVM, and especially about solving and preventing common problems when doing that, see my more "recent" (2014) and more elaborated post: CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'.

Still more updates since this originally was posted:

Update 1: Since I wrote this blog entry in Oct 2011, Adobe has come out with a new technote in Oct 2012 saying that you are now permitted to update to any version of Java 1.6 (for CF 8/9/10).
Update 2: Since posting this note, I've realized I should document an important fact to be aware of if you DO update the JVM: after doing so, changes you made to allow CFHTTP calls to SSL pages (or other tags in CFML that talk via SSL or TLS) may "seem to have been lost". The likely cause is that you had modified your current CF setup to import specific certificates for such sites, and those imports lived in the old JVM's keystore; the JVM that CF is now using has its own keystore, so they appear "lost". But these cert changes can be recovered. For more on that, see the next to last section below.
Update 3: In Feb 2013, Adobe did come out with an update that authorizes moving to Java 1.7 in either 9 or 10. You must apply the update first, though. More in this Adobe blog entry.
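
The keystore difference described in Update 2 can be checked directly. The following is an added example, not code from the original post: it compares `keytool -list` output from the old and new JVM keystores and reports the aliases that exist only in the old one. Keystore paths and the store password are assumptions supplied by the caller, and the aliases in demo() are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Keystore paths and password are
# supplied by the caller; aliases in demo() are constructed sample data.

# Aliases in saved `keytool -list` output $1 (old JVM) missing from $2 (new JVM).
missing_in_new() {
  awk '/(trustedCertEntry|PrivateKeyEntry),? *$/ {
         alias = $0; sub(/, .*/, "", alias)
         if (FILENAME == ARGV[1]) seen[alias] = 1
         else if (!(alias in seen)) print alias
       }' "$2" "$1"
}

# List what the old keystore has that the new one lacks, for review.
report() {  # old_keystore new_keystore storepass
  t=$(mktemp -d)
  keytool -list -keystore "$1" -storepass "$3" > "$t/old.txt"
  keytool -list -keystore "$2" -storepass "$3" > "$t/new.txt"
  missing_in_new "$t/old.txt" "$t/new.txt"
  rm -rf "$t"
}

# Copy only the reviewed aliases ($4...) from the old keystore into the new one.
import_aliases() {
  old=$1 new=$2 pass=$3; shift 3
  for a in "$@"; do
    keytool -importkeystore -noprompt -srcalias "$a" \
      -srckeystore "$old" -srcstorepass "$pass" \
      -destkeystore "$new" -deststorepass "$pass" < /dev/null
  done
}

demo() {  # runs offline on constructed listings
  d=$(mktemp -d)
  printf '%s\n' 'Your keystore contains 3 entries' '' \
    'verisignclass3ca, Mar 26, 2004, trustedCertEntry,' \
    'partner-api, Oct 3, 2011, trustedCertEntry,' \
    'intranet-ca, Jan 5, 2010, trustedCertEntry,' > "$d/old.txt"
  printf '%s\n' 'Your keystore contains 1 entry' '' \
    'verisignclass3ca, Mar 26, 2004, trustedCertEntry,' > "$d/new.txt"
  missing_in_new "$d/old.txt" "$d/new.txt"
  rm -rf "$d"
}

if [ "$#" -eq 3 ]; then report "$@"
elif [ "$#" -gt 3 ]; then import_aliases "$@"
else demo; fi
```

Review the reported aliases before importing: the old store may also hold bundled CA entries that the newer JVM no longer ships, and copying the whole old keystore over the new one would bring those back too.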

Old news, but not everyone knows


CF911: Lies, damned lies, and when memory problems may not be at all what they seem, Part 1

Note: This blog post is from 2010. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Following on my earlier entry, CF911: Lies, Damned Lies, and CF Request Timeouts...What You May Not Realize, another common source of confusion and misunderstanding for people is when they think their server is "running out of memory", when in fact the problem is often not at all what they think. In this entry, I want to apply the same "cranky" tone :-) and extended explanation to this equally controversial/confusing topic.

I hear people raise concerns with memory problems quite often, whether in my CF Server Troubleshooting practice, or just in my participating in many mailing lists. Indeed, addressing this issue more than a few times the past couple of weeks has motivated me to create this, which will be a series of blog entries.

The series parts are expected to be:

  • Step 1: Determine if indeed you are getting "outofmemory" errors (this entry)
  • Step 2: Realize that having high memory usage is not necessarily a problem (entry to come)
  • Step 3: Realize that OutOfMemory does not necessarily mean "out of heap" (entry to come)
  • Step 4: Diagnose why you really are running out of heap (if you are) (entry to come)
  • Step 5: Realize that CF is maybe suffering because you set the heap too large (entry to come)
  • Step 6: If CF is hanging up but NOT due to memory, what could it be? (entry to come)

Let's get started and see how far we get...


Some code to throttle rapid requests to your CF server from one IP address

Note: This blog post is from 2010. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Some time ago I implemented some code on my own site to throttle when any single IP address (bot, spider, hacker, user) made too many requests at once. I've mentioned it occasionally and people have often asked me to share it, which I've happily done by email. Today with another request I decided to post it and of course seek any feedback.

It's a first cut. While there are a couple of concerns that will come to mind for some readers, and I try to address those at the end, it does work for me and has helped improve my server's stability and reliability, and it's been used by many others.

Update in 2020: I have changed the 503 status code below to 429, as that has become the norm for such throttles. I had acknowledged it as an option originally. I just want to change it now, in case someone just grabs the code and doesn't read it all or the comments. Speaking of comments, do see the discussion below with thoughts from others, especially from James Moberg who created his own variant addressing some concerns, as offered on github, and the conversation that followed about that, including yet another later variant.

Update in 2021: Rather than use my code, perhaps you would rather have this throttling done by your web server or another proxy. It is now a feature offered in IIS, Apache, and others. I discuss those in a new section below.

Background: do you need to care about throttling? Perhaps more than you realize


Revisiting CF/Java integration

Note: This blog post is from 2008. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
On a mailing list, someone asked about running/integrating Servlets, JSPs, Struts, and EJBs in CF. This is one of those topics that was discussed a lot when CFMX came out, but those who didn't switch at the time may have missed out.

I thought I'd share here my answer to his question (pointing out several resources for him to learn more), in the hope that it may help others also who may only now be considering such integration.

Since he was already familiar with running JSPs on CF, but some readers here may not be, I'll start with just a quick point about that, then I'll offer what I replied to him.

CF and Java Integration

It may be important to clarify that technically, it was CF 4.51 that first afforded the option to integrate with Java (including EJBs). Though CF then wasn't built upon Java, you could point to a JVM in the CF Admin and various CF tags and functions afforded some Java integration.

CFMX 6, however, was not only built upon Java but the Enterprise (and Developer) edition specifically added the ability to run JSPs and servlets directly within CF. More than that, there's some significant integration possible.

In the case of JSPs, you could just drop them into the same code directory with your CFML templates. Servlets take a little more work, as explained in my reply to the gent's email, below. He had been reading a JSP/servlet book and wanted to know how to run the latter, especially, on CF, as well as how to integrate with the Struts framework:

I hope I can help and I think you'll find I have good news.

You mention looking at a book on JSPs and servlets, and you ask how to implement them (and JSPs) in CF. Of course, that book won't help with that--but neither really will the CFML Reference (or a site like CFQuickdocs), if you may have looked at that. You need to look at the ColdFusion Developers Guide in the CF docs (http://livedocs.adobe.com/coldfusion/8/htmldocs/Part_4_CF_DevGuide_1.html), or any CF books out there. The CF manual has a chapter specifically on this topic: Integrating J2EE and Java Elements in CFML Applications.

For instance, that chapter clarifies that to run a servlet called HelloWorldServlet, you put the servlet .java or .class file in the [CFserver]/WEB-INF/classes directory and refer to the servlet with the URL /servlet/HelloWorldServlet. It also discusses sharing data between CFML and such JSPs/servlets. You can even use JSP custom tag libraries directly within CFML, and lots more. And yes, the docs show (briefly) how to enable EJBs and call them from CFML.

That said, the coverage in the docs may leave one wanting more, so you may want to consider other resources that discuss it more. There was at least one book focused on that, Reality Macromedia ColdFusion MX: J2EE Integration. There were also lots of talks and articles back in the 2002 timeframe, when this stuff really took off with CFMX (though Java integration was added back in CF 4.51, which added a means in the CF Admin to point to a JVM that CF would work with.)

For instance, I did lots of presentations on CF/Java integration (as did others, of course). If you visit http://carehart.org/presentations/, you can search for java, jsp, or servlet filters.

Doing Struts is not discussed in the CF docs, but there was at least one DevCenter article that discussed it specifically: Streamlining Application Development Using Struts in ColdFusion MX.

It's interesting to see these recent questions about things that came out with CF 6--many shops either didn't move from 4/5 right away, or did but didn't take advantage of the new features. Folks in that position will then not have necessarily followed all the resources (books, technotes, blog entries, user group talks) that came out back then.

This is one of the reasons I keep saying that any topic on the CF Meetup is welcomed. Not everyone needs only to learn new stuff, many need to learn what may seem "old" stuff. It's also the reason why I keep pointing to articles and talks I did in the way past. :-)

Though he didn't ask about it, of course also since CF 6 you've been able to deploy CFML as a J2EE (or Java EE) web application/WAR or enterprise application EAR. That feature has improved from 6, to 6.1, to 7 (and of course is still possible in 8).

Certainly, if you're a shop that has any Java folks--and especially if there's some strong desire to lean that way, and CF is still seen mistakenly as a proprietary island--it's important to be able to convey to them that your CFML app can be deployed as a pure J2EE web app (WAR/EAR), which is a form they'd expect.

I think all this would be a topic worth my packing together for an upcoming CF meetup session. Until then, again, anyone interested in the topics can see the resources mentioned above that I and others have written.

Copyright ©2024 Charlie Arehart