CFCamp 2015
Monkeh Works are at CFCamp in Munich and will be posting notes of sessions attended throughout the day.
Thanks to Bluegras.de for organising this great event and for all of the sponsors for, well, sponsoring it.
Day 1
This is the brain dump from day one of the CFCamp conference and notes taken throughout the sessions attended.
Make of them what you will. May contain spelling mistakes.
20 Years of ColdFusion - Rakshith Naresh, Adobe
- 100% representation with top 20 banks
- 90% rep in government agencies
Security
Language, Infrastructure and Resources
Language
- OWASP (ESAPI and AntiSamy)
- CSRF Token Pattern
- Session Rotation
- CRLF Protection
Infrastructure
- Security by default (secure profile and secure sandbox)
- Audit logs
- Password and XSS protection
- Updated crypto libraries
Resources
- Adobe PSRT
- Testing processes
- Knowledge and training
- Teams are training (belt certification) in security updates and skills
- Security-related bugs take top priority
- 3rd-party audit
- security agency audits feature set built by Adobe in every release
Web Services and HTML5
CF able to react to industry requirements and add in features and functions including:
- REST creation and publishing
- HTML features
- Mobile (cfclient)
Language Enhancements in CF 11
- cfscript support
- OAuth2 support
- member functions
- JSON enhancements
- closures
Acrobat Integration:
- pixel-perfect HTML conversion
- high performance PDF generation
- e-signatures
- full DDX support
- archiving
ColdFusion next
Raijin (12) and Aether (13)
Raijin
High-level focus areas:
- performance
- security
- language improvements
Also focussing on:
- API management
- mobile enhancements
Performance
Preliminary testing numbers (not official white paper results)
- Arrays = 130% faster
- Cached queries = 12% faster
- Scope search = 10% faster
- cfm page execution = 15% faster
Security
Raijin will contain a built-in code analyzer
Within ColdFusion Builder (portal view within editor) to perform security analysis and report any vulnerabilities along with line numbers; also reports what type of vulnerability with pointers to fix issue.
Covers (not complete list):
- SQL injection
- XSS
- Cookie validation
- CSRF
- (and more)
CFIDE script separation - CFIDE now completely removed from webserver
NTML support - cfsharepoint
, cfinvoke
and cfobject
- sanitization
- redaction
- can define coords to redact data / content programmatically
- import / export metadata
- can also export / extract comments and import back in (not just metadata)
- archive standards update
- PDF2B standard supported in CF12
Language Improvements
Safe navigation operator
if(isdefined('foo'))
{
writeOutput(foo.bar());
}
else
{
writeOutput'not defined');
}
Make this easier using safe navigation operator:
writeOutput(foo?.bar());
writeOutput(employee?.address[1]?.street?.foo);
Ordered and Sorted collections:
str = structNew("sorted");
str.zero = "zero";
str.beta = "beta";
str.alpah = "alpha";
// change order
str = structNew("sorted", "desc");
passArrayByReference
setting
searchImplicitScopes
setting
CLI
cf.bat file (Windows)
file, database, email and webservice operations
arguments and named arguments can be passed to the command
read()
, writeLn()
and writeError()
methods available
API Management Capabilities
- 63% of CF user base already expose APIs
- 34% of which are intranet APIs
- 23% or which are internet APIs
- 43% have both internet and intranet APIs
APIs being used for:
- 47% mobile enablement
- 45% driving internal innovation (reuse and cost reduction)
- 32% new channel for data, services or technology (increased reach)
- 25% customer and partner enablements
- 18% new source of revenue
APIs - from concept to go-to-market:
- define business objectives
- design your API
- code your API
- secure your API - access control mechanism (uername and password or API key generation)
- manage your API
- engage developers
- measure impact
- detailed analytics from the API
Raijin will include steps 2-7. Security, measurement and management included in CF12.
Secure your API
- Basic authentication
- API key generation
- OAuth
- built-in OAuth server included with token generation
- OAuth with SAML
Manage your API
- API versions
- private, public or partner
- API lifecycle - draft, published, deprecated and retired
- SLAs - rate limiting and throttling
Engage Developers
- Import portal users/developers from LDAP/database
- full fledged developer portal
- explore APIs available
- read API documentation
- tryout APIs from UI
- sign up for APIs
Measure impact
- compare metrics to business objectives
- admin, publisher, subscriber roles (and dashboard)
- detailed dashboard to view analytics based upon role
- metrics - timestamp, version, publisher
- metrics (cont.) - SLA, request method, status code, request and response content size
Extra SOAP support
- SOAP to REST translation
- SOAP Gateway
ColdFusion Advantage
- direct import of REST services from CF server
- minimal configuration to go live
- in VM interaction for faster access
Swagger
http://swagger.io
Import Swagger API Descriptions into the API management console / dashboard
(Monkeh Works <3 Swagger)
Static site generation using Node.js - David Boyer
http://www.metalsmith.io/
Generate your sites dynamically, hosting static pages and sites.
Can be easily regenerated any time, anywhere.
Not tied specifically to Node.js - can use any language.
Generate your static site by script or application.
Why Not Dynamic?
Speed is key. Dynamic servers and apps will introduce latency and bottlenecks
"Every 100ms delay costs 1% of sales" - Greg Linden - Amazon (2006)
Dynamic resources add latency
- databases
- server-side manipulation
Security Concerns with Dynamic Apps
- secure version of your server-side language
- 3rd-party code (modules, libraries, extensions) need monitoring
- ensure server-side code is secure (parameter protected and XSS safe)
Every new additional layer to your app adds an extra point of failure.
With static sites these points of failure and bottlenecks are greatly reduced.
Running costs are much lower with static sites. HTML can be hosted anywhere (for free) with minimal layers.
Why Static?
- improved security - only a web server to attack
- faster, no databases or server-side processing to construct the page
- fewer points of failure
- easily cacheable or hosted across multiple servers
- easier to debug
- HTML only changes when you regenerate the content
Mix and Match
- static content pages mixed with dynamic server pages
- static generated site, backed by an API and client side Javascript for dynamic components
- dynamic content management system producing a static based site
- Areas of your static pages can still be dynamic using client-side JS
Suggested Usage (from Metalsmith site)
Metalsmith / static generation can be used for:
- project scaffolder
- build tool
- ebook generator
- technical documentation
- article / blog site
- startup / product based sites
Metalsmith
Recursive read of all files in the ./src
directory.
Manipulates the file data through a series of plugins.
Write the results to a ./buid
directory.
Install:
npm init
to create package.json file (if it doesn’t already exist)
npm install metalsmith --save
Plugins
- provided to metalsmith through the
.use(fn)
method - plugin is provided with a list of files found and parsed by metalsmith
-
a reference to the metalsmith instance
npm install –save metalsmith-markdown
Use YAML definitions to crate metadata.
The markdown plugin will be able to parse this information and use it when generating your site
The YAML for THIS blog post:
---
title: CFCamp 2015 Day One
slug: cfcamp-2015-day-one
date: 2015-10-22
categories:
- Events
- ColdFusion
tags:
- Events
- Developers
- ColdFusion
excerpt: "Notes taken during day one at CFCamp 2015 in Munich."
---
Many templating engines available. This blog uses Jade (as you can see from the above YAML)
npm install metalsmith-layouts --save
The metalsmith configuration file declares which engine is used
.use(layouts({
engine: 'jade',
directory: path.join(__dirname, 'templates'),
basedir: path.join(__dirname, 'templates'),
}))
Useful Plugins
** NOTE: I’ll be writing up a Metalsmith article after CFCamp to document how this site is generated **
Using ColdFusion as the Lynchpin of Modern, 3-Tiered Web Apps - Dave Gallerizzo
Define the 3-tiered architecture
- also called a layer
- should be able to be constructed separately, possibly by different teams
- each tier should contribute something different to the whole
Why is CF uniquely qualified to support a 3-tier architecture?
- enterprise data connectivity (SQL and Non-SQL)
- native support for implementing RESTful web services
- ease of converting data to/from JSON
Benefits of 3-tiered architecture
- flexibility
- maintainability
- reusability
- scalability
- reliability
- framework
Implementing
By default most legacy CF based applications are built in what we call a 1-tier architecture
1-tier = presentation logic, business logic and data access logic with every single request.
Rules
The browser is a tool, not a tier. Code which runs IN the browser is a tier.
ColdFusion applications using components to separate data access from presentation and business logic is a 2-tier architecture.
You’re still accessing the data access logic directly from the presentation tier.
ColdFusion in a 3-tiered architecture
- delivering mobile data with CF
- creating and invoking RESTful web services
- working with HTML5 websockets
Introduction to Data und Text Mining with Java und CFML - Kai König
What is data mining?
Why do we have so much data nowadays?
- cheap storage and better processing power
- legal and business requirements
- digital hoarding
“Data mining is the extraction of implicit, previously unknown, and potentially useful information from data. The idea is to build computer programs that sift through databases automatically, seeking regularities or patterns. Strong patterns, if found, will likely generalize to make accurate predictions on future data. … Machine learning provides the technical basis for data mining. It is used to extract information from the raw data in databases…” - Ian Witten
Learning
"Things learn when they change their behaviour in a way that makes them perform better in the future"
Types:
- classification learning
- association learning
- clustering
- numerical prediction
Thing we want to learn is the concept.
The output of a learning scheme is the concept description.
Classification learning is sometimes called supervised learning. The outcome is the class.
Examples are called instances.
Discrete attribute values are usually called nominal values, continuous attribute values are called just numeric values.
Weka
Waikato Environment for Knowledge Analysis
Download for Mac OS X, Linux and Windows (any platform that runs Java)
http://www.cs.waikato.ac.nz/ml/weka/downloading.html