Viewing by month: January 2006

Jan 11 2006

ColdFusion: Do we *need* interfaces?

One of the most requested features from the OO CF crowd has been the implementation of interfaces in ColdFusion. Sean Corfield seems to be on the "don't need them" side of the fence nowadays, and his entry on the subject has sparked a lot of comments (a *lot*). While I was for them for a while, I switched over last May, and thought it might be a good time to re-run my old blog entry on the subject:

Updated 11:05PM EST, Jan 11: I've shut off comments on this post, as it's becoming the same discussion as is on Corfield.org. Please visit Sean's Post to chime in!

Originally blogged May 16, 2005

Get over it: CF isn't Java

There's a lot of "We want interfaces! Nulls! Method overloading!" going on in some of the CF lists, and I really think it's a misunderstood push to become more "OO." Implementing a CF solution in an OO manner really has nothing to do with any of the above demands, and a lot to do with shifting how you think.

Adobeflobiemedia (or whatever we'll call it this week) could implement all of the above, and it probably wouldn't make a lot of people's code any more OO. Having the constructs available (interfaces, nulls, overloading) doesn't make a language OO: just look at how much Java, C++, and C# is procedural code hammered into the OO constructs.

First: Formal, compile-time interfaces

Don't need 'em. Don't really want 'em enforced in the language.

My simple solution:

Draw a class diagram showing what the interface is, provide a shell CFC, and kick everyone's rear into following the contract. Let Macrodobe focus on cool features, not something a small percentage of CF developers will use.

Second: Nulls

They're championed because of code like this (ripping off a recent example from CFCDev):

if (person.getSpouse() == null) { write("Person is not married!") }

I really don't like this style of coding (even though it's really, really common in some languages). Instead, if a person doesn't have a spouse, and you ask for one, isn't that an exception?

try { person.getSpouse() } catch (any e) { write("Person is not married") }

Or, better yet:

if (!person.isMarried()) { write("Person is not married") }
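The two alternatives above written out as a CFC, as an added example that is not from the original post: getSpouse() raises a typed exception instead of returning a null, and isMarried() lets callers ask first. The component name, the exception type "Person.NoSpouse", and the use of an empty string as the "no spouse" sentinel are assumptions for the example; IsObject() is the CFMX 7 function for testing whether a variable holds a CFC instance.

```cfml
<!--- Person.cfc (added example, not the original post's code) --->
<cfcomponent displayname="Person" output="false">

  <cffunction name="init" access="public" returntype="Person" output="false">
    <cfargument name="name" type="string" required="true">
    <cfset variables.name = arguments.name>
    <!--- Assumption: an empty string stands in for "no spouse", so no null is needed --->
    <cfset variables.spouse = "">
    <cfreturn this>
  </cffunction>

  <cffunction name="getName" access="public" returntype="string" output="false">
    <cfreturn variables.name>
  </cffunction>

  <cffunction name="setSpouse" access="public" returntype="void" output="false">
    <cfargument name="spouse" type="Person" required="true">
    <cfset variables.spouse = arguments.spouse>
  </cffunction>

  <!--- Query method: callers ask before they fetch, no null comparison anywhere --->
  <cffunction name="isMarried" access="public" returntype="boolean" output="false">
    <cfreturn IsObject(variables.spouse)>
  </cffunction>

  <!--- Asking for a spouse that does not exist is treated as an exception, not a null --->
  <cffunction name="getSpouse" access="public" returntype="Person" output="false">
    <cfif NOT isMarried()>
      <cfthrow type="Person.NoSpouse"
               message="Person is not married"
               detail="#variables.name# has no spouse">
    </cfif>
    <cfreturn variables.spouse>
  </cffunction>

</cfcomponent>

<!--- Caller side, the two styles from the text: --->
<cfset person = createObject("component", "Person").init("Ann")>

<cfif NOT person.isMarried()>
  <cfoutput>#person.getName()# is not married</cfoutput>
</cfif>

<cftry>
  <cfset spouse = person.getSpouse()>
  <cfcatch type="Person.NoSpouse">
    <cfoutput>#cfcatch.message#</cfoutput>
  </cfcatch>
</cftry>
```

The typed exception matters: catching `type="Person.NoSpouse"` rather than `type="any"` keeps a real failure in getSpouse() from being silently reported as "not married."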

Third: Overloading

He who can successfully implement overloading in a typeless language has a great big brain. Any implementation I can think of is a cheap hack that'd be endlessly debated to the harm of many and benefit of few.

I spent a good deal of my time at my last job chasing overloading hierarchies through a big inheritance tree. I really don't ever want to do it again, so please, look for more elegant ways to get things done.

PS: I'm contradicting myself a bit, as I am one of the votes for interfaces being added to the CF feature set. If possible, I'd like to retract my vote.

13 comments - Posted by Joe Rinehart at 9:03 AM - Categories: ColdFusion MX

Jan 6 2006

Model-Glue "Headstart" Preview (screenshots!)

Model-Glue 1.1, while not a feature release, includes a new application called "Headstart." It's basically a sample application I've wanted to write for a while that's grown into a template that can be used for creating your own applications.

Its features follow:

* MySQL and MS SQL Server support

* Role and Key based security (allows group-level and record-level security)

* User administration

* Configurable (can be turned on/off) User Signup

* Configurable (can be turned on/off) Requirement of login to access the site at all

* Robust exception handling: it'll e-mail errors to you, with error information, form, cgi, and url scope information, and the Model-Glue debugging stack

* Built-in e-mail services that allow your Model CFCs to easily create and send e-mail

The code is nearly complete, and I thought I'd share a screenshot of it in action. You can click the below image to see it in full-size.

Headstart Preview (small)

8 comments - Posted by Joe Rinehart at 3:44 PM - Categories: ColdFusion MX | Model-Glue

Jan 6 2006

Two Job Postings: Work with the Model-Glue guy!

My team's expanding, and I'd like to encourage any interested readers of my blog to apply! We're looking for two ColdFusion developers, able to work onsite in the Washington, DC area, for one of the oldest management and IT consulting firms in the business: Booz | Allen | Hamilton.

Specifically, we're looking for one junior and one senior developer.

Senior Developer - Job Posting

The senior developer needs to have a good command of ColdFusion, and a great command of SQL and MS SQL Server. You'll be maintaining and adding new functionality to a large, existing application and helping with new work as availability allows.

Junior Developer - Job Posting

The ideal junior developer would be someone who's actively using ColdFusion, but may have dabbled in a few other languages. We'd especially like someone with an interest in Object Oriented Programming/Design. Expect to learn and use the Model-Glue and ColdSpring frameworks to do maintenance and new development work.

If you'd like more information about either, please let me know. I can't provide low-level details, but can answer questions about the company, etc.

15 comments - Posted by Joe Rinehart at 9:55 AM - Categories: ColdFusion MX | Model-Glue

Jan 4 2006

Model-Glue 1.1 Preview

Model-Glue 1.1 is nearing a test release. The only new "feature" is ColdSpring integration; the framework is about as robust as it can be while still obeying the KISS principle.

There are a few things coming, however, that can help you with Model-Glue apps:

A really, really nice application "starter kit".

I've kept one around at work for a little while now, and I'm rewriting it to be more general. This application template will be compatible with MySQL and MSSQL, and will provide a basic site with login/logout, profile management, and user management. You should be able to deploy a copy, then start writing the functionality for your application.

If nothing else, it'll provide many-times-asked-for examples of data access, form validation, and role-based security in Model-Glue.

Tight integration with ColdSpring

ChiliBeans will still be the default IoC container for Model-Glue, but to really crank your architecture up a notch, you'll be able to switch to ColdSpring by adding one <setting> tag to the ModelGlue.xml file.

By adding another, ColdSpring will automagically "wire" your controllers to whatever services/components they use; it sounds mystical and abstract, but the examples should show just how cool this is. A number of the BER users have been doing this for a few months, and it's really, really fantastic.

Unnamed (implicit) results can now redirect

This is a fix for a minor issue that some people brought to my attention. If you had redirect="true" on an unnamed result, the redirect didn't happen.

Results added during "Static" broadcasts (OnRequestStart, etc.) will be obeyed

If you ever tried adding a result during a message-listener for OnRequestStart, you'd notice that the result was simply ignored. In 1.1, it'll now be obeyed. This should make it easier to do things like broad application of requiring a login without using <cflocation> in the controller.

This is really only relevant to OnRequestStart, because for OnQueueComplete and OnRequestEnd, there's really no point to adding results (the event queue is done and over with at that point!).

That is all :)

11 comments - Posted by Joe Rinehart at 7:11 AM - Categories: Model-Glue

Jan 4 2006

Model-Glue Goes Java!!

Chris Scott has been pseudo-quietly working on a Java port of the Model-Glue framework for the past month or so, and he's got an early source release ready to go! For the moment, it's only available via Subversion (not an official release) from the same repository as the Model-Glue BER.

SVN url = svn://clearsoftware.net/clearsoftware.net/ModelGlueJava

Ok, enough typing, I gotta go check this out...

5 comments - Posted by Joe Rinehart at 6:00 AM - Categories: Joe Drinks Java | ColdFusion MX | Model-Glue

Jan 3 2006

Frameworks: Making security auditing easy

I was tasked recently with auditing an application's security, which is always a tedious process. Luckily, I was only reviewing the application code, not the platform or infrastructure running the app.

The application was not written using an MVC framework, so I began by crawling through source code. It took a while, as each .cfm file contained business logic, data access, and display code.

In the end, I've rewritten the application using Model-Glue, and it's shown me another benefit of using application frameworks, especially those that implement MVC such as Model-Glue, Mach-II, and Fusebox: if the rules are followed, the points at which low-level security flaws can be found are isolated, and much less likely to be missed.

Example 1: Finding XSS attack points

Cross-site scripting (XSS) attacks generally occur when developers allow users to enter free-form information and then write it back into a page without escaping the HTML / Javascript it may contain. It'd be easy for me to fill in a complaint form that was XSS-vulnerable, embedding Javascript to send me the reader's session cookie, and then use that cookie to hijack the session of the customer service rep reading the complaint.

When using an MVC framework, all of this display code should be in one place. In Model-Glue, that'd be your views directory. Going back to my task at hand, when I audited the same application after it was rewritten, I knew that all I had to do was examine all of the simple .cfm files in my /views directory, making sure strings were always shown using HTMLEditFormat() and links always used URLEncodedFormat() for their parameters.

Example 2: SQL Injection

SQL Injection occurs when people build "dynamic" queries using user-provided parameters (this includes URL parameters!). It's widely understood, and often ignored. For more, see my earlier post cfQueryparam and Database Security.

The short of it: queries should always be parameterized. An MVC approach ensures that part of my Model provides all database access (usually in the form of DAO and Gateway CFCs). When this rule is followed, I again know that there's only a segment of the application I need to examine to ensure SQL Injection attacks are prevented.
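A Gateway CFC in that style, as an added example that is not code from the original post or from Model-Glue: the one place SQL for a complaint table lives, showing a concatenated query next to its parameterized form. The datasource, table and column names are assumptions for the example.

```cfml
<!--- model/ComplaintGateway.cfc (added example, not the original post's code) --->
<cfcomponent displayname="ComplaintGateway" output="false">

  <cffunction name="init" access="public" returntype="ComplaintGateway" output="false">
    <cfargument name="dsn" type="string" required="true">
    <cfset variables.dsn = arguments.dsn>
    <cfreturn this>
  </cffunction>

  <!--- VULNERABLE: the argument is pasted into the statement. A URL parameter of
        id=0 UNION SELECT username, password, '', '' FROM users
        is executed as SQL --->
  <cffunction name="getByIdUnsafe" access="public" returntype="query" output="false">
    <cfargument name="id" type="string" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="#variables.dsn#">
      SELECT id, subject, body, customerEmail
      FROM complaint
      WHERE id = #arguments.id#
    </cfquery>
    <cfreturn q>
  </cffunction>

  <!--- PARAMETERIZED: cfqueryparam sends the value as a typed bind variable, so
        the input above never becomes part of the statement. The numeric argument
        type rejects non-numbers before the database is even reached --->
  <cffunction name="getById" access="public" returntype="query" output="false">
    <cfargument name="id" type="numeric" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="#variables.dsn#">
      SELECT id, subject, body, customerEmail
      FROM complaint
      WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn q>
  </cffunction>

  <!--- String search: still a bind variable. The wildcards are added here, by the
        code, so a caller cannot turn the pattern into anything but a pattern.
        maxlength caps what is sent to the database --->
  <cffunction name="search" access="public" returntype="query" output="false">
    <cfargument name="term" type="string" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="#variables.dsn#">
      SELECT id, subject
      FROM complaint
      WHERE subject LIKE <cfqueryparam value="%#arguments.term#%"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="100">
    </cfquery>
    <cfreturn q>
  </cffunction>

</cfcomponent>
```

With every `<cfquery>` confined to CFCs like this one, the injection audit reduces to reading each query in the model directory and confirming that no `#...#` appears inside it except as the `value` of a `<cfqueryparam>`. Anything that cannot be bound, such as a column name used for sorting, has to be checked against a fixed list in the code instead.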

Conclusion

An approach such as an MVC framework puts code into "compartments." When you need to audit for a specific security vulnerability, this organization of code makes life easier, as you only need to examine the code concerned with that vulnerability.

0 comments - Posted by Joe Rinehart at 9:19 AM - Categories: ColdFusion MX | Model-Glue