Friday, September 19, 2008

Fusebox Status

The last 2 weeks I have sat down every evening and [re]read through parts of Fusebox's core files. I also had a very energetic discussion with Team Fusebox (more on that some other time). First I have to say Sean put together one hell of a beast in Fusebox 5.5. In some aspects Sean and I have a different coding style so I feel like I would have done a couple of nitpicky things differently, but overall Fusebox looks to have been very well thought out and put together nicely. My main gripe is the abundant [ab]use of public parameters on the CFCs, which sometimes makes it hard for me to track something down, especially since most of the time they are defined for the first time inside one of the methods of an object. Sometimes I get lost in all the parameters that are set but that's just the amount of data Fusebox is dealing with at times. The one thing that I was left without that disappointed me was unit tests. To that point I am working on some unit tests for the core files but I still do not have a good enough handle on all things Fusebox to begin to write good unit tests. The tests I have are mostly checking the skeleton right now (which works ok but I am on my TDD kick right now ;) ). With the small bad I have to say Sean left me with one of the most solid code bases I have ever seen. Some of the stuff he does in Application.cfc is pretty cool and thanks to its nicely done design I've been able to get in and make some additions already. The features I am talking about here are implemented and will be available in the BER I publish this weekend. I want to hear feedback on them, please please please let your voice be heard!

I've not tried to hide my disdain for circuit XML in Fusebox (have no fear it is going nowhere and will get lovin' when it needs lovin', too many of you people are masochists and like the XML). As a sign of good faith I added a feature to the XML fusebox that had always really bugged me (I'd like feedback on the good/bad side of this change). I've always hated having 15 circuit.xml files open in the editor, which led to the addition to the circuit.xml finding algorithm. Fusebox (in the BER that I plan to push sometime this weekend) will now find alias.xml or alias.xml.cfm in the path specified in Fusebox.xml.

The second feature that I added was something I really wanted to see, and I wanted it at Kroger. Fusebox now supports defining No XML circuits in fusebox.xml. What this means is you do not have to rely on Fusebox's location conventions to leverage No XML circuits. In Kroger our application layout does not match the conventions that Fusebox wanted to impose. I had a long discussion with some friends and colleagues about changing Kroger's application layout vs adding some functionality to Fusebox. In the end I felt it was a feature that would give Fusebox users a nice mesh between configuration and convention.

Like I said I plan to get this stuff into SVN this weekend so anyone interested can start playing with it. I've turned off comments on this entry so as to drive all comments to the Fusebox Group on Yahoo; I am doing my best to keep the discussion in one main place.

Saturday, September 13, 2008

SQL Injection Nonsense

I know whole gobs of blogs have been talking about the SQL injection issues and all the fun stuff recently. I don't generally get into these security discussions as they're really not my focus. Don't get me wrong, it's an important subject, but I feel like there are plenty of other people out there tooting this horn who presumably know a crap ton more than I on the subject. I'll be honest, for the last 4+ years I have worked completely inside our firewall on the intranet so security is a bit different for us. One thing I keep finding myself questioning though is how many of us are putting ourselves at risk unnecessarily? I'm not talking about not using cfqueryparam here, I am talking about the datasource and the database itself. Is your CF server using an account with the appropriate security level? Let's be honest here: 80% of us are using sa or some account with entirely too high of privileges for what it is being used for. What a dead brained move. If you are using sa or some other admin level account, stop it and you stop half the threat. You don't even need to change code, just the data source in the Admin. Even if for some reason your web app needs to control the database at some crazy level, create specialized datasources for that section of the application. Datasources that are used on publicly accessible portions of a website should be restricted as much as possible.
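
The datasource advice above, sketched for SQL Server (the post mentions sa) as an added example that is not part of the original post. The database ShopDB, the logins cf_public and cf_admin_section, the tables and the passwords are all hypothetical placeholders; the datasource in the ColdFusion Administrator would then be pointed at cf_public instead of sa.

```sql
-- Added example for SQL Server. All names are hypothetical: database ShopDB,
-- logins cf_public and cf_admin_section, tables dbo.Products, dbo.Orders,
-- dbo.Users. Passwords are placeholders to replace.

-- 1. Audit: list the logins that hold sysadmin. The login configured on the
--    web datasource should not appear in this result.
SELECT m.name AS login_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
GO

-- 2. Dedicated logins: one for the public pages, one for the admin section.
CREATE LOGIN cf_public WITH PASSWORD = 'Replace-Me-With-A-Strong-Pw-1';
CREATE LOGIN cf_admin_section WITH PASSWORD = 'Replace-Me-With-A-Strong-Pw-2';
GO

USE ShopDB;
GO
CREATE USER cf_public FOR LOGIN cf_public;
CREATE USER cf_admin_section FOR LOGIN cf_admin_section;

-- 3. Public site: only the statements its pages actually run, per table.
--    No db_owner, no db_ddladmin, nothing on dbo.Users.
GRANT SELECT ON dbo.Products TO cf_public;
GRANT SELECT, INSERT ON dbo.Orders TO cf_public;

-- 4. Admin section: broader data access through its own datasource, still
--    without any server-level rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO cf_admin_section;
GO

-- 5. Check: impersonate the public user and list its effective permissions
--    on a table it was never granted.
EXECUTE AS USER = 'cf_public';
SELECT permission_name FROM fn_my_permissions('dbo.Users', 'OBJECT');
REVERT;
GO
```

With this split, an injected statement running through the public datasource is limited to what cf_public was granted, and cfqueryparam remains the fix for the injection itself.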

Friday, September 12, 2008

MVCFUG gets to listen to me Rant

With the successful launch of the MVCFUG I am excited to be able to provide content for a local UG. They've asked me to present there next month about Improving Code Quality. Some of you may remember I did a BOF at cfUnited that had a great turnout and this is the presentation that I was going to present at cfDevCon. Unfortunately, cfDevCon had to be canceled but I am excited to share the content stateside with a great group of developers. As an aside this one I think is planned for the evening so folks in Cincinnati should make a trip up, it's just Miamisburg. I am not sure that they are set up to do Connect so please don't expect a Connect presentation out of it. As with most of my presentations this one really focuses on how we can work together and produce high quality code. We'll most likely focus on peer design and peer reviews. When I say code quality I am not talking about using a structure or queryparam (that is not what a code review is for, people!). Really I am not even talking about using CFCs (correctly or otherwise), though they can play into quality. I am talking about how we can work together to create maintainable software that has high fidelity. Talking about code quality is a very passionate subject and I can't wait to share my experiences with the Miami Valley folks!

Monday, September 08, 2008

Fusebox 5.5 Documentation

I know a lot of folks have asked for more documentation for Fusebox 5.5. This morning it occurred to me that maybe, like myself at one point many months ago, folks are not aware of Sean's excellent release notes. I have to say Sean did a great job with his release notes for 5.5 and 5.5.1 (missing). These 2 PDFs may not be indexed by Google, which may be why not many people are aware of them. I will try to get some of this content copied out and into the wiki over the upcoming weeks but if you have not read these docs please do so. I really think they do a good job covering Fusebox 5.5 functionality. Also please remember Jeff has now released a new book for Fusebox!

Wednesday, September 03, 2008

bFusion Materials

I've spent a lot of time working through the hands-on work for my TDD presentation at bFusion, though the result may not seem like it as there are no materials (files) that you will need for the presentation. You will still want everything installed and running (ColdFusion, Eclipse, MXUnit) but you will need no additional files from me. You see, I wanted a nontrivial example to work through, but the problem with this is even if I did not speak at all 1.5 hours is not enough time to do a nontrivial example. Besides, TDD is much less about writing a test (anyone can do that) and much more the thought process. So instead of throwing you to the wolves to work hands-on I will present and answer questions for around 30-40 (depends on ???s) minutes and the remainder of the time we work together to solve as much of the nontrivial problem as we can. This will help everyone understand what types of things we should think about when writing tests and how to work TDD into a real project. The reason the presentation jumped in amount of time is during the presentation we'll be dropping into the IDE quite a few times to work through things together. I hope everyone will work along with me as you will get much more out of the session if you work along with me, as well as provide feedback!

Tuesday, September 02, 2008

Fusebox in Java??

A couple of weekends ago I stepped into my Java developer shoes and attended No Fluff Just Stuff, think cf.Objective() in attendance size, cfUnited Express in local feeling, and cfUnited (or SOTR) for quality of speakers. I wrote up the majority of the entry during that conference. Instead of publishing it at that time I decided to sit on it for a bit before rereading my thoughts and posting this entry. At NFJS Neal Ford talked about polyglot programming, something I myself have joined in about in the past. If you will recall polyglot programming has morphed into this thought process of using the appropriate language to complete a task. The JVM has become a very powerful platform, now supporting some 200+ languages. Most of these languages can interact with one another at some level, if not directly then they can use the Java level. While CFML happens to be my preferred language to write most of my applications in I have to wonder should frameworks be written in CFML?

Historically we were bound to strictly CFML; putting any part of a framework for CFML apps in Java would require putting the class on the classpath, not so shared hosting friendly. Well we have all progressed and learned a thing or 2 about Java and this traditional thought process needs to evolve some. Thanks to Mark Mandel and some of his crazy cool Java class loader work, even if you don't know much about class loaders, we are not bound to our traditional thoughts about how we can load Java classes. We can now easily load Java classes after server start up from places other than the predefined classpaths. Armed with this knowledge I can now objectively ask, should Fusebox be written in CFML or should it be written in Java (or Groovy or anything else that I could consume from CFML)? Even weeks later, presumably after all the Java Kool Aid has left my system, I still am leaning towards Fusebox should be written in Java. Maybe should is a bit too strong of a word there, Fusebox could benefit from being implemented, at least in part, in Java. This is not a proclamation that I am going to rewrite Fusebox into Java, remember I said I was going to think out loud when it came to Fusebox development, but I really am leaning towards writing parts of Fusebox in Java.

New CF UG in Ohio!

I was ultra stoked to see Lance tweet about his latest blog entry detailing the launch of the Miami Valley CF Usergroup. Congrats to Aaron and Lance for this accomplishment. The Greater Dayton area has some extraordinary talent and will be well served to have a proper usergroup up there. Being a Dayton native I am glad to see that market continue to grow and prosper, hell, maybe someday I will get to move back up into that market. Until that happens I need to get off my ass and follow suit and get the Cincinnati UG up and running, Kroger has one but I've never committed to doing an external one. Congrats again gentlemen, you know I am always happy to come up and present and I will certainly make an effort to attend as much as possible, O'neil's office isn't too terribly far away from me.