Flex 4 and Chromeless AIR applications

I’ve been working on a class for some of our higher education community members. I take the class from an Illustrator comp, through Flash Catalyst, then Flash Builder, and Flex to a Flex Application, then on to an AIR application. Because I’m starting in Catalyst, when I get to the AIR application I don’t really want to use AIR’s chrome. Rather, I’d like to go chromeless and let the UI handle things like closing the application and whatnot.

I found a good tutorial on doing chromeless AIR applications. But no matter what I tried, I couldn’t get rid of this big blank whitespace in my application, despite following the directions to the letter.

After a lot of trial and error, it turns out that the old way of making the Application background transparent with CSS (step 6 in the article) doesn’t work with the Spark component model in Flex 4. Instead you have to use a custom skin on the WindowedApplication tag.

The following skin works for me. I’m by no means an expert at this skinning stuff yet, but it gets the job done.








Now let me make it clear. There may be another way to do this. There may be a better way of doing it. It’s also possible that this is the flat out wrong way to do it. But when I searched for this, I got nothing. So I figured, I could at least help somebody just get the job done, and worry about “the right way” later.

Reporting ColdFusion Security Issues

A couple people have told me they had no idea how to report a security issue in ColdFusion. So I figured I would clear it up.

Normally when you have an enhancement request or a bug report, we direct you to the “Go/Wish” page. This is the page for all Adobe products. You choose ColdFusion from the product list and enter your request, which is then emailed out to the product team. (Soon there will be a more public version of this available for just ColdFusion.)

However, if you have a security issue, it makes more sense to report it to the Product Security Incident Response Team. Then the process is a little different. There is a lot more back and forth communication. The actual process is documented publicly. In any case there are two ways to report it:

Questions about the FCKEditor Vulnerability in ColdFusion

A number of questions have emerged from the ColdFusion community about the recent FCKEditor security vulnerability in ColdFusion. Hopefully this fills in more information for you.

Before I get into it though, let me just say that this isn’t an attempt to excuse the problems you’ve had. We know that you had a crappy week last week (or this week), and regret it. We do need to review what happened, and determine if we could have done this better. Personally, in hindsight, there’s one decision we should have gone another way on: we should have released the workaround sooner.

Is it true that Adobe had a fix for months and sat on it?

No, the issue was reported to us 7 weeks before exploits hit last week.

The workaround was pretty easy, why did it take you six weeks to come up with?

In this case, the issue was reported by a customer. The customer was not satisfied with just a workaround, for several reasons, including a concern that we were not actually fixing the correct problem. (This concern turned out to be true.) Additionally, our security people were not entirely convinced that the workaround was the right solution. (Although I need to state here that the workaround that is now circulating does close the security hole.)

For those reasons, a hotfix was the preferred solution. A hotfix takes more time to create. We had to create the hotfix, then test it to make sure it didn’t break anything, and then provide it to the customer for their approval. We also had to communicate with the FCKEditor folks, to ensure that we were correct in understanding their code. In short, in addition to testing, there was a lot of communication between many groups, and that burned up the time.

Now let me be clear here, I’m not casting blame on to the customer or any third party. Communication takes time, and in this case it took a fair amount of time. If you want to know more about this process it’s publicly documented on the PSIRT blog.

Why didn’t Adobe say anything at that time – the workaround was found pretty quickly?

If we acknowledged the security vulnerability and released the workaround we’d be leaving the reporting client in the lurch. There would be public knowledge of a vulnerability, but no acceptable solution for our customer (as they required the hotfix solution). We made the call to make the fixes privately and announce when we had a solution we were confident in.

In this case it ended up biting us and you. We now know we should have released the workaround as soon as we knew about it.

But honestly I’m personally torn. On one hand, we should have told you guys sooner, as evidenced by the public exploits. On the other hand, we weren’t arbitrarily holding it back, or idly sitting around – the security group was trying to get a proper fix out before an attack occurred. I think we just got some bad luck.

I’m sure you have opinions on this. Feel free to let me have it in the comments.

Did the Adobe shutdown exacerbate this issue?

The security response process was already in progress. Our teams that work on patches were not off that week, so the actual fix was not delayed. The Adobe Security team responded within a day of the reported problem. So I’m not sure the shutdown had a large effect on our official responses.

If you have other questions, please feel free to ask them in the comments.

On ColdFusion ORM and DBAs

Two things come up when I talk about the upcoming ORM features in Centaur:

  • DBAs are going to hate it
  • It’s going to put DBAs out of work, which will make them hate it.

Let me just say, 1 may be inevitable, but 2 is quite the opposite.

To start with, there are two ways of working with ColdFusion ORM, your application, and your database:

  • Start with the database and build your objects from it.
  • Start with the objects and have your database built based on them.

When you start from the database and go up, if you have a bad database, there is nothing Hibernate (the underlying ORM technology in Centaur) can do to make it any better. If it is poorly indexed, or improperly normalized, the resulting objects will perform poorly, or be unnecessarily complex.

On the other hand, if you have CF go ahead and create the tables for you, you will only get the basic indices and keys needed to generate relationships: primary keys and foreign keys. You can specify indices and unique constraints, but only if you know where to put them.

In both cases you will need the skills of a DBA (either your own, or a dedicated DBA’s) to help you make those decisions.
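As an added illustration of the “objects first” direction (this is example code, not something from the original post), here is what you have to write for Hibernate to generate anything beyond primary and foreign keys. The datasource name `app`, the `User` and `Role` entities, the table and index names are all assumed for the example; the `unique`, `notnull` and `index` property attributes are the hooks ColdFusion 9 ORM gives you to put constraints where a DBA would want them, and `logsql` lets the DBA see every statement the ORM emits.

```cfml
// Application.cfc (script syntax) -- assumed application; "app" is an assumed datasource name
component {
    this.name = "ormdemo";
    this.ormenabled = true;
    this.ormsettings = {
        datasource = "app",
        dbcreate   = "update",  // add missing tables/columns only; "dropcreate" would rebuild them on every restart
        logsql     = true       // write every generated SQL statement to the console/log for review
    };
}

// Role.cfc -- minimal related entity so the many-to-one below has something to point at
component persistent="true" table="roles" {
    property name="id"   fieldtype="id" generator="native";
    property name="name" ormtype="string" length="32" notnull="true" unique="true";
}

// User.cfc -- without unique/notnull/index, the generated DDL only contains
// the primary key and the role_id foreign key; everything else is your call.
component persistent="true" table="users" {
    property name="id"       fieldtype="id" generator="native";
    property name="username" ormtype="string" length="64"  notnull="true" unique="true";
    property name="email"    ormtype="string" length="254" notnull="true" index="idx_users_email";
    property name="created"  ormtype="timestamp" notnull="true";
    // the relationship is the one place the ORM creates a key for you: role_id becomes a foreign key
    property name="role"     fieldtype="many-to-one" cfc="Role" fkcolumn="role_id";
}
```

With `dbcreate="update"` the schema is only ever extended, never dropped, so a mistake in an index name costs a migration rather than the data; that is the setting to leave on outside a throwaway development database.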

What’s different then? Much like other uses of ColdFusion, it takes the knucklehead rote stuff and makes it easy.

  • No building table creation scripts.
  • No writing rote CRUD scripts.
  • DBA time can now be spent doing cool complex SQL and analysis where they really pack on the value.

How do you convince your DBAs of this? I have a few arguments:

  • ColdFusion ORM uses parameterized and prepared SQL much like cfqueryparam.
  • ColdFusion ORM can be configured to output generated SQL
  • ColdFusion ORM is based on Hibernate, which was built keeping most database best practices in mind.
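The first argument in that list is the one that matters to a security reviewer, so here is a side-by-side, added as an example for this post rather than taken from it. It assumes the `app` datasource and a persistent `User` entity with a `username` property; the request comes in as `url.username`.

```cfml
<!--- demo.cfm (example page; assumes the "app" datasource and a persistent User entity) --->

<!--- Vulnerable: the request value is concatenated into the SQL text.
      A username of  x' OR '1'='1  rewrites the WHERE clause instead of matching a row. --->
<cfquery name="unsafe" datasource="app">
    SELECT id, username FROM users WHERE username = '#url.username#'
</cfquery>

<!--- Fixed: cfqueryparam binds the value as a typed, length-limited parameter
      of a prepared statement, so the database never parses it as SQL. --->
<cfquery name="safe" datasource="app">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#url.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<!--- ORM equivalents: the filter struct and the HQL named parameter are both bound,
      which is what Hibernate turns into a prepared statement under the covers. --->
<cfset byFilter = EntityLoad("User", {username = url.username}, true)>
<cfset byHql = ORMExecuteQuery(
    "from User u where u.username = :username",
    {username = url.username},
    true
)>

<!--- Caveat: ORM does not protect HQL you build by hand. This is the cfquery bug again,
      one level up (HQL injection). Never concatenate request data into the query string. --->
<cfset stillBad = ORMExecuteQuery("from User u where u.username = '#url.username#'", true)>
```

If the ORM settings have `logsql` turned on, the statements Hibernate generates for `byFilter` and `byHql` show up in the console with `?` placeholders where the bound values go, which is the quickest way to show a sceptical DBA what the ORM is actually sending.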

Is this going to convince every DBA? Probably not. But hopefully enough have an open mind to at least give it a shot.


CFUG Tour Next Week

Next week I hit the road for my first leg of the Adobe User Group Tour.

I’ll be talking about Flex, Flash Builder, Flash Catalyst, and of course ColdFusion. My content varies depending on the mix of the particular user group, and I try to make each session different.

My schedule is:

I can’t wait to get out there and meet everyone.

Who’s Who of CFUG Tour – Adobe Version

So if you haven’t heard Adobe is having a tour of its ColdFusion User Groups to talk about the next versions of Flex and ColdFusion. In the past we’ve spread it out over something like six weeks. We’re doing it in three weeks. In order to accomplish that we’ve had to expand the speaker list a bit beyond me, Adam and Ben. I thought it might be helpful if I give you all some background on all of them.

One thing I like about this list is that it includes some internal converts, people who didn’t traditionally use ColdFusion, but who have started using ColdFusion over the past year or so and found that they liked it. I’m not going to single out the converts, but I figured that I would mention it, because even here at Adobe, we’re still gaining users.

If you’re an Adobe presenter and I didn’t list you, it’s because I didn’t know you were presenting. Drop me a line and I’ll add you. If I got something wrong in your blurb, let me know.

Josh Adams

As the ColdFusion Sales Engineer, you may have met Josh over the past two years or so. He’s a great resource for deep technical issues with ColdFusion.

Mihai Corlan

Mihai is a fellow Platform Evangelist based out of Bucharest, Romania. He’s an old hand at ColdFusion, who was also part of the Flex Builder team at one point.

Claude Englebert

Claude, based in Belgium, is the ColdFusion Specialist for Europe, the Middle East, and Africa. A long-time community member, he’s been at Adobe for about a year, and wears many hats (many of them quite festive). If you’re in EMEA, and need any help with ColdFusion, Claude’s your go-to guy.

Ben Forta

Who’s Ben Forta – a riddle, wrapped in an enigma, shrouded in mystery and topped off with a crazy, giant, beard. No one knows where he comes from but it’s been said… c’mon, if you’re reading this you know who Ben is.

Kevin Hoyt

Kevin is a member of the Platform Evangelism team, and my boss. (So say nice things about me if you can.) He’s been around since the Allaire days. He’s worked with ColdFusion from the earliest versions, and many of you have seen him at User group events in the past.

Serge Jespers

Serge is also a member of the Platform Evangelism team. He’s based in Belgium, but insists that he and Claude have nothing in common. He comes to CF with tons of front end experience, and can show you some things about Catalyst that will knock your socks off.

Tomas Krcha

Tomas is surprisingly another member of the Platform Evangelism team. He’s got a ton of experience with Flash, and has a really good designer’s eye. (Check out his site.)

Adam Lehman

Adam’s the former ColdFusion Evangelist, and current Product Manager for ColdFusion. He’s a long-time member of the community. Like Zoolander he’s plagued by his inability to turn (and look) left.

Andrew Spaulding

Andrew is a Systems Engineer down in Australia. I got a chance to meet him when I was down for webDU. He’s a great ambassador for Adobe, and I think you’ll be in good hands if you get him for a session.

Ryan Stewart

Ryan is yet another member of the Platform Evangelism group. He does a lot of Catalyst and Flex these days, but way back in the day he was a bright-eyed and annoyingly enthusiastic ColdFusion developer with me at the Wharton School.

Mark Szulc

Mark is the Technical Director for Australia and New Zealand. I also got a chance to meet with him during webDU, and was impressed by his take on CF in relation to other products at Adobe.

Piotr Walczyszyn

Another Platform Evangelist, Piotr is based in Warsaw. He’s got a very strong background in Java, and should have a great take on CF from that perspective.

Greg Wilson

Greg Wilson is a Platform Evangelist. He’s a LiveCycle guy who embraced the power of ColdFusion when he saw how easy it made talking to Adobe’s internal MS Exchange server.