This past weekend I had the privilege of attending Ortus Solution's Coldbox 101 training class in Grapevine, Texas. It is true that I did pay for the opportunity, but the price was obscured and more than justified by the quantity, quality, and cohesiveness of the knowledge that was shared. Coldbox's master architect himself, Luis Majano, was the instructor, and it was with the same level of zeal and attention to detail that he puts into his framework that he also enlightened and empowered his students on Coldbox. In this case, the "no student left behind" policy was absolutely successful. With a student body composed of everyone from absolute CF beginner to CF expert, and from designer to "design-blind", Luis ensured that the content was both palatable and applicable to one and all.

I came to the class being what I would best describe as semi-proficient in Coldbox. I've written a large Coldbox app, done a few Coldbox presentations, blogged about some aspects of Coldbox, and was even hired recently to present a full day instructional course on Coldbox to a local group of San Antonio developers. But, as with any subject that one teaches themselves, there are always gaps in the knowledge you glean from reading docs and your own experiences. It was these gaps I came to the training hoping to fill, and fill them I did. I was given solid insight into how the framework itself is architected, allowing me to fully visualize the request lifecycle and the framework components that interact with and manipulate it; I honed my knowledge of ALL of Coldbox's core concepts, such as interceptors, views,layouts, viewlets, and plugins; I gained insight into the workflow and approaches that Luis himself uses on a daily basis; and my mind was opened up to a whole new facet of the development lifecycle that I personally have always avoided: unit testing.

Coldbox is SO keen on the idea of unit/integration testing that it has the built in ability to simulate itself! In a nutshell, Coldbox makes it VERY simple and easy to test entire events (the equivalent of fuseactions, if that's a more relevant term for you) without the need for the developer to write any additional code. It was truly beautiful to see integration and unit tests run, and just as easy to write them.

I also had an opportunity to flip through the pre-copy of the official Coldbox book, and I must say I had a hard time handing it off to the next student. The Table of Contents was lengthy and robust, and the associated content was clear, concise, and easy to read. Oh, and it is in color! The plethora of code snippets really jump out at you, and  highlighted items are truly highlighted. I would say that the book is definitely one that you will want to have on your desk as a reference. If I understood correctly, we should be seeing it released into the wild in short order. :)

The excitement that new knowledge brings is great to those of us who love it and derive our livelihood from it, and I could easily spend a day sharing all of the very useful information and understandings I received from attending this class. I wasn't asked not to, nor was I asked to sign any NDAs; but for the sake of honoring the information that Luis earns some of his sustenance from, I'll refrain from divulging any more details of the class. I will, however, leave you with this thought...

If you are doing Coldbox development and you have not attended Luis' Coldbox 101 training class, I guarantee you that what you are writing is not all that it could be. It won't be architected as well as it could be, it won't be leveraging all of the shortcuts and features that it could be, and it won't be top of the line. That isn't to say that you aren't capable of writing a good Coldbox app, but without the in-depth understandings that this class offers, your app will very likely not be a great Coldbox app.

It's challenging to get department heads to budget in training sometimes, but my fellow developers, if your shop is or is considering being a Coldbox shop, then it is worth the effort to justify this training to them. I typically ask myself the question, "if it was my  money, would I spend it on this?", and regarding this class the answer is an unequivocable YES! If you would like any additional input to help justify the training, I and I'm sure anybody else who attended this training class would be more than happy to provide our own personal feedback and testimonial.

If you are serious about writing solid, load-bearing apps in Coldbox, do this for yourself: attend Coldbox 101 training.

Doug out.

Yesterday I had the privilege of providing my first consultation job as an instructor on the subject of Coldbox. The team that hired me are at the stage in their project where they're ready to start writing code (database is designed, UML and usecase diagrams are complete, mockups have been created), and they wanted to "experience" my thought processes, the questions I ask myself, my approaches to implementing functionality, and how I troubleshoot as I make my way from an idea to a working app in Coldbox. So, we spent the entire day together building an app from scratch, using Coldbox.

In preparation for the task, I spent the past week investing a LOT of time re-reading the Coldbox docs, experimenting, building out a small sample application that the team and I scoped out beforehand, and making notes about my thought/decision-making processes along the way.

Taking notes about your own personal development process is actually quite interesting and insightful, and since my audience found it useful and enlightening, I thought I'd share a high level view of it with the rest of the community as well. What follows is a bullet point list of how I personally generally go from idea to app.

Let's take a walk in my head, shall we? Don't be afraid....

1. let's get the current version of the coldbox framework (www.coldboxframework.com)

6. Okay, now I'll take a first pass through my config.xml.cfm file and alter the settings I know about at this point.

7. At this point, I feel the need to go ahead and create my database table structure and get that to a solid starting point.

8. Let's tweek the default layout and make placeholders for the different components it must organize (header, footer, nav, content, messages, dynamic content area, etc.).

In a nutshell, this is my general thought process as I build an app, with emphasis on building a Coldbox app. How does my "to do" list match up with everybody else's? I'd be interested to know!

In case anybody wanted to attend but was unable, I just wanted to make it known that I did present at the Alamo Area ColdFusion Usergroup meeting tonight on the topic of the ColdBox framework. I was given 45 minutes, and finished precisely within my time limits, except for a few questions at the end that I had to field.

A link to the recorded presentation can be found at UG TV ( http://www.carehart.org/ugtv/ ), and is titled "A 45 Minute Discourse on the Subject of ColdBox". You'll have to try and overlook the slightly skewed sound and video tracks...just something we seem to have to live with when using Connect.

I am very interested to know what people think of the content, and any critiques that might help me improve my presentations in the future. With broad topics and limited time, it's hard to know where to focus sometimes.

Thanks!

Doug  :0)

My most recent project has caused me to have to be "unicode aware" at times (something I've never had to do before), and so I am learning a lot about encoding and display of special characters as I go along. My latest challenge related to this topic involved a User Manager section I created, wherein the users could very well have names that contain special characters (foreign names). This particular section performs its updates, deletes, and inserts via Ajax calls and client-side JS manipulation of a JSON data set. My Ajax is performed via the Prototype library, my code is all ColdFusion living within the Coldbox framework, I'm using Coldspring to manage my object relationships, Transfer is my ORM, and my backend database is MSSQL 2005.

The Challenge: Data that contained special characters was being successfully inserted/updated via my Ajax calls, but the JSON data set returned via those calls did NOT contain those special characters (or contained an incorrect interpretation of them, like numbers, question marks, etc.). A quick check of the database verified that the data was indeed stored in the tables properly.

Setting the Stage
At this stage in the game for me, the smorgasbord of terms, acronyms, and concepts revolving around properly handling unicode is a bit foggy for me. (On a side note, I WISH someone who has the full understanding would put together a simple "checklist" of "Things you need to do in order to handle special characters in ColdFusion"!) From what I currently understand, the physical template you write has to be "encoded" properly (set within the IDE you are using); The database you are using has to have the proper encoding(called Collation in MSSQL 2005); The fields in your table have to be of the proper type to store unicode text(ie: 'nVarchar' instead of 'Varchar', etc.); your browser has to have the proper languages associated in order to display certain sets of special characters(Tools/Internet Options/Languages in IE); your JS functions, if living in a separate file, must have the page encoded properly(again, via your IDE); your ColdFusion datasource has to have the checkbox for "Enable High ASCII characters and Unicode for data sources configured for non-Latin characters " checked; and to top it all off, after having handled all of that, your JS functionality still yet needs to have ITS encoding types set in the proper place.

That sounds like a LOT of fiery hoops just to be able to deal with special characters, right? Well I'm with ya...it's on the verge of being a nightmare for someone who's never had to deal with it. And I do realize that for some of you reading this, the first time YOU tried to deal with special characters, everything just frickin "worked right out of the box" and you probably didn't have to do but one or two of those things, at the most. I say that you got lucky that things were configured just so for the particular character set you were dealing with, and even though from your perspective it didn't seem like that big of a deal, the fact is having an understanding of what's going on behind the scenes can be pretty doggone important anyway, just in case you suddenly get the directive to start storing characters from some other encoding scheme that you AREN'T prepared for out of the box.

Okay, so back to my challenge. Here's the nutshell of how my process flows:

My initial page load is provided with a query of all of the users in the system. That query is then translated to a JS object using a line in my template like the following:

Bear in mind that the "getAllUsers" method call you see is the exact same method call being used during the initial page load to retrieve the data, which DOES contain the special characters as it should.

So here is where the problem manifests itself. The JSON string that the "postSave" method is provided with has the special characters stripped out! Poof, they are just gone. Okay, so let me go and investigate some of the optional parameters that Prototype provides for its Ajax.Request method and see if any of them might apply in this situation....  Ah, here are a few! 'encoding', 'evalJSON', 'sanitizeJSON'. Well, playing with all three of these resulted in zero changes to the symptoms. Sheesh, I've encoded everything I can possibly think to encode...what else is there? After a lot of google time, skimming page after page of semi-related (but not directly relevant) info, I came across a tiny little tweek to the contentType being returned that I tried, and lo and behold it frickin worked! Here is the new line that returns a CORRECT data set to my Ajax call:

I hope this helps someone else avoid a huge loss of time. And again, for those of you out there who know this stuff inside and out and can actually visualize how it all works in your head, it sure would be an assett to the community if you could put that info into a kind of "checklist" a person could use to make sure they have all of their Unicode ducks in a row when trying to deal with special characters! Pretty please?

Doug out.

The Scenario: My Coldbox/Coldspring/Transfer application has settings that I want to make maintainable via a user interface. Now, the Coldbox.xml.cfm file does make provision for me to add as many custom settings as I want to my app, but I don't want to require the end user to know how to edit this xml file (nor would I trust them to). I came up with a solution to this challenge that I'm really happy with, so I thought I'd share some snippets in case it proves useful to others.

Step 1 is to ensure that you have a table designed to hold these configuration settings. My database has a table named "configuration", with the fields ID, settingName, and settingValue.

The last item of business is to let Coldbox know that our interceptor exists. We do this by registering it in the <Interceptors> section of Coldbox.xml.cfm, like so:

Although ANYTHING you could ever want to know about coldbox is definitely in its documentation, I find that it is still necessary sometimes to have to piece things together bit by bit..."...line upon line, line upon line; here a little, and there a little:...." as the prophet Isaiah said... in order to fully comprehend them. In this post I'd like to share what I have distilled from the docs regarding the subject of using interceptors and custom interception points in Coldbox.

The Scenario:  you are building your first Coldbox app and you decide that you want to generate your navigation from your database only after the user has authenticated (before that, they get no nav). How we retrieve and/or create our navigation isn't relevant to this post (I'll likely be sharing my navigation interceptor in another post), but WHEN and WHERE creation occurs IS, so allow me to break it on down as I have come to understand it.

If you weren't already aware, an interceptor in Coldbox is simply a CFC with methods that can be executed anywhere in the Coldbox request lifecycle, independent of the logic you already have "hard coded" to run for that event. In terms that we can all probably relate to, think of interceptors in EXACTLY the same way that you think of application.cfc. You know that code within that CFC will run "just because the file exists" and you don't have to explicitly call it in your app. Methods like  "onRequestStart" or "onRequestEnd"...their code automatically gets executed at specifically defined moments in the request's lifecycle simply by virtue of their name and the CFC they happen to live in. Same with a Coldbox Interceptor, except unlike application.cfc, you have to tell Coldbox that your interceptor exists first.

It's important at this point that we briefly talk about interception points in Coldbox. You know what "onSessionStart" is, you know what "onRequestEnd" is, you know what "onError" is, etc. ... well take a gander at "preRender". This is an interception point built in to Coldbox that "happens", or is announced, before content is rendered as viewable. (On a side note, there are a whole lot of OTHER interception points that exist natively in Coldbox; you should take the time to read through the list of them in the docs before you start developing.) In order to take advantage of "preRender" then and make something happen at that point, I have to do three things:

1. Create an interceptor CFC and drop it into my "interceptors" folder in my Coldbox app;
2. Create a method in that interceptor called "preRender";
3. Register my interceptor in Coldbox's "coldbox.xml.cfm" file so that the framework knows it exists.
how to register a custom interceptor...

Okay, I said in my scenario description that I only wanted my navigation created IF the user was authenticated. Of course you can guess that my "preRender" method does a check to see if that has occurred or not, and acts accordingly. But, what about the actual login event itself? If you trace the process, the user will be authenticated AFTER the preRender event, and so even though they have successfully logged in, will NOT see the navigation! Not kosher.

I dealt with this by using one of Coldbox's "Custom Interception Points". At first, it seemed like such a  foreign idea that little ol' me would have the power to add an interception point within the request lifecycle. After all, weren't things such as "onRequestStart" items that only the framework or the CF Server itself had the privilege of manipulating? But here's where the mystique of interception points, even those used in application.cfc, went away for me. (Hopefully you are familiar with the children's game "Red Light/Green Light", because my understanding and explanation of an interception point is based on it). An interception point is nothing more than a framework or CF Server playing a game of "red light/green light" with our app. The call to the app (http://myapp/?event=index) is the little kid, running forward like he was told to do. At certain points, though, the framework calls out "greenlight!", and any bit of your code that you had set up listening for "greenlight" (containing a method called "greenLight()") executes, right there and then, independent of the code associated with the event being called, and even before the request itself has completed. In my case, then, all I did was write a bit of code in my login process that called out "onLogin!" as soon as authentication occurred. I then added a method to my navigation interceptor called...what do you think? Yep, "onLogin", that made sure the navigation was available for the user at the end of the request. Here, then, are the steps to adding and using your own custom interception points in Coldbox:

1. Tell Coldbox that you would like to use an interception point called "onLogin", or "onLogout", or whatever you want to call it;
2. Add a line anywhere in any of your handlers (controllers) that ANNOUNCES your custom interception point;
3. Create one or more methods in any of your interceptors named the same as your custom interception point.

That's it! Here are some code snippets of where and how to do each of the three steps above:

1. In coldbox.xml.cfm, in the "Interceptors" section, add a line like the following:

3. In your interceptor(s), create a method like so:

Doug out

I had my first successful forray using Ajax in Coldbox today! After reading a LOT, checking out some examples, and then letting my natural developer's instinct take its course, I ended up with a design that left me really wondering if I had taken a wrong turn or had a moment of brilliance . As I said, it works great, but is it an ideal pattern to use or did I cross one of those invisible "development ethics" lines with my approach? I'll let you be the judge. Before I share the details, I am assuming that the reader already has at least a basic working knowledge of Coldbox views, viewlets, handlers, and Ajax. That said, here be the details...

The Scenario

Upon arriving at my Coldbox app, the visitor will be dropped off at my default layout. Here's how it's organized:

We'll be focusing on the "login/logout" area since that is the portion I applied Ajax to. As you can see, in that area of the layout I am rendering by name the view named "login". My login.cfm view is actually a Coldbox "viewlet", meaning that it performs a private Coldbox call whenever it is loaded. Here's the pseudo-code of my login viewlet:

The execution of the private call to "authentication.login" (as seen in the pseudo code) is for the sole purpose of gathering current user status so we can control the flow and output of the login viewlet. Here's the actual handler method being called that accomplishes this:

Okay, I have two more relevant methods in my Authentication handler: doLogin and doLogout. Here is the pseudo-code for 'doLogin':

'doLogout' performs almost identical actions...setting the session variables appropriately and then returning the HTML results of rendering 'authentication/login' inline.

As I said, it works great. But I am very interested in the opinion of others as to how they feel about the appropriateness of this approach. Any thoughts?

As you can tell from  my last two posts, I am getting pretty deep into Coldbox used in conjunction with Coldspring. One of the things that Coldbox does for us is pass in our configuration settings to the Coldspring bean factory when it initially loads our beans (from Coldspring.xml), thus allowing us to use configuration variables, like so:

After a couple hours of tinkering around, AND having to make a minor modification to DynamicXMLBeanFactory.cfc to account for it being used in the Coldbox environment, here are the steps:

1. Place a copy of the modified version of DynamicXMLBeanFactory.cfc in the Coldbox/System/Extras/Coldspring folder. The Coldspring folder won't exist, so go ahead and create it;

2. Add a setting to your Coldbox.xml.cfm file like so:

Hope this helps someone.  :0)

P.S.
If anybody is interested in the changes I made to DynamicXMLBeanFactory and why, they are as follows:

1. Since DynamicXMLBeanFactory extends Coldspring's DefaultXmlBeanFactory, and since Coldbox is hardwired in its "ioc" plugin to interact with DefaultXmlBeanFactory's interface (specifically calling the method "loadBeansFromXmlFile", which does not exist within DynamicXMLBeanFactory), I had to overload that method in DynamicXMLBeanFactory like so:

Perhaps there was a more elegant method for implementing Brian's CFC, but the only two choices I saw was to either modify the framework (NO! BAD MAN! NO!), or the CFC. I opted for the CFC. What I was thinking, though, is that perhaps it would be good if Coldbox allowed not only the path to the IOC's beanfactory class to be a setting, but also the name of the bean loader method that should be called (after init)? Just a thought.

Doug out

In the first post on this subject, I shared my 10,000 foot view of what pieces needed to go where in a Coldbox app in order to implement security. A lot of the code in that post was probably unfamiliar looking to many people (I know it would have been to me a couple of days ago!). So in this post I want to share how I implemented Transfer and Coldspring in the security process, clarify what some of that code was doing, and whatever other details about it I may have also come to know.

I'm assuming that you already know what Coldspring is, what Transfer is, and the basics of an event-driven framework. For example, Coldspring is a framework that allows you to manage the relationships between your CFCs (CFC A needs a configuration bean injected into it, the configuration bean needs to be initialized with parameter X, etc.); Transfer is an ORM framework that stands between you and your database (in a good way) and lets you write your code "sans SQL"; and the basics of event-driven frameworks is that they have core components built into them that allow you (via the methods they expose to you) to reach into their very soul and leverage "core functionality", like retrieving global configuration settings, retrieve system beans, etc. Okay, all that having been said, here's the dialogue I had with my frameworks in order to get them all on the same page of the workbook (Personification to be followed up with real code snippets, don't worry. It just helps me simplify things when I animate the inanimate.  ):

1. "Hey, Coldbox;(via Coldbox.xml.cfm...) I'm using Coldspring to manage my components for me. What's that? You'll make your configuration settings available to Coldspring to use in its XML configuration file? When you fire up Coldspring you'll go through its configuration XML and replace any curly-braced variables with matching values from your own configuration BEFORE you initialize Coldspring? Aw, that's sweet. Thanks!"

2. "Hey Coldspring;(via Coldspring.xml.cfm...) I'm gonna need you to produce a few objects from our host MVC framework's core, Okay? What objects would those be? Oh, well, I'll be needing the Coldbox factory object since that's how you'll need to retrieve the rest of the framework's objects for me. I'll need you to ask the Coldbox Factory for an instance of the Coldbox framework itself since it has all the core methods that many of my model object will need; and I'll want a discrete instance of the Coldbox SessionStorage plugin as well so that my model objects can access my app's persistent scope. Let's see, what else...oh yes, I'll be using an ORM, so i'll need you to produce an instance of Transfer via its own factory. And then I'll just tell you about my model objects as I get them added to the app. Thanks, Coldspring! You're a real bud."

3. "Hey Transfer,(via Transfer.xml.cfm...)  I got a whole BOATLOAD of database objects I need you to make available to me. It's a very, very long list, so just read through it at your leisure."

My frameworks are very good listeners and so once I figured out exactly how to say what I wanted to say, they complied fully with my desires. So let's look at how I made them understand, shall we?

Dialogue 1
Within the Coldbox.xml.cfm file, in the <Settings> section, I made sure the following settings were like so:

Dialogue 2
We informed Coldspring of several different things, so let's look at them a chunk at a time.
"...produce a few objects from our host MVC framework's core...Coldbox factory object...Coldbox framework itself...a discrete instance of the Coldbox SessionStorage plugin...." Here is the XML to accomplish the previous:

 As far as the model, so far I have only one bean defined, and that is my "authenticationService" bean. Here's that Coldspring.xml:

 Dialogue 3
Transfer relies on an XML file to get its information about your database entities (tables) and their relationships to one another. I won't share the entire Transfer.xml.cfm file here since I've already got most of my entities defined for my app (long list), but here are the tables relevant to security:

 authentication handler

Okay, so our doLogin event is calling the authenticationService's 'login' method, passing in the username and password supplied; Let's look at authenticationService now.

 So, Transfer will create the requested bean and, if it matched the criteria passed in, the bean will be populated; otherwise it'll be empty, with a zero value for the primary numeric key ("ID"). After Transfer gives it back, I check the primary key. If it's zero, login obviously failed. If it's not, success! Stuff the user bean into session and return a boolean to the handler (controller).

I do hope you were able to follow this okay. I can't tell you how long I had to bang my head against it for it to sink in and gel, so I hope it saves someone else a few hours of digging through docs.

Doug out.

There's no denying it: the plethora of documentation and examples that exist for the Coldbox framework is invaluable and undoubtedly covers every possible scenario to one degree or another. As I press on into a project where the use of Coldbox, Coldspring, and Transfer has been mandated to me, I'm finding that, despite the documentation and tutorials, I'm still having to search around and piece together for myself some of the information I seek. So, to complement the existing volumes of Coldbox-centric information and for my own personal reference purposes, I'm going to post some of what I'm learning as it becomes coherent to me.  Tonight's post is focused on an overview of how to implement basic security in Coldbox using Transfer and Coldspring. I won't delve much into Transfer or Coldspring with this one (that post will follow soon) so that we can focus on the 10,000 foot view first.

As I mentioned, the first "block of functionality" I tackled was the implementation of security, so let's use that as our illustration. There is a lot of documentation on the subject and even a few example apps I found. But, the documentation left me with too much gray area as I attempted to relate what I read with my current level of understanding of the framework, and the example apps, though they worked wonderfully, didn't explain to me HOW they were working. I had to dissect the apps using my limited knowledge of Coldbox and painstakingly trace the event flow from one area of the framework and application to the next, referring to the documentation and even examining some of the framework's CFCs internally. The end result for me was the foundation for my own "flavor" of basic security implementation, and it this that I share.

First, my own visualization of the Coldbox event lifecycle. I realize that the true lifecycle in all its detail could consume many a diagram page, but for the purposes of someone simply desiring to add in a bit of functionality, I do believe I've illustrated all that is required.

A request comes in and right away Coldbox executes the interceptors it knows about. Interceptors are very aptly named, as they do just that: intercept the request before it gets too far and executes whatever methods are appropriate. In our case, we're interested in knowing right up front if the user attempting to fulfill an http request is authenticated or not. Intercept them, then, we shall.

Coldbox comes out of the box with a pre-built security interceptor (a CFC that is executed at what we typically know as the "onRequestStart" point), but being at the newbie point I am, I found it a bit too deep to assimilate. In order to understand how things really work, therefore, I created my own. I called it "security.cfc" and dropped it into my app's "interceptor" directory. The next step was to tell Coldbox that I have an interceptor in place. This is done in config/coldbox.xml.cfm, in the <Interceptors> section. Mine looks like this:

Let's assume the user is NOT logged in. My interceptor resets the current event to my login event, "authentication.login", and processes it. POP QUIZ: Based on the event name "authentication.login", what CFC and method within that CFC do you suppose Coldbox will be executing? I'm sure you guessed right, so let's go look at the 'Login' method within my 'authentication.cfc'.

Hmmm, where IS my authentication.cfc? It's not an interceptor...where is it? Ah, it's where Coldbox ASSUMES it will be (there's that "convention" thing again!): sitting in the "handlers" directory. We Model-Gluers and other MVC framework people might think of it more commonly as "controllers", but the Coldbox vernacular is "handlers", as in "event handlers". Here is the Login method:

Being the good controller/handler that it is, it's doing next to nothing except setting a few values in the event bucket and tossing some views into the view collection so that we can properly give the user a login form.

Now we see the login form, nothing fancy, just a prompt for a username and password. The user enters it, hits the submit button, and off we go to our form's action: authentication.doLogin .

Wanna see the "login" method in the model?

That's it in a nutshell! If I were me looking at this post two days ago, however, I would be very hungry to know the details of how I set up Coldspring and Transfer to play together, and how it is I am accessing my session scope and Transfer from within my model. In order to encapsulate the purpose of this post (give an overview of basic application flow for the purpose of implementing security), however, I shall end it here. But my next post will be the nitty gritty of how I wired all these pieces together.

Hope this helps someone, and do feel free to contribute your own wisdom to the comments!