ColdFusion 4.0.1 Documentation Updates

Updated April 2, 1999

This document lists corrections and additions to the ColdFusion 4.0.1 documentation. These items apply to the documentation for both ColdFusion Application Server and ColdFusion Studio.

• Corrections
• Additions

See the ColdFusion 4.0 Release Notes for a listing of known issues and upgrade changes.

See the ColdFusion 4.0.1 New Features document for information about new features enabled for this release.

Corrections

The following is a list of corrections to the printed ColdFusion documentation:

• Contacting Allaire Technical Support
• Cross-Reference errors
• Code error in the CFML Language Reference
• AUTHTYPE attribute for CFAUTHENTICATE tag
• TYPE attribute for CFPARAM tag
• Omission in Administering ColdFusion Server
• Error in ColdFusion process names for Solaris

Contacting Allaire Techincal Support

In the preface material to ColdFusion documentation, the primary technical support resource should be the support page of the company web site: http://www.allaire.com/support. For all technical support questions, the best place to start is the Support page on the Allaire Web site.

Cross-Reference errors

In the printed version of the CFML Language Reference the BitNot, BitOr, and BitXor functions contain a cross-reference to the AuthenticatedContext function. This cross-reference should instead be to the BitAnd function.

The CJustify and RJustify function pages in the CFML Language Reference contain cross-references to the ListValueCountNoCase function instead of the LJustify function.

The SetVariable function contains a cross-reference to GetBaseTemplate where it should be a cross-reference to the GetClientVariablesList function.

Code error in the CFML Language Reference

A code error exists in the CFML example for the Year function on page 519 in the CFML Language Reference. In the 14th line of code in the example, a pound sign has been left near the end of the line. If you copy and run this code, that pound sign should be removed.

AUTHTYPE attribute for CFAUTHENTICATE tag

Documentation for the CFAUTHENTICATE tag is missing information about the new AUTHTYPE attribute. Here is that information:

AUTHTYPE

Optional. Valid entries are BASIC and X509. The AUTHTYPE attribute indicates what type of authentication scheme ColdFusion should use. A value of BASIC indicates that authentication will be accomplished using username/password. A value of X509 indicates that authentication will be done using X.509 client certificates that are passed to the web-server from a browser using SSL.

The new AUTHTYPE attribute relates to support for X.509 authentication. For details about X.509 authentication, see Additions.

TYPE attribute for CFPARAM tag

Documentation for the CFPARAM tag is missing information about the new TYPE attribute. Here is that information:

TYPE

Optional. The type of parameter that is required. The default value is "any."

Type Value	Description
any	Any value.
array	Any array value.
boolean	A Boolean value.
date	A date/time value.
numeric	A numeric value.
query	A query object.
string	A string velue or a single character.
struct	A structure.
UUID	A Universally Unique Identifier (UUID) formatted as æXXXXXXXX-XXXX-XXXX-XXXXXXXXXXXXXXXÆ where æXÆ stands for a hexadecimal digit (0-9 or A-F). Refer to the Language Reference pages on the CreateUUID function for more information.
variableName	A valid variable name.

Omission in Administering ColdFusion Server

In Administering ColdFusion Server on page 156, under the heading "Storing security profile information in an LDAP directory," the text of the Note is incomplete. The correct version of the text should read:

To use the Netscape Directory Server on UNIX, you must install it before installing ColdFusion Server. If you have already installed ColdFusion Server and you want to use the Netscape Directory Server to store security profile information, you must reinstall ColdFusion Server after installing Netscape Directory Server.

Error in ColdFusion process names for Solaris

In Administering ColdFusion Server on page 15, under the heading "ColdFusion Processes on Solaris," the list of processes is incorrect. The correct processes are as follows:

• windu_registryd42
• cfserver
• cfexec
• cfrdsservice

These ColdFusion processes are stopped and started using the bin/stop and bin/start scripts. Refer to Administering ColdFusion Server for more information about start and stop scripts on Solaris.

Bright Tiger processes, which provide load-balancing and failover are as follows:

• ipaliasd -- Provides Failover services
• reqmgr -- The Bright Tiger request manager

These processes can be started and stopped separately using the btadmin utility. Refer to Administering ColdFusion Server for details about btadmin.

SiteMinder processes, which provide advanced security, are as follows:

• smservaz -- Provides authorization services
• smservauth -- Provides authentication services

SiteMinder processes can be started and stopped separately using the siteminder/smstop and siteminder/smstart scripts.

Additions

The following list contains links to late-breaking information about ColdFusion 4.0.1:

• Addition to Administrator Verity page
• New IsProtected CFML function
• Using CurrentDate in CFINSERT and CFUPDATE
• Changes to CFLOOP
• Support for X.509 certificates
• Distributed ColdFusion
• ColdFusion Studio features added

Addition to Administrator Verity page

The ColdFusion Administrator Verity page includes a new option that allows you to reference an existing Verity collection by selecting "Map" instead of "Create". Ordinarily, when you create a Verity collection, ColdFusion writes an entry in the system registry, and creates the directory structures necessary for the collection. When you choose the "Map an existing collection," ColdFusion creates the registry entry, but instead of also creating the directory structure necessary for the collection, references the collection you specified in the Path box.

This is a useful option for referencing collections that are maintained on a dedicated server. It allows ColdFusion pages executed on one server to reference Verity collections that actually live on another server.

When you delete a local Verity collection, ColdFusion deletes the registry entry and the directories that constitute the collection. When deleting a mapped collection, ColdFusion deletes only the registry entry for the mapped collection.

New IsProtected CFML function

A new function has been added to ColdFusion: IsProtected, which you can use to determine if a ColdFusion resource is a protected resource. It takes the same arguments as the IsAuthorized function and is meant to be used in combination with ColdFusion Advanced Security.

IsProtected

Returns TRUE if the specified resoruce is protected by a rule in a security context in ColdFusion Advanced Security.

Syntax

IsProtected(resourcetype, resourcename [, action])

resourcetype

String specifying the type of resource:

• Application
• CFML
• File
• DSN
• Component
• Collection
• CustomTag
• UserObject

resourcename

String specifying the name of the resource. The value specified varies depending on the resource type:

Resourcename is the actual resource that is protected, not to be confused with the rule name, which you specify in the ColdFusion Administrator.

action

String specifying the action for which authorization is requested. Do not specify this parameter for COMPONENT and CUSTOMTAG. For all other resource types, this parameter is required.

Using CurrentDate in CFINSERT and CFUPDATE

The CurrentDate function can be used within the CFINSERT and CFUPDATE CFML tags. For example, you can add a date column for when a record is added to the database. You could add a CurrentDate column to the database, then add a hidden form field to the entry form:

<INPUT TYPE="Hidden" NAME="CurrentDate" VALUE="CurrentDate()">

The CurrentDate function differs from the Now function in several ways:

• The Now function needs to be enclosed in # signs.
• The Now function must have <CFOUTPUT></CFOUTPUT> around the form field.
• The Now function adds the date and time to the database, while the CurrentDate function adds only the date.

The comparable Now syntax is:

<CFOUTPUT>
<INPUT TYPE="Hidden" NAME="CurrentDate" VALUE="#Now()#">
</CFOUTPUT> 

Changes to CFLOOP

CFLOOP has been modified to reduce the occurrence of a problem in programming languages that has to do with the internal representation of floating point numbers. Programmers think they are working with decimal numbers, but in fact all floating point numbers are represented in binary notation as some form of binary fractional numbers. Some numbers, e.g., 0.1 do not have an exact representation in binary. Therefore, when some arithmetic operations are performed on them cumulative error is added. The following code in CFML illustrates the problem:

<CFSET result = (1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1 + 0.1) eq 2>

Support for X.509 certificates

ColdFusion 4.0.1 supports X.509 client certificate authentication. This means that ColdFusion can now work with an SSL-enabled Web server such as Netscape Enterprise 3.5.1 or IIS 4.0 to request client authentication in the form of an X.509 certificate. The ColdFusion Application Server will extract the client information from the X.509 certificate and authenticate it against a user directory such as a Windows NT domain or an LDAP server.

Several steps need to be performed to enable ColdFusion Server 4.0.1 for client certificate authentication:

1. Enable SSL on the Web server for the directory that contains the client authenticating ColdFusion application files (templates) i.e. a file containing CFAUTHENTICATE tags. You will need to get a server certificate for this purpose. Server certificates are available from organizations such as Verisign. Free 14-day trial server certificates are also available there.



2. Configure the Web server you are using (Netscape Enterprise or IIS 4.0) to "require client certificates for authentication."



3. For Netscape Enterprise Server
• From Server Adminstrator make sure that you trust the Certifying Authority (CA) that the browser sends with the client certificate.
• Edit the obj.conf file in the SuiteSpot/https-<servername>/config directory to add the following lines under the <ObjectName="default"> tag after all the PathCheck attributes:

      AuthTrans fn="get-sslid"
      PathCheck fn="get-client-cert" dorequest="1"

This ensures that ColdFusion has access to the encoded client certificate that is passed by the browser. See Chapter 2 (Directives and Built-In SAFs) of the NSAPI Programmer's Guide at http://developer.netscape.com/docs/manuals/enterprise/nsapi/index.htm for more details.

4. Open up the ColdFusion Administrator and either create or modify a security context that you plan to use for X.509 authentication. There is an additional checkbox labeled X509 certificates in the Edit Security Context page. You need to check this and press the Apply button to enable X509 client authentication for the security context. For more details about configuring advanced security in ColdFusion refer to Administering ColdFusion Server.



5. In the ColdFusion Administrator set up a user directory that the security server will use to authenticate the client certificate owner. An entry must exist in the user directory for the client certificate owner for authentication to be successful. For example, if you wish to authenticate the name 'james' in the user directory there should be an entry with uid=james (if the user directory is an LDAP directory) or an entry with the username 'james' (if the user directory is an NT domain).



6. In your ColdFusion application page, use the CFAUTHENTICATE tag to specify when you want X509 client certificate authentication as opposed to basic or username/password authentication. The CFAUTHENTICATE tag now has an optional attribute, AUTHTYPE, with a default value of "BASIC". You can also specify a value of "X509" for the authType parameter. In the latter case ColdFusion will extract client information from the client certificate sent by the browser and attempt to match it against one of the specified user directories in the security context. Refer to the CFML Language Reference for more details about the CFAUTHENTICATE tag. For more details about application security refer to Administering ColdFusion Server.



7. A configuration file, smcertmap.ini, which is in the <installdir>\bin directory on Windows NT and in the <installdir>/siteminder/bin directory on Solaris must be modified to enable ColdFusion to correctly map information extracted from the X.509 client certificate to user information in the specified user directories. Two example mappings are provided in the file with documentation. Modify the mappings as required for your specific configuration.
   
   

Distributed ColdFusion

The cfdist.exe program, which is used in distributed ColdFusion configurations (see Administering ColdFusion Server for details) only works on Windows NT and Solaris. It does not run on Windows 95/98.

ColdFusion Studio

These features were added after the Using ColdFusion Studio book went to press. You can find information on them in the online Help References.