Avoid those "hidden" features

I’ve said more than once that folks should avoid using hidden, undocumented features in ColdFusion. This warning applies especially to the ServiceFactory. Did you know that in ColdFusion 8 you can restrict access to the factory? In the settings page there is a new option:

Disable access to internal ColdFusion Java components
Disables the ability for CFML code to access and create Java objects that are part of the internal ColdFusion implementation. This prevents an unauthenticated CFML template from reading or modifying administration and configuration information for this server.

So what happens when this is enabled? Consider this simple code:

<cfset monitor = createObject("java", "coldfusion.runtime.RequestMonitor") />

With the option disabled, this code runs fine, but with it enabled you will get:

Permission denied for creating Java object: coldfusion.runtime.RequestMonitor.

Access to Java objects in the ColdFusion package has been disabled by the administrator.

So just keep it in mind when developing. I won’t deny that I’ve used these internal objects myself in the past, but now I avoid them like the plague. Almost anything you need (almost) is available via the Admin API anyway.
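Before enabling the setting on an existing server, it helps to know which templates would start failing. The following Python sketch is an added example, not code from the original post: it scans CFML source for literal references to Java classes in the `coldfusion` package, which is the package the error message above names. The function name and the sample template are constructed for illustration, and class names built dynamically at runtime are not detected.

```python
import re

# createObject("java", "coldfusion.x.Y") in tag or cfscript syntax, either quote style.
CREATE_OBJECT = re.compile(
    r"""createObject\s*\(\s*(["'])java\1\s*,\s*(["'])(coldfusion\.[\w.$]+)\2""",
    re.IGNORECASE,
)
# <cfobject ...> tags (may span several lines) and their name="value" attributes.
CFOBJECT_TAG = re.compile(r"<cfobject\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""")


def find_internal_java_use(source):
    """Return sorted (line_number, class_name) pairs for literal references
    to coldfusion.* Java classes in a CFML source string."""
    hits = set()
    for m in CREATE_OBJECT.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        hits.add((line, m.group(3)))
    for tag in CFOBJECT_TAG.finditer(source):
        attrs = {k.lower(): v for k, _, v in ATTR.findall(tag.group(0))}
        is_java = attrs.get("type", "").lower() == "java"
        cls = attrs.get("class", "")
        if is_java and cls.lower().startswith("coldfusion."):
            line = source.count("\n", 0, tag.start()) + 1
            hits.add((line, cls))
    return sorted(hits)


# Constructed sample template: two internal references, two ordinary Java classes.
SAMPLE = '''<cfset monitor = createObject("java", "coldfusion.runtime.RequestMonitor") />
<cfset list = createObject("java", "java.util.ArrayList") />
<cfobject type="java" action="create"
          class="coldfusion.server.ServiceFactory" name="factory">
<cfscript>
  sb = CreateObject('java', 'java.lang.StringBuilder');
</cfscript>
'''

if __name__ == "__main__":
    for line_no, class_name in find_internal_java_use(SAMPLE):
        print(f"line {line_no}: {class_name}")
```

Each reported line is a call that will raise the "Permission denied for creating Java object" error once the option is turned on.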

About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos.

Lafayette, LA https://www.raymondcamden.com
