We’re happy to announce the discharge of CommandBox 5.6.0, a minor launch of the CFML CLI and bundle supervisor. This launch comprises 25 accomplished tickets together with bug fixes, some huge new options, and library updates! Please get pleasure from the brand new launch, and as at all times, tell us when you’ve got any points or questions!
Get the New Launch
You may obtain CommandBox from our predominant product web page:
https://www.ortussolutions.com/merchandise/commandbox
Or from HomeBrew (Mac customers)
brew set up commandbox
Or from our APT/YUM repos.
https://commandbox.ortusbooks.com/setup/set up#linux-apt-get
Or straight from our S3 obtain buckets:
https://downloads.ortussolutions.com/#/ortussolutions/commandbox/5.6.0/
Learn Concerning the New Options
Our CommandBox docs are totally up to date and obtainable right here:
https://commandbox.ortusbooks.com/v/5.6.0/
And our API command docs are right here:
https://apidocs.ortussolutions.com/commandbox/5.6.0/index.html
What’s New?
What’s new you say? Glad you requested! Hold studying…
Library Updates
We all know these things could seem boring, but it surely’s tremendous vital to make sure you keep protected and safe on the newest variations of our bundled libraries. We up to date the next libs on this launch:
-
org.lucee:lucee5.3.9.141 -> 5.3.9.160 -
io.undertow:undertow-servlet2.2.17.Ultimate -> 2.2.19.Ultimate -
io.undertow:undertow-websockets-jsr2.2.17.Ultimate -> 2.2.19.Ultimate -
web.minidev:json-smart-mini1.0.8 -> 1.3.2 -
commons-cli:commons-cli1.2 -> 1.5.0 -
org.jooq:joox1.2.0 -> 1.6.2 -
org.apache.logging.log4j:log4j-slf4j-impl2.17.1 -> 2.18.0 -
org.apache.logging.log4j:log4j-core2.17.1 -> 2.18.0 -
org.jboss.logging:jboss-logging3.4.1.Ultimate -> 3.4.3.Ultimate
A lot of Bug Fixes
Over half of the tickets on this launch have been bug fixes to maintain the CLI operating easily on all working programs. You may try the complete checklist of ticket beneath to see the screws we tightened.
New Server Safety System
CommandBox servers have an thrilling new weapon of their arsenal, and that could be a new system of safety that means that you can shield sure elements of your website from most of the people. This might be CF admins, non-public dashboards, or a subfolder of delicate recordsdata.
You may discover a new part within the server.json known as internet.safety the place these settings reside. You may leverage the ability of our Server Rule predicates to match no matter requests you wish to safe, primarily based on folder, HTTP methodology, distant IP, HTTP headers and extra.
{
"internet" : {
"safety" : {
"realm" : "My Realm",
"authPredicate" : "path-prefix( /lucee/admin/ ) and never equals('%{REMOTE_IP}', 127.0.0.1)"
}
}
}
That authPredicate would require authorization for any pages within the Lucee admin except you have been on localhost. NOTE: path-prefix is case delicate, so on Home windows you’d wish to use a regex() primarily based verify reminiscent of regex( sample='^/lucee/admin/.*', case-sensitive=false )
When a request is marked as requiring authentication, you’ll be able to allow a number of auth mechanisms to problem the consumer as mentioned beneath.
Learn extra on Server Safety Right here.
https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/safety
Primary Auth Safety
CommandBox has supported fundamental auth for some time, but it surely was a easy all-or-nothing implementation. Primary auth has been revamped and rolled into the brand new safety system. If no authPredicate is outlined, it is going to nonetheless apply to the entire website. However when an authPredicate is asserted in your server.json, it is going to solely kick in for these pages.
We have additionally moved the fundamental auth settings in server.json to right here:
{
"internet":{
"safety" : {
"realm" : "My Realm",
"authPredicate" : "regex( sample='^/lucee/admin/.*', case-sensitive=false )"
"basicAuth":{
"customers":{
"brad":"move",
"luis":"pass2"
},
"allow":"true"
}
}
}
}
Don’t fret, the previous location nonetheless works too for now. We can’t take away assist for it till the subsequent main launch of CommandBox. If each the settings exist (Ex: internet.basicAuth.allow and internet.safety.basicAuth.allow), the brand new location will probably be given priority.
Learn extra on Primary Auth Safety Right here.
Consumer Cert Safety
Including assist for shopper SSL certs was one in every of our largest undertakings and is a really thrilling new characteristic for presidency outlets who use PKI primarily based authentication, usually occasions within the type of DoD CAC (playing cards) that are bodily playing cards containing a non-public PKI cert that identifies the consumer. This characteristic was one of many final causes to wish IIS or Apache in your combine, however now CommandBox can do all of it!
Consumer certs have two part– first is the flexibility of the online server to immediate the consumer’s browser to ask for a shopper cert to ship. This requires configuring a belief retailer or an inventory of trusted CA certs to just accept. When the consumer sends a cert, it routinely makes quite a lot of CGI and request variables obtainable to your CF code. You may configure your SSL connection to just accept or require shopper certs like so:
{
"internet" : {
"ssl" : {
"allow" : true,
"clientCert" : {
"mode" : "Requested",
"CACertFiles" : "rootCA.cer,anotherRootCA.cer",
// OR...
"CACertFiles" : [
"rootCA.cer",
"anotherRootCA.cer"
],
// OR...
"CATrustStoreFile' : "cacerts",
"CATrustStorePass' : "changeit"
}
}
}
}
A few of the CGI variables that are routinely created when a shopper cert is current are
-
CGI.CERT_SUBJECT– The Topic distinguished identify of the shopper cert (CN=foo, O=bar, OU=baz) -
CGI.CERT_SERIALNUMBER– The serial variety of the cert within the format91-7e-5f-a5-b2-20-a1-8b-4c-d0-40-3b-1c-a1-a8-58 -
CGI.CERT_ISSUER– The Issuer distinguished identify of the shopper cert (CN=foo, O=bar, OU=baz) -
CGI.SSL_CLIENT_VERIFY– Matches Apache HTTP. Values will probably be “SUCCESS” or “NONE”
The second a part of shopper certs is the flexibility to make use of that shopper cert data as an authentication mechanism to implement your authPredicate routinely. (When CommandBox’s safety system is unable to authorize a consumer, it stops the request earlier than it ever even reaches CF!)
When authorizing primarily based on shopper certs, you’ll be able to have 4 ranges of checks:
- Any consumer with a cert is allowed. (Keep in mind, the shopper cert should at all times be trusted by one in every of your configured trusted CA certs)
- Topic Distinguished Title (DN) matches a number of full or partial DNs you specify
- Issuer Distinguished Title (DN) matches a number of full or partial DNs you specify
- Or disable the
internet.safety.clientCert.enabledsetting and permit all requests to succeed in CF the place you’ll be able to write your individual checks.
CommandBox additionally helps SSL Renegotiation which lets you not power the shopper cert immediately till the consumer will get to a web page on the positioning that kicks within the authPredicate after which their browser will immediate them then. It is a standard configuration because the consumer can hit your login web page first after which be prompted for his or her cert as soon as they login.
The configuration for all this seems like this:
{
"internet" : {
"safety" : {
"realm" : "My Realm",
"authPredicate" : "path-prefix( /admin )"
"clientCert" : {
"allow" : true,
"SSLRenegotiationEnable":true,
"subjectDNs" : "O=Ortus, OU=Advertising",
"issuerDNs" : [
"O=Verisign",
"CN=Bob, O=Walmart",
"CN=GeoTrust TLS RSA CA G1, O=DigiCert Inc, OU=www.digicert.com"
]
}
}
}
}
Learn extra on Consumer Cert Auth safety Right here.
Process Runner loadModules()
As Process Runners grow to be extra standard and other people mix them with extra modules to carry out their operations, you run into the necessity to load an inventory of modules all on the identical time which can have interdependencies. There’s now a brand new loadModules() methodology obtainable to Process Runners which accepts an array of module paths. Every module is first registered, after which every module is activated.
loadModules(
directoryList( path=resolvePath( 'modules/' ), sort="dir" )
);
Learn extra right here:
https://commandbox.ortusbooks.com/task-runners/loading-ad-hoc-modules#loading-multiple-modules
