Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Bug
COMMANDBOX-1374 Some installs unnecessarily write to the box.json
COMMANDBOX-1370 ConfigService::settingExists() fails in race conditions due to non-varscoped variables in JSONService
COMMANDBOX-1372 Support excludePaths in watcher DSL and watch command
COMMANDBOX-1369 Ensure Adobe wars have a seeds.properties file
COMMANDBOX-1368 Add tab complete for "env clear" command
COMMANDBOX-1367 Ignore empty startScript on server start
In this section you will find the release notes for the 5.x version of CommandBox.
Version 5.4.2 - October 2021
Version 5.4.1 - September 2021
Version 5.4.0 - August 2021
Version 5.3.0 - May 2021
Version 5.2.1 - Dec 2020
Version 5.2.0 - Nov 2020
Version 5.1.1 - June 2020
Version 5.1.0 - May 2020
Version 5.0.0 - Mar 2020
When you start an Adobe or Lucee CF Engine, the WAR CommandBox uses has a stock web.xml baked into it. Sometimes you may want to add custom servlets, servlet mappings, etc into your server. You can override the stock web.xml in part or in total with a file of your own which you specify in the server.json like so:
More info here:
In addition to quoting parameter values, parameter names can also be quoted. This is useful when setting keys into settings or JSON files that have spaces, hyphens or special characters. Each of these examples are now supported:
More info here:
Lucee Server has been updated to 5.3.8.201 and JBoss Undertow has been updated to 2.2.10.Final. The Lucee update, as usual, applies to the CLI as well as the default server you get when you run server start.
When you install a Jar via HTTP URL and the version number is baked into the URL, the jar endpoint now makes more assumptions about what the version of the package is that allows it to optimize the update checks and eliminate unnecessary downloads.
More info here:
Here are some fun commands for user interactivity in the shell. You can use these as part of a recipe or a nice "one-liner".
The ask command is similar to the ask() method in Task Runners. It requires an interactive terminal and will ask the user a question and return their answer. It is meant to be changed with other commands.
or with default values
or with masked input
Or fun stuff like this
The confirm command will ask the user a yes/no question and return a passing or failing exit code from the command based on the answer.
Remember the && operator will only execute the second command if the first command returns an exit code of 0.
More info here:
You can easily forget all servers which have not been started for a certain period of time with the server prune command. It accepts the number of days that need to have passed since a server was last started in order to prune it.
More info here:
Here are the full release notes for CommandBox 5.4.0
Cancelling a prompt with active job doesn't clear job logs
Param tab completion is off-by-one when piping
Can't list files in directory with brackets ( [ or ] ) in the name
forgebox timeout is too small when publishing packages
dir command returns no results in drive root
Summary over 200 chars in box.json causes error when publishing
Addition of Apache logging classes breaks 3rd party libs using it
Installing a system module as one-off command doesn't clear wirebox metadata cache
Commenting server rules doesn't work correctly in text files
CommandDSL doesn't handle struct args
create a server prune command
Server start can hang when CF engine blows up
Tab complete doesn't work after a pipe
Working dir of server custom menu items doesn't default properly
Error when setting failing exist code in Task Runner
updating commandbox to 5.3.1 via Homebrew breaks with a java error
Rewrite rule with query string doubles up question mark
printTable column validation breaks with spaces in list
Directory listing not showing folders properly when names are numeric
Certain Java installs fail version check
ask and confirm command to capture user input from shell
Improve version handling in JAR endpoint
Update to Lucee 5.3.8
Support dots in struct keys with set/show/clear commands
printTable custom header names for non-array input
Add printTable check for data with no columns
Sort column names in printTable --debug
Set env vars directly in server.json for local one-off overrides
Support web.xml Overrides
Update to Undertow 2.2.10.Final
There is a fix for a regression introduced in 5.4.0 where updating the version of a CF engine doesn't work without forgetting the server first.
There is also an important security improvement to CommandBox servers. Thanks to Abram Adams for reporting this to Ortus so we could address it.
Note, the details of the security improvement have been tracked privately.
COMMANDBOX-1382 Java path shows up twice in "server info --verbose"
COMMANDBOX-1381 Updating server in-place keeps old web.xml path
COMMANDBOX-1375 recipe with multiple "install" instructions fails
COMMANDBOX-1380 Add additional interceptData to server interceptors
COMMANDBOX-1379 Update to WireBox 6.5.2
COMMANDBOX-1376 Immediately activate modules after installation
COMMANDBOX-1349 Improve multiselect DSL
COMMANDBOX-1120 Add JSON and Properties output for info command
JLine - 3.19.0
jGit - 5.11.0.202103091610-r
Launch4j - 3.14
JANSI - 2.3.2
When you configure libDirs for a server, CommandBox used to only load jar files found in the root. Now it will include sub directories which gives you more flexibility around how to install your jars.
In the previous release, we introduced a new helper for printing ASCII Art tables in your custom commands and task runners. We've taken this a step further and wrapped the table printer utiilty in a new command so you can use it from the CLI directly. We've also expanded its functionality to accept ANY data in as JSON and it will marshall it into a query for you. This means it can be a query, an array of structs, an array or arrays, and more. You can now get quick and easy visualization of any data right from the CLI or in builds.
As if the previous command isn't cool enough, we've also added a new "sql" command which will also accept any sort of data as JSON, marshall it into a query object and allow you to alias, filter, order, and limit the rows on the fly using CFML's query of queries!
The sql command works very nicely with the new tablePrinter command, and truly makes JSON a first class citizen of the CommandBox CLI.
We've made a small adjustment to the print.table() helper that was introduced in CommandBox 5.3.1 as follows. The old method signature is
And the new method signature is:
The parameters to the new printTable command matches the NEW method signature of the print.table() helper as well.
When working with XML in the REPL, formatting is now applied when the XML is printed out to the console, making it easier to read (same as JSON)
COMMANDBOX-1320 Server stop doesn't message user when it fails
COMMANDBOX-1319 Stop loading cfusion/lib in system class loader
COMMANDBOX-1318 5.3.0 errors with commandbox-dotenv 1.x versions due to WireBox change
COMMANDBOX-1314 When building Lucee war from local jars, seeded web.xml file is ignored
COMMANDBOX-1311 Table printer error with no rows
COMMANDBOX-1310 update '{slug}' fails as it is trying to print the package version and its dependencies.
COMMANDBOX-1308 Relative Web Alias Behavior (regression)
COMMANDBOX-1307 jq doesn't resolve file paths to current working directory
COMMANDBOX-1303 CFEngine adobe - Could not initialize class coldfusion.vfs.VFile when using s3 protocol
COMMANDBOX-1328 Improve performance of piping large strings to "cfml" command
COMMANDBOX-1317 Format XML in REPL
COMMANDBOX-1316 Change default CLI JSON representation of query to array of structs
COMMANDBOX-1306 Allow upgrade command to pull stable versions when CLI is a prerelease version
COMMANDBOX-1305 Update bundled java libraries
COMMANDBOX-1302 app.libDirs does not load jars/classes recursively from sub folders
COMMANDBOX-1210 Allow for relative URLs when defining trayoption elements
COMMANDBOX-1194 Add Libraries To Runwar Necessary For URLRewrite Proxy
COMMANDBOX-1324 New "printTable" command to add CLI usage of table printer
COMMANDBOX-1323 New "sql" command to filter tabular data with SQL
COMMANDBOX-1321 Add --verbose to 'server stop' to see raw output
COMMANDBOX-1309 Add printTable command that proxies to print.table() helper
Every Config Setting can be overridden by convention by creating environment variables in the shell where you run box
. This is ideal for CI builds where you want to easily set ForgeBox API keys, or tweak settings for your build.
More Info: https://commandbox.ortusbooks.com/config-settings/env-var-overrides
Every server setting can be overridden by convention by creating environment variables in the shell where you run box
. This is ideal for CI builds where you want to easily set ports, or tweak settings for your build.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/env-var-overrides
CommandBox now has out-of-the-box support for the HTTP/2 protocol. It is always enabled by default and browsers will use it when you're serving over HTTPS.
Thanks to a massive effort from Scott Steinbeck, the CFML world has a new CF implementation of the JMES spec, which is what powers the popular "jq" (or JSON Query) bash command. We've plugged this new library into CommandBox and exposed it in the following ways.
We've added a new jq command which behaves roughly like the bash counterpart. You can pipe in JSON, or read the JSON from a file and apply a JSON query against it which can be used to filter, massage, rewrite, map, or filter the JSON into a new JSON object.
We've also added the ability to specify powerful jq filters to the "package show", "server show", and "config show" commands directly. Just prefix your filter with the text "jq:" like so:
The jq command and JMES spec are very powerful and probably do much more than you realize! Make sure you check out the docs for more ideas.
More Info: https://commandbox.ortusbooks.com/usage/jq-command
CommandBox's AJP listener (provided by Undertow) is already protected against the Ghostcat vulnerability. However, if you would like to set up an AJP secret as well to ensure all requests coming into the AJP listener are from a trusted source, you can do this by setting the web.ajp.secret
property.
For this to work, you must also configure your AJP proxy in your web server to send the same secret!
We've updated the version of WireBox inside the CLI and now have access to the AsyncManager for sweet threading and scheduled task support.
CommandBox is using an AsyncManager scheduled task thread now to redraw interactive jobs and progress bars. Look out for some new eye candy hiding in your server starts and package installs!
More Info: https://commandbox.ortusbooks.com/task-runners/threading-async#asyncmanager
The print helper in commands and Task Runners has a new toy that will print ASCII representations of tabular data thanks to a pull request from Eric Peterson. You can see it in the output of the outdated command.
And you can use it in your Task Runners like so:
When scaffolding ColdBox handlers, we have support for ColdBox 6.x REST Handlers now.
You can enable extra Resource Manager Logging when troubleshooting file system issues:
You can force case sensitivity on a Windows server:
You can force case Insensitivity on a Linux server:
You can enable a cache of file system lookups of servlet paths. This is only for production and will eliminate repeated file system hits by your CF engine, such as checking for an Application.cfc file on every request, or testing where the servlet context root is. Standard Adobe ColdFusion installations have a similar cache of "real" paths from the servlet context that is tied to a setting in the administrator called "Cache Webserver paths" but that setting is not available and does not work on CommandBox servers for some reason. This setting would apply to any CF engine.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/experimental-features
When using a CommandBox web server in production, you may wish to force your users to visit your site over HTTPS for security (and for HTTP/2 to work). However, it is desirable to still have your web server listening on HTTP so a user just typing your address in his browser can still connect to HTTP and then redirect. CommandBox can be configured to redirect all HTTP traffic over to HTTPS with the following setting.
If you want to go one step further, you can add a Strict-Transport-Security
header to your site. This instructs the browser to automatically use HTTPS every time the user visits your site again.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/https-redirect-hsts
CommandBox won't use ANSI color formatting when running inside of a non-interactive terminal. However, build servers such as Gitlab or Jenkins (via a plugin) support ANSI color sequences. You can force CommandBox to use colored text output with this new setting:
One of the common hangups for people dealing with Lucee Server and Adobe ColdFusion CF Engines versions, is that CommandBox follows the npm-flavor of the semantic version spec and expects
instead of
So we've loosened our sem ver library to treat the 4th number as a build ID if there is no plus sign in the version (instead of just discarding the 4th digit as the spec requires)
Most modern browsers allow you to make up any subdomain you want before localhost such as mySite.localhost and will simply resolve them to localhost (127.0.0.1) even without a hosts file entry. CommandBox now supports using these domains and will bind your server's ports to localhost even without using the commandbox-hostupdater module.
You can customize where CommandBox lives by placing a commandbox.properties file next to the box binary. We have better support for relative paths now so you can have portable CommandBox installations such as a thumb drive.
More Info: https://commandbox.ortusbooks.com/setup/installation
The only known breaking change in this release is if you try to start two servers on the same HTTP port. Previously, CommandBox would just ignore the port on the second server and choose a random port. Due to the confusion that can cause, CommandBox will now throw an error. If you want to override an explicit port locally, set the port to an empty string or a 0 and CommandBox will choose a random port for you. For example, if you are using the commandbox-dotenv module, you can put this line in your project's .env file to override the port in your server.json
If you have a server with the server.json outside of the web root and at least one relative web alias, the alias will not work on the first start of the server. The workaround is to change the web aliases to be relative to the folder that the server.json lives in.
Some users receive the following error when starting CommandBox after updating:
If you see this, it means you have an older version of the commandbox-dotenv module installed that is not compatible with the new version of WireBox inside CommandBox. To fix, delete this folder out of your CommandBox home:
Now the CLI will start and you can install the latest version of dotenv.
Here is the list of all tickets included in the 5.3.0 release.
COMMANDBOX-1301 web server aliases in server.json should be relative to the folder of the server.json
COMMANDBOX-1300 ${Setting: serverinfo.foo not found} expansions don't work in a folder that's not the web root
COMMANDBOX-1291 Re-using same server.json with two names doesn't work
COMMANDBOX-1276 Corrupted WireBox metadata cache file will prevent CommandBox from starting
COMMANDBOX-1275 HTTP2 Additional Port Handling and Flexibility
COMMANDBOX-1271 REPL & Command highlighters don't handle square brackets [] well
COMMANDBOX-1270 JVM arg ending in backslash doesn't work
COMMANDBOX-1268 Coldbox Watch-Reinit Watches Unwanted Folders
COMMANDBOX-1263 Package installation doesn't always optimize duplicate packages
COMMANDBOX-1261 Globber.count() bombs if run after .asQuery()
COMMANDBOX-1259 Starting lucee@1.2.3 will use light-light when using CommandBox Light
COMMANDBOX-1255 Loading class files in task runner doesn't work
COMMANDBOX-1253 variables scope doesn't persist between task dependencies
COMMANDBOX-1250 tokenreplace removes BOM from files
COMMANDBOX-1212 trayOptions.json not respecting serverHomeDirectory
COMMANDBOX-664 Server status not always correct.
COMMANDBOX-1297 Add singleServerHome option to not auto-deploy different versions of servers
COMMANDBOX-1296 Improve error message if version isn't found in ForgeBox
COMMANDBOX-1295 Loosen parsing of build ID in semver
COMMANDBOX-1292 Treat empty HTTP port the same as 0 (chooses random port)
COMMANDBOX-1290 Remove runwar hack that sets java vesrion
COMMANDBOX-1288 Runwar timesout when Lucee's new warmup flag is used
COMMANDBOX-1287 Add option for PID file
COMMANDBOX-1285 Allow generic override of server start settings via env vars or java sys props
COMMANDBOX-1284 Have parser ignore quotes inside a token
COMMANDBOX-1269 Cache "/" path lookup in Runwar's mapped resource manager
COMMANDBOX-1267 Add setters for run() arguments in CommandDSL
COMMANDBOX-1258 Default embedded server only needs to copy lucee.jar
COMMANDBOX-1256 Have outdated
also show latest version of a package
COMMANDBOX-1252 Integrate AsyncManager into CommandBox
COMMANDBOX-1251 Upgrade to latest WireBox 6.x
COMMANDBOX-1249 Bundle testbox in testbox module to prevent auto download
COMMANDBOX-1248 Halt server start if asked for port is in use
COMMANDBOX-1246 the git bullet train car disappears while current working directory is not the root project folder
COMMANDBOX-1216 Support AJP secret in Undertow
COMMANDBOX-1169 Rethink the way the screen is redrawn upon extensive installs so it can be fluent on all screen sizes
COMMANDBOX-1136 Can't link package if no modules are installed
COMMANDBOX-1117 New first-class setting to enable HTTP2
COMMANDBOX-1108 Comment out the default environment vars in .env when createing a new coldbox app
COMMANDBOX-1294 Allow server rules to be commented out with #
COMMANDBOX-1293 Allow servers to use random.localhost domains
COMMANDBOX-1289 Integrate JMES JSON filtering
COMMANDBOX-1282 Debug when lucee-extensions don't find Lucee server
COMMANDBOX-1281 Allow JSON service to create implicit arrays
COMMANDBOX-1280 Add config setting to enable ANSI colors in dumb terminals
COMMANDBOX-1279 Allow generic override of config settings via env vars or java sys props
COMMANDBOX-1278 Add --json flag to server list
COMMANDBOX-1277 Add HTTP redirect options
COMMANDBOX-1273 Add optional servlet path cache in Runwar
COMMANDBOX-1262 Allow caching of task runners
COMMANDBOX-1260 Support for generating ColdBox RESTHandlers
COMMANDBOX-1245 Support default module export as @moduleName,
COMMANDBOX-676 Allow commandbox_home to be relative
This release was primarily to address a regression in 5.1.0 affecting Mac OS users who tried to start Lucee servers. If you see an error similar to this on a Lucee server and you're running a Mac and CommandBox 5.1.0, then this release will fix it for you.
If you are upgrading from CommandBox 5.1.0, there are only a handful of tickets which are listed below. If you are updating from an earlier version of CommandBox, please check out our and release blogs.
[] - Overzealous gitignore matching of parent directories when zipping up for ForgeBox storage
[] - Enabling SSL results in some CFHTTP requests to fail.
[] - writedump failing in Lucee
[] - File globbing matching partial file names
[] - Allow for verbose startup without debug logging of requests
There is now a new "forgebox logout" command you can use for testing or just to remove your API token from the local CLI.
You can change CommandBox's default tab completion to be an inline list that follows your cursor. This setting requires you to close and re-open the shell to take affect.
Read more here:
We've added better debugging information for Server Profiles. If you add the --verbose flag to your server start, you'll be able to see what profile was detected for your server, and what baked-in rules have been turned on as a result.
We've added a new Single Server Mode you can enable in the CLI to make using CommandBox in Docker images easier.
Read more here:
Here are the release notes for the 5.2.1 release.
Java 14 is now supported in CommandBox 5.1.0. In order to support Java 14, we had to stop using Pack200 which means the binary sizes have grown a little. The good news is CommandBox will start up a little faster on its first run since there's less to unpack now.
You can start up a lightweight server that only serves static files now with CommandBox.
In pursuit of the smallest possible Docker images, we have CommandBox light which is built on Lucee Light. We also have a box "thin" binary you can swap out with the full self-extracting binary when using CommandBox in custom docker images. Check out Pete Freitag's to see both of these in use in a super tiny 78 Meg docker image. More docs here:
If you're using box in an integration where you want it to start up in a specific working directory, there is a new bootstrap CLI arg for that.
You've always been able to specify custom menu items in your server.json or global config settings, but we've kicked it up a notch. Not only can you contribute to existing sub menus now, you can execute arbitrary native commands synchronously or async.
Here's the full list of tickets closed down in the 5.1.0 release.
Even though this is a new major version, it should be very backwards compatible. CommandBox proper has no known backwards compatibility issues we're aware of, but note we've bumped libraries like Lucee Server, Undertow, and Java support, so you may notice differences due to these 3rd party lib updates. For example, one in Lucee 5.3 (which now powers your default server) is how page output buffer is handled.
You should be able to simply replace your box.exe binary and run it to get the same in-place upgrade you're used to. If you run into issue, you can try removing the "engine" folder in your ~/.CommandBox folder and try again. If you need to downgrade for any reason, replace the box binary with the old version, remove the "engine", "cfml", and "lib" folders in your CommandBox home and they will get re-created on the next run.
You may also notice the box binary is larger now. From 44 Megs up to 77 Megs. This is a regrettable byproduct of us turning off the Pack200 process we used to run against the Lucee jar. Lucee seems to have some bugs that causes it to re-download a bunch of OSGI bundles when we compress them and we can't figure it out, or get support on the matter, so for now we're just not compressing as much stuff. This was a huge blocker for anyone needing to run CommandBox on a PC with no external internet access as Lucee provides no mechanism to turn off it's auto-download behavior.
And finally, if you have installed any custom OSGI bundles into your CLI, they will be wiped by the upgrade process now. We didn't want to have to to do this, but Lucee has bugs that cause errors when doing in-place upgrades with the old OSGI bundles left in place and we couldn't get it fixed, so this was the only way to ensure in-place upgrades would "just work" without errors. We are leaving the Lucee engine folder, so any settings you may have put into your CLI should remain in place.
There's a lot of new stuff in CommandBox 5.0.0. Here's an overview. One of the biggest new "features" is you can finally use CommandBox on Java 11+. This was not possible in CommandBox 4.x due to the version of Lucee not fully supporting newer versions of Java. Now that Lucee has been bumped to 5.3 (see below) you are free to leave java 8 behind for the CLI. Note if you're using CommandBox to start up older versions of Adobe CF or Lucee/Railo, you may still need to use java 8 specifically for your servers.
Let's start with the library updates. For the most part, all the jars we bundle are a "black box" but in reality, every update is usually for new features, fixes, or security patches. Here's an overview of the new libs:
WireBox 5.6.2
JLine 3.13.0
Runwar 4.0.3 (major bump from 3.x)
JBoss Undertow 2.0.27.Final (major bump from 1.x)
JGit 5.5.1.201910021850-r
Lucee 5.3.4.77("major" bump from 5.2)
AdoptOpenJDK jdk-11.0.6+10 (In the JRE-included download) (major bump from 8.x)
You can now use user/pass or personal access token authentication when cloning Git repos over HTTPS. This has been tested with Github and Gitlab and is an alternative to SSH keys. Please check the docs, as Github and Gitlab both expect slightly different inputs.
There is a new Lex installation endpoint to help you acquire Lucee Extensions your app needs via the "install" command or a dependency in your box.json file. If the current directory has a Lucee server in it, CommandBox will install the extension file directly into your server's "deploy" folder (server context)
The auto-install feature into your server will work on any Lex package, even one coming from ForgeBox:
Tuning your server is easier now. You can configure your Undertow worker-threads setting with first-class server.json property
Which gives you this in your server.json
We've also unlocked a method for you to set ANY valid Undertow option or XNIO option. So if Undertow supports it, you can configure it!
We've added a new experimental feature that lets you create a batch file, powershell script, or bash shell script that directly starts a server with the exact settings that you get from "server start". This is for you to create super-optimzed startups in Docker or Service that bypass the CLI steps and "lock in" the settings. No server.json or CFConfig, or dotenv code will be processed, but you will have a fast streamlined start that is the same every time. Couple this with our new "dryRun" flag on server start that will unpack the CF engine, but not actually start the server, and you can create your customs start script like so:
The Globber helper can now take more than one globbing pattern. This also means every built-in command in CommandBox that takes a globbing pattern, can now take a comma delimited list of patterns. We've also added an exclude list of globbing patterns to the dir command as well.
We've got a couple new handy commands to help you from the command line, "unique" (modeled after the Bash "uniq" command)
And "sort" (modeled after the Bash "sort" command)
The "grep" command has received a "count" parameter if you just want the count of lines that match the regex (or no regex will count all lines)
The tray icon for your servers now has a new option under the "Open" menu that will open up the file system folder where the server home lives. This is nice for finding your CF Engine's log files.
There are a lot of bug fixes and even more enhancements I didn't cover above. You can read the full release notes here:
There are a number of pretty exciting new features and a pile of bug fixes. And as usual, input from the community via Pull Requests. Huge thanks to Pete Freitag, Kai Koenig, Matthew Clemente, Bobby Hartsfield, Scott Steinbeck, Daniel Mejia, and Miguel Mathus! Here's an overview of the new stuff in 5.2.0
We know library updates are boring, but they are important and we want you to know we take them seriously. Keeping up-to-date ensure you have the latest fixes and security updates from all the third-party libs we bundle in CommandBox.
Here's an overview of what we updated in CommandBox 5.2.0.
Upgraded Runwar from 4.1.2 to 4.3.8
Upgraded JBoss Undertow from 2.0.27.Final to 2.2.0
Upgraded UrlRewritesFilter to Ortus fork 5.0.1 with custom fixes
Upgraded jboss-logging from 3.2.1.Final to 3.4.1.Final
Upgraded jboss-logging-annotations from 2.1.0 to 2.2.1.Final
Upgraded JCabi Log from 0.18 to 0.18.1
Upgraded Apache HttpClient from 4.2.6 to 4.5.12
Upgraded Apache httpmime from 4.2.6 to 4.5.12
Removed unused JOpt Simple 5.0-beta-1
Removed unused Gson 1.2.3
The Undertow bump is a minor update, but a pretty big deal. Ortus sent three pull requests to the core Undertow project fixing bugs and adding predicate logging. All of our pulls were accepted and merged into the core Undertow project and released in the 2.2 release.
Read more about library updates here:
This is a feature that we expect to grow in the future. We've started it out simple, yet powerful but left a lot of room to build on it. The two main goals here are
Make CommandBox secure-by-default so a server shoved in production comes nice and locked down
Makes it very easy for you to toggle off all the security stuff for development
CommandBox now has profiles you can assign to a server when you start it to configure the default settings. This is to provide easy secure-by-default setups for your production servers, and to make it easier to switch between a development mode and production mode.
There are 3 currently supported profiles. Custom profiles will be added as a future feature.
Production - Locked down for production hosting
Development - Lax security for local development
None - For backwards compat and custom setups. Doesn't apply any web server rules
In production mode, CommandBox will block access to your CF admin to all external traffic, will block all common config files such as box.json or .env and will block, the "TRACK" and "TRACE" HTTP verbs
You can set the profile for your server in your server.json
Or you can specify it when starting the server like so:
If a profile is not set, CommandBox looks for an environment variable called "environment" or it checks to see if the site is bound on localhost to try and guess the correct profile for you.
We've also added some new flags in your server.json to fully customize how your profile behaves.
Read more about Server Profiles here:
This is huge-- probably the biggest chunk of work, and it's actually what makes the server profiles above even possible! It's always been possible to perform basic lock downs with a custom rewrite file, but we've exposed an amazing built-in functionality of Undertow called the Predicate language. It allows you to create ad-hoc rules that apply to your server to provide any of the following:
Security - Block paths, IPs, or users
URL rewrites - Rewrite incoming URLs to something different
Modifying HTTP requests on the fly - Set headers, cookies, or response codes
An example of a server rule using Undertow's predicate language to block access to any box.json files looks like this:
One of the best things about these rules, is they don't have to be in a single monolithic XML file. Instead they can come from
An array of ad-hoc definitions in your server.json file or config server defaults
one or more external JSON or text file specified in your server.json or config server defaults
Built in CommandBox server profiles (see above)
Custom 3rd party CommandBox modules that contribute rules on-the-fly (time to get creative!)
Here's some examples of what can be in your server.json
CommandBox also registers some custom rules in Undertow you can use for your CF apps:
There are lots of new docs on this. Read more about Server Rules here:
The more we use Task Runners for builds, scheduled tasks, and utilities, we've seen the need to have lifecyle events in the same manner as the preHandler and postHandler sort of stuff in ColdBox MVC. Now if a task runner has methods of this name, they will be executed automatically.
preTask - Before any target in the task
postTask - After any target in the task
aroundTask - Wraps execution of any target in the task
pre- Before a specific target
post- After a specific target
around - Wraps execution of a specific target
onComplete - Fires regardless of exit status
onSuccess - Fires when task runs without failing exit code or exception
onFail - Fires if exit code is failing after the action is done (always fires along with onError, but does not receive an exception object). Use this to respond generally to failures of the job.
onError - fires only if an unhandled exception is thrown and receives exception object. Use this to respond to errors in the task. Does not fire for interrupted exceptions
onCancel - Fires when the task is interrupted with Ctrl-C
The lifecycle methods are very powerful and can be controlled via whitelist and blacklists to control what targets they execute for. "Around" events are very easy to use thanks to the use of closure. There's a lot more details in the docs.
Read more about Task Runner Lifecyle events here:
The default namespace when using the $ {foo}
system setting expansion syntax is box environment variable, Java system properties, and OS environment variables.
It is also possible to leverage built-in namespaces to allow expansions that reference:
server.json properties
box.json properties
arbitrary JSON file properties
Config settings (like the config show command)
Server info properties (like the server info property=name command)
Other properties in the same JSON file
This gives you a lot more power now to be able to create dynamic configuration in your JSON files and even from the command line. Here are some examples:
And one of the coolest things is this implementation is driven by a new onSystemSettingExpansion interception point and completely extendable! That means you can write a module that powers something hypothetical like this:
Read more about System Setting namespaces here:
CommandBox has had the ability to enable/disable GZip compression in Undertow for a while. Now you can fully control when it activates based on the type or size of file, etc. This feature utilizes the same Undertow predicate language that we introduced above.
Read more about GZip Compression Control here:
This is a fun one. There are some specific commands that make use of the Watcher library in CommandBox such as testbox watch and coldbox watch-reinit. However, there is also now a generic watch command that will run any arbitrary command of your choosing when a path matching your file globbing pattern is added/updated/deleted. Use this to build custom watchers on-the-fly without needing to touch any CFML code to write a Task Runner.
That command will echo out "config files updated!" every time a JSON file gets changed in the current directory. Here's a more complex one:
That one will list every new file that's added in this directory and all sub directories.
Read more about the generic watch command here:
There are a handful of features in CommandBox that will open URLs for you in your default browser. We've had requests to allow the browser in use to be customized, so we've reworked all of that logic, consolidating it in some places and now you can control what browser CommandBox uses. To change the default browser for all URL opening functions use this:
Supported browsers are:
firefox
chrome
opera
edge (Windows and Mac only)
ie (Windows only)
safari (Mac only)
konqueror (Linux only)
epiphany (Linux only)
And you can even dial in a browser on demand for the browse and server open commands.
Read more about setting the default browser here:
Here are some honorable mentions.
The CommandBox Tuckey rewrites allow an .htaccess file that uses the mod_rewrite style syntax of rewrites. Previously, use of flags such as these didn't work:L
We've added a "restart" option to the tray icon that does exactly what you think it does.
There's a new trick supported in CommandBox's shell that we've borrowed that allows you to change directories and go "up" more than one directory with less typing:
You can now pipe the output of a previous command in CommandBox directly to a native binary like so:
In this case, clip
is a Windows binary that will read the standard input and place that text on the clipboard.
We work hard to make every CommandBox upgrade backwards compatible. There's a couple things that you may notice different in this release. They're both done to put security first and can be modified to get your original behavior back.
Since the CF Administrator is now blocked for traffic not coming from localhost when in production mode, you may need to explicitly open up the CF admin to make it accessible again if you needed it open to the public on a production server. Even with the profile set to production, you can activate just the CF admin like so:
The web server built into CommandBox will now only serve static files if their extension is found in a whitelist of acceptable files. This is to prevent prying eyes from hitting files they shouldn't be able to access on your server. The current list of valid extensions is:
If you have a common static file you need to serve, you can add your own custom extensions to the list like so:
And if you think we've missed an obvious one that deserves to be added to the default list, please let us know.
Here's the full list of tickets in the 5.2.0-RC.1 release.
[] - Installing via lex endpoint uses incorrect file extension
[] - Location of predicate file is in a folder that the Docker finalization script deletes
[] - Command alas for run command doesn't expand properly
[] - Add config setting to activate JLine's AUTO_MENU_LIST
[] - forgebox logout command
[] - verbose server start output for profile and security settings
[] - Extend ${} scopes to apply to any getSetting() call or "env show" command
[] - Modules aren't unloaded on reload or shutdown
[] - Add debug output that shows location of commandbox.properties file on start
[] - Add single server mode for CommandBox in a Docker container
[] - Add Testbox runner to sensitive paths in production profile
[] - Use UTF-8 when reading files with "cat" command
[] - Runwar deadlocks when using Lucee server warmup flag
[] - Server start console output isn't always formatted correctly
[] - Boolean env var causes error on server start
[] - Output of foreach can't be piped
[] - Lucee Extension install doesn't recognize Lucee Light
[] - Package unlink command misspelled parameter moduleDirectory as moduleDrectory
[] - Package link command misspelled parameter moduleDirectory as moduleDrectory
[] - Tab complete doesn't work on Windows paths with backslashes
[] - CommandBox Watcher shows error on Ctrl-C
[] - Extension management doesn't "recognize" a Lucee server started with --dryRun
[] - Downgrading a package with install doesn't work without --force
[] - The run command doesn't always seem to kill interactive binaries
[] - Relative paths incorrect in drive root on *nix
[] - Using a warPath of ./ gets normalized to "" and then ignored in subsequent starts
[] - native commands with * can fail due to missing regex escape
[] - Incorrect serverInfo for a server that hasn't started
[] - Allow arbitrary actions for menu items
[] - Allow to start a pure HTML server
[] - Update ColdBox Templates to new standards
[] - Allow default working dir of box to be overridden
[] - Create box-thin binaries that don't bundle any libs
[] - Create CommandBox Light built that uses Lucee Light jar
[] - Add two new methods to commands for working with async futures: getCurrentThread() getThreadName()
[] - TestBox run commands now support the outputFormats argument to allow you to output post-test reports in many formats
[] - TestBox revamped UI for the CLI reporter
[] - Add Java info debug to box binary
[] - Add Java version as info log
[] - Provide way to disable server instance icon in MacOS dock
[] - Add --full flag to dir command to output full path
[] - Rework the server list command so it is more performant
[] - Bump to Lucee 5.3.6.61
[] - Tab complete for sort options in dir command
[] - Have the ProgressableDownloader send an Accept header
[] - Don't overwrite lucee-server.xml file when updating libs
[] - Auto-detect *unix distros with non-bash shells
[] - Copy lco files so Lucee server can start on CommandBox Light
[] - Reset console window title after `run` executes a process
[] - Remove extra stashes on url paths when servlet init params starts with WEB-INF
[] - Tray Icon not displaying on Debian8
[] - X Window Errors
[] - "Coldbox create resource" uses wrong paths on Windows
[] - urlrewrite.xml has file size of 0 on docker restart but not regular start
[] - CommandBox instances crashing because of TrayIcon rendering
[] - CommandBox always reads STDIN even when in non-interactive mode
[] - Using zsh exits out of CommandBox when running a binary command
[] - Shebang scripts no longer work without .cfm extension
[] - If custom rewrite file is already in correct destination, runwar overwrites it as 0 bytes
[] - worker-threads setting no longer has any affect
[] - Tray icon not showing in Ubuntu 18.04
[] - Undertow error output when starting server
[] - [RUNWAR] Tray menu placeholders such as ${Setting: runwar.port not found} are not replaced in sub menus
[] - regex string index out of bounds exception
[] - URL Rewrites fire incorrect on URL containing a space
[] - Browser doesn't open when server start
[] - Host updater does not work
[] - Server doesn't stop on Windows
[] - ConcurrentModificationException with undertow?
[] - Restrict /dumprunwarrequest to be used only on Unit Testing
[] - Remove trailing slash from Adobe updates path
[] - Default command parameters don't work on commands in namespaces
[] - Command DSL has unexpected behavior with equals sign in positional tokens
[] - Tab complete for negated flags isn't complete
[] - box fails to open in vSphere Web Client console due to outdated JLine jar
[] - Server start doesn't correctly expand relative Java Home directory
[] - slashes into the servlet init param paths
[] - Tray icon doesn't disappear on Windows when server stops from CLI
[] - Install dependency from box.json with env var placeholder gets overwritten with actual value
[] - coldbox create resource command ignores specsDirectory argument
[] - foreach cannot be interrupted with Ctrl-C
[] - validate non-numeric exit codes from the "exit" command
[] - Task Runner's loadModule() fails on path with period
[] - Tasks don't treat return 1 and setExitCode( 1 ) the same
[] - When a task sets a failing exit code, no output is sent to console
[] - Commands that set a failing exit code don't raise proper exception
[] - foreach, grep, and sed only break on chr(10)
[] - Ability to install/uninstall box server services
[] - Server command to explode server war but not start it
[] - Set any valid XNIO option
[] - Add generic feature to set any valid Undertow option
[] - Allow no rest mappings to be supplied
[] - Tab completion for task targets
[] - New TestBox commands: generate visualizer and generate browser
[] - Update ColdBox module templates for 5.0 standards
[] - Expose Undertow worker-threads setting with first-class server.json property
[] - Support HTTPS username/password auth
[] - Option for server start to write file with full start args for direct Runwar call
[] - Add lex endpoint for installing Lucee extensions
[] - Add unique command to filter out duplicates rows of input
[] - Add sort command to sort rows of input
[] - Make sure the build works
[] - Document Setup in the Repo
[] - Vet all changes on Runwar since April 25, 2018.
[] - Enhance Globber to take more than one pattern
[] - Enhance Globber to have exclude patterns
[] - Update CLI to Lucee 5.3 and test Java 11
[] - Change CommandBox build to pull Ortus build of Runwar
[] - Output Runwar version and jar path in "info" command output
[] - Need Config for Max Thread Request at runwar
[] - Enhance dir command with new Globber features
[] - Optimize installation of packages with createPackageDirectory set to false
[] - Improve performance of print buffer by using String Builder internally
[] - Add --count flag to grep command
[] - Update CommandBox to Runwar 4.0.0
[] - Upgrade to JGit 5.5
[] - Tie into FusionReactor to report transactions for tasks, commands, etc.
[] - Default location to forgeboxStorage for package init command
[] - Improve default package naming of jar endpoint
[] - Add option to tray menu to open server home directory
[] - Update to latest WireBox
[] - Stop outputting extra line break for commands with no output
There are TON of built in predicates and handlers your rules can use. We've documented some of them :
[] - Tuckey UrlRewrite DTD version issues
[] - when installing a package which doesn't exist, commandbox claims forgebox is unreachable
[] - Remove mail-4.1.1.jar from runwar's lib dir
[] - "testbox run" output garbled on Windows (wrong encoding)
[] - UndertowOptions and XNIOOptions don't work for Long type
[] - HTTP endpoint leaves a zip file in the CommandBox temp folder
[] - url rewrite no longer works
[] - Piping a command into run does not execute interactivley
[] - Support flags on .htaccess file for Tuckey rewrites
[] - Restart server via tray icon
[] - Stop expanding /WEB-INF paths in servlet init params
[] - Allow configuring default browser to use when opening a URL
[] - Add a preInstallAll and postInstallAll interception points when running an `install` command
[] - Add Task Runner lifecycle events
[] - Generic watch command
[] - When starting an already-started server, offer to open the existing one instead
[] - Add directory expansion command for going back multiple directories
[] - Add built-in predicates and handlers for undertow for easier lockdown
[] - Add "profile" setting to help default security settings
[] - Allow standard input to be piped to native binaries
[] - review all the runwar dependencies and check for outdated ones
[] - Block TRACE HTTP Verb by default
[] - Implement web server rules in Undertow
[] - Add an option to console log output without ANSI codes
[] - Migrate to AdoptOpenJDK API v3
[] - Move ANSI logging format from Runwar to CommandBox
[] - Automated flag negation hint is the same as the hint for the flag itself
[] - Default server menu actions working directory to web root
[] - Expand working directory when specified for a menu item
[] - Validate incoming version for bump command
[] - Programmatic skipping of package install via interceptor
[] - Adding support for installing lex files from file or unc paths
[] - Add File Filtering For GZIP Compression
[] - Allow default server java version to be cleared
[] - Add setSystemSetting() to BaseCommand
[] - "testbox run" command - show tag context for global bundle exceptions
[] - Add --trayEnable flag to server start
[] - Allow ${} system setting expansions to have extendable namespaces
[] - Improve verbose output of JVM args if args contain " - " in them
[] - forgeboxstorage default ignores are over-aggresive
[] - If native command is piped into RUN, allow the output to be piped again
[] - Load predicates in Runwar
[] - Pass Predicates as part of Server Start in CommandBox
[] - Add default server rules/predicates in CommandBox for default lockdown
[] - Improve logging in Undertow for execution of predicate handlers
[] - Track/address Undertow tickets