Luis Majano is a Computer Engineer with over 15 years of software development and systems architecture experience. He was born in San Salvador, El Salvador in the late 70’s, during a period of economic instability and civil war. He lived in El Salvador until 1995 and then moved to Miami, Florida where he completed his Bachelors of Science in Computer Engineering at Florida International University. Luis resides in Houston, Texas with his beautiful wife Veronica, baby girl Alexia and baby boy Lucas!
He is the CEO of Ortus Solutions, a consulting firm specializing in web development, ColdFusion (CFML), Java development and all open source professional services under the ColdBox and ContentBox stack. He is the creator of ColdBox, ContentBox, WireBox, MockBox, LogBox and anything “BOX”, and contributes to many open source ColdFusion projects. He is also the Adobe ColdFusion user group manager for the Inland Empire. You can read his blog at www.luismajano.com
Luis has a passion for Jesus, tennis, golf, volleyball and anything electronic. Random Author Facts:
He played volleyball in the Salvadorean National Team at the tender age of 17
The Lord of the Rings and The Hobbit is something he reads every 5 years. (Geek!)
His first ever computer was a Texas Instrument TI-86 that his parents gave him in 1986. After some time digesting his very first BASIC book, he had written his own tic-tac-toe game at the age of 9. (Extra geek!)
He has a geek love for circuits, microcontrollers and overall embedded systems.
He has of late (during old age) become a fan of running and bike riding with his family.
Keep Jesus number one in your life and in your heart. I did and it changed my life from desolation, defeat and failure to an abundant life full of love, thankfulness, joy and overwhelming peace. As this world breathes failure and fear upon any life, Jesus brings power, love and a sound mind to everybody!
“Trust in the LORD with all your heart, and do not lean on your own understanding.” – Proverbs 3:5
Brad grew up in southern Missouri where he systematically disassembled every toy he ever owned, which occasionally led to unintentional shock therapy (TVs hold charge long after they've been unplugged, you know). After high school he majored in Computer Science with a music minor at MidAmerica Nazarene University (Olathe, KS). Today he lives in Kansas City with his wife and three girls where he still disassembles most of his belongings (including automobiles), just with a slightly higher success rate of putting them back together again. Brad enjoys church, all sorts of international food, and the great outdoors.
Brad has been programming CFML since 2001 and has used every version of CF since 4.5. He first fell in love with ColdFusion as a way to easily connect a database to his website for dynamic pages. Brad blogs at (http://www.codersrevolution.com) and likes to work on solder-at-home digital and analog circuits with his daughter as well as building projects with Arduino-based micro controllers.
Brad's CommandBox Snake high score is 141.
Jorge Reyes - ColdBox Aficionado
In this section you will find the release notes for each version we release under this major version. If you are looking for the release notes of previous major versions use the version switcher at the top left of this documentation book. Here is a breakdown of our major version releases.
Versions 5.x - Mar 2020 - August 2023
Versions 4.x - Jun 2018 - Sept 2019
Versions 3.x - Feb 2016 - Nov 2017
Versions 2.x - June 2015 - Nov 2015
Versions 1.x - Feb 2015
In this section you will find the release notes for the 5.x version of CommandBox.
Version 5.9.1 - August 2023
Version 5.9.0 - May 2023
Version 5.8.0 - April 2023
Version 5.7.0 - December 2022
Version 5.6.0 - September 2022
Version 5.5.2 - May 2022
Version 5.5.1 - May 2022
Version 5.4.2 - October 2021
Version 5.4.1 - September 2021
Version 5.4.0 - August 2021
Version 5.3.0 - May 2021
Version 5.2.1 - Dec 2020
Version 5.2.0 - Nov 2020
Version 5.1.1 - June 2020
Version 5.1.0 - May 2020
Version 5.0.0 - Mar 2020
This is a very small release with two changes.
Update to Lucee 5.4.3.2
Update bundled JRE to 11.0.20+8
Note Lucee 5.4.3.2 contains critical security patches which are outlined here:
https://dev.lucee.org/t/lucee-critical-security-alert-august-15th-2023-cve-2023-38693/12893
The new Lucee version affects the core CLI runtime as well as the default server you get when running "server start" with no cfengine specified. Possible compatibility issues related to the major bump in Lucee version:
This Lucee version does not include Hibernate, so the Ortus Hibernate extension is installed. We will stop doing this in 6.0
This Lucee version has strict XML parsing settings on by default which may affect any servers you start which parse XML containing DTDs.
If you do run into XML errors, this code may help you in your Application.cfc, which allows DTDs, but still disallows XML external entities (XXE).
COMMANDBOX-1609 Update bundled JRE to 11.0.20+8
COMMANDBOX-1610 Update to Lucee 5.4.3.2
Java 17 was a breaking change for Java users as it now blocks illegal reflective access. Both Adobe and Lucee have been slow to address this. Lucee 5.3.10 mostly seems to run on Java 17, but only the public beta of ColdFusion 2023 (Fortuna) supports Java 17. You may want to start testing Java 17 out, so the CommandBox CLI and its servers seem to have basic support for running on Java 17 now. Note, you may need to add additional JVM args to any servers based on the specific Java libraries you use.
We've bumped library versions such as Redhat Undertow to stay current with recent CVE fixes.
If you have a project and want all packages of a certain type to use a different-than-normal default install location, you can override each package type just for that project. Create an installPathConventions key in the containing package's box.json which is an object containing keys for each package type you wish to override package install paths for.
Read more: https://commandbox.ortusbooks.com/package-management/installing-packages/installation-path
You can get recursive file listings now in a tree view by using the --tree flag
In task runners and custom commands, you can now tap into the same tree printer that the "package list" and "ls --tree" use to output your own ASCII trees.
which outputs
Read More: https://commandbox.ortusbooks.com/task-runners/printing-tree
There is also a print helper method for task runners and custom commands as well as a CLI command you can use that accepts an array or list of simple values and prints them in a column format based on the widest value and the available terminal width.
Read More: https://commandbox.ortusbooks.com/task-runners/task-output/printing-columns
This command will accept piped text and strip any ANSI formatting from it. This is especially useful when piping the text to a native OS binary which doesn't handle formatting well.
We've introduced a new command for piping text onto your native operating system's clipboard.
Here's the full list of all the changes in CommandBox 5.9.0.
We know this stuff may seem boring, but it's super important to ensure you stay safe and secure on the latest versions of our bundled libraries. We updated the following libs in this release:
org.lucee:lucee: 5.3.9.141 -> 5.3.9.160
io.undertow:undertow-servlet: 2.2.17.Final -> 2.2.19.Final
io.undertow:undertow-websockets-jsr: 2.2.17.Final -> 2.2.19.Final
net.minidev:json-smart-mini: 1.0.8 -> 1.3.2
commons-cli:commons-cli: 1.2 -> 1.5.0
org.jooq:joox: 1.2.0 -> 1.6.2
org.apache.logging.log4j:log4j-slf4j-impl: 2.17.1 -> 2.18.0
org.apache.logging.log4j:log4j-core: 2.17.1 -> 2.18.0
org.jboss.logging:jboss-logging: 3.4.1.Final -> 3.4.3.Final
Over half of the tickets in this release were bug fixes to keep the CLI running smoothly on all operating systems. You can check out the full list of tickets below to see the screws we tightened.
CommandBox servers have an exciting new weapon in their arsenal, and that is a new system of security that allows you to protect certain parts of your site from the general public. This could be CF admins, private dashboards, or a subfolder of sensitive files.
You'll find a new section in the server.json called web.security where these settings live. You can leverage the power of our Server Rule predicates to match whatever requests you want to secure, based on folder, HTTP method, remote IP, HTTP headers and more.
That authPredicate would require authorization for any pages in the Lucee admin unless you were on localhost. NOTE: path-prefix is case sensitive, so on Windows you'd want to use a regex() based check such as regex( pattern='^/lucee/admin/.*', case-sensitive=false )
When a request is marked as requiring authentication, you can enable one or more auth mechanisms to challenge the user as discussed below.
Read more on Server Security Here.
CommandBox has supported basic auth for a while, but it was a simple all-or-nothing implementation. Basic auth has been revamped and rolled into the new security system. If no authPredicate is defined, it will still apply to the whole site. But when an authPredicate is declared in your server.json, it will only kick in for those pages.
We've also moved the basic auth settings in server.json to here:
Don't worry, the old location still works too for now. We won't remove support for it until the next major release of CommandBox. If both the settings exist (Ex: web.basicAuth.enable and web.security.basicAuth.enable), the new location will be given precedence.
Read more on Basic Auth Security Here.
Adding support for client SSL certs was one of our largest undertakings and is a very exciting new feature for government shops who use PKI based authentication, often times in the form of DoD CAC (cards) which are physical cards containing a private PKI cert that identifies the user. This feature was one of the last reasons to need IIS or Apache in your mix, but now CommandBox can do it all!
Client certs have two parts. The first is the ability of the web server to prompt the user's browser to ask for a client cert to send. This requires configuring a trust store or a list of trusted CA certs to accept. When the user sends a cert, it automatically makes a number of CGI and request variables available to your CF code. You can configure your SSL connection to accept or require client certs like so:
Some of the CGI variables which are automatically created when a client cert is present are
CGI.SSL_CLIENT_CERT - PEM-encoded cert (base 64 string)
CGI.CERT_SUBJECT - The Subject distinguished name of the client cert (CN=foo, O=bar, OU=baz)
CGI.CERT_SERIALNUMBER - The serial number of the cert in the format 91-7e-5f-a5-b2-20-a1-8b-4c-d0-40-3b-1c-a1-a8-58
CGI.CERT_ISSUER - The Issuer distinguished name of the client cert (CN=foo, O=bar, OU=baz)
CGI.SSL_CLIENT_VERIFY - Matches Apache HTTP. Values will be "SUCCESS" or "NONE"
The second part of client certs is the ability to use that client cert information as an authentication mechanism to enforce your authPredicate automatically. (When CommandBox's security system is unable to authorize a user, it stops the request before it ever even reaches CF!)
When authorizing based on client certs, you can have 4 levels of checks:
Any user with a cert is allowed. (Remember, the client cert must always be trusted by one of your configured trusted CA certs)
Subject Distinguished Name (DN) matches one or more complete or partial DNs you specify
Issuer Distinguished Name (DN) matches one or more complete or partial DNs you specify
Or disable the web.security.clientCert.enabled setting and allow all requests to reach CF where you can write your own checks.
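The last option in the list above, writing your own check in CF code, could look like the following. This is an added example, not code from the CommandBox documentation; the /admin/ path and the allowedSubjects list are assumptions, and only the CGI.SSL_CLIENT_VERIFY and CGI.CERT_SUBJECT variables come from this page.

```cfml
// Application.cfc - added example, not code from the CommandBox docs.
component {

    this.name = "clientCertDemo";

    // Assumption: hypothetical protected area and allow-list. A cert is accepted
    // when one entry's attributes all appear in its subject with the same value.
    variables.protectedPath   = "^/admin/";
    variables.allowedSubjects = [
        { "O" : "bar", "OU" : "baz" }
    ];

    // Split "CN=foo, O=bar, OU=baz" into { CN:[foo], O:[bar], OU:[baz] }.
    // Returns an empty struct for anything it cannot parse unambiguously
    // (backslash, quote or "+" characters, parts without a value), so the
    // caller fails closed instead of guessing.
    private struct function parseDN( required string dn ) {
        var parts = {};
        if ( !len( trim( arguments.dn ) ) || reFind( '[\\"+]', arguments.dn ) ) {
            return {};
        }
        for ( var rdn in listToArray( arguments.dn, "," ) ) {
            var pos = find( "=", rdn );
            if ( pos < 2 || pos == len( rdn ) ) {
                return {};
            }
            var key   = uCase( trim( left( rdn, pos - 1 ) ) );
            var value = trim( right( rdn, len( rdn ) - pos ) );
            if ( !structKeyExists( parts, key ) ) {
                parts[ key ] = [];
            }
            arrayAppend( parts[ key ], value );
        }
        return parts;
    }

    // True when the subject DN satisfies at least one allow-list entry.
    private boolean function subjectAllowed( required string dn ) {
        var subject = parseDN( arguments.dn );
        if ( structIsEmpty( subject ) ) {
            return false;
        }
        for ( var rule in variables.allowedSubjects ) {
            var matched = true;
            for ( var attr in rule ) {
                // Whole-value, case-sensitive comparison: "bar" must not match
                // "barn", which a substring search over the DN would accept.
                if ( !structKeyExists( subject, attr ) || !arrayFind( subject[ attr ], rule[ attr ] ) ) {
                    matched = false;
                    break;
                }
            }
            if ( matched ) {
                return true;
            }
        }
        return false;
    }

    public boolean function onRequestStart( required string targetPage ) {
        // Case-insensitive match so /Admin/ is guarded the same as /admin/.
        if ( !reFindNoCase( variables.protectedPath, arguments.targetPage ) ) {
            return true;
        }
        // Anything other than "SUCCESS" is treated as no usable certificate.
        if ( cgi.SSL_CLIENT_VERIFY == "SUCCESS" && subjectAllowed( cgi.CERT_SUBJECT ) ) {
            return true;
        }
        cfheader( statusCode = 403 );
        writeOutput( "A trusted client certificate is required." );
        return false; // stops the request before the target page runs
    }

}
```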
CommandBox also supports SSL Renegotiation which allows you to not force the client cert right away until the user gets to a page on the site that kicks in the authPredicate and then their browser will prompt them then. This is a popular configuration since the user can hit your login page first and then be prompted for their cert once they login.
The configuration for all this looks like this:
Read more on Client Cert Auth security Here.
loadModules()
As Task Runners become more popular and people combine them with more modules to perform their operations, you run into the need to load a list of modules all at the same time which may have interdependencies. There is now a new loadModules() method available to Task Runners which accepts an array of module paths. Each module is first registered, and then each module is activated.
CommandBox is a standalone, native Command Line Interface (CLI), Package Manager, Embedded CFML Server and Read Eval Print Loop (REPL) aimed to help ColdFusion (CFML) developers become more productive through automation, dependency management, command line-based tools, and ASCII snake games.
CommandBox is an amalgamation of many different tools and borrows concepts from NPM, Grunt/Gulp, Maven, Bower, and Node. Features include:
Command Line for ColdFusion (CFML)
Operating System integration for executing commands
Ability to create and execute commands built using ColdFusion (CFML)
ForgeBox integration for cloud package management and installations
ColdBox Platform, TestBox, and ContentBox CMS Integrations
Integrated servlet server with rewrite capabilities
Ability to create command recipes and execution
REPL (Read-Evaluate-Print-Loop) console for immediate ColdFusion (CFML) interaction
Ability to interact with user via CLI and create workflows and installers
Ability to execute workflows and tasks
Built-in Help system
The source code for this book is hosted in GitHub: https://github.com/ortus-solutions/commandbox-docs. You can freely contribute to it and submit pull requests. The contents of this book is copyright by Ortus Solutions, Corp and cannot be altered or reproduced without author's consent. All content is provided "As-Is" and can be freely distributed.
The majority of code examples in this book are done in cfscript.
Flash, Flex, ColdFusion, and Adobe are registered trademarks and copyrights of Adobe Systems, Inc. Railo is a trademark and copyright of Railo Technologies, GmbH. Lucee is a trademark and copyright of Lucee Association Switzerland.
The information in this book is distributed “as is”, without warranty. The author and Ortus Solutions, Corp shall not have any liability to any person or entity with respect to loss or damage caused or alleged to be caused directly or indirectly by the content of this training book, software and resources described in it.
We highly encourage contribution to this book and our open source software. The source code for this book can be found in our GitHub repository where you can submit pull requests.
15% of the proceeds of this book will go to charity to support orphaned kids in El Salvador - http://www.harvesting.org/. Please donate and purchase the printed version of this book as every book sold can help a child for almost 2 months.
Shalom Children’s Home (http://www.harvesting.org/) is one of the ministries that is dear to our hearts located in El Salvador. During the 12 year civil war that ended in 1990, many children were left orphaned or abandoned by parents who fled El Salvador. The Benners saw the need to help these children and received 13 children in 1982. Little by little, more children came on their own, churches and the government brought children to them for care, and the Shalom Children’s Home was founded.
Shalom now cares for over 80 children in El Salvador, from newborns to 18 years old. They receive shelter, clothing, food, medical care, education and life skills training in a Christian environment. The home is supported by a child sponsorship program.
We have personally supported Shalom since 2006; it is a place of blessing for many children in El Salvador that either have no families or have been abandoned. This is good earth to seed and plant.
To be more useful, CommandBox now bundles the following system modules
They will be automatically installed (or updated) when you start the CLI for the first time. You can still update or uninstall them, just like any system module. Note: If you have any of these modules currently linked into the CommandBox core, any uncommitted changes will be overwritten when you upgrade box. Please unlink the repos first before upgrading.
The CommandBox Update Check modules can be disabled if you don't like it via
It will also automatically obey the
CommandBox will automatically set the content type in the HTTP response for common static file types. If you come across a file extension that doesn't have the correct type, you can set it like so in your server.json:
Which creates the following
In the above example, hitting a file such as foo.log would come back with a text/plain content type header.
This setting will override any <mime-mapping> tag in your web.xml file.
If you are authenticated to ForgeBox in the CLI, you can synchronize your config settings to and from your ForgeBox account. This is a great way to get up and running on a new PC or keep multiple CommandBox installs in sync. In addition to synchronizing your Config Settings, this feature will also track your installed system modules, such as CFConfig, etc.
This command will push your local settings and modules up to your ForgeBox account.
By default, the settings are "merged" so new local settings will be added to ForgeBox, but nothing will be removed. To remove config that only exists on ForgeBox, you can use the --overwrite flag to force a full sync.
This command will pull your settings and modules from your ForgeBox account and set/install them locally.
By default, the settings are "merged" so missing settings will be added locally, and missing system modules will be installed, but nothing will be removed. To remove config and modules that only exist locally, you can use the --overwrite flag to force a full sync. This will remove local config settings and uninstall local system modules which were not on ForgeBox.
This command will not change anything, but gives you a full report of all settings which are different between your local CommandBox CLI and ForgeBox. It will show you "Remote Only," "Local Only," and "Changed" settings and modules. Use this to see what you're about to change before pushing or pulling.
This is the same as onServerInstall, but it only runs the VERY FIRST time a CF engine is installed. This is helpful if you want to install Lucee extensions or ACF modules and only need to do it the first time. This interceptor is easier than using onServerInstall and inspecting the installDetails.initialInstall flag.
This has been an experimental feature of CommandBox servers for a while, but we've finalized the feature and added a proper setting to enable it in server.json. By default, the web server in CommandBox will follow the case sensitivity of the underlying file system. So, when on Windows /FiLe.TxT will still load an actual file called /file.txt. But on Linux, the case in the browser would need to match that of the file system. CommandBox allows you to force case sensitivity to be ON or OFF for a server, overriding the server's file system.
To force CommandBox's web server to be case sensitive, even on operating systems like Windows, use the following setting. There is a nominal performance benefit in doing this, and it can allow a Windows CommandBox server to mimic a Linux server for testing.
To force CommandBox's web server to be case insensitive, even on operating systems like Linux, use the following setting. There is a nominal performance overhead in doing this, and it can allow a Linux CommandBox server to mimic a Windows IIS server. In this mode, CommandBox will use an internal cache of file system lookups to improve performance. If there are two files of the same name using different case, then you will get whatever file is found first.
If using CommandBox's SSL, you can now use a PFX file (PKCS #8 format) which contains the public and private key in one file.
Most of the Server Rule predicates are case-sensitive, which poses a problem when using them for security on Windows since they will only match one specific spelling of a folder or file. We have added "-nocase" versions of several popular predicates which perform case-insensitive checks.
regex-nocase()
path-suffix-nocase()
path-prefix-nocase()
path-nocase()
equals-nocase()
contains-nocase()
There is already a Config Setting for the preferred browser when opening up sites. You can now customize this on a per-server basis with this server.json setting
You can now control the Log4j appender layout for CommandBox servers, which includes formats such as JSON, which allows your server logs to be automatically imported into Elastic Search
There is a helpful command called forgebox version-debug which will show you what version of a package will be installed without actually installing it. It can also be useful to test a semver range and see what packages it matches.
The notable updates include:
Updated version of JBoss Undertow, which contains security fixes
Updated version of Lucee to 5.3.10 which also contains library security updates
New "artifacts prune" command to remove older artifacts that haven't been used recently
Improved "upgrade" command which can also update new jars (you'll be able to use this in the NEXT update!)
Support for PFX cert file for server SSL
And here are the full release notes:
Server shutdowns aren't always done cleanly
Don't prompt on already-running server when terminal isn't interactive
Globber copyTo() command mishandles *nix leading slash
preServerStart can no longer affect server.json env var replacements
Servers can no longer override rest mappings
Corruption in interactive job output
Can't set XNIO socket settings or Sequence types
Command chaining has a code path where "job" variable is not defined
cfpm breaks in single server mode
Allow Undertow's resource manager file system watcher to be disabled
Customize Undertow's enabled SSL protocols
Update to Lucee 5.3.9.141 stable
Undertow's reverse-proxy() handler would not connect to a back-end server using SSL. We've given up on , and added a new load-balanced-proxy() handler which works with SSL.
Due to in the Lucee evaluate() function that seem like they'll , we've finally put a workaround in the REPL, which captures the return value of member functions chained to literals and expressions using closures. Ex:
Experimental feature force insensitive web server has stopped working in some cases
Hide Felix error messages in console on startup
Custom tray options calling box with space in path fail
Add load-balanced-proxy() handler to replace Undertow's broken reverse-proxy() because they refuse to fix it
Capture return value from some REPL expressions because Lucee refuses to fix evaluate()'s parser
Two instance of CLI cause class loading issues from OSGI bundles
server start port check doesn't take web.http.enable into account
CommandBox settings sync feature
Add onServerInitialInstall package/server script
Add `.webp` as a default mime type for CommandBox to support this new image format
Formalize setting for case sensitivity of web server
Add "nocase" versions of regex(), path-suffix(), path-prefix(), equals(), contains(), and path() predicates
Improve forgebox whoami command
Allow CommandBox to customize console appender Layout
New "forgebox version-debug" command
Bundle super helpful modules in box core
onConfigSettingSave and onEndpointLogin interception announcements
Ability to pass file name to "more" command
Add a method in server.json to add MIME type mappings to Undertow
Improve message when starting second server with single server mode enabled
system setting serverinfo namespace use interceptdata if running inside of server script
Allow `web.webroot` to be changed in single server mode
Authentication failures don't send custom error pages
Add directory param to coldbox watch-reinit command
Support PKCS #8 format private keys
Allow preferredBrowser to be set on a per-server basis
Add file and directory completion to the ID param of the install command
Add installExtension() for commands and task runners to install Lucee extensions on the fly to the CLI
Update Lucee to 5.3.10.120 in CLI core
Improve upgrade command
Load libdirs in system classloader
Check for default branch of "main" in Git endpoint
Try removing JAX API classes from runwar
Update to Undertow 2.2.22-Final
Update bundled JRE to jdk-11.0.18+10
Remove stopgap for COMMANDBOX-1459