Coldfusion task scheduler

Report · Aug 26, 2009

I have been forced to migrate a coldfusion program to windows server for authentication security purposes. I need to continue to use the task scheduler. Security concerns also do not allow me to use IE to kick-off the coldfusion task scheduler. If there any way to kick it off using a script without using a browser?

Report · Aug 26, 2009

What type of task with what type of scheduler?

If you are talking about a ColdFusion scheduled task, then IE has nothing to do with it, excep tthat IE is a common choice to use the ColdFusion Administrator portal web application to fill in the scheduled task form to configure a ColdFusion sceduled task.

The latest versions of ColdFusion also have the <cfscheduledtask...> tag that can do the same things that the Administrator form does, but it still needs to be run within a browser, IE or otherwise at least once.

Your comments about security concerns involving IE and ColdFusion scheduled tasks does not make much sense.

Report · Aug 26, 2009

The built-in task manager was what ran coldfusion tasks until another layer of authentication became required. The application was then placed on windows server. We are attempting to use scripting to set off the existing tasks in coldfusion. Due to security concerns, IE is not allowed to be run on the server. I realize that the security concerns don't make much sense but just understand that I work somewhere that they do (I guess). Basically, you are saying that there is no scripting from windows that will kick-off the existing tasks in the coldfusion task manager that will not use an Internet browser?

Report · Aug 26, 2009

You have some very strange requirement here that will need to be explained very well as they sure sound like they are counter to how ColdFusion works.

What do you mean by "fire off" the schedule task. If the task is scheduled it will be fired of by ColdFusion. So it is a matter of defining the scheduled task. There are to main ways one can define the scheduled task. One can complete the form in the ColdFusion Administration portal, or one can run a CFML page with a <cfappplicaiton...> tag in it. There is a third option I suppose, which is to try and edit the XML file where the configurations for scheduled tasks are stored, but this one would scare me personally.

What do you mean by a security requrimet for another layer of authentication?

Report · Aug 27, 2009

Sorry for not defining my requirements a little bit better from the beginning. Coldfusion currently runs its built-in task scheduler and all the necessary tasks are already scripted, probably from the admin portal. Coldfusion uses anonymous access for its security (at least in older versions). Windows provides user authentication, which makes the application more secure. That is why the program is being migrated to a windows environment. All the tasks are already scheduled in Coldfusion and we need to start the tasks, the cfm file, from the windows environment without using a browser. For security reasons, browsers are never run on servers. It might look something like this

start iexplore https://127.1.0.1/abc/admin/scheduledtasks.cfm?requesttimeout=1200

Then we kill the IE.

We need to to do that without using IE.

BKBK posted this '<cfhttp url="url_of_page_containing_cfschedule_tag">' which may work.

Report · Aug 27, 2009

You say ColdFusion uses annonymous access. If you look in the Services applet, you will see that you can start ColdFusion using whatever account you want. It does not have to be run annonymously. Tell the domain admin to set up a brand new account specifically for the ColdFusion service. Tell ColdFusion to run under THAT account. That way all logging and permissions etc will be attributed to THAT account.

I would think that would allay the security concerns.

Report · Aug 27, 2009

I think I am beginning to see what you are trying to describe.

Some things to make sure you clearly understand.

A ColdFusion scheduled task is nothing more then a HTTP request to a CFML file done at a scheduled time. If you have ColdFusion make this HTTP request, it will use a built in 'browser' internal to the ColdFusion engine to make the request. There is nothing preventing you from using any other system you want to make that HTTP request to the CFML file in some scheduled manner.

Secondly, you repeatedly talk about no browser (IE) allowed on the server. The browser does not need to be on the server to configure a scheduled task. Any browser on any system that can connect to the server can be used to configure the ColdFusion scheduled task. But if you do configure the scheduled task through ColdFusion, then ColdFusion will be using it's internal system to make the HTTP request to the CFML file.

Now we get to what I think you are talking about though. It sounds like you have locked down the server with Microsoft Windows Integrated Security and ColdFusion can not make these HTTP requests, because surpise suprise ColdFusion is not a Microsoft product and it does not use NTLM autentication.

What it can do is use is "Basic Security". What usually happens now is that people say basic security is not good because it passes the user name and password in plain text in the request. The idea here is that yes, the request is plain text, but it is expected that the entire request will then be encrypted with something like SSL.

The other common solution is to configure one small section of the web server, a certain directory or even just the specific scheduled task files, are configured to not use Windows integrated security. You can then configure your web server to only allow connections from the local ColdFusion applicaiton server IP address and no others so that there is no way for anybody else to access these so called 'unsecured' files.

But, unfortunatly, there is no way to have ColdFusion make NTLM connections to Windows Integrated Security resources.

To sumerize your three choices are:

1) Use some other techenology to make the HTTP requests on a scheduled basis to the CFML files.

2) Use basic security combined with SSL and not Windows Integrated Security

3) Don't use user authentication security, but lock down the scheduled task resources to only accept requests form the specific ColdFuiosn server.

P.S. I imagine one could combine the second and third options if one wanted to.

Report · Aug 27, 2009

Thanks Ian. I have a pretty good idea where to go from here. As you could tell, I have a little experience in application development but none in Cold Fusion. I work more from the windows admin side and we are using the windows integrated authentication. I'll take these possibilities forward and see what the big bosses want to do.

Report · Aug 27, 2009

As bizarre as it sounds, what As2210 describes is real. I know a firm that buys several Coldfusion licenses just for the chart functonality alone. They are into opinion polls and questionnaires. They know everything there is to know about the charts in Coldfusion, and the tools and scripts to acess, manipulate and export them. All without browser intervention!

@Ian Skinner

I presume that the cfml file that contained the <cfhttp....> line of code would need to be run by something nominally a browser.

Indeed, in the scenario I'm thinking of, <cfhttp> plays the role of a nominal browser.

@As2210

start iexplore https://127.1.0.1/abc/admin/scheduledtasks.cfm?requesttimeout=1200
Then we kill the IE.
We need to to do that without using IE.

In the scenario I'm thinking of, you could also run a script instead, or use a tool like curl, as Ian mentioned.

Actually, what I have in mind is simple. Use something we're already familiar with, namely, a second Coldfusion application server! The beauty of it is that the flavour doesn't matter. You can make the <cfhttp> call from any version, free or bought, of Macromedia or Adobe Coldfusion or even Railo.

Report · Aug 27, 2009

Yes, that is why I was trying to work out of the original poster was concerned with running something that configures the scheduled task or running the scheduld task itself.

We seem to have worked out along the way, was that it was the well known issue that the ColdFusion application server can not generate the HTTP request for a scheduled task to a resource protected with Microsofts Windows Integrated Security.

Report · Aug 26, 2009

any way to kick it [the coldfusion task scheduler] off using a script without using a browser?

Yeah, sure. <cfhttp url="url_of_page_containing_cfschedule_tag">

Report · Aug 26, 2009

I presume that the cfml file that contained the <cfhttp....> line of code would need to be run by something nominally a browser.

But that did make me think that there are comand line tools that allow one to make http requests, curl is a common one I believe.