I'm upgrading our server from CF9 to CF2016 now. CF2016 can successfully talking to Apache and our cfm web pages seems working perfectly with cf2016. However, all the .jsp files stopped working. When trying to access a simple test.jsp file throught https://our_web_url/test.jsp, the raw code displayed like this:
Any hint on how to debug next would be really appreciate!
JSPs seem to work fine for me with CF 2016 and 2018. I think this will be down to your web server's configuration. Your web server needs to process JSPs the same way it processes CFM and CFC files. In IIS, you'd do this by ensuring you had the same handler mappings etc for all three file extensions.
Dave Watts, Eidolon LLC
luvianw4652648,, you say you're moving from cf9.There was in fact a change in cf10 where CF would not run JSPs unless they were in the CF webroot (cfusion/wwwroot) rather than in your external web server root.
Are you indeed trying to serve them via an external web server, like IIS?
And Dave, are the jsps you're running in the cf webroot? If not, that would be interesting to hear.
Also, note that cf has a characteristic whereby pages in the cf webroot (cfm or jsp) can be accessed WHEN REQUESTED BY THE EXTERNAL WEB SERVER. So yes, I'm saying to luvianw4652648 that you should find you CAN still access the jsp via IIS simply by putting the jsp file in the cf webroot (or subdolder) but accessing it via IIS *AS IF* it was in the IIS web root (or its subfolders)
That said, I am writing this on my phone, so not testing it, but sharing it from past experience. I look forward to hearing back from you both.
Thank you for your quick reply. We are using Apache for our web server instead of IIS.
I put the test.jsp file in the wwwroot and try to access it via out virtual host, still only displaying raw code. Is there any handler mappings like Dave mentioned I need to do?
Now that you mention it, yes. Wherever you see the conf file config for the cfm extensions, make sure it has a jsp one configured the same way. It's possible that Adobe stopped doing that by default with that change in CF10.
Further, you may have Apache configured to just proxy to the CF built-in web server, or you may have it (more typically, I think) set to use CF's "web server connector" (the wsconfig tool), which implements an AJP connector to talk to CF. That then not only changes the apache conf but also puts files in the CF config\wsconfig folder, where there would be a numbered folder for each connector created. And one of those is the uriworkermap.properties file, which ALSO lists what extensions CF is expected to process. I find that mine DOES list jsp. And so I would think you should see it, there and in the apache conf. But do check it out.
If you do need to change either config file, you do need to reload Apache for them to take effect.
Let us know if that gets you going.
I have another question regarding the critical vulnerability affecting CF.
I saw you are in the acknowledgment list, so I think you may know the answer.
Do you know if our CF9 servers are affected? In the advisory they seem to only indicated Coldfusion 2018, 2016 and 11, but I’m unclear if that is because those are the only supported versions?
Sorry, I missed this last month. Yes, absolutely all cf editions are vulnerable. But no, cf10 and earlier are no longer updated--and cf11 updates end this month.
So you won't be able to look to Adobe to fix this, but you can take precautions yourself. See my blog post, which besides pointing out the update, proposes steps for those who can't apply the update:
I actually got the jsp files working in the wwwroot folder. Now I need to figure out how to get them working in our web directory. Thanks a lot for your help!