2010

Securing server side Coldfusion code with cfcompile

Posted By : Shaun McCran
Related Categories: Security, Coldfusion

If you ever need to protect your intellectual property, or you have suspicions that your code maybe be accessed on a server to be tampered with, then your best option is to compile your code base.

This article addresses how to use the cfcompile command, and what it actually does to your code base.

Running the cfcompile command will compile your Coldfusion code base into java bytecode. This means that the Coldfusion server engine will not have to compile it at run time.

The cfcompile command can be found in your 'cf_root/bin' directory (wherever you installed Coldfusion. To run it the syntax is as below:

view plain print about

1c:\coldfusion8\bin\cfcompile.bat -deploy
2c:\inetpub\wwwroot
3c:\Inetpub\wwwroot\normal
4c:\Inetpub\wwwroot\compiled

This code runs the compile command with a deploy option, this tells the command to create a deploy set of code. Next you list your webroot directory, then the source directory and finally the destination directory.

Be careful to specify different source and destination directories, and DO NOT do this to your real code base, as it is irreversible.

Comments (7) |

Print |

Send |

del.icio.us |

Digg It! |

Linking Blogs |

Answer Questions

TweetBacks

Comments

[Add Comment] [Subscribe to Comments]

Thanks, Shaun. This is great, I think I'm going to add this to my ANT script as things get deployed to the server farm. For those interested, here's a direct link to the CF9 docs on cfcompile: http://help.adobe.com/en_US/ColdFusion/9.0/Admin/W...

# Posted By Adam Bellas | 01/11/10 14:22

You mentioned that if you compile the code the CF server doesn't need to compile it at run time. Is there any significant speed improvement with this method?

# Posted By Jason Haritou | 01/11/10 14:35

@adam, thats a pretty good idea, if you have an automated deployment routine that this could be integrated into, would be a seamless step in the chain then. Ideal as you really don't want to do this to code you ever need to change.

@Jason, you raise an interesting point. The file size after compilation is usually a fair bit larger than the normal cf code version, I'm not sure if that has an impact on load times (probably not). I may write a test or two to create a few thousand records in a struct and loop through them, and see what the time difference is.

I'd guess that it should be quicker.

# Posted By Shaun | 01/11/10 14:43

@Shaun, yeah I'd think it'd be marginally quicker since the compiler doesn't have to do as much work. Although tbh I think for most of us with simple push-pull apps (and when you break down most apps to their basic components, what isn't??), the work needed at compile time is tiny, if not insignificant.

Nice tip through!

# Posted By Jason Haritou | 01/11/10 14:51

Do you know why its necessary to specify the webroot? If you are already specifying a destination directory, why does it need to know the webroot?

What if I'm compiling a set of files for distribution, which will be used on my different servers with different webroots?

# Posted By Ryan Stille | 18/10/11 11:39

Hi Ryan,
Thats an intersting question. I'm not sure if the compile command needs to know the webroot because it is locating the compile.bat command or because it embeds a reference to the webroot location into the compiled java bytecode.

I'll try it on a small site and see if I can move it around my webroot and it still work.

# Posted By Shaun McCran | 18/10/11 14:01

Someone just informed me that the webroot argument is only for cfimport resolution. So if you aren't using cfimport in your code, there should be no problems compiling on a server with one particular webroot, then deploying the files on a server with a different webroot.

# Posted By Ryan Stille | 18/10/11 14:41

[Add Comment]

Shaun Mccran

Securing server side Coldfusion code with cfcompile