Session End - Extends undefined in COMPONENTMETADATA

15 views
Skip to first unread message

Irvin Wilson

unread,
Nov 3, 2014, 11:58:15 AM11/3/14
to model...@googlegroups.com
I'm getting these error messages (below) over and over that appear to be related to session end. Does this ring a bell with anyone?

Thank you!

 Event Name: onSessionEnd
 Message: Event handler exception. 
Root Cause Message: Element EXTENDS is undefined in COMPONENTMETADATA

.....\ModelGlue\Util\ModelGlueFrameworkLocator.cfc



Irvin Wilson

unread,
Nov 3, 2014, 12:16:48 PM11/3/14
to model...@googlegroups.com
Figured I should post the "flow" that leads to this

In Application.cfc I have

<cffunction name="onSessionEnd" output="false">
<cfargument name="sessionScope" type="struct" required="true">
<cfargument name="appScope" type="struct" required="false">
<cfset invokeSessionEvent("modelglue.onSessionEnd", arguments.sessionScope, appScope) />
</cffunction>

<cffunction name="invokeSessionEvent" output="false" access="private">
<cfargument name="eventName" />
<cfargument name="sessionScope" />
<cfargument name="appScope" />
<cfset var mgInstances = createObject("component", "ModelGlue.Util.ModelGlueFrameworkLocator").findInScope(appScope) />
<cfset var values = structNew() />
<cfset var i = "" />
<cfset values.sessionScope = arguments.sessionScope />
<cfloop from="1" to="#arrayLen(mgInstances)#" index="i">
<cfset mgInstances[i].executeEvent(arguments.eventName, values) />
</cfloop>
</cffunction> 

ModelGlueFrameworkLocator then has....

<cffunction name="findInScope" output="false" returntype="array" hint="Finds all or specific instances of Model-Glue within a given scope (or any struct, for that matter).">
<cfargument name="scope" type="struct" required="true" />
<cfargument name="scopeKey" type="string" required="false" />
<cfset var key = "" />
<cfset var mgInstance = "" />
<cfset var result = arrayNew(1) />
<!--- Find ModelGlue instances in the application scope. --->
<cfloop collection="#scope#" item="key">
<cfif isObject(scope[key]) and isTypeOf( "ModelGlue.gesture.ModelGlue", scope[key] )>
<cfif not structKeyExists(arguments, "scopeKey") or arguments.scopeKey eq key>
<cfset arrayAppend(result, scope[key]) />
</cfif>
</cfif>
</cfloop>
<cfreturn result />
</cffunction>
<!--- This could be refactored for isInstanceOf once we drop CF7 support.  --->
<cffunction name="isTypeOf" output="false" access="public" returntype="any" hint="I check to see if this component extends another component somewhere in the inheritance chain">
<cfargument name="type" type="string" required="true"/>
<cfargument name="instance" type="any" required="true"/>
<cfset var componentMetadata = getMetadata( arguments.instance ) />
<cfset var scope = componentMetadata.extends />
<!--- Maybe the component is the component we want --->
<cfif listFindNoCase( "#arguments.type#,#scope.name#", componentMetadata.name ) GT 0>
<cfreturn true />
</cfif>
<!--- Ok, maybe it extends the component we want, so we'll rip over the metadata until we either find it, or hit the end of the road --->
<cfloop condition="true">
<!--- Check to see if this go-round has what we are looking for --->
<cfif scope.name IS arguments.type>
<cfreturn true />
<!--- Put the defensive position here so we don't spiral out of control. No more EXTENDS structs means the end of the inheritance tree --->
<cfelseif structKeyExists( scope, "extends") IS false>
<cfreturn false />
</cfif>
<!--- Set the scope to the next struct and let's spin the wheel again --->
<cfset scope = scope.extends />
</cfloop>
</cffunction>


So I guess the real question is why wouldn't getMetadata( arguments.instance ) have an "extends"?   Adobe says  "Metadata for the component’s ancestor component. Components that do not explicitly extend another component extend the WEB-INF.cftags.component."


Dan Wilson

unread,
Nov 3, 2014, 12:49:16 PM11/3/14
to model...@googlegroups.com
Trap the error and find out what this variable contains:

scope[key] 

in this line in ModelGlueFrameworkLocator .findInScope()

<cfif isObject(scope[key]) and isTypeOf( "ModelGlue.gesture.ModelGlue", scope[key] )>


DW
Monday, November 03, 2014 12:16 PM
--
--
Model-Glue Sites:
Home Page: http://www.model-glue.com
Documentation: http://docs.model-glue.com
Bug Tracker: http://bugs.model-glue.com
Blog: http://www.model-glue.com/blog
 
You received this message because you are subscribed to the Google
Groups "model-glue" group.
To post to this group, send email to model...@googlegroups.com
To unsubscribe from this group, send email to
model-glue+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/model-glue?hl=en
---
You received this message because you are subscribed to the Google Groups "model-glue" group.
To unsubscribe from this group and stop receiving emails from it, send an email to model-glue+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Monday, November 03, 2014 11:58 AM
--
--
Model-Glue Sites:
Home Page: http://www.model-glue.com
Documentation: http://docs.model-glue.com
Bug Tracker: http://bugs.model-glue.com
Blog: http://www.model-glue.com/blog
 
You received this message because you are subscribed to the Google
Groups "model-glue" group.
To post to this group, send email to model...@googlegroups.com
To unsubscribe from this group, send email to
model-glue+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/model-glue?hl=en
---
You received this message because you are subscribed to the Google Groups "model-glue" group.
To unsubscribe from this group and stop receiving emails from it, send an email to model-glue+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Irvin Wilson

unread,
Nov 3, 2014, 1:32:54 PM11/3/14
to model...@googlegroups.com
Dan,
I fired onSessionEnd manually and trapped 

<cfset var componentMetadata = getMetadata( arguments.instance ) />
<cfset var scope = componentMetadata.extends />

since it was componentMetadata.extends that was breaking.  This is what I get. Not sure if same as session expiring naturally?  That said, it sorta makes sense now but not sure what to do about it.

Results of the following:
<cfdump var=#arguments.type# label="type" />
<cfdump var=#instance#  label="instance" />
<cfdump var=#componentMetadata# abort="true" label="componentMetadata" />

ModelGlue.gesture.ModelGlue
instance - object of org.owasp.esapi.ESAPI
Class Nameorg.owasp.esapi.ESAPI
Methods
MethodReturn Type
accessController()org.owasp.esapi.AccessController
authenticator()org.owasp.esapi.Authenticator
clearCurrent()void
currentRequest()javax.servlet.http.HttpServletRequest
currentResponse()javax.servlet.http.HttpServletResponse
encoder()org.owasp.esapi.Encoder
encryptor()org.owasp.esapi.Encryptor
executor()org.owasp.esapi.Executor
getLogger(java.lang.Class)org.owasp.esapi.Logger
getLogger(java.lang.String)org.owasp.esapi.Logger
httpUtilities()org.owasp.esapi.HTTPUtilities
initialize(java.lang.String)java.lang.String
intrusionDetector()org.owasp.esapi.IntrusionDetector
log()org.owasp.esapi.Logger
override(org.owasp.esapi.SecurityConfiguration)void
randomizer()org.owasp.esapi.Randomizer
securityConfiguration()org.owasp.esapi.SecurityConfiguration
validator()org.owasp.esapi.Validator
componentMetadata - object of java.lang.Class
Class Namejava.lang.Class
Methods
MethodReturn Type
asSubclass(java.lang.Class)java.lang.Class
cast(java.lang.Object)java.lang.Object
desiredAssertionStatus()boolean
forName(java.lang.String, boolean, java.lang.ClassLoader)java.lang.Class
forName(java.lang.String)java.lang.Class
getAnnotation(java.lang.Class)java.lang.annotation.Annotation
getAnnotations()java.lang.annotation.Annotation[]
getCanonicalName()java.lang.String
getClassLoader()java.lang.ClassLoader
getClasses()java.lang.Class[]
getComponentType()java.lang.Class
getConstructor(java.lang.Class[])java.lang.reflect.Constructor
getConstructors()java.lang.reflect.Constructor[]
getDeclaredAnnotations()java.lang.annotation.Annotation[]
getDeclaredClasses()java.lang.Class[]
getDeclaredConstructor(java.lang.Class[])java.lang.reflect.Constructor
getDeclaredConstructors()java.lang.reflect.Constructor[]
getDeclaredField(java.lang.String)java.lang.reflect.Field
getDeclaredFields()java.lang.reflect.Field[]
getDeclaredMethod(java.lang.String, java.lang.Class[])java.lang.reflect.Method
getDeclaredMethods()java.lang.reflect.Method[]
getDeclaringClass()java.lang.Class
getEnclosingClass()java.lang.Class
getEnclosingConstructor()java.lang.reflect.Constructor
getEnclosingMethod()java.lang.reflect.Method
getEnumConstants()java.lang.Object[]
getField(java.lang.String)java.lang.reflect.Field
getFields()java.lang.reflect.Field[]
getGenericInterfaces()java.lang.reflect.Type[]
getGenericSuperclass()java.lang.reflect.Type
getInterfaces()java.lang.Class[]
getMethod(java.lang.String, java.lang.Class[])java.lang.reflect.Method
getMethods()java.lang.reflect.Method[]
getModifiers()int
getName()java.lang.String
getPackage()java.lang.Package
getProtectionDomain()java.security.ProtectionDomain
getResource(java.lang.String)java.net.URL
getResourceAsStream(java.lang.String)java.io.InputStream
getSigners()java.lang.Object[]
getSimpleName()java.lang.String
getSuperclass()java.lang.Class
getTypeParameters()java.lang.reflect.TypeVariable[]
isAnnotation()boolean
isAnnotationPresent(java.lang.Class)boolean
isAnonymousClass()boolean
isArray()boolean
isAssignableFrom(java.lang.Class)boolean
isEnum()boolean
isInstance(java.lang.Object)boolean
isInterface()boolean
isLocalClass()boolean
isMemberClass()boolean
isPrimitive()boolean
isSynthetic()boolean
newInstance()java.lang.Object
toString()java.lang.String


 

Dan Wilson

unread,
Nov 3, 2014, 1:48:21 PM11/3/14
to model...@googlegroups.com
Interesting. Did you add the OWASP code to your web application? I don't think Model Glue does that internally

DW

Monday, November 03, 2014 1:32 PM

Irvin Wilson

unread,
Nov 3, 2014, 1:49:50 PM11/3/14
to model...@googlegroups.com
BTW, maybe I'm using esapi all wrong.  What I'm doing is setting

<cfset application.esapi = CreateObject("java", "org.owasp.esapi.ESAPI") />

in onApplicationStart and then I have a helper that does 

<cfreturn application.esapi.encoder().encodeForHTML(local.strToEncode) />

among other things.  I forget some details but I think I have it this way because is ACF9  and ACF10 added encodeForHTML?  I just thought better than creating the object each time in helper......



Dan Wilson

unread,
Nov 3, 2014, 1:54:25 PM11/3/14
to model...@googlegroups.com
I think ModelGlue isn't too pleased you put this component in the application scope. If it were me, I'd have placed the component in ColdSpring, with the rest of my model objects.

It's generally better practice, when using a framework, to stick with the framework and not go around it. By placing the component in the application scope, you are not using the stack as intended.

That said, one could easily fix the model glue code to not continue to assume the components in the application scope belong to Model Glue.

Do you think you can move your ESAPI code into ColdSpring?

Monday, November 03, 2014 1:49 PM
--
--
Model-Glue Sites:
Home Page: http://www.model-glue.com
Documentation: http://docs.model-glue.com
Bug Tracker: http://bugs.model-glue.com
Blog: http://www.model-glue.com/blog
 
You received this message because you are subscribed to the Google
Groups "model-glue" group.
To post to this group, send email to model...@googlegroups.com
To unsubscribe from this group, send email to
model-glue+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/model-glue?hl=en
---
You received this message because you are subscribed to the Google Groups "model-glue" group.
To unsubscribe from this group and stop receiving emails from it, send an email to model-glue+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Monday, November 03, 2014 11:58 AM

Irvin Wilson

unread,
Nov 3, 2014, 2:11:57 PM11/3/14
to model...@googlegroups.com
I'm afraid that I haven't treated Coldspring very well.  Kind of viewed it as a "black box".  I'll read up on it and see how I can do that.  I'll post back here once I figure that out.

Thank you!

Irv 

Irvin Wilson

unread,
Nov 3, 2014, 3:01:41 PM11/3/14
to model...@googlegroups.com
Ok, the following works but I might be abusing coldspring and/or modelglue in the process.  Can you tell me if this makes sense?

In coldspring.xml:

<!-- creates java loader -->
<bean id="javaObjectFactory" class="lib.jfactory" />
<!-- /creates java loader -->

<!-- load esapi -->
<bean id="esapiService" factory-bean="javaObjectFactory" factory-method="createJavaObject">
   <constructor-arg name="className">
      <value>org.owasp.esapi.ESAPI</value>
   </constructor-arg>
</bean>
<!-- /load esapi --> 

in lib/jFactory.cfc I have:

<cfcomponent name="jFactory">
   <cffunction name="createJavaObject" returntype="any">
      <cfargument name="className" type="string"/>
      <cfreturn createObject("java",arguments.className)/>
   </cffunction>
</cfcomponent>


Then in helper function I have:
<cfset local.esapi = application._modelglue.GetBean("esapiService") />
<cfreturn local.esapi.encoder().encodeForHTML(local.strToEncode) />


As mentioned it works but so did my initial go-round (sort of).  Just wondering if this looks ok.

Thank you!

Irvin Wilson

unread,
Nov 4, 2014, 12:20:55 PM11/4/14
to model...@googlegroups.com
I was looking to add latest versions of esapi and antiSamy to an app running on ACF9.  I have it working now but isn't really proper probably.  In my mind these functions were "helpers" so I had them set up external to MG.  Now that I have them in Coldspring I have to reference them with a _modelglue.GetBean approach (or so I believe).  Anyway it's pretty much at the controller level where these get called in order to scrub and format input and output that originated from the user. I've got one spot where the model uses esapi in order to format some stored text for output in the email. Maybe these functions should have been in a section in the model...

Dan Wilson

unread,
Nov 4, 2014, 12:37:15 PM11/4/14
to model...@googlegroups.com
If you are using a modern version of Model Glue, you can add these to the beans scope for a controller:

https://github.com/modelglue/modelglue-framework/wiki/How-To-Use-Bean-Injection


Use in a model object just means you need to create the bean object and inject it into a model object. Like this:
***ColdSpring Config***
    <bean id="NameOfObjectThatNeedsESAPI" class="path.to.ObjectThatNeedsESAPI">
        <constructor-arg name="ESAPI">
            <ref bean="ESAPI"/>
        </constructor-arg>
    </bean>
    <bean id="ESAPI" class="path.to.ESAPI">
        <constructor-arg name="AParamYouWantToPassIn">
            <value>TheValueOfTheParam</value>
        </constructor-arg>
    </bean>
   
***CFC Definition Example for NameOfObjectThatNeedsESAPI object ***

<cfcomponent>

    <cffunction name="init" output="false" access="public" returntype="NameOfObjectThatNeedsESAPI">
        <cfargument name="ESAPI" type="any" required="true" />
        <cfset variables.ESAPI = arguments.ESAPI/>

        <cfreturn this />
    </cffunction>




Then, any place in NameOfObjectThatNeedsESAPI just call variables.ESAPI.doSomething() and you'll be using that method from the ESAPI component you set up in ColdSpring.

Make sense?

Tuesday, November 04, 2014 12:20 PM
Monday, November 03, 2014 1:48 PM
Monday, November 03, 2014 12:49 PM
Trap the error and find out what this variable contains:

scope[key] 

in this line in ModelGlueFrameworkLocator .findInScope()
<cfif isObject(scope[key]) and isTypeOf( "ModelGlue.gesture.ModelGlue", scope[key] )>


<cfset var componentMetadata = getMetadata( arguments.instance ) />
<cfset var scope = componentMetadata.extends />
<!--- Maybe the component is the component we want --->
<cfif listFindNoCase( "#arguments.type#,#scope.name#", componentMetadata.name ) GT 0>
<cfreturn true />
</cfif>
<!--- Ok, maybe it extends the component we want, so we'll rip over the metadata until we either find it, or hit the end of the road --->
<cfloop condition="true">
<!--- Check to see if this go-round has what we are looking for --->
<cfif scope.name IS arguments.type>
<cfreturn true />
<!--- Put the defensive position here so we don't spiral out of control. No more EXTENDS structs means the end of the inheritance tree --->
<cfelseif structKeyExists( scope, "extends") IS false>
<cfreturn false />
</cfif>
<!--- Set the scope to the next struct and let's spin the wheel again --->
<cfset scope = scope.extends />
</cfloop>
</cffunction>


So I guess the real question is why wouldn't getMetadata( arguments.instance ) have an "extends"?   Adobe says  "Metadata for the component’s ancestor component. Components that do not explicitly extend another component extend the WEB-INF.cftags.component."


Irvin Wilson

unread,
Nov 4, 2014, 12:47:31 PM11/4/14
to model...@googlegroups.com
I thought I tried that (or similar).  Seems Coldspring thinks esapi needs to be a cfc rather than something loaded from java.  I found a post online where someone made a cfc that returned createObject("java",arguments.className) and then loaded that first, then loaded esapi using that bean to load it.  That's what I have going on presently...

...

Irvin Wilson

unread,
Nov 4, 2014, 12:54:33 PM11/4/14
to model...@googlegroups.com
I kind of stopped short in my reply of explaining that, yes, I get the 2nd part of what you said.  I just have the functions in the helper scope and the functions do a couple of things. I could switch that to a model cfc and do the same thing.  I just started down the path of viewing these things as helpers that could be need from a variety of controllers (and perhaps views but not currently).  That's what got me off on a tangent...

...
Reply all
Reply to author
Forward
0 new messages