One my coworkers had and issue where she couldn’t run cfreport from her site. The error from the site was rather unhelpfull:

ROOT CAUSE:
java.lang.NoClassDefFoundError: Could not initialize class coldfusion.runtime.report.Report
	at coldfusion.tagext.lang.ReportTag.doEndTag(ReportTag.java:581)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2662)
	at cfprintLabels2ecfm1064228503.runPage(D:\sites\********\www\common\widgets\printLabels.cfm:49)

Initially Google only came with one hit when searching for this, and it didn’t provide any solution. Since it was a simple report to generate Avery labels in pdf I recommeded a workaround: use a pdf form template and fill out the addresses¬† through cfpdfform. But today when I saw a WEB-INF/cfusion/tmpCache/CFFileServlet/_cf_report/ folder on my development system I suddenly realized the problem might be caused by a sandbox issue.¬† The site is on a shared server and sandboxes default to the site folder and all subfolders, but nothing outside that. And as it turns out ColdFusion tries to do something with WEB-INF/cfusion/tmpCache/CFFileServlet/_cf_report/ so the sandbox will need access to that folder for cfreport to work. Once we allowed access to the Sandbox to this folder, cfreport started working again.

In case you are interested, the script to add a directory to all sandboxes is here:

<!--- For Sandbox stuff use the platform specific directory delimiter --->
<cfset cftempdir = server.ColdFusion.rootDir & "\tmpCache\-" />
<cfset adminPassword = "" />
 
<cfset administrator = CreateObject('component', 'cfide.adminapi.administrator')>
<cfset security = CreateObject('component', 'cfide.adminapi.security') />
 
<!--- Login --->
<cfif NOT administrator.login(adminPassword)>
	<cfthrow message="Login failed" detail="Unable to login to the CF adminAPI.">
</cfif>
 
<!--- Collect the defined sandboxes--->
<cfset sandBoxes = security.getSecuritySandboxes() />
<cfloop collection="#sandBoxes#" item="box">
 
	<!--- Test if it is a user-sanbox and not a system-sandbox and add the tmpCache folder --->
	<cfif Left(box, 12) IS "z:\websites\">
		<cfset security.setSecuredFolder(
				directory=box
				, folder=cftempdir
				) />
	</cfif>
 
</cfloop>

Other tags that won’t work in a sandbox

This issue appears to be new in CF 8 because aparently it had worked before in a similar sandbox on CF 7. Several more tags have problems if you typically limit sandbox access to the folder the code is in and to subfolders. My current list is

tag folder
cfdocument font directory (c:\windows\fonts\)
cffile upload J2EE server temp dir (c:\JRUN4\servers\cfusion\SERVER-INF\temp\cfusion.war-tmp\)
cfreport WEB-INF/cfusion/tmpCache/CFFileServlet/_cf_report/
cfimage WEB-INF/cfusion/tmpCache/CFFileServlet/_cf_image/

So who has discovered any other tags that need access to special directories to work properly?

12 Comments

  1. Brad Wood says:

    You use a blank password for your ColdFusion Administrator?? :)

  2. Jenn says:

    Just curious - did this problem ever come back? We’ve been having the same error on ALL our servers now. I tried adding the path to the sandboxes, but still get the error. This is the ONLY site that has found some solution to this error. Do you have files in the _cfreport folder?

  3. Jochem says:

    I haven’t seen the problem since changing the Sandbox settings.

  4. “it could be bunnies” » Blog Archive » CF shared hosting security: filesystem access and sandbox security says:

    [...] To get real security against this reading of directories we need to enable Sandbox Security. Sandbox Security allows us to define a directory on the filesystem as a Sandbox and subject every request that starts from that Sandbox to a set of constraints. These constraints can include which tags are allowed, i.e. forbid cfregistry outright, or which resources can be accessed. Typically each Sandbox is defined at the root of a customers FTP and / or WWW directory and then allows for access of only some directories and datasources. Setting up the allowed resources and tags in a Sandbox can occasionally be a bit counterintuitive, for instance to allow a file to be used in a cfinclude it needs execute permissions and several extra directories need to be accessible for some tags. [...]

  5. “it could be bunnies” » Blog Archive » ColdFusion shared hosting security and internals says:

    [...] we need to grant read and execute permissions on that directory to every Sandbox (you can adapt the script I posted before for that). I just ran into this this weekend when I updated my dump template to show interface [...]

  6. Sebastiaan says:

    Hi Jochem,

    at our servers we can use CFIMAGE en CFFILE upload no problem within our shared sandbox.

    Does this mean that the sandbox is NOT limited?

  7. Jochem says:

    If you want to know how your sandbox is configured just try the following code to read the neo-security.xml file:

    <!— read the security configuration —>
    <cffile action=”read” file=”#server.coldfusion.rootdir#/lib/neo-security.xml” variable=”fileContent” />
    <!— output the security configuration —>
    <cfoutput>#HTMLCodeFormat(fileContent)#</cfoutput>

  8. James Holmes says:

    I just discovered that the cffeed tag can have issues (at least on CF8.01 patched to current levels as of this post) unless {cfroot}/WEB-INF/cfusion/lib is permitted in the sandbox.

    http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:58123

    BTW, anyone still getting errors after adding the sandbox rules should restart the server - classes created with the old sandbox rules are cached and may not be cleared until you restart.

  9. Elias says:

    and when ” Enable ColdFusion Sandbox Security ” is not checked, but the error is the same, what can i do??????????? please……

  10. Jochem says:

    First try your report on another server with the same patchlevel. Then try clearing out the cfclasses folder.

  11. Elias says:

    I have to servers, development and production, all reports in production are ok, but in development any report work fine.

    This error happened suddenly, I do not know why.

    It forgot it, my cf version is the 8.0.1

    thks!!!

  12. Elias says:

    Hey, finally i could fix it.

    For some reason the folder \tmpCache\CFFileServlet\_cfreport was not empty in development (850 mg!!!), but in production it was.

    I erased the folder and i creates the folder again, with this, cfreport works again.