Why Make Lucee Extensions?

Jetendo integrates with Lucee's best features and is heavily optimized for Lucee. I've started to take it further by customizing Lucee to achieve even greater performance and reliability by making a hybrid Java + CFML application. Because Lucee provides an excellent security barrier for Java, it is my belief that we shouldn't expose Java directly in our CFML applications. So Jetendo has a configuration that is so strict and layered that it is basically impossible to have unexpected code get installed or executed at the CFML level.

As a result, any Java or system access I want to allow has to be explicitly defined. One way to allow Java to execute safely is to wrap it with a Lucee Extension. This lets you define only the methods and data types you want to expose in your Java application, and it even prevents calling any methods on those return types unless they are also explicitly defined. I think this is amazing for security.

This is why I develop a Lucee extension for CFML instead of trying to execute my Java directly via plain Java OSGi/JAR in the CFML code. I am trying to reach a very high bar in security with the design of these extension features.

Java can be pretty secure by itself, since you don't have to have dynamic compilation features enabled on a production server. But Lucee is able to compile and run new code very easily, so it is harder to protect the system without being very explicit in your security layers. We use custom Ubuntu AppArmor profiles, a very specific Lucee security profile in the admin, read-only filesystem permissions, non-root users, firewalls, brute-force user login protection, email alerts, and lots of validation in our application to protect the server from a breach. This is all part of Jetendo.

Also, for Jetendo to keep working as an open source application that someone else can use, I have to open source all the parts of it that are needed and eventually update my documentation. I now rely on changes to Lucee and some custom extensions for our production Jetendo environment, so I am trying to release or document what those changes are on this website.

