Scheduled Tasks in Mach II Applications - Mach-II/Mach-II-Framework GitHub Wiki
As an application grows, it is quite common to use scheduled tasks for work that needs to run on a frequent basis. Most developers rely on <cfschedule> or on scheduling a task within the administration console of their CFML server. When a scheduled task is executed by a CFML server, the server retrieves the defined target URL. A scheduled task is no different from a normal HTTP request other than the fact that the CFML server is the user agent instead of a browser.
Considering there is no difference between a request made by a scheduled task and one made by a user's browser, it makes the most sense to use the infrastructure already built into your Mach-II application instead of reinventing the wheel by creating a single .cfm file for each scheduled task. The simplest solution is to have your scheduled task request a Mach-II event. In our example, we need to send a report of all orders that we took in for that day.
Example Scheduled Task Target URL:
https://www.example.com/index.cfm?event=scheduled.sendOrderReport
This would announce an event-handler in your Mach-II configuration file:
<event-handler event="scheduled.sendOrderReport" access="public">
    <notify listener="order" method="sendOrderReport"/>
</event-handler>
You might have already noticed a potential security concern in the example above: anybody could kick off the sending of an order report if they knew the URL. While it might be hard for somebody to guess the event name, it's easy to accidentally disclose this information with a link that was left on production or by casually sending a question to an email list. Just imagine what could happen if Google indexed this URL and it was presented to users in search results. This type of security is known as security by obscurity and is something we should all strive to avoid as developers.
The easiest solution is to add an additional parameter to the target URL for the scheduled task such as a password:
https://www.example.com/index.cfm?event=scheduled.sendOrderReport&scheduleTaskPwd=123abc
This would allow you to use a filter in all of your scheduled task events that checks for a valid scheduled task password before letting the event continue processing:
<event-handler event="scheduled.sendOrderReport" access="public">
    <filter name="checkScheduledTaskCredentials"/>
    <notify listener="order" method="sendOrderReport"/>
</event-handler>
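One way the checkScheduledTaskCredentials filter named above could be written, as an added example that is not the project's own code. It assumes the standard Mach-II event-filter contract (a component extending MachII.framework.EventFilter with configure() and filterEvent()); the component path, the filter parameter holding the expected password and the placeholder value are hypothetical.

```cfml
<!--- filters/CheckScheduledTaskCredentials.cfc (hypothetical path; added example) --->
<!--- Register it in the <event-filters> section of the Mach-II configuration file,
      using a long random value instead of this placeholder:
      <event-filter name="checkScheduledTaskCredentials" type="filters.CheckScheduledTaskCredentials">
          <parameters><parameter name="scheduleTaskPwd" value="REPLACE_WITH_LONG_RANDOM_VALUE"/></parameters>
      </event-filter> --->
<cfcomponent extends="MachII.framework.EventFilter" output="false">

    <cffunction name="configure" access="public" returntype="void" output="false">
        <!--- Read the expected password once, when the application loads --->
        <cfset variables.expectedPwd = getParameter("scheduleTaskPwd", "") />
        <!--- Fail at startup rather than run with an empty password --->
        <cfif NOT Len(variables.expectedPwd)>
            <cfthrow type="CheckScheduledTaskCredentials.missingParameter"
                message="The 'scheduleTaskPwd' filter parameter is required." />
        </cfif>
    </cffunction>

    <cffunction name="filterEvent" access="public" returntype="boolean" output="false">
        <cfargument name="event" type="MachII.framework.Event" required="true" />
        <cfargument name="eventContext" type="MachII.framework.EventContext" required="true" />
        <cfargument name="paramArgs" type="struct" required="false" default="#StructNew()#" />

        <!--- URL and form variables arrive as event args; default to an empty string --->
        <cfset var suppliedPwd = arguments.event.getArg("scheduleTaskPwd", "") />

        <!--- Compare() is case-sensitive; the EQ operator on strings is not --->
        <cfif Len(suppliedPwd) AND Compare(suppliedPwd, variables.expectedPwd) EQ 0>
            <!--- Drop the secret so listeners and views further on never see it --->
            <cfset arguments.event.removeArg("scheduleTaskPwd") />
            <cfreturn true />
        </cfif>

        <!--- Reject: clear anything queued, answer 403 and abort this event-handler --->
        <cfset arguments.eventContext.clearEventQueue() />
        <cfheader statuscode="403" statustext="Forbidden" />
        <cfreturn false />
    </cffunction>

</cfcomponent>
```

Because the password travels in the query string, it is recorded in web server access logs and in the scheduled task definition itself, so restrict who can read both.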
Routing your scheduled tasks through Mach-II allows you to use and reuse the architecture you already have in place for your application. It also does not introduce any coupling of your scheduled task to Mach-II because scheduled tasks are normal HTTP requests. Since Mach-II is an HTTP request framework, there is no reason you should not route scheduled task requests through the framework.