Administer ColdFusion security


You can secure many Adobe ColdFusion resources using password authentication and configure sandbox security.

About ColdFusion security

Security is especially important in web-based applications, such as those you develop in ColdFusion. ColdFusion developers and administrators must fully understand the security risks that could affect their development and runtime environments so they can enable and restrict access appropriately.
Whether you have an e-commerce site where customers enter credit card information or a global collaboration site where users share confidential data, you should understand the security risks that could threaten your web applications.

  • Snooping and eavesdropping: Someone can monitor data sent over the public connections of the web.
  • User impersonation: Someone can impersonate a trusted user to gain access to information that only the trusted user should see or download.
  • Unauthorized access: Unauthorized users can gain access to sensitive information. This security risk is the most complex because the Internet links every computer to one large network. Completely allowing or disallowing access to a given system or data source is relatively straightforward, but allowing the partial access required for an application to be useful remains risky. For example, a bank can easily publish a public, freely accessible site with general banking information. Creating an account maintenance site where users have exclusive access to their own personal account information is more difficult.

ColdFusion provides a highly secure environment for web application development and deployment. It helps you reduce security risks in the following ways:

  • Encryption: Use of the Secure Sockets Layer (SSL) protocol prevents snooping, eavesdropping, and message tampering as information passes between clients and servers. SSL, which is supported by most web servers, encrypts Internet protocols (such as HTTP) with public key cryptography. A private key resides on the server to decrypt inbound data and encrypt outbound data. After the key is installed, the web server automatically handles encryption and decryption.
  • Authentication: Authentication checks whether someone is a valid system user. It prompts a user for a unique login or user name, and a password or personal identification number (PIN).
  • Access Control: Authenticated users have access to particular features or components based on security clearance, group affiliation, or other criteria specified by the developer.

You can implement development security by requiring a password to use the ColdFusion Administrator and a password for Remote Development Services (RDS), which allows developers to develop CFML pages remotely. You implement runtime security in your CFML pages and in the ColdFusion Administrator. ColdFusion has the following runtime security categories:

  • User security: Programmatically determine the logged-in user and allow or disallow restricted functionality based on the roles assigned to that user. For more information about user security, see ColdFusion security features in Securing Applications in Developing ColdFusion Applications.
  • Sandbox security: Using the ColdFusion Administrator, define the actions and resources that the ColdFusion pages in and below a specified directory can use.

Note: In ColdFusion 11, you can configure multiple security sandboxes irrespective of the edition that you are using.

The Security area in the Administrator lets you do the following tasks:

  • Configure password protection for the ColdFusion Administrator. For more information, see Using password protection.
  • Configure password protection for RDS access. For more information, see RDS password protection.
  • Enable, disable, and customize ColdFusion security on the Security > Sandbox Security page (called the Resource Security page in the Standard edition). For more information, see Using sandbox security.

Using password protection

Password protection restricts access to the ColdFusion Administrator and to a ColdFusion server when you attempt access through RDS security.

ColdFusion Administrator password protection

Secure access to the ColdFusion Administrator is enabled by default. The password that you enter during installation is saved as the default. You are prompted to enter this password whenever you open the Administrator.
Password protection for accessing the Administrator helps guard against unauthorized modifications of ColdFusion, and Adobe recommends using passwords. You can disable or change the Administrator password on the Security > CF Admin Password page.

Configurable seed for password encryption

You can specify a new seed value to encrypt data source passwords.
To modify the default seed value assigned by ColdFusion, or to change a value you specified earlier, do the following:

  1. In the ColdFusion Administrator, go to Security > Administrator and, in the Password Seed section, specify a new seed value of 8 to 500 characters.
  2. Click Submit Changes.

Note: When you modify the seed value, all data source connections are reset. Therefore, Adobe recommends that you perform this task when the server is idle or in the initial phase (right after installation).

RDS password protection

If you configured password protection for RDS access when you installed ColdFusion, you are prompted for the password when you attempt to access ColdFusion from Dreamweaver MX 2004, HomeSite+, or the ColdFusion Report Builder.
You can disable RDS or change the RDS password on the Security > RDS Password page.

Note: Disabling RDS also disables the applet that the ColdFusion Administrator uses in file-related dialog boxes.

If you use RDS security, you rely on web server and operating system security settings to set permissions for ColdFusion application and document directories.

Enhancing ColdFusion Security on Windows

To enhance security for the ColdFusion server on Windows, restrict access to the following files to selected ColdFusion users:

  • /cfusion/lib/seed.properties
  • /cfusion/lib/password.properties
  • /cfusion/lib/license.properties
  • /cfusion/bin/passwordreset.bat
  • /cfusion/bin/cf-passwordreset.jar

Exposing services to users

ColdFusion exposes many services as web services. You can access these services using SOAP and AMF/Flash Remoting.
The following are the exposed services:

  • cfpdf
  • cfImage
  • cfdocument
  • cfmail
  • cfpop
  • cfchart
  • upload service

You can secure the exposed services to prevent access by unknown applications or users. This is done by configuring the range of client IP addresses from which the services are accessible. You can also set up user access control for the services.
On the Security > User Manager page, you can select the services available to a user from the Exposed Services section. By default, all the services are listed in the Prohibited Services list. Press Ctrl, select the services that you want to make available to the user, and click the << button. Then click Edit User to apply the changes to the user settings.

Configure IP address to access exposed services

To configure IP addresses to access exposed services:

  1. Go to Security > Allowed IP Addresses
  2. To add an IP address, specify the IP address in the IP addresses field and click Add.
  3. To remove an IP address, select the IP address from the View/Remove Selected IP Addresses for Exposed Services list.
  4. Click Remove Selected to remove the IP addresses.

Restricting access to ColdFusion Administrator

You can restrict access to ColdFusion Administrator.

Note: By default, localhost and all IP addresses can access the ColdFusion server.

To add IP addresses that must be allowed access:

  1. Go to Security > Allowed IP Addresses > Add/Remove IP Addresses which will have Administrator access.
  2. In the IP Address text box, specify the IP addresses.
  3. Click Add.
  4. Repeat the procedures to add more IP addresses.

Regular expressions are supported. That is, if you specify 10...*, all IP addresses starting with 10. are allowed access.
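Because an allow-list entry is a regular expression, an unescaped dot matches any character, so an entry meant to cover 10.x.x.x can silently admit 100.x.x.x and 105.x.x.x as well. The following Python script is an added example, not part of Adobe's documentation or ColdFusion's own code: it lets an administrator test candidate expressions against sample client addresses before entering them on the Security > Allowed IP Addresses page (the same review applies to the exposed-services allow-list above). It assumes the expression must match the whole address (Python's re.fullmatch); this page does not state how ColdFusion applies the expression, so confirm the behaviour against a live Administrator. The addresses and patterns are constructed.

```python
import re

# Constructed sample client addresses to test an allow-list against.
SAMPLE_ADDRESSES = [
    "127.0.0.1",
    "10.0.5.20",
    "10.200.1.1",
    "100.64.0.1",    # shared address space, NOT inside 10.0.0.0/8
    "105.10.1.1",
    "192.168.1.10",
]


def compile_allowlist(patterns):
    """Compile the Administrator-style expressions once; a malformed entry raises re.error."""
    return [re.compile(p) for p in patterns]


def is_allowed(address, compiled):
    """True if any allow-list expression matches the entire address.
    Assumption: whole-address matching (re.fullmatch); a partial match is not enough."""
    return any(rx.fullmatch(address) for rx in compiled)


def admitted_by(pattern, addresses=SAMPLE_ADDRESSES):
    """Return the sample addresses a single expression would admit, so an
    over-broad entry stands out before it reaches the Administrator."""
    rx = re.compile(pattern)
    return [a for a in addresses if rx.fullmatch(a)]


def review_allowlist(patterns, addresses=SAMPLE_ADDRESSES):
    """Map each expression to the addresses it admits; an entry that admits
    addresses outside the intended range is a configuration error."""
    return {p: admitted_by(p, addresses) for p in patterns}


if __name__ == "__main__":
    # "10..*" (unescaped dot) admits 100.x and 105.x; "10\..*" admits only 10.x.
    for pattern, hits in review_allowlist([r"127\.0\.0\.1", r"10..*", r"10\..*"]).items():
        print(f"{pattern:12} admits {hits}")
```

Run it with the exact strings you intend to type into the Administrator; any address in the output that you did not mean to admit means the expression needs its dots escaped or its scope narrowed.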

Enabling Secure Profile for ColdFusion Administrator

ColdFusion allows you to secure the ColdFusion server further by enabling or disabling selected settings in the ColdFusion Administrator. When installing ColdFusion, you can enable Secure Profile by selecting the option when prompted on the Secure Profile screen. You can also provide a comma-separated list of IP addresses that are allowed to access the ColdFusion Administrator.

Administrator settings affected by enabling Secure Profile

Administrator setting | Path | Default Admin Profile | Secure Profile | Changes to the setting post migration to ColdFusion 10
--- | --- | --- | --- | ---
Use UUID for cftoken | Server Settings > Settings | Enabled | Enabled | Overwritten
Disable access to internal ColdFusion Java components | Server Settings > Settings | Disabled | Enabled | Overwritten
Enable Global Script Protection | Server Settings > Settings | Enabled | Enabled | Overwritten
Maximum size of post data | Server Settings > Settings | 20MB | 20MB | Overwritten
Missing Template Handler | Server Settings > Settings | No value | Custom missing error template | Retained if specified
Site-wide Error Handler | Server Settings > Settings | No value | Custom site-wide error template | Retained if specified
Request Queue Timeout Page | Server Settings > Request Tuning | No value | Custom error template | Retained if specified
Cookie Timeout | Server Settings > Memory Variables | 15767000 minutes | 1440 minutes | N/A
Disabling updating of ColdFusion internal cookies using ColdFusion tags/functions | Server Settings > Memory Variables | Disabled | Enabled | N/A
Enable WebSocket Server | Server Settings > WebSocket | Enabled | Disabled | N/A
Start Flash Policy Server | Server Settings > WebSocket | Enabled | Disabled | N/A
Allowed SQL (all settings) | Data & Services > Data Sources > database > Advanced Settings | Enabled | Create, Drop, Alter, Grant, Revoke, Stored Procedures are disabled | Retained if specified
Enable Robust Exception Information | Debugging & Logging > Debug Output Settings | Disabled | Disabled | Overwritten
Enable CFSTAT | Debugging & Logging > Debug Output Settings | Enabled | Disabled | Overwritten
Select the type of Administrator authentication | Security > Administrator | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A
Enable RDS Service | Security > RDS | Configurable at install time | Disabled | N/A
Select the type of RDS authentication | Security > RDS | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A
Allowed IP addresses for ColdFusion Administrator access | Security > Allowed IP Addresses | Not available at install time | Available at install time | N/A
Allow concurrent login sessions for Administrator Console | Security > Secure Profile | Enabled | Disabled | 

Note: Secure Profile disables Directory Browsing for a stand-alone ColdFusion installation with the built-in web server.

COMMUNITY CONTRIBUTED HELP

The page above explains that if the "secure profile" option is taken during installation, ColdFusion will set the 3 error handlers to a value that is shown above merely as "Custom missing error template".

More specifically, and particularly if anyone may remove them from the CF Admin and need to add them back, the three templates can be found in this directory in your installation: C:\ColdFusion10\cfusion\wwwroot\CFIDE\administrator\templates, and are named (in the order listed above): 

  • secure_profile_error.cfm
  • missing_template_error.cfm
  • request_timeout_error.cfm

So for instance, to put the "default" "secure" sitewide error handler back in place, provide this value for the CF Admin>Settings>Site-wide Error Handler:

  • /CFIDE/administrator/templates/secure_profile_error.cfm

Changes in Secure Profile (ColdFusion 11)

When installing ColdFusion Server, you can enable Secure Profile by selecting the option when prompted on the Secure Profile screen. You can also provide a comma-separated list of IP addresses that are allowed to access the ColdFusion Administrator. This feature has been available since ColdFusion 10. In ColdFusion 11, Secure Profile has been enhanced to control access to other internal components as well. For instance, you can set restrictions for the following URLs:

  • CFIDE/main/*
  • CFIDE/adminapi/*
  • CFIDE/administrator/*
  • CFIDE/componentutils/*
  • CFIDE/wizards/*
  • CFIDE/servermanager/*

To allow IP addresses to access the internal ColdFusion components, perform the following tasks:

  1. Log in to the ColdFusion Administrator.
  2. Click Security > Allowed IP Addresses.
  3. Go to the Allowed IP Addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories section and grant access to the individual IP addresses that may reach the internal components, as shown in the following figure:

(Figure: Allowed IP addresses)

If you have configured an external web server, you can also restrict access to the ColdFusion Administrator and ColdFusion internal directories at the connector level by modifying the iprestriction.properties file available under the connector folder, for instance <cf_root>/config/wsconfig//iprestriction.properties.

Note: Restart the external web server after modifying the iprestriction.properties file.

Using sandbox security

Sandbox security (called Resource security in the Standard Edition) uses the location of your ColdFusion pages to control access to ColdFusion resources. A sandbox is a designated directory of your site to which you apply security restrictions. Sandbox security lets you specify which tags, functions, and resources (for example, files, directories, and data sources) can be used by ColdFusion pages located in and under the designated directory.
To use sandbox security in the J2EE editions, the application server must be running a security manager (java.lang.SecurityManager) and you define the following JVM arguments (for Tomcat, this is the java.args line in the cf_root/cfusion/bin/jvm.config file):

-Djava.security.manager "-Djava.security.policy=cf_root/WEB-INF/cfusion/lib/coldfusion.policy" "-Djava.security.auth.policy=cf_root/WEB-INF/cfusion/lib/neo_jaas.policy"

Note: Sandbox security is not enabled by default. You enable it on the Security > Sandbox Security page before ColdFusion enforces the settings.

Using multiple sandboxes

By default, a subdirectory of a sandbox inherits the settings of the directory one level above it. However, if you define a sandbox for a subdirectory, the subdirectory no longer inherits settings from the parent, completely overriding the parent directory's sandbox settings. For example, consider the following directories:

C:\Inetpub\wwwroot
C:\Inetpub\wwwroot\sales
C:\Inetpub\wwwroot\rnd
C:\Inetpub\wwwroot\rnd\dev
C:\Inetpub\wwwroot\rnd\qa

If you define a sandbox for the wwwroot directory, the settings also apply to the sales and rnd directories. If you also define a sandbox for the rnd directory, the rnd sandbox settings also apply to the dev and qa directories. The wwwroot and sales directories maintain their original settings, and the rnd settings override the wwwroot directory settings for the rnd directory and subdirectories.
This hierarchical arrangement of security permits the configuration of personalized sandboxes for users with different security levels. For example, if you are a web hosting administrator who hosts several clients on a ColdFusion shared server, you can configure a sandbox for each customer. This prevents one customer from accessing the data sources or files of another customer.

Resources that you can restrict

You can restrict the following resources:

  • Data Sources: Restrict the use of ColdFusion data sources.
  • CF Tags: Restrict the use of ColdFusion tags that manipulate resources on the server (or on an external server), such as files, the registry, Lightweight Directory Access Protocol (LDAP), mail, and the log.
  • CF Functions: Restrict the use of ColdFusion functions that access the file system.
  • Files/Dirs: Enable tags and functions in the sandbox to access files and directories outside the sandbox.

    Note: To use the Administrator API when sandbox security is enabled, allow access to the cf_web_root/CFIDE/adminapi directory.

  • Server/Ports: Specify the servers, ports, and port ranges that the ColdFusion tags that call third-party resources can use. For more information, see the Administrator online Help.

    Note: When you run ColdFusion in the J2EE configuration on IBM WebSphere, the Files/Dirs and Server/Ports tabs are not enabled.

About directories and permissions

When you enable access to files outside the sandbox, you specify the filename. When you enable access to directories outside the sandbox, you specify the directory name followed by a backslash and an indicator, where the indicator is a dash or an asterisk, as follows:

  • A backslash followed by a dash (\-) lets tags and functions access all files in the specified directory, and recursively allows access to all files in its subdirectories.
  • A backslash followed by an asterisk (\*) lets tags and functions access all files in the specified directory and also list its subdirectories. However, this option denies access to files in any subdirectory.

You can also specify the actions that ColdFusion tags and functions can perform on files and directories outside the sandbox. The following table shows the effect of each permission on a file and on a directory:

Permission   Effect on files       Effect on directories
Read         View the file         List all files in the directory
Write        Write to the file     Not applicable
Execute      Execute the file      Not applicable
Delete       Delete the file       Delete the directory
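The following cfscript page is an added example, not Adobe's code, that models two rules from this section and from Using multiple sandboxes above: how a Files/Dirs entry (a single file, directory\-, or directory\*) applies to a given path, and which sandbox governs a page when a child sandbox overrides its parent. It assumes Windows-style paths and uses constructed entries, targets, and sandbox directories; ColdFusion itself performs the real checks, so use this only to reason about which entries an application's paths fall under.

```cfml
<cfscript>
// Added example (not Adobe's code): models how a sandbox Files/Dirs entry
// covers a path, following the indicator rules described above:
//   C:\data\config.txt   one file (exact match)
//   C:\pix\-             all files in C:\pix and, recursively, in its subdirectories
//   C:\apps\*            files directly in C:\apps plus the names of its
//                        subdirectories, but not the files inside them
// Assumes Windows-style paths; comparison is case-insensitive.

function normalizePath(required string p) {
    var s = replace(arguments.p, "/", "\", "all");
    // drop a trailing separator so "C:\pix\" and "C:\pix" compare equal
    if (len(s) > 1 && right(s, 1) == "\") {
        s = left(s, len(s) - 1);
    }
    return lCase(s);
}

// Returns how the entry applies to the target path:
// "exact", "recursive", "single-level", "directory-itself" or "none".
function entryCovers(required string entry, required string target) {
    var e = arguments.entry;
    var t = normalizePath(arguments.target);
    var indicator = right(e, 2);

    if (indicator == "\-" || indicator == "\*") {
        var dir = normalizePath(left(e, len(e) - 2));
        if (t == dir) {
            // Read on the directory itself allows listing it
            return "directory-itself";
        }
        if (left(t, len(dir) + 1) != (dir & "\")) {
            return "none";
        }
        var rest = mid(t, len(dir) + 2, len(t) - len(dir) - 1);
        if (indicator == "\-") {
            return "recursive";
        }
        // "\*": only entries directly under dir, never inside a subdirectory
        return (find("\", rest) == 0) ? "single-level" : "none";
    }
    return (normalizePath(e) == t) ? "exact" : "none";
}

// Which sandbox governs a page: the most specific (longest) sandbox directory
// that contains the page wins, because a child sandbox fully overrides its parent.
function effectiveSandbox(required string pagePath, required array sandboxDirs) {
    var p = normalizePath(arguments.pagePath);
    var best = "";
    for (var d in arguments.sandboxDirs) {
        var n = normalizePath(d);
        if ((p == n || left(p, len(n) + 1) == (n & "\")) && len(n) > len(best)) {
            best = n;
        }
    }
    return best;   // "" means no sandbox covers the page
}

// Constructed sample data, not from a real sandbox
entries = ["C:\pix\-", "C:\apps\*", "C:\data\config.txt"];
targets = ["C:\pix\2024\photo.jpg", "C:\apps\readme.txt",
           "C:\apps\lib\a.jar", "C:\data\config.txt", "C:\data\other.txt"];

for (t in targets) {
    for (e in entries) {
        writeOutput(e & "  ->  " & t & " : " & entryCovers(e, t) & "<br>");
    }
}

// The directory layout from Using multiple sandboxes: rnd overrides wwwroot
sandboxDirs = ["C:\Inetpub\wwwroot", "C:\Inetpub\wwwroot\rnd"];
for (page in ["C:\Inetpub\wwwroot\sales\index.cfm", "C:\Inetpub\wwwroot\rnd\dev\test.cfm"]) {
    writeOutput(page & " governed by " & effectiveSandbox(page, sandboxDirs) & "<br>");
}
</cfscript>
```

Running the page lists, for every entry and target, whether the target is covered recursively, at a single level, exactly, or not at all, and shows that a page under rnd\dev is governed by the rnd sandbox while a page under sales falls back to the wwwroot sandbox.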

Add a sandbox

ColdFusion lets you define multiple security sandboxes.

  1. Open the Security > Sandbox Security page in the ColdFusion Administrator. The Sandbox Security Permissions page appears.
  2. In the Add Security Sandbox box, enter the name of the new sandbox. This name must be either a ColdFusion mapping (defined in the Administrator) or an absolute path.
  3. Select New Sandbox from the drop-down list to create a sandbox based on the default sandbox, or select an existing sandbox to copy its settings to your new sandbox.
  4. Click Add. The new sandbox appears in the list of Defined Directory Permissions.

Configure a sandbox

Before you begin security sandbox configuration, analyze your application and its usage to determine the tags, functions, and resources that it requires. You can then configure the sandbox to enable access to the required resources and disable use of the appropriate tags and functions. For example, if the applications in the sandbox do not use the cfregistry tag, you can safely disable it.

Note: In the Standard Edition, the Root Security Context is the only sandbox without any initial list of defined directory permissions.

  1. Open the Security > Sandbox Security page (Security > Resource Security page in the Standard Edition) in the ColdFusion Administrator.
  2. In the list of Defined Directory Permissions, click the name or Edit icon for the directory. A page with several tabs appears. This is the initial page in the Standard Edition. The remaining steps describe the use of each tab.
  3. To disable a data source, in the left column of the Datasources tab, highlight the data source, and click the right arrow. By default, ColdFusion pages in this sandbox can access all data sources.

    Note: If <<ALL DATASOURCES>> is in the Enabled Datasources column, any data source that you add is enabled. If you move <<ALL DATASOURCES>> to the Disabled Datasources column, any new data source is disabled.

  4. Click the CFTags tab.
  5. To disable tags, in the left column of the CFTags tab, highlight the tags, and click the right arrow. By default, ColdFusion pages in this sandbox can access all listed tags.
  6. Click the CFFunctions tab.
  7. To disable functions, in the left column of the CFFunctions tab, highlight the functions, and click the right arrow. By default, ColdFusion pages in this sandbox can access all listed functions.
  8. Click the Files/Dirs tab.
  9. To enable files or directories, in the File Path box, enter or browse to the files or directories; for example, C:\pix. A file path that consists of the special token <<ALL FILES>> matches any file. For information on using the backslash-hyphen (-) and backslash-asterisk (*) wildcard characters, see About directories and permissions.
  10. Select the permissions. For example, select the Read check box to let ColdFusion pages in the mytestapps sandbox read files in the C:\pix directory.
  11. Click Add Files/Paths. When you edit an existing sandbox, this button reads Edit Files/Paths. The file path and its permissions appear in the Secured Files and Directories list.
  12. In the Secured Files and Directories list, verify that the file path is correct. The character after the backslash is important. For information, see About directories and permissions.

    Note: The Files/Dirs tab works together with the file-based permissions of the operating system. To restrict a user from browsing another user's directory, use file-based permissions.

  13. Click the Server/Ports tab.
  14. To turn off default behavior (global access to all servers and ports), enter the IP addresses and port numbers that pages in this sandbox can connect to by using tags that access external resources (for example, cfmail, cfpop, cfldap, cfhttp, and so on). You can specify an IP address, a server name (such as  www.someservername.com), or a domain name (such as someservername.com). You can optionally specify a port restriction.

    Note: This behavior differs from other tabs, such as CFTags, where you select items to disable. If you set any values in this tab, external-resource tags executed in this sandbox can access only the specified servers and ports.

    For example, to allow this sandbox access to 207.88.220.3 on ports 80 and lower, perform the following steps:


    1. In the IP Address field, enter 207.88.220.3.
    2. In the Port field, enter 80, and click This Port and Lower.

      Note: Because any entry on this tab limits these tags to the listed servers only, you can deny them access to everything outside your site by enabling access only for a local resource, such as your local mail server or FTP server.

  15. Click Finish to save changes to the sandbox.

Sandbox Considerations

Using OpenOffice within Sandbox

Grant permissions in sandbox for the following filepaths:

  • D:\ColdFusion10\cfusion\runtime\servers\lib (Read)
  • D:\ColdFusion10\cfusion\runtime\servers\lib- (Read)
  • D:\ColdFusion10\cfusion\runtime\lib- (Read)
  • D:\ColdFusion10\cfusion\runtime\lib (Read)
  • C:\Program Files\OpenOffice.org 3\ (Read, Execute)
  • C:\Program Files\OpenOffice.org 3- (Read, Execute)

Using Caching within Sandbox

For disk-based caching to work inside a sandbox, the sandbox must grant read/write permission on the disk cache directory. This is either the default directory (java.io.tmpdir) or a user-configured directory identified by the diskStore property in cf_root\lib\ehcache.xml (<diskStore path="java.io.tmpdir"/>). Use the following code to identify the temp directory:

<cfscript>
writeoutput("Temp Dir : " & createobject("java","java.lang.System").getProperty("java.io.tmpdir") );
</cfscript>

Also, read permission must be granted on cf_root\lib\ehcache.xml for the functions that read from or write to ehcache.xml, such as cacheGetProperties and cacheSetProperties, to work.
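The following cfscript page is an added example, not Adobe's code, that ties together the analysis step in Configure a sandbox and the permissions listed for caching: saved in the sandboxed directory and requested once after the sandbox is configured, it exercises each resource the sandbox must allow (reading cf_root\lib\ehcache.xml, writing to the disk cache directory, listing the sandbox directory, querying a data source, and one outbound cfhttp call) and reports which are blocked by sandbox security rather than by an ordinary error. The data source name myapp_ds, the host intranet.example.internal, and the SELECT 1 query are assumptions; replace them with your own values.

```cfml
<cfscript>
// Added example (not Adobe's code): a sandbox preflight page. Each probe
// touches one resource the text above says the sandbox must allow and
// records whether sandbox security blocked it.
// Assumptions (not from the page): a data source named "myapp_ds", an
// internal host "intranet.example.internal", and a database that accepts
// "SELECT 1 AS ok". Adjust all three for your site.

function probe(required string label, required function action) {
    try {
        arguments.action();
        return { "label": arguments.label, "status": "allowed" };
    } catch (Security e) {
        // sandbox denials are raised with the Security exception type
        return { "label": arguments.label, "status": "blocked by sandbox", "detail": e.message };
    } catch (any e) {
        // other failures (missing file, bad DSN, host unreachable) are not sandbox denials
        return { "label": arguments.label, "status": "error, not a sandbox denial", "detail": e.message };
    }
}

cfRoot     = server.coldfusion.rootdir;                         // e.g. C:\ColdFusion2021\cfusion
ehcacheXml = cfRoot & "\lib\ehcache.xml";                       // Read needed for cacheGetProperties
tempDir    = createObject("java", "java.lang.System").getProperty("java.io.tmpdir");
probeFile  = tempDir & "\sandbox_probe_" & createUUID() & ".tmp";
sandboxDir = getDirectoryFromPath(getCurrentTemplatePath());    // the directory this page lives in

results = [];

// Files/Dirs: read the cache configuration file
arrayAppend(results, probe("read " & ehcacheXml, function() {
    fileRead(ehcacheXml);
}));

// Files/Dirs: write and delete in the disk cache directory (java.io.tmpdir)
arrayAppend(results, probe("write/delete in " & tempDir, function() {
    fileWrite(probeFile, "sandbox probe");
    fileDelete(probeFile);
}));

// Files/Dirs: Read on a directory means listing it
arrayAppend(results, probe("list " & sandboxDir, function() {
    directoryList(sandboxDir);
}));

// Datasources: a trivial query against the application's data source
arrayAppend(results, probe("query datasource myapp_ds", function() {
    queryExecute("SELECT 1 AS ok", [], { datasource: "myapp_ds" });
}));

// Server/Ports: outbound HTTP to the one internal host the sandbox should allow
arrayAppend(results, probe("cfhttp to intranet.example.internal:80", function() {
    cfhttp(url = "http://intranet.example.internal/", method = "get", timeout = 5);
}));

writeDump(var = results, label = "Sandbox preflight results");
</cfscript>
```

Each row of the dump is one resource with its outcome; a "blocked by sandbox" row points at the tab (Files/Dirs, Datasources, or Server/Ports) that still needs an entry, while an "error, not a sandbox denial" row means the permission is in place and the failure lies elsewhere.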

Using Service CFCs within Sandbox

Grant the following permissions:

  • execute permission to cf_root\CustomTags\com\adobe\coldfusion
  • read permission to cf_root\WEB-INF\cftags\META_INF\taglib.tld