
About resource security

Resource security lets you secure access to ColdFusion resources based on the ColdFusion page location, by applying a set of access rules to all ColdFusion pages in a directory. The directory or directories to which a set of rules apply is called a sandbox, and resource security is also called sandbox security. The ColdFusion Administrator Security Settings page enables resource security; the Sandbox Security page configures access to resources. Resource security controls access to the following resources:
| Resource | Description |
| --- | --- |
| Data Sources | Enables access to specified data sources. |
| CF Tags | Prevents pages from using CFML tags that access external resources. You can prevent pages in the directory from using any or all of the following tags: cfcollection, cfcontent, cfcookie, cfdirectory, cfexecute, cffile, cfftp, cfgridupdate, cfhttp, cfhttpparam, cfindex, cfinsert, cfinvoke, cfldap, cflog, cfmail, cfobject, cfobjectcache, cfquery, cfregistry, cfschedule, cfsearch, cfstoredproc, cftransaction, cfupdate |
| CF Functions | Prevents pages from using CFML functions that access external resources. You can prevent pages from using any or all of the following functions: CreateObject, DirectoryExists, ExpandPath, FileExists, GetBaseTemplatePath, GetDirectoryFromPath, GetFileFromPath, GetProfileString, GetTempDirectory, GetTemplatePath, SetProfileString |
| Files/Directories | Sets read, write, execute, and delete access to specified directories, directory trees, or files. |
| Server/Ports | Controls access to IP addresses and port numbers. You can specify host names or numeric addresses, and you can specify individual ports and port ranges. |

By default, resource security rules apply to the specified directory and all its subdirectories. If you create a set of rules for a subdirectory of another sandbox, the subdirectory's rules override the parent directory's rules.

Resource security lets you apply different sets of rules to different directory structures. You can use it to partition a shared hosting environment, so that a number of applications with different purposes, and possibly different owners, run securely on a single server. When multiple applications share a host, you set up a separate directory structure for each application, and apply rules that allow each application to access only its own data sources and files.
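The override rule and the shared-hosting partitioning described above, modelled in Python as an added example (this is not ColdFusion's own code and not how the server implements sandboxes). The directories and data source names are constructed, and the model assumes that a page outside every sandbox is unrestricted and that paths are already canonical.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class Sandbox:
    directory: str
    datasources: frozenset    # data sources pages in this sandbox may use
    disabled_tags: frozenset  # CFML tags pages in this sandbox may not use

# Constructed configuration: two tenants under one hosting root.
SANDBOXES = [
    Sandbox("/hosting", frozenset(), frozenset({"cfexecute", "cfregistry", "cffile"})),
    Sandbox("/hosting/shop", frozenset({"shop_dsn"}), frozenset({"cfexecute", "cfregistry"})),
    Sandbox("/hosting/blog", frozenset({"blog_dsn"}), frozenset({"cfexecute", "cfregistry", "cffile"})),
    Sandbox("/hosting/shop/admin", frozenset({"shop_dsn"}), frozenset({"cfregistry"})),
]

def sandbox_for(path, sandboxes=SANDBOXES):
    """Deepest sandbox whose directory is a strict ancestor of path, else None."""
    parents = PurePosixPath(path).parents
    inside = [sb for sb in sandboxes if PurePosixPath(sb.directory) in parents]
    return max(inside, key=lambda sb: len(PurePosixPath(sb.directory).parts), default=None)

def may_use_tag(page, tag):
    # Only the governing (deepest) sandbox is consulted: rules override, they do not merge.
    sb = sandbox_for(page)
    return sb is None or tag.lower() not in sb.disabled_tags

def may_use_datasource(page, dsn):
    sb = sandbox_for(page)
    return sb is None or dsn in sb.datasources

def relaxations(sandboxes=SANDBOXES):
    """Audit: nested sandboxes that re-enable tags their enclosing sandbox disables."""
    found = []
    for child in sandboxes:
        parent = sandbox_for(child.directory, sandboxes)
        if parent is not None:
            regained = sorted(parent.disabled_tags - child.disabled_tags)
            if regained:
                found.append((child.directory, parent.directory, regained))
    return found
```

Because a subdirectory's rules replace the parent's, `relaxations()` is the check to run after adding a nested sandbox: it lists every restriction the parent imposed that the child silently drops.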

Resource security also lets you structure and partition an application to reflect the access rights that are appropriate to different functional components. For example, if your application has both user functions and administrator functions, you could structure the application as follows:

For more information on configuring resource security, see Administering ColdFusion MX.


Version 6

Comments are no longer accepted for ColdFusion MX. ColdFusion 8 is the current version.

Comments


wwwmaster said on Jun 11, 2002 at 1:34 PM :
Grammatical error:

"Resource security also lets you to structure and partition "

jochemd said on May 6, 2002 at 8:00 PM :
The text at the top of the page suggests that Resource Security and Sandbox Security is the same. However, http://www.macromedia.com/software/coldfusion/whitepapers/pdf/ColdFusionMXFeatureGrid_03.pdf suggests that CF MX Pro does not have Sandbox Security but has Resource Security. How can that be if they are the same?

carehart@systemanage said on Aug 7, 2002 at 6:22 AM :
Agreeing with jochemd's comment of May 6, this page needs to do a better job of distinguishing Resource Security (in Pro) from Sandbox Security (in Enterprise).

In the section "About Resource Security", it states:

"The directory or directories to which a set of rules apply is called a sandbox, and resource security is also called sandbox security."

That does suggest they're the same without making a distinction. Further, is it appropriate to say that the set of rules applied to the "root security context" in Pro is really "a sandbox"? It may seem a picky distinction, but for folks just getting started, the looseness and inconsistency of the terminology used in the docs, articles, and admin can be confusing.

Further, it states:

"The ColdFusion Administrator Security Settings page enables resource security; the Sandbox Security page configures access to resources. Resource security controls access to the following resources:"

This is a real mishmash. There is no "security settings page", unless it's that this is the name of the link in the nav bar in Pro. If so, then it should say:

"In CFMX Pro, the ColdFusion Administrator Security Settings page enables resource security, configuring access to resources for the global "root security context". In CFMX Enterprise (or Trial or Developer Editions), the Sandbox Security page configures access to resources in any named sandbox. Access can be controlled for the following resources:"

In addition, the final 3 paragraphs of this section (after the table) apply ONLY to Enterprise's Sandbox Security (as they refer to creating sandboxes for various directories), yet they freely use the phrase Resource Security as if it's the same thing.

Speaking of that table, it's missing GetTempFile from the list of functions that can be restricted.

carehart@systemanage said on Aug 7, 2002 at 3:59 PM :
As a follow-up to my previous comment, I can now confirm that in Pro, the page for working with this resource security is indeed called Resource Security (not "sandbox Security" as it is in Enterprise nor "Security Settings" as is asserted above).

I can also now confirm that there is no "root security context" in Pro (a confusion that came from the docs in Chap 4 of the Admin manual, which I'll clarify there).

So the rewording I'd proposed in the last note should instead read:

"In CFMX Pro, the ColdFusion Administrator Resource Security page enables resource security, configuring access to resources for all templates on the server. In CFMX Enterprise (or Trial or Developer Editions), the Sandbox Security page configures access to resources in any named sandbox. Access can be controlled for the following resources:"

carehart@systemanage said on Aug 7, 2002 at 4:12 PM :
As follow-up to my previous comments, I have now been able to confirm how things look and work in Pro. I applied a Pro serial number to a trial/developer edition and observed the following which affects both my comments and info on this page.

1) By changing to Pro, I observed that the name of the page for setting Resource Security does indeed change (in the nav bar) from Sandbox Security to Resource Security.

2) Further, in Pro, when one selects that page, there is no "root security context" displayed. Instead, one is dropped right into the equivalent of Sandbox's "Security Permissions" page, with the display of the tabs for controlling Datasources, Tag and Functions, etc.

So in Pro there's no display (naturally) of the "Add Security Sandbox" pane nor even the "Defined Directory Permissions" pane. Instead, one is dropped right into setting up the resource controls for the entire server. Simple and appropriate, but not clarified at all in these docs.

Indeed, it would be helpful for this page to show both what the page looks like in Enterprise and in Pro, to save people the confusion.

3) Continuing the refinement of the current phrase above, "If you have the Standard Edition of ColdFusion MX, you can configure the root security sandbox.", besides changing Standard to Professional, the reference to "root security sandbox" should just be removed. It should instead say:

"If you have the Professional Edition of ColdFusion MX, you can configure resource security controls for all applications on the server."

4) As to whether Resource Security in Pro is enabled by default, I cannot say. Since in my "downgrade" to Pro I did already have the "Enable ColdFusion Security" checkbox checked, I don't know if it was persisted or not. It would be very useful for someone to install CF from scratch with a Pro license to see if it's enabled by default.

 


Current page: http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity3.htm