About resource and sandbox security



ColdFusion provides two levels of resource-based security:

  • ColdFusion Standard refers to its resource-based security as resource security. It lets you specify a single set of limitations on access to ColdFusion resources that apply to all ColdFusion applications.

  • ColdFusion Enterprise refers to its resource-based security as sandbox security. Sandbox security is a superset of resource security. Sandbox security lets you create multiple sandboxes, each corresponding to a different directory. For each sandbox, you specify a set of resource limitations that apply to all ColdFusion pages in the sandbox directory and its subdirectories. If you create a sandbox that is a subdirectory of a sandbox, the subdirectory’s rules override the parent directory’s rules.

The ColdFusion Administrator Resource Security page (in Standard) and Sandbox Security page (in Enterprise) let you enable resource-based security. In ColdFusion Standard, the page lets you configure the resource settings that apply to all your ColdFusion applications. In ColdFusion Enterprise, the page lets you create sandboxes and configure the resource limitations for each sandbox individually.

Resource control

ColdFusion lets you control access to the following resources:

  • Data sources: Enables access to specified data sources.

  • CF tags: Prevents pages from using CFML tags that access external resources. You can prevent pages in the directory from using any or all of the following tags: cfcollection, cfcontent, cfcookie, cfdirectory, cfdocument, cfexecute, cffile, cfftp, cfgridupdate, cfhttp, cfhttpparam, cfindex, cfinsert, cfinvoke, cfldap, cflog, cfmail, cfobject, cfobjectcache, cfpop, cfquery, cfregistry, cfreport, cfschedule, cfsearch, cfstoredproc, cftransaction, cfupdate

  • CF functions: Prevents pages from using CFML functions that access external resources. You can prevent pages from using any or all of the following functions: CreateObject (COM, Java, Web Service), DirectoryExists, ExpandPath, FileExists, GetBaseTemplatePath, GetDirectoryFromPath, GetFileFromPath, GetGatewayHelper, GetProfileString, GetTempDirectory, GetTempFile, GetTemplatePath, SendGatewayMessage, SetProfileString

  • Files/directories: Sets read, write, execute, and delete access to specified directories, directory trees, or files.

  • Server/ports: Controls access from ColdFusion to IP addresses and port numbers. You can specify host names or numeric addresses, and you can specify individual ports and port ranges.

Note: For more information on configuring resource and sandbox security, see Configuring and Administering ColdFusion and the ColdFusion Administrator online Help.

Sandbox security

In ColdFusion Enterprise, sandbox security lets you apply different sets of rules to different directory structures. Use it to partition a shared hosting environment so that a number of applications with different purposes, and possibly different owners, run securely on a single server. When multiple applications share a host, you set up a separate directory structure for each application, and apply rules that let each application access only its own data sources and files.

Sandbox security also lets you structure and partition an application to reflect the access rights that are appropriate to different functional components. For example, if your application has both employee inquiry functions and HR functions that include creating, accessing, and modifying sensitive data, you could structure the application as follows:

  • HR pages go in one directory with access rules that enable most activities.

  • Employee pages go in another directory whose rules limit the files they modify and the tags they use.

  • Pages required for both HR and employee functions go in a third directory with appropriate access rules.
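
The nesting rule and the HR/employee layout described above, modeled as an added example (not Adobe's code and not ColdFusion's configuration format) that reports where a nested sandbox re-enables tags its parent disables. The directory paths and the dict layout are constructed, and the model assumes a nested sandbox's rule set replaces its parent's rather than merging with it.

```python
from pathlib import PurePosixPath

# Constructed sample: sandbox directory -> CFML tags disabled in that sandbox.
# Illustration only; this is not how ColdFusion stores sandbox settings.
SANDBOXES = {
    "/apps/hrportal": {"cfexecute", "cfregistry", "cfftp", "cffile"},
    "/apps/hrportal/hr": {"cfregistry"},
    "/apps/hrportal/employee": {"cfexecute", "cfregistry", "cfftp", "cffile", "cfhttp"},
}

def governing_sandbox(template, sandboxes=SANDBOXES):
    """Return the deepest sandbox directory that contains the path, or None."""
    path = PurePosixPath(template)
    matches = [d for d in sandboxes if PurePosixPath(d) in path.parents]
    return max(matches, key=lambda d: len(PurePosixPath(d).parts), default=None)

def tag_allowed(template, tag, sandboxes=SANDBOXES):
    """A tag is allowed unless the governing sandbox disables it.
    Assumption: the child's rule set replaces the parent's (no merging);
    paths outside every sandbox are treated as unrestricted in this model."""
    box = governing_sandbox(template, sandboxes)
    return box is None or tag.lower() not in sandboxes[box]

def loosened_by_child(sandboxes=SANDBOXES):
    """Report tags a parent sandbox disables but a nested sandbox re-enables."""
    findings = {}
    for child in sandboxes:
        parent = governing_sandbox(child, sandboxes)  # nearest enclosing sandbox
        if parent is not None:
            regained = sandboxes[parent] - sandboxes[child]
            if regained:
                findings[child] = sorted(regained)
    return findings

if __name__ == "__main__":
    for directory, tags in loosened_by_child().items():
        print(f"{directory} re-enables: {', '.join(tags)}")
```

Each reported directory is one to review, because pages placed there run with fewer tag restrictions than the rest of the application tree.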