Adobe ColdFusion 8

About resource and sandbox security

ColdFusion provides two levels of resource-based security:

  • ColdFusion Standard refers to its resource-based security as resource security. It lets you specify a single set of limitations on access to ColdFusion resources that apply to all ColdFusion applications.
  • ColdFusion Enterprise refers to its resource-based security as sandbox security. Sandbox security is a superset of resource security. Sandbox security lets you create multiple sandboxes, each corresponding to a different directory. For each sandbox, you specify a set of resource limitations that apply to all ColdFusion pages in the sandbox directory and its subdirectories. If you create a sandbox that is a subdirectory of a sandbox, the subdirectory's rules override the parent directory's rules.

The ColdFusion Administrator Resource Security page (in Standard) and Sandbox Security page (in Enterprise) let you enable resource-based security. In ColdFusion Standard, the page lets you configure the resource settings that apply to all your ColdFusion applications. In ColdFusion Enterprise, the page lets you create sandboxes and configure the resource limitations for each sandbox individually.

Resource control

ColdFusion lets you control access to the following resources:

Resource

Description

Data sources

Enables access to specified data sources.

CF tags

Prevents pages from using CFML tags that access external resources. You can prevent pages in the directory from using any or all of the following tags:

cfcollection, cfcontent, cfcookie, cfdirectory, cfdocument, cfexecute, cffile, cfftp, cfgridupdate, cfhttp, cfhttpparam, cfindex, cfinsert, cfinvoke, cfldap, cflog, cfmail, cfobject, cfobjectcache, cfpop, cfquery, cfregistry, cfreport, cfschedule, cfsearch, cfstoredproc, cftransaction, cfupdate

CF functions

Prevents pages from using CFML functions that access external resources. You can prevent pages from using any or all of the following functions:

CreateObject (COM, Java, Web Service), DirectoryExists. ExpandPath, FileExists, GetBaseTemplatePath, GetDirectoryFromPath, GetFileFromPath, GetGatewayHelper, GetProfileString, GetTempDirectory, GetTempFile, GetTemplatePath, SendGatewayMessage, SetProfileString

Files/directories

Sets read, write, execute, and delete access to specified directories, directory trees, or files.

Server/ports

Controls access from ColdFusion to IP addresses and port numbers. You can specify host names or numeric addresses, and you can specify individual ports and port ranges.

Note: For more information on configuring resource and sandbox security, see Configuring and Administering ColdFusion and the ColdFusion Administrator online Help.

Sandbox security

In ColdFusion Enterprise, sandbox security lets you apply different sets of rules to different directory structures. You can use it to partition a shared hosting environment so that a number of applications with different purposes, and possibly different owners, run securely on a single server. When multiple applications share a host, you set up a separate directory structure for each application, and apply rules that let each application access only its own data sources and files.

Sandbox security also lets you structure and partition an application to reflect the access rights that are appropriate to different functional components. For example, if your application has both employee inquiry functions and HR functions that include creating, accessing, and modifying sensitive data, you could structure the application as follows:

  • HR pages go in one directory with access rules that enable most activities.
  • Employee pages go in another directory whose rules limit the files they can modify and the tags they can use.
  • Pages required for both HR and employee functions go in a third directory with appropriate access rules.