Why Security is Important


Configure ColdFusion security

Security > Sandbox Security (in ColdFusion Server Enterprise Edition)
Security > Resource Security (in ColdFusion Server Standard Edition)

Enable ColdFusion security

  1. Select the Enable ColdFusion Security option.

  2. Click Submit Changes.

  3. Restart your ColdFusion server.

 

Note: To use sandbox security in the multiserver and J2EE configurations, the application server must be running a security manager (java.lang.SecurityManager) and you must define the following JVM arguments (for Macromedia JRun, this is the java.args line in the jrun_root/jvm.config file):

-Djava.security.manager

-Djava.security.policy="cf_root/WEB-INF/cfusion/lib/coldfusion.policy"

-Djava.security.auth.policy="cf_root/WEB-INF/cfusion/lib/neo_jaas.policy"
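As an added check (not part of the ColdFusion documentation), the following Python reads the java.args line of a jvm.config file and reports which of the three arguments above is missing or points at the wrong policy file; the jvm.config contents are constructed, with cf_root kept as a placeholder exactly as the page writes it.

```python
import shlex

# Property names the page requires on the java.args line. The two policy
# properties must name these files; the directory prefix varies per install.
REQUIRED = {
    "-Djava.security.manager": None,
    "-Djava.security.policy": "coldfusion.policy",
    "-Djava.security.auth.policy": "neo_jaas.policy",
}

# Constructed sample jvm.config contents (cf_root is a placeholder, as on the page).
JVM_CONFIG_OK = "java.home=/opt/jdk\njava.args=" + " ".join([
    "-server", "-Xmx512m", "-Djava.security.manager",
    '-Djava.security.policy="cf_root/WEB-INF/cfusion/lib/coldfusion.policy"',
    '-Djava.security.auth.policy="cf_root/WEB-INF/cfusion/lib/neo_jaas.policy"',
]) + "\n"
# Same file with the JAAS policy argument left out.
JVM_CONFIG_NO_AUTH = JVM_CONFIG_OK.replace(
    ' -Djava.security.auth.policy="cf_root/WEB-INF/cfusion/lib/neo_jaas.policy"', "")

def java_args(jvm_config_text):
    """Return the tokens of the java.args line; shlex keeps the quoted paths intact."""
    for line in jvm_config_text.splitlines():
        if line.startswith("java.args="):
            return shlex.split(line[len("java.args="):])
    return []

def check_security_manager(jvm_config_text):
    """Return a list of problems with the java.args line; an empty list means it is complete."""
    seen = dict(tok.partition("=")[::2] for tok in java_args(jvm_config_text))
    problems = []
    for flag, policy_file in REQUIRED.items():
        if flag not in seen:
            problems.append(f"missing {flag}")
        elif policy_file and not seen[flag].endswith(policy_file):
            problems.append(f"{flag} does not point at {policy_file}")
    return problems
```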

 

You can do the following actions:

 

Note: You can click Finish after you make all your changes. You don't have to click Finish after configuring each tab.

 

Security in ColdFusion Enterprise Edition: In ColdFusion Enterprise Edition, you can configure multiple security areas on a per-directory basis. These security areas are called sandboxes. A sandbox is a designated directory of your site to which you apply security restrictions. Thus, sandbox security lets you specify which tags, functions, and resources (for example, files, directories, and data sources) can be used by ColdFusion pages located in and beneath the designated directory.

 

When you enable ColdFusion security, ColdFusion creates the following internal system-level sandboxes, which you can edit, but not delete:

 

Note: If you enable sandbox security and want to use the Administrator API, you must enable access to the CFIDE/adminapi directory.

 

Security in ColdFusion Standard Edition: In ColdFusion Standard Edition, Sandbox Security is named Resource Security. You can configure security at the server level and settings apply to all directories beneath the web root.

Add a sandbox (Enterprise Edition only)

  1. In the Add Security Sandbox field on the Sandbox Security page, enter the name of the new sandbox. This name must be a fully qualified directory path or a ColdFusion mapping.

Note: The directory or ColdFusion mapping must exist.

  2. To create a sandbox based on the default sandbox, select New Sandbox from the drop-down list box. Alternatively, select an existing sandbox to copy its settings to your new sandbox.

  3. Click Add. The sandbox appears in the list of Defined Directory Permissions.

Edit security permissions for data sources, tags, and functions

  1. In the list of Defined Directory Permissions on the Sandbox Security page, click the name or the Edit button for the directory that you want to edit.

  2. To disable a data source, in the left column of the Data Sources tab, highlight the data source, and click the right arrow. By default, ColdFusion pages in this sandbox can access all data sources.

Note: The All Data Sources option includes future data sources and those not specified as enabled or disabled.

  3. Click the CF Tags tab. To disable tags, highlight the tags in the left column, and click the right arrow. By default, ColdFusion pages in this sandbox can access all listed tags.

  4. Click the CF Functions tab. To disable functions, highlight the functions in the left column, and click the right arrow. By default, ColdFusion pages in this sandbox can access all listed functions.

Edit security permissions for files and directories

  1. Click the Files/Dirs tab. The Secured Files and Directories list displays the files and directories outside of the sandbox that pages within the sandbox can access. This behavior differs from the CF Tags and CF Functions tabs, where you select items to disable.

  2. To edit an existing file or directory specification, click the Edit icon or filepath in the Secured Files and Directories list.

  3. To enable access to files or directories, use the File Path entry field to enter or browse to the files or directories to enable; for example, C:\pix. A filepath consisting of the special token <<ALL FILES>> matches any file. Optionally, append a wildcard to customize access to child directories and files:

  4. Select the permissions. For example, select the Read option for ColdFusion pages within my_sandbox to read files in the C:\pix directory.

  5. Click Add Files/Paths. The filepath and its permissions appear in the Secured Files and Directories list.

 

Note: When running ColdFusion in the J2EE configuration on IBM WebSphere, file or directory security is not enabled.

Edit security permissions for servers and ports

  1. Click the Server/Ports tab.

Note: By default, all IPs and ports are available to the protocol tags.

  2. To turn off default behavior (global access to all IP addresses and ports), enter the IP addresses and port numbers that pages in this sandbox will be allowed to connect to using tags that access external resources (for example, cfmail, cfpop, cfldap, cfhttp, and so on). You can specify an IP address, a server name (such as www.someservername.com), or a domain name (such as someservername.com). Specifying a port restriction is optional. After you enter server and, optionally, port information, protocol tags cannot access any other server/port, unless you explicitly add it.

    For example, to let this sandbox access 207.88.220.3 on ports 80 and lower, perform the following steps:

    1. In the IP Address field, enter 207.88.220.3.

    2. In the Port field, enter 80, and click This Port and Lower.

  3. Click Add IP Address. The entry appears in the Enabled IP/Ports list.

 

Note: When running ColdFusion in the J2EE configuration on IBM WebSphere, IP/port security is not enabled.
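The Files/Dirs and Server/Ports tabs work as allow-lists, while the CF Tags and CF Functions tabs are deny-lists, which is easy to get backwards when auditing a sandbox. The following Python model of those rules is an added example, not ColdFusion code: it assumes a sandbox can always reach its own directory, uses plain path-prefix matching (the wildcard forms are not modelled), treats the mode name "and_lower" as my label for "This Port and Lower", and encodes the page's my_sandbox / C:\pix / 207.88.220.3 example as constructed data.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

ALL_FILES = "<<ALL FILES>>"   # special token from the Files/Dirs tab: matches any file

def _under(path, directory):
    """True when path is the directory itself or lies beneath it (string comparison only)."""
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p == d or d in p.parents

@dataclass
class Sandbox:
    root: str                                          # directory the sandbox is defined on
    disabled_tags: set = field(default_factory=set)    # CF Tags / CF Functions tabs: deny-list
    file_rules: list = field(default_factory=list)     # Files/Dirs tab: allow-list of (path, perms)
    ip_port_rules: list = field(default_factory=list)  # Server/Ports tab: (host, port or None, mode)

    def tag_allowed(self, tag):
        # Default is "all listed tags"; only explicitly disabled names are blocked.
        return tag.lower() not in {t.lower() for t in self.disabled_tags}

    def file_allowed(self, path, perm):
        # Assumption: the sandbox's own directory is always reachable; anything
        # outside it must appear in the Secured Files and Directories list.
        if _under(path, self.root):
            return True
        return any(perm in perms and (rule == ALL_FILES or _under(path, rule))
                   for rule, perms in self.file_rules)

    def server_allowed(self, host, port):
        if not self.ip_port_rules:
            return True   # default: every IP address and port is reachable
        for rule_host, rule_port, mode in self.ip_port_rules:
            host_ok = host == rule_host or host.endswith("." + rule_host)  # exact or domain suffix
            if rule_port is None:
                port_ok = True                    # port restriction is optional
            elif mode == "and_lower":
                port_ok = port <= rule_port       # "This Port and Lower"
            else:
                port_ok = port == rule_port       # exact port only
            if host_ok and port_ok:
                return True
        return False   # once any entry exists, everything else is blocked

# Constructed sandbox: may read C:\pix (written with forward slashes) and reach 207.88.220.3 on ports 80 and lower.
MY_SANDBOX = Sandbox(root="/www/my_sandbox", disabled_tags={"cfexecute"},
                     file_rules=[("C:/pix", {"read"})],
                     ip_port_rules=[("207.88.220.3", 80, "and_lower")])
```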

Edit runtime permissions for ColdFusion pages

 

  1. Click the Others tab. By default, all runtime permissions are enabled.

  2. If you want to disable any runtime permissions for a ColdFusion page in the specified directory, select the runtime permission from the Enabled Runtime Permissions box and click the >> button. To select more than one runtime permission, hold down the CTRL key while selecting the runtime permissions.

  3. Click Finish.
