Adobe 38043740 - ColdFusion Standard - Mac Manual page 75

Server lockdown guide

Section 6: ColdFusion Server Services
ColdFusion provides a large number of services for developers to take advantage of. Most applications do not
make use of all these services, so the unused ones can be disabled to improve security.
6.1 Servlets and Servlet Mappings in web.xml
All JEE web applications have a file in the WEB-INF directory called web.xml. This file defines the servlets and
servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet
responds to. For example, the servlet that handles requests for .cfm files is called the CfmServlet. The servlet
mapping for it looks like this:
<servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
</servlet-mapping>
The servlets are also defined in the web.xml file; the CfmServlet is defined as:
<servlet id="coldfusion_servlet_3">
    <servlet-name>CfmServlet</servlet-name>
    <display-name>CFML Template Processor</display-name>
    <description>Compiles and executes CFML pages and tags</description>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param id="InitParam_1034013110656ert">
        <param-name>servlet.class</param-name>
        <param-value>coldfusion.CfmServlet</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
</servlet>
We can remove servlet mappings in the web.xml to reduce the attack surface. You don't typically want to
remove the CfmServlet or its servlet mapping, but there are other servlets and mappings that may be removed.
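As an added example (not part of Adobe's guide), the Python script below lists the servlet mappings in a web.xml and reports those whose servlet is not on a list the application needs, as candidates for the removal described above. The sample XML is constructed: CfmServlet and *.cfm come from the guide, while ExampleUnusedServlet, its URL patterns and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real ColdFusion web.xml. CfmServlet and *.cfm come
# from the guide; ExampleUnusedServlet and its patterns are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet id="coldfusion_servlet_3">
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ExampleUnusedServlet</servlet-name>
    <servlet-class>example.UnusedServlet</servlet-class>
  </servlet>
  <servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExampleUnusedServlet</servlet-name>
    <url-pattern>/example-unused/*</url-pattern>
    <url-pattern>*.example</url-pattern>
  </servlet-mapping>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix such as '{http://...}servlet-name'."""
    return tag.rsplit("}", 1)[-1]

def servlet_mappings(web_xml_text):
    """Return {servlet-name: [url-pattern, ...]} for every servlet-mapping."""
    mappings = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in elem:
            if local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif local(child.tag) == "url-pattern":
                patterns.append((child.text or "").strip())
        # A servlet may have several mapping elements; merge their patterns.
        mappings.setdefault(name, []).extend(patterns)
    return mappings

def mappings_to_review(web_xml_text, needed):
    """Mappings whose servlet is not on the application's needed list."""
    return {n: p for n, p in servlet_mappings(web_xml_text).items() if n not in needed}

if __name__ == "__main__":
    print(mappings_to_review(SAMPLE_WEB_XML, {"CfmServlet"}))
```

Run it against a copy of the server's WEB-INF/web.xml, passing the servlet names the application actually uses as the needed set.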

This manual is also suitable for:

Coldfusion 10