Sandbox Security - Adobe 38043740 - ColdFusion Standard - Mac Development Manual

Developing applications

DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications
About resource and sandbox security
ColdFusion provides two levels of resource-based security:
• ColdFusion Standard refers to its resource-based security as resource security. It lets you specify a single set of
limitations on access to ColdFusion resources that apply to all ColdFusion applications.
• ColdFusion Enterprise refers to its resource-based security as sandbox security. Sandbox security is a superset of
resource security. Sandbox security lets you create multiple sandboxes, each corresponding to a different directory.
For each sandbox, you specify a set of resource limitations that apply to all ColdFusion pages in the sandbox
directory and its subdirectories. If you create a sandbox that is a subdirectory of a sandbox, the subdirectory's rules
override the parent directory's rules.
The ColdFusion Administrator Resource Security page (in Standard) and Sandbox Security page (in Enterprise) let
you enable resource-based security. In ColdFusion Standard, the page lets you configure the resource settings that
apply to all your ColdFusion applications. In ColdFusion Enterprise, the page lets you create sandboxes and configure
the resource limitations for each sandbox individually.
Resource control
ColdFusion lets you control access to the following resources:
Resource: Description
• Data sources: Enables access to specified data sources.
• CF tags: Prevents pages from using CFML tags that access external resources. You can prevent pages in the
directory from using any or all of the following tags:
cfcollection, cfcontent, cfcookie, cfdirectory, cfdocument, cfexecute, cffile, cfftp, cfgridupdate, cfhttp,
cfhttpparam, cfindex, cfinsert, cfinvoke, cfldap, cflog, cfmail, cfobject, cfobjectcache, cfpop, cfquery, cfregistry,
cfreport, cfschedule, cfsearch, cfstoredproc, cftransaction, cfupdate
• CF functions: Prevents pages from using CFML functions that access external resources. You can prevent pages
from using any or all of the following functions:
CreateObject (COM, Java, Web Service), DirectoryExists, ExpandPath, FileExists, GetBaseTemplatePath,
GetDirectoryFromPath, GetFileFromPath, GetGatewayHelper, GetProfileString, GetTempDirectory, GetTempFile,
GetTemplatePath, SendGatewayMessage, SetProfileString
• Files/directories: Sets read, write, execute, and delete access to specified directories, directory trees, or files.
• Server/ports: Controls access from ColdFusion to IP addresses and port numbers. You can specify host names or
numeric addresses, and you can specify individual ports and port ranges.
Note: For more information on configuring resource and sandbox security, see Configuring and Administering
ColdFusion and the ColdFusion Administrator online Help.
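
An added example (not from the Adobe manual) that models the nested-sandbox override rule described above and audits a sandbox layout for child sandboxes that permit tags their parent disables. It assumes "override" means the deepest sandbox's rules replace the parent's rather than merging with them; the directory names, the dictionary layout and the function names are hypothetical.

```python
from pathlib import PurePosixPath

# Constructed sandbox model (hypothetical layout, not ColdFusion's own storage
# format): sandbox directory -> set of CFML tags disabled in that sandbox.
SANDBOXES = {
    "/sites": {"cfexecute", "cfregistry", "cfobject", "cffile"},
    "/sites/hr": {"cfregistry"},
    "/sites/inquiry": {"cfexecute", "cfregistry", "cfobject", "cffile", "cfquery"},
}

def governing_sandbox(page, sandboxes=SANDBOXES):
    """Return the deepest sandbox directory that contains page, or None."""
    path = PurePosixPath(page)
    matches = [d for d in sandboxes if PurePosixPath(d) in path.parents]
    return max(matches, key=lambda d: len(PurePosixPath(d).parts), default=None)

def tag_allowed(page, tag, sandboxes=SANDBOXES):
    """True if tag may be used on page. Assumption of this model: a page
    outside every sandbox is treated as unrestricted."""
    box = governing_sandbox(page, sandboxes)
    return box is None or tag.lower() not in sandboxes[box]

def reenabled_by_children(sandboxes=SANDBOXES):
    """List (child, parent, tags) where a nested sandbox permits tags that
    its nearest enclosing sandbox disables: the overrides worth reviewing."""
    findings = []
    for child in sorted(sandboxes):
        parent = governing_sandbox(child, sandboxes)
        if parent is not None:
            opened = sandboxes[parent] - sandboxes[child]
            if opened:
                findings.append((child, parent, sorted(opened)))
    return findings

if __name__ == "__main__":
    for child, parent, tags in reenabled_by_children():
        print(f"{child} overrides {parent}: re-enables {', '.join(tags)}")
```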

Sandbox security

In ColdFusion Enterprise, sandbox security lets you apply different sets of rules to different directory structures. Use
it to partition a shared hosting environment so that a number of applications with different purposes, and possibly
different owners, run securely on a single server. When multiple applications share a host, you set up a separate
directory structure for each application, and apply rules that let each application access only its own data sources and
files.
Sandbox security also lets you structure and partition an application to reflect the access rights that are appropriate to
different functional components. For example, if your application has both employee inquiry functions and HR
functions that include creating, accessing, and modifying sensitive data, you could structure the application as follows:
• HR pages go in one directory with access rules that enable most activities.
Last updated 1/20/2012