Resource Control; Sandbox Security - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual

Resource control

ColdFusion lets you control access to the following resources:
Resource
Data sources
CF tags
CF functions
Files/directories
Server/ports
Note: For more information on configuring resource and sandbox security, see Configuring and
Administering ColdFusion MX and the ColdFusion MX Administrator online Help.

Sandbox security

In ColdFusion Enterprise, sandbox security lets you apply different sets of rules to different
directory structures. You can use it to partition a shared hosting environment, so that a number of
applications with different purposes, and possibly different owners, run securely on a single server.
When multiple applications share a host, you set up a separate directory structure for each
application, and apply rules that allow each application to access only its own data sources and
files.
Sandbox security also lets you structure and partition an application to reflect the access rights
that are appropriate to different functional components. For example, if your application has both
employee inquiry functions and HR functions that include creating, accessing, and modifying
sensitive data, you could structure the application as follows:
•
HR pages go in one directory with access rules that enable most activities.
•
Employee pages go in another directory whose rules limit the files they can modify and the tags
they can use.
•
Pages required for both HR and employee functions go in a third directory with appropriate
access rules.
Description
Enables access to specified data sources.
Prevents pages from using CFML tags that access external resources. You
can prevent pages in the directory from using any or all of the following tags:
cfcollection, cfcontent, cfcookie, cfdirectory, cfexecute, cffile,
cfftp, cfgridupdate, cfhttp, cfhttpparam, cfindex, cfinsert, cfinvoke,
cfldap, cflog, cfmail, cfobject, cfobjectcache, cfpop, cfquery,
cfregistry, cfschedule, cfsearch, cfstoredproc, cftransaction,
cfupdate
Prevents pages from using CFML functions that access external resources.
You can prevent pages from using any or all of the following functions:
CreateObject, DirectoryExists. ExpandPath, FileExists,
GetBaseTemplatePath, GetDirectoryFromPath,
GetFileFromPath, GetProfileString, GetTempDirectory,
GetTempFile, GetTemplatePath,
Sets read, write, execute, and delete access to specified directories,
directory trees, or files.
Controls access to IP addresses and port numbers. You can specify host
names or numeric addresses, and you can specify individual ports and port
ranges.
SetProfileString
About resource and sandbox security 347