User Guide
Table Of Contents
- Contents
- Introduction
- Administering ColdFusion MX 7
- Administering ColdFusion MX
- Using the ColdFusion MX Administrator
- Contents
- Initial administration tasks
- Accessing user assistance
- Server Settings section
- Data & Services section
- Debugging & Logging section
- Extensions section
- Event Gateways section
- Security section
- Packaging and Deployment section
- Enterprise Manager section
- Custom Extensions section
- Administrator API
- Data Source Management
- Contents
- About JDBC
- Adding data sources
- Connecting to DB2 Universal Database
- Connecting to Informix
- Connecting to Microsoft Access
- Connecting to Microsoft Access with Unicode
- Connecting to Microsoft SQL Server
- Connecting to MySQL
- Connecting to ODBC Socket
- Connecting to Oracle
- Connecting to other data sources
- Connecting to Sybase
- Connecting to JNDI data sources
- Web Server Management
- Deploying ColdFusion Applications
- Administering Security
- Using Multiple Server Instances
- Administering Verity
- Introducing Verity and Verity Tools
- Indexing Collections with Verity Spider
- Using Verity Utilities
- Contents
- Overview of Verity utilities
- Using the mkvdk utility
- Using the rck2 utility
- Using the rcvdk utility
- Using the didump utility
- Using the browse utility
- Using the merge utility
- Index
Using sandbox security 87
To use sandbox security in the multiserver and J2EE editions, the application server must be
running a security manager (
java.lang.SecurityManager) and you must define the following
JVM arguments (for Macromedia JRun, this is the java.args line in the jrun_root/jvm.config file):
-Djava.security.manager
-Djava.security.policy="cf_root/WEB-INF/cfusion/lib/coldfusion.policy"
-Djava.security.auth.policy="cf_root/WEB-INF/cfusion/lib/neo_jaas.policy"
Note: Sandbox security is not enabled by default. You must enable it on the Security > Sandbox
Security page before ColdFusion enforces the settings.
Using multiple sandboxes (Enterprise Edition only)
By default, a subdirectory of a sandbox inherits the settings of the directory one level above it.
However, if you define a sandbox for a subdirectory, the subdirectory no longer inherits settings
from the parent, completely overriding the parent directory’s sandbox settings. For example,
consider the following directories:
C:\Inetpub\wwwroot
C:\Inetpub\wwwroot\sales
C:\Inetpub\wwwroot\rnd
C:\Inetpub\wwwroot\rnd\dev
C:\Inetpub\wwwroot\rnd\qa
If you define a sandbox for the wwwroot directory, the settings also apply to the sales and rnd
directories. If you also define a sandbox for the rnd directory, the rnd sandbox settings also apply
to the dev and qa directories; the wwwroot and sales directories maintain their original settings;
and the rnd settings override the wwwroot directory settings for the rnd directory and its
subdirectories.
This hierarchical arrangement of security permits the configuration of personalized sandboxes for
users with different security levels. For example, if you are a web hosting administrator who hosts
several clients on a ColdFusion shared server, you can configure a sandbox for each customer.
This prevents one customer from accessing the data sources or files of another customer.
Resources that you can restrict
You can restrict the following resources:
Data Sources Restrict the use of ColdFusion data sources.
CF Tags Restrict the use of ColdFusion tags that manipulate resources on the server (or on an
external server), such as files, the registry, Lightweight Directory Access Protocol (LDAP), mail,
and the log.
CF Functions Restrict the use of ColdFusion functions that access the file system.
Files/Dirs Enable tags and functions in the sandbox to access files and directories outside of the
sandbox.
Note: To use the Administrator API when sandbox security is enabled, you must allow access to the
cf_web_root/CFIDE/adminapi directory.
Server/Ports
Specify the servers, ports, and port ranges that the ColdFusion tags that call
third-party resources can use.