About Securing ColdFusion Resources
ColdFusion Advanced Security allows you to secure the following resource types:
- Applications
- CFML tags
- Verity collections
- Components such as a CFApplet, CFX, or CFOBJECT Class name
- CustomTag
- DataSources
- Files
- UserObjects
Securing a resource of one of these types means defining a rule that identifies the resource and, for resource types that support it (CFML tags, for example), the actions you want to secure. A rule by itself changes nothing: you then add it to a security policy that associates it with the users or groups who are allowed the access the rule describes.
There are several contexts in which security comes into play:
- At runtime: With a security context defined, ColdFusion developers can build authentication logic into application pages using the CFAUTHENTICATE tag. See Developing Web Applications with ColdFusion.
- From ColdFusion Studio: ColdFusion Studio users are authenticated and their access to files and data sources authorized before they can edit files or manipulate data sources.
- Pages and functions in the ColdFusion Administrator: Since the Administrator is the locus of all security management functions, as well as data source, performance, and scheduling, you may need to define rules to authenticate users before they access individual Administrator pages.
- The sandbox: In a hosted environment, ColdFusion applications are secured on a directory level allowing the hosting ISP to partition access to application pages and resources.
Securing Resources
The process of securing ColdFusion resources is essentially the same for all resource types, with minor variances based on different resource types.
It is important to understand that you do not need to define rules for every ColdFusion resource type. Defining a rule for a particular resource says, in effect, "I want ColdFusion to check whether this person is authorized to access this resource." Because a rule is enforced only when it is associated with users and groups in a security policy, you need rules only for the resources and access you want checked, that is, for the exceptions to the default behavior.
In summary, you follow these steps.
First, specify ColdFusion resource types:
- You define a security context using the Administrator, Advanced Security pages. Part of defining a security context is specifying the resource types you want to secure. You can select multiple resource types.
- With your resource types selected, make sure you click the Apply button. Then click the Rules button.
Define rules for each resource type:
- From the Edit Security Context page, click the Rules button.
- Define a rule by entering the name of the rule you want and selecting the resource type from the list box. If the resource type you want is not listed in the list box, go back and edit the security context definition to include the resource type you want.
Create a new security policy:
- From the Edit Security Context page, click the Policies button.
- Enter a policy name that gives some indication of its purpose, such as WebTeam1, and click the Add button.
- In the New Security Policy page, enter a description of the policy and click Add. ColdFusion returns you to the Resource Policies page for the current security context.
- Click the name of the policy you just created. ColdFusion opens the Edit Security Policy page.
Associate users with the security context:
- At the Edit Security Policy page, you can change the name or description of the current policy. To associate users with this policy, click the Users button. ColdFusion opens the Users page for the current policy.
- If necessary, select a User Directory and click the Add/Remove button to open the Add/Remove Users page.
- Based on the user directory you chose, you see a list of available users on one side of the list control and a list of current users on the other. To add users to the current policy, select the users you want and click the arrow button that points toward the current-users list.
- Click the Back button to return to the Users page for the current policy. If you click the Back button one more time, you return to the Edit Security Policy page for the current policy where you can click the Map button to view a schematic of the current security structure.
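As an added illustration of the runtime use described earlier (the CFAUTHENTICATE bullet) and of the security context, rule and policy that the steps above produce, the following Application.cfm is example code written for this page, not Allaire's own. It assumes a security context named WebTeamContext that secures the Applications and DataSources resource types, an Application rule for an application named WebTeam, a DataSource rule for a data source named Editorial with an UPDATE action, a policy WebTeam1 that grants those rules to the editors, and a login.cfm that posts Form.UserName and Form.Password back to the requested page; every one of those names is an assumption. IsAuthenticated, IsAuthorized and AuthenticatedUser are the Advanced Security functions that accompany CFAUTHENTICATE.

```cfml
<!--- Application.cfm: added example, not from the Allaire documentation.
      Assumed names: security context "WebTeamContext", application "WebTeam",
      data source "Editorial", policy "WebTeam1", login page "login.cfm". --->
<CFAPPLICATION NAME="WebTeam" SESSIONMANAGEMENT="Yes">

<!--- Authenticate only when the login form was submitted and this request
      does not already carry a valid authentication for the context. --->
<CFIF NOT IsAuthenticated("WebTeamContext")
      AND IsDefined("Form.UserName") AND IsDefined("Form.Password")>
    <!--- THROWONFAILURE="No" lets this page decide what to do on a bad
          login instead of aborting with a security exception;
          SETCOOKIE="Yes" carries the authentication across later requests. --->
    <CFAUTHENTICATE SECURITYCONTEXT="WebTeamContext"
                    USERNAME="#Form.UserName#"
                    PASSWORD="#Form.Password#"
                    SETCOOKIE="Yes"
                    THROWONFAILURE="No">
</CFIF>

<!--- Not authenticated (no login yet, or the credentials were rejected):
      show the login form and stop, so the requested page never runs. --->
<CFIF NOT IsAuthenticated("WebTeamContext")>
    <CFINCLUDE TEMPLATE="login.cfm">
    <CFABORT>
</CFIF>

<!--- Authenticated, but authorized? IsAuthorized consults the rules and
      policies of the context bound by CFAUTHENTICATE. A user outside the
      WebTeam1 policy is a valid directory user who is still refused here. --->
<CFIF NOT IsAuthorized("Application", "WebTeam")>
    <CFOUTPUT>
        <P>#AuthenticatedUser()# is not permitted to use this application.</P>
    </CFOUTPUT>
    <CFABORT>
</CFIF>

<!--- A per-action check against the assumed DataSource rule. The page
      records the result so that update forms can be hidden or refused;
      "UPDATE" is the action name assumed to be configured in that rule. --->
<CFSET Request.CanUpdateEditorial = IsAuthorized("DataSource", "Editorial", "UPDATE")>
```

The two checks are deliberately separate: authentication proves who the caller is, while authorization asks whether a policy grants that user the rule for this resource. A user who exists in the directory but is not in WebTeam1 passes the first gate and is stopped at the second, which is the distinction the rule-and-policy model above is built to enforce.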
AllaireDoc@allaire.com
Copyright © 1998, Allaire Corporation. All rights reserved.