
Last updated 7/9/2012
Chapter 7: Administering Security
You can secure many Adobe ColdFusion resources using password authentication and configure sandbox security.
About ColdFusion security
Security is especially important in web-based applications, such as those you develop in ColdFusion. ColdFusion
developers and administrators must fully understand the security risks that could affect their development and
runtime environments so they can enable and restrict access appropriately.
Whether you have an e-commerce site where customers enter credit card information or a global collaboration site
where users share confidential data, you should understand the security risks that could threaten your web
applications.
• Snooping and eavesdropping: Someone can monitor data sent over the public connections of the web.
• User impersonation: Someone can impersonate a trusted user to gain access to information that only the trusted
user should see or download.
• Unauthorized access: Unauthorized users can gain access to sensitive information. This security risk is the most
complex because the Internet links every computer to one large network. Completely allowing or disallowing access
to a given system or data source is relatively straightforward, but allowing the partial access required for an
application to be useful remains risky. For example, a bank can easily publish a public, freely accessible site with
general banking information. Creating an account maintenance site where users have exclusive access to their own
personal account information is more difficult.
ColdFusion provides a highly secure environment for web application development and deployment. It helps you
reduce security risks in the following ways:
• Encryption: Use of the Secure Sockets Layer (SSL) protocol prevents snooping, eavesdropping, and message
tampering as information passes between clients and servers. SSL, which is supported by most web servers, encrypts
Internet protocols (such as HTTP) with public key cryptography. A private key resides on the server to decrypt
inbound data and encrypt outbound data. After the key is installed, the web server automatically handles encryption
and decryption.
• Authentication: Authentication checks whether someone is a valid system user. It prompts a user for a unique
login or user name, and a password or personal identification number (PIN).
• Access Control: Authenticated users have access to particular features or components based on security clearance,
group affiliation, or other criteria specified by the developer.
You can implement development security by requiring a password to use the ColdFusion Administrator and a
password for Remote Development Services (RDS), which allows developers to develop CFML pages remotely. You
implement runtime security in your CFML pages and in the ColdFusion Administrator. ColdFusion has the following
runtime security categories:
User security
Programmatically determine the logged-in user and allow or disallow restricted functionality based on
the roles assigned to that user. For more information about user security, see ColdFusion security features in Securing
Applications in the Developing ColdFusion Applications.
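As an added example, not taken from the Adobe documentation, the following CFML shows that role-based user security in practice: Application.cfc authenticates the login against a constructed in-memory user store and binds the stored roles to the session with cfloginuser, and a page gates an admin-only action with IsUserInRole. The account names, passwords, the "admin" role name and the in-memory store are all assumptions; a real site would check salted password hashes held in a datasource.

```cfml
<!--- Application.cfc: constructed example, not from the Adobe documentation.
      application.users is an in-memory stand-in for a real credential store;
      hashes are computed at startup only so the example runs stand-alone. --->
<cfcomponent>
  <cfset this.name = "RoleDemo">
  <cfset this.sessionManagement = true>
  <cfset this.loginStorage = "session">

  <cffunction name="onApplicationStart" returntype="boolean">
    <cfset application.users = {
      "alice" = { hash = Hash("alice-pw-EXAMPLE", "SHA-256"), roles = "admin,user" },
      "bob"   = { hash = Hash("bob-pw-EXAMPLE", "SHA-256"),   roles = "user" }
    }>
    <cfreturn true>
  </cffunction>

  <cffunction name="onRequestStart" returntype="boolean">
    <!--- The cflogin body runs only while no user is logged in for this session.
          cflogin.name and cflogin.password come from the j_username and
          j_password form fields (or from HTTP Basic credentials). --->
    <cflogin>
      <cfif IsDefined("cflogin")
            and StructKeyExists(application.users, cflogin.name)
            and application.users[cflogin.name].hash eq Hash(cflogin.password, "SHA-256")>
        <!--- Verified: bind the stored role list to this user's session. --->
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                     roles="#application.users[cflogin.name].roles#">
      <cfelse>
        <!--- No or invalid credentials: show a login form and stop the request. --->
        <cfoutput>
          <form method="post" action="#CGI.SCRIPT_NAME#">
            <input name="j_username"> <input name="j_password" type="password">
            <input type="submit" value="Log in">
          </form>
        </cfoutput>
        <cfabort>
      </cfif>
    </cflogin>
    <cfreturn true>
  </cffunction>
</cfcomponent>

<!--- admin.cfm: restricted functionality gated on the "admin" role (an assumed role name). --->
<cfif IsUserInRole("admin")>
  <cfoutput>#GetAuthUser()# may run the admin-only action.</cfoutput>
<cfelse>
  <cfheader statuscode="403" statustext="Forbidden">
  <cfoutput>#GetAuthUser()# is logged in but is not an admin.</cfoutput>
</cfif>
```

Because the role list is set server-side from the store at login, a user cannot elevate by editing a form field; only the Administrator-level and datasource-level controls decide which roles exist.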
Sandbox security
Using the ColdFusion Administrator, define the actions and resources that the ColdFusion pages in
and below a specified directory can use.