security.cfc

CFIDE.adminapi.security
Component security (security)

Manages passwords, RDS, and sandbox security.

hierarchy: WEB-INF.cftags.component
CFIDE.adminapi.base
CFIDE.adminapi.security
path: {web-root}\CFIDE\adminapi\security.cfc
serializable: Yes
properties:
methods: createDefaultSandboxes, deleteAllowedIPAddresses, deleteDisabledCFFunction, deleteDisabledCFTag, deleteDisabledDatasource, deleteSecuredFolder, deleteSecuredIPPort, deleteSecuritySandbox, deleteUser, disableRDSServlet*, enableRDSServlet*, formatPort*, getAllAdminRoles, getAllExposedServices, getAllowedIPList, getDefaultSecuritySandbox*, getDisabledCFFunctions, getDisabledCFTags, getDisabledDatasources, getEnableRDS, getEnableSandboxSecurity, getFunctionPermissionPosition*, getSecurableCFFunctions, getSecurableCFTags, getSecuredFolders, getSecuredIPPorts, getSecuritySandboxes, getTagPermissionPosition*, getUseAdminPassword, getUser, getUseRDSPassword, getUseSingleRDSPassword, isLoginUserIdRequired, isRAMAllFiles*, setAdminPassword, setAllowedIPAddresses, setDefaultFilePermission*, setDisabledCFFunction, setDisabledCFTag, setDisabledDatasource, setEnableRDS, setEnableSandboxSecurity, setLoginUserIdRequired, setRDSPassword, setSecuredFolder, setSecuredIPPort, setSecuritySandbox, setUseAdminPassword, setUser, setUseRDSPassword, setUseSingleRDSPassword, validateDirectory*
inherited methods: dump, getEdition, getInstallType, getJRunRootDir, isAdminUser, RDSInvoker, setJrunSN

* – private method

createDefaultSandboxes
public void createDefaultSandboxes (

)

Creates the default sandboxes needed to secure the ColdFusion Administrator and the WEB-INF system folder.

Output: suppressed

deleteAllowedIPAddresses
public void deleteAllowedIPAddresses ( required string debugip
)

Removes an IP address from client IP addresses that should be allowed to invoke exposed services.

Output: suppressed
Parameters:
debugip: string, required, debugip – List of IP addresses to remove.

deleteDisabledCFFunction
public void deleteDisabledCFFunction ( required directory, required functionName
)

Remove a function from the list of disabled functions in the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the function is enabled.
functionName: any, required, functionName – Specifies the name of the function to enable.

deleteDisabledCFTag
public void deleteDisabledCFTag ( required directory, required tag
)

Removes a tag from the list of disabled tags in the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the tag is enabled.
tag: any, required, tag – Specifies the name of the tag to be enabled.

deleteDisabledDatasource
public void deleteDisabledDatasource ( required directory, required datasource
)

Removes a data source from the list of disabled data sources in the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the data source is enabled.
datasource: any, required, datasource – Specifies the name of the data source to enable.

deleteSecuredFolder
public void deleteSecuredFolder ( required directory, required folder
)

Makes a folder inaccessible to a secured sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which a folder is disabled.
folder: any, required, folder – Specifies the path of the folder to be made inaccessible.

deleteSecuredIPPort
public deleteSecuredIPPort ( required directory, required IP, required PORT, portType="single"
)

Removes a specified IP address and port from restricted status.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the restriction is removed.
IP: any, required, IP – Specifies the target IP address.
PORT: any, required, PORT – Specifies the target port.
portType: any, optional, portType – Specifies the port type:

  • single – Single port
  • higher – The specified port and higher
  • lower – The specified port and lower
  • range – Specified range of ports
deleteSecuritySandbox
public void deleteSecuritySandbox ( required directory
)

Removes security sandbox restrictions for a directory.

Output: enabled
Parameters:
directory: any, required, directory – Specifies the directory of the security sandbox to be removed.

deleteUser
public void deleteUser ( required username
)

Removes the user.

Output: suppressed
Parameters:
username: any, required, username – Specifies the username of the user to delete.

disableRDSServlet*
private boolean disableRDSServlet (

)

Disables the servlet that performs RDS processing.

Output: suppressed

enableRDSServlet*
private boolean enableRDSServlet (

)

Enables the servlet that performs RDS processing.

Output: suppressed

formatPort*
private formatPort ( required port, required portType
)

Format a port based on the specified range.

Output:
Parameters:
port: any, required, port – Specifies the port number.
portType: any, required, portType – Specifies the range designation:

  • single
  • higher
  • lower
getAllAdminRoles
getAllAdminRoles (

)

Output:

getAllExposedServices
getAllExposedServices (

)

Output:

getAllowedIPList
public getAllowedIPList (

)

Returns a list of client IP addresses that should be allowed to invoke exposed services.

Output: suppressed

getDefaultSecuritySandbox*
private getDefaultSecuritySandbox ( required directory
)

Create the default structure for a blank sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the directory of the sandbox.

getDisabledCFFunctions
public getDisabledCFFunctions ( required directory
)

Returns an array of functions that have been disabled for the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which disabled functions are returned.

getDisabledCFTags
public getDisabledCFTags ( required directory
)

Returns an array of tags that have been disabled for the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which disabled tags are returned.

getDisabledDatasources
public array getDisabledDatasources ( required directory
)

Returns an array of data sources that have been disabled for the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which disabled data sources are returned.

getEnableRDS
public boolean getEnableRDS (

)

Checks whether RDS is enabled.

Output: suppressed

getEnableSandboxSecurity
public getEnableSandboxSecurity (

)

Checks whether sandbox security is enabled.

Output: suppressed

getFunctionPermissionPosition*
private getFunctionPermissionPosition ( required webapp, required directory
)

Returns the index in the function permissions array.

Output: suppressed
Parameters:
webapp: any, required, webapp – Specifies the name of the web application using the secured sandbox.
directory: any, required, directory – Specifies the sandbox directory for which the index is returned.

getSecurableCFFunctions
public getSecurableCFFunctions (

)

Returns an array of securable functions.

Output: suppressed

getSecurableCFTags
public getSecurableCFTags (

)

Returns an array of securable tags.

Output: suppressed

getSecuredFolders
public getSecuredFolders ( required directory
)

Returns an array of secured folders for the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which secured folders are returned.

getSecuredIPPorts
public getSecuredIPPorts ( required directory
)

Returns an array of secured ports for the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which secured ports are returned.

getSecuritySandboxes
public getSecuritySandboxes ( directory
)

Returns all security sandboxes or a specified sandbox.

Output: suppressed
Parameters:
directory: any, optional, directory – Sandbox directory to be returned.

getTagPermissionPosition*
private getTagPermissionPosition ( required webapp, required directory
)

Returns the index in the permissions array.

Output: suppressed
Parameters:
webapp: any, required, webapp – Specifies the name of the web application using the secured sandbox.
directory: any, required, directory – Specifies the sandbox directory for which the index is returned.

getUseAdminPassword
public getUseAdminPassword (

)

Checks whether ColdFusion Administrator security is required.

Output: suppressed

getUser
public struct getUser ( string username
)

Get all users or get single user by specifying a username.

Output: suppressed
Parameters:
username: string, optional, username – Specifies the username of the user to return.

getUseRDSPassword
public getUseRDSPassword (

)

Checks whether a Remote Development Services (RDS) password is required.

Output: suppressed

getUseSingleRDSPassword
public boolean getUseSingleRDSPassword (

)

Indicates whether or not a user is is required in addition to a password for logging in to RDS

Output: suppressed

isLoginUserIdRequired
public isLoginUserIdRequired (

)

Checks whether or not a user id is required in addition to a password in order to login. If this returns true, a user id must be passed to the login function in addition to a password.

Output: suppressed

isRAMAllFiles*
private boolean isRAMAllFiles ( required path
)

Checks if the argument is ram:///- or ram://-

Output: suppressed
Parameters:
path: any, required, path – specifies the path to the ram file

setAdminPassword
public setAdminPassword ( required string password
)

Sets the ColdFusion Administrator password.

Output: suppressed
Parameters:
password: string, required, password – Administrator password.

setAllowedIPAddresses
public void setAllowedIPAddresses ( required string debugip
)

Sets a list of one or more client IP addresses that should be allowed to invoke exposed services.

Output: suppressed
Parameters:
debugip: string, required, debugip – List of IP addresses.

setDefaultFilePermission*
private void setDefaultFilePermission ( required directory
)

Removes the wildcard and sets the permission for only the defined folder.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the directory to receive permission.

setDisabledCFFunction
public void setDisabledCFFunction ( required directory, required functionName
)

Disables the use of a function in the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the specified function is disabled.
functionName: any, required, functionName – Specifies the function to disable.

setDisabledCFTag
public void setDisabledCFTag ( required directory, required tag
)

Disables use of a tag in the sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the specified tag is disabled.
tag: any, required, tag – Specifies the tag to disable.

setDisabledDatasource
public void setDisabledDatasource ( required directory, required datasource
)

Disables use of a data source in the sandbox.

Output: enabled
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the data source is disabled.
datasource: any, required, datasource – Specifies the name of the data source to disable.

setEnableRDS
public void setEnableRDS ( required boolean flag
)

Specifies whether to enable or disable RDS.

Output: suppressed
Parameters:
flag: boolean, required, flag – Specify true or false.

setEnableSandboxSecurity
public void setEnableSandboxSecurity ( required boolean enable
)

Specifies whether to enable sandbox security.

Output: suppressed
Parameters:
enable: boolean, required, enable – True or False

setLoginUserIdRequired
public setLoginUserIdRequired ( required boolean isUserIdRequired
)

Sets whether or not a user id is required for login.

Output: suppressed
Parameters:
isUserIdRequired: boolean, required, isUserIdRequired

setRDSPassword
public setRDSPassword ( required string password
)

Sets the RDS password.

Output: suppressed
Parameters:
password: string, required, password – RDS password.

setSecuredFolder
public void setSecuredFolder ( required directory, required folder, fileRead="true", fileWrite="true", fileExecute="true", fileDelete="true"
)

Makes a folder accessible for the secured sandbox.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the folder is enabled.
folder: any, required, folder – Specifies the directory path of the folder to be enabled.
fileRead: any, optional, fileRead – Allow read permission.
fileWrite: any, optional, fileWrite – Allow write permission.
fileExecute: any, optional, fileExecute – Allow execute permission.
fileDelete: any, optional, fileDelete – Allow delete permission.

setSecuredIPPort
public setSecuredIPPort ( required directory, required IP, required PORT, portType="single"
)

Restrict the IP addresses and ports that ColdFusion tags can access.

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the sandbox directory for which the IP address and port are secured.
IP: any, required, IP – Specifies the IP address to restrict.
PORT: any, required, PORT – Specifies the port to restrict.
portType: any, optional, portType – Specifies the port type:

  • single – Single port
  • higher – The specified port and higher
  • lower – The specified port and lower
  • range – Specified range of ports
setSecuritySandbox
public void setSecuritySandbox ( required string directory, array sandbox
)

Creates a security sandbox for a specified directory.

Output: suppressed
Parameters:
directory: string, required, directory – Specifies a sandbox directory.
sandbox: array, optional, sandbox – The sandbox array object, which is an array of structures with each structure being a permission.

setUseAdminPassword
public void setUseAdminPassword ( required boolean useAdminPassword
)

Specifies whether ColdFusion Administrator security is required.

Output: suppressed
Parameters:
useAdminPassword: boolean, required, useAdminPassword – True or False

setUser
public void setUser ( required string username, required string password, string description="", array sandboxes="[runtime expression]", array roles="[runtime expression]", boolean allowrdsaccess="false", boolean allowadminaccess="false", boolean allowadminapiaccess="false", array services="[runtime expression]"
)

Add or Update a new user.

Output: suppressed
Parameters:
username: string, required, username – Specifies the username for this user.
password: string, required, password – Specifies the password for this user.
description: string, optional, description – Specifies a description of the user.
sandboxes: array, optional, sandboxes – Sandboxes user to allowed to access.
roles: array, optional, roles – Administrative roles assigned to user
allowrdsaccess: boolean, optional, allowrdsaccess – Specifies whether or not RDS access is allowed for this user.
allowadminaccess: boolean, optional, allowadminaccess – Specifies whether or not CF Administrator and Admin API access is allowed for this user.
allowadminapiaccess: boolean, optional, allowadminapiaccess – Specifies whether or not Admin API access is allowed for this user.
services: array, optional, services – Services user is allowed to access.

setUseRDSPassword
public void setUseRDSPassword ( required boolean useAdminPassword
)

Specifies whether RDS security is required.

Output: suppressed
Parameters:
useAdminPassword: boolean, required, useAdminPassword – Specify true or false.

setUseSingleRDSPassword
public setUseSingleRDSPassword ( required boolean useSingleRDSPassword
)

Sets whether or not to allow a user id in addition to a password for logging in to RDS

Output: suppressed
Parameters:
useSingleRDSPassword: boolean, required, useSingleRDSPassword

validateDirectory*
private validateDirectory ( required directory
)

Ensure that the directory starts with / and ends with /*

Output: suppressed
Parameters:
directory: any, required, directory – Specifies the directory to be secured.