Security section
The Security section
of the Administrator lets you configure the security frameworks
of ColdFusion.
For more information on security, see Administering Security.
Administrator page
Use the Administrator page of the Administrator to enable and disable password-restricted access to the Administrator, and to change the Administrator password. Restrict ColdFusion Administrator access to trusted users. You can also configure all users to use a single ColdFusion Administrator password, or allow only users defined in the User Manager and the root administrative user to have access to the ColdFusion Administrator.
Configurable seed for password encryption
The Administrator has an option to specify a new seed value used to encrypt data source passwords. To modify the default seed value assigned by ColdFusion, or to change a value you specified earlier, in the Password Seed section specify a new seed value of 8 to 500 characters, and then click Submit Changes.
Note: When you modify
the seed value, all data source connections are reset. Therefore,
Adobe recommends that you perform this task when the server is idle
or at the initial phase (after installation).
Support for concurrent login sessions for the same user
A user can log in and access an application through multiple concurrent login sessions. This option is enabled by default. If concurrent sessions are a security concern for your application, disable the option in the ColdFusion Administrator.
The following changes have been made to support multiple concurrent logins:
-
A new attribute, allowconcurrent, has been added to the <cflogin> tag to allow concurrent logins:
<cflogin allowconcurrent="true|false">
The default value is true. If allowconcurrent is set to true, the server allows concurrent logins for a user.
-
A new attribute, session, has been added to the <cflogout> tag to select which sessions of the user to log out:
<cflogout session="all|current|others">
The default value is current. If session is set to all, all authenticated sessions for the current user are terminated; if it is set to current, only the current session is terminated; and if it is set to others, all sessions except the current one are terminated.
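A worked example of the two attributes together, added here and not taken from the original page or from Adobe's own samples: an Application.cfc request handler that refuses concurrent sessions for a user, and a logout link that ends either the current session only or every other session of the same user. The form is assumed to post the j_username and j_password fields that <cflogin> reads; validateUser() and loginform.cfm are hypothetical application pieces.

```cfml
<!--- Added example (not from the original page). Assumes an application function
      validateUser() and a template loginform.cfm that posts j_username/j_password. --->
<cfcomponent>
    <cfset this.name = "concurrentLoginDemo">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean">
        <cfargument name="targetPage" type="string" required="true">

        <!--- ?logoutOthers keeps this session and ends every other session of this user;
              ?logout ends only this session (session="current" is the default) --->
        <cfif structKeyExists(url, "logoutOthers")>
            <cflogout session="others">
        <cfelseif structKeyExists(url, "logout")>
            <cflogout session="current">
        </cfif>

        <!--- allowconcurrent="false": the same user name cannot hold more than one
              authenticated session at a time --->
        <cflogin allowconcurrent="false">
            <cfif isDefined("cflogin")>
                <!--- validateUser() is a hypothetical application function --->
                <cfif validateUser(cflogin.name, cflogin.password)>
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
                <cfelse>
                    <cfinclude template="loginform.cfm">
                    <cfabort>
                </cfif>
            <cfelse>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cflogin>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because a logout is processed before <cflogin> runs, a request carrying ?logout falls straight through to the login form again, which is the behaviour you want for a "log out everywhere else" or "log out here" link.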
To enable or disable concurrent login sessions for the Administrator, perform the following tasks:
- Log in to the ColdFusion Administrator
- Go to Security > Administrator Page
- Select or clear Allow Concurrent Login Sessions for Administrator Console
By default, concurrent login sessions are enabled. When the secure profile is enabled, concurrent login is disabled.
RDS page
Use the RDS page to enable and disable password-restricted RDS access to server resources from Adobe Macromedia Dreamweaver MX, Adobe Macromedia HomeSite+, ColdFusion Extensions for Eclipse, or the ColdFusion Report Builder, and to change the RDS password.
You can also configure all users to use a single RDS password, or allow only users defined in the User Manager to have access through RDS. The RDS password must be between 5 and 50 characters. On production servers, disable RDS unless it is required: it exposes file system and data source access to anyone who can reach the RDS endpoint with the password.
Sandbox security page
You use the Sandbox Security page (called Resource Security in the Standard Edition) to specify security permissions for data sources, tags, functions, files, directories, IP addresses, ports, and runtime permissions.
Sandbox security uses the location of your ColdFusion pages to determine functionality. A sandbox is a designated area (CFM files or directories that contain CFM files) of your site to which you apply security restrictions. By default, a subdirectory (or child directory) inherits the sandbox settings of the directory one level above it (the parent directory). If you define sandbox settings for a subdirectory, you override the sandbox settings inherited from the parent directory.
Use sandbox security to control access to the following:
Data sources
Tags
Functions
Files and directories
IP addresses and ports
You can also edit runtime permissions for ColdFusion pages.
Note: If you have enabled
sandbox security and want to use the Administrator API, enable access
to the CFIDE/adminapi directory.
For details, see Using sandbox security.
User Manager page
Use the User Manager page to specify the user name, password, description, access rights, exposed services, sandboxes, and allowed roles for individual users. This page is especially useful for web hosting when multiple ColdFusion applications are on one server, each maintained by a different user or organization.
You can grant access to the ColdFusion Administrator, which also grants access to the Administrator API.
If the administrator revokes the role of a user while the user is logged in, the revocation takes effect only when the user logs in again; until then the user keeps the rights of the current session.
The default user ID of the root administrator is admin. To change the administrator user ID, edit (or add) the following entry in the neo-security.xml file, replacing admin with the user ID to use:
<var name='admin.userid.root'>
<string>admin</string>
</var>
Add a user
The User Manager lets you create users that have individually tailored access to portions of the ColdFusion Administrator, the Administrator API, or RDS.
Note: To grant ColdFusion Administrator permissions to multiple users, in addition to creating users on the User Manager page, you must select the Separate Username And Password Authentication option on the Security > Administrator page. Similarly, you must select the Separate Username And Password Authentication option on the RDS page to grant RDS access to multiple users.
In Security > User Manager, click Add User.
Specify the username, password, and then confirm the password.
Optionally, enter a description.
Select the following options:
Select the ColdFusion Administrator pages that you want the
user to be able to access.
Select any sandboxes that you want the user to be able to
access.
Select the services that you want the user to be able to
access.
Click Add User.
Note: To select multiple contiguous sandboxes or roles, press
the Shift key while making selections. To select multiple noncontiguous
sandboxes or roles, press the Control key while making selections.
After you create a user, you must log in to the ColdFusion Administrator using both a username and password. The default username for the root administrator is admin; to change it, edit the admin.userid.root entry in the neo-security.xml file as described above.
When you grant access to specific Administrator pages, the user sees only those pages after logging in to the Administrator. When you grant Administrator API access and select roles, the user can access the API only for the pages you specified.
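An added example, not taken from the original page, of what the per-page Administrator API restriction looks like from code: a User Manager account logs in to the Administrator API and tries one Data Sources call. It assumes Separate Username And Password Authentication is selected on Security > Administrator, that the Data Sources page is either granted or not granted to the user, and that CFIDE/adminapi is reachable under sandbox security; the user name and password are placeholders.

```cfml
<!--- Added example (not from the original page). Placeholder credentials; the user
      "dsoperator" is assumed to exist in the User Manager. --->
<cfscript>
adminApi = createObject("component", "cfide.adminapi.administrator");
// login(adminPassword, adminUserId): the second argument is the User Manager username;
// omitting it authenticates as the root administrator with the single Administrator password
adminApi.login("placeholder-password", "dsoperator");
try {
    dsApi = createObject("component", "cfide.adminapi.datasource");
    // Succeeds only if the user's roles include the Data Sources page
    writeOutput("Data sources: " & structKeyList(dsApi.getDatasources()));
} catch (any e) {
    // A user whose roles do not include the Data Sources page is denied here
    writeOutput("Admin API call denied: " & encodeForHTML(e.message));
} finally {
    // Always release the Administrator API session
    adminApi.logout();
}
</cfscript>
```

Run the same template twice, once with the Data Sources page granted to the user and once without, to confirm that the role check is enforced by the API and not only by the Administrator user interface.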
For information on editing an existing user configuration, see Edit User Configuration.
User Sandboxes
If you change the pages or sandboxes to which a user is allowed access while that user is logged in to the Administrator, the changes take effect only after the user logs out and then logs in again. For details about creating sandboxes, see Configure ColdFusion security.
Exposed Services
ColdFusion exposes existing enterprise services as web services. You can access these services using SOAP and AMF/Flash Remoting. You can select the services available to a user from the Exposed Services section of the User Manager page. The section has two list boxes, Allowed Services and Prohibited Services. To move services between them, press CTRL and select the services, then click >> to move them to Prohibited Services or << to move them to Allowed Services. Click Edit User to apply the changes to the user settings.
The exposed services are the Mail Service, Document Service, PDF Service, Image Service, Chart Service, POP Service, and Exchange Service. For example, a user might have all of these in Allowed Services except the Exchange Service, which is in Prohibited Services.
You can secure the exposed services to prevent access by unknown applications or users. This is done by configuring the client IP address range from which the services are accessible, and by setting up user access control for the services as described above.
Edit user configuration
In the User Manager page, click either the user name in the User column or the Edit icon in the Action column. The User Manager page opens in Edit mode, where you can reconfigure the user account settings such as the password, RDS and Administrator access, sandboxes, and the exposed services for the user.
Note: You cannot change the user authentication type in Edit mode.
Allowed IP Addresses
Specify the client IP addresses that are permitted to access exposed services.
Changes in Secure Profile
With ColdFusion 11 and above, you can use Secure Profile to configure selected settings to Adobe's recommended secure defaults. Secure Profile can be enabled during installation, and you can also provide a list of IP addresses that are allowed to access the Administrator console. In ColdFusion 11, the Secure Profile configuration facility is extended to the Administrator console to support post-installation configuration.
To do this, in the ColdFusion Administrator console, select Security > Secure Profile and select the Enable Secure Profile check box to apply ColdFusion's recommended default secure profile settings.
Administrator settings affected by enabling Secure Profile
A table shows, for each affected setting, the current value, the secure default value, and the value at the time you enabled Secure Profile.
Select or clear the Enable Secure Profile check box to switch between Secure and Normal modes.
When installing ColdFusion Server, you can enable Secure Profile by selecting the option when prompted on the Secure Profile screen. You can also provide a comma-separated list of IP addresses that are allowed to access the ColdFusion Administrator. In ColdFusion 11, Secure Profile has been enhanced to also handle access to other internal components. For instance, you can set restrictions for the following URLs:
- CFIDE/main/*
- CFIDE/adminapi/*
- CFIDE/administrator/*
- CFIDE/componentutils/*
- CFIDE/wizards/*
- CFIDE/servermanager/*
To allow IP addresses to access the internal ColdFusion components, perform the following tasks:
- Log in to the ColdFusion Administrator
- Click Security > Allowed IP Addresses
- Go to the Allowed IP Addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories section and add the individual IP addresses that are permitted to access the internal components.
Treat this list as one layer of protection: a request still reaches ColdFusion before it is rejected, so also restrict the CFIDE directories at the web server or firewall, as Adobe's lockdown guides recommend.