Security section

The Security section of the Administrator lets you configure the security frameworks of ColdFusion.

For more information on security, see Administering Security.

Administrator page

Use the Administrator page of the Administrator to enable and disable password-restricted access to the Administrator, and to change the Administrator password. Restrict ColdFusion Administrator access to trusted users. You can also configure all users to use a single ColdFusion Administrator password or allow only users defined in the User Manager and the root administrative user to have access to the ColdFusion Administrator.

Configurable seed for password encryption

The Administrator has an option to specify a new seed value used to encrypt data source passwords. To modify the default seed value assigned by ColdFusion, or to change a value that you specified earlier:
  1. In the Password Seed section, specify a new seed value of 8 to 500 characters.

  2. Click Submit Changes.

Note: When you modify the seed value, all data source connections are reset. Therefore, Adobe recommends that you perform this task when the server is idle or at the initial phase (after installation).

RDS page

Use the RDS page to enable and disable password-restricted RDS access to server resources from Adobe Macromedia Dreamweaver MX, Adobe Macromedia HomeSite+, ColdFusion Extensions for Eclipse, or the ColdFusion Report Builder, and to change the RDS password.

You can also configure all users to use a single RDS password, or allow only users defined in the User Manager to have access through RDS. The minimum character limit is 5 and the maximum character limit is 50.

Sandbox security page

You use the Sandbox Security page (called Resource Security in the Standard Edition) to specify security permissions for data sources, tags, functions, files, directories, IP addresses, ports, and runtime permissions.

Sandbox security uses the location of your ColdFusion pages to determine functionality. A sandbox is a designated area (CFM files or directories that contain CFM files) of your site to which you apply security restrictions. By default, a subdirectory (or child directory) inherits the sandbox settings of the directory one level above it (the parent directory). If you define sandbox settings for a subdirectory, you override the sandbox settings inherited from the parent directory.
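The inherit-from-parent and override-in-child rule described above, modelled as an added example (not ColdFusion's own implementation): the sandbox that applies to a CFM file is the nearest ancestor directory with an explicit definition. The sandbox directories, their settings and the file paths are constructed for the example; matching is done on path components rather than string prefixes so that a directory such as /web/site2 is never treated as inside the /web/site sandbox.

```python
from pathlib import PurePosixPath

# Constructed sample: only these directories have explicit sandbox definitions.
# Every other directory inherits from its nearest ancestor that has one.
SANDBOXES = {
    "/web/site": {"datasources": {"siteDB"}, "tags": {"cfquery"}},
    "/web/site/reports": {"datasources": {"reportsDB"}, "tags": {"cfquery", "cfchart"}},
}


def effective_sandbox(cfm_path, sandboxes):
    """Return (sandbox_dir, settings) that governs the CFM file at cfm_path.

    The deepest sandbox directory that is the file's directory or one of its
    ancestors wins: a child directory with its own definition overrides the
    parent, a child without one inherits the parent's settings.
    """
    target = PurePosixPath(cfm_path)
    # A path with '..' segments could name a file outside the directory its
    # text suggests, so it is rejected instead of being matched textually.
    if ".." in target.parts:
        raise ValueError("relative segments are not allowed: %s" % cfm_path)
    best = None
    for sandbox_dir, settings in sandboxes.items():
        sb = PurePosixPath(sandbox_dir)
        # Component-wise containment: '/web/site' is not a parent of '/web/site2/x.cfm'.
        if sb == target or sb in target.parents:
            if best is None or len(sb.parts) > len(best[0].parts):
                best = (sb, settings)
    if best is None:
        return None, None
    return str(best[0]), best[1]


def is_allowed(cfm_path, kind, name, sandboxes=SANDBOXES):
    """True if the CFM at cfm_path may use the named tag or data source."""
    _, settings = effective_sandbox(cfm_path, sandboxes)
    if settings is None:
        return False  # no sandbox covers this file: deny rather than guess
    return name in settings.get(kind, set())


if __name__ == "__main__":
    print(effective_sandbox("/web/site/reports/q1.cfm", SANDBOXES))
    print(effective_sandbox("/web/site/admin/x.cfm", SANDBOXES))
```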

Use sandbox security to control access to the following:

  • Data sources

  • Tags

  • Functions

  • Files and directories

  • IP addresses and ports

You can also edit runtime permissions for ColdFusion pages.

Note: If you have enabled sandbox security and want to use the Administrator API, enable access to the CFIDE/adminapi directory.

For details, see Using sandbox security.

User Manager page

Use the User Manager page to specify the user name, password, description, access rights, exposed services, sandboxes, and allowed roles for individual users. This page is especially useful for web hosting when multiple ColdFusion applications are on one server, each maintained by a different user or organization.

You can grant access to the ColdFusion Administrator, which also grants access to the Administrator API.

If the administrator revokes the role of a user while the user is logged in, the revocation takes effect only when the user logs in again.

The default user ID of an administrator is admin. To change the administrator user ID, add the following in the neo-security.xml file, replacing admin with the user ID to use:

<var name='admin.userid.root'>
    <string>admin</string>
</var>

Add a user

The User Manager lets you create users that have individually tailored access to portions of the ColdFusion Administrator, the Administrator API, or RDS access.

Note: To grant ColdFusion Administrator permissions to multiple users, in addition to creating users on the User Manager page, you must select the Separate Username And Password Authentication option on the Security > Administrator page. Similarly, you must select the Separate Username And Password Authentication option on the RDS page to grant RDS access to multiple users.
  1. In Security > User Manager, click Add User.

  2. Specify the username, password, and then confirm the password.

  3. Optionally, enter a description.

  4. Select the following options:

    • Allow RDS access

    • Allow Administrative access: Select one of the following: Administrator Console & API Access or API Access Only.

  5. Select the ColdFusion Administrator pages that you want the user to be able to access.

  6. Select any sandboxes that you want the user to be able to access.

  7. Select the services that you want the user to be able to access.

  8. Click Add User.

Note: To select multiple contiguous sandboxes or roles, press the Shift key while making selections. To select multiple noncontiguous sandboxes or roles, press the Control key while making selections.

After you create a user, you must log into the ColdFusion Administrator using both a username and password. The default username for the root administrator is admin. To change it, you must edit the neo-security.xml file by changing the string "admin" in admin.userid.root, as follows:

<var name="admin.userid.root">
    <string>admin</string>
</var>

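An added helper (not part of ColdFusion or this page) for the admin.userid.root edit shown here and in the User Manager section above: it locates the var element by name, requires exactly one such entry, rejects an empty or whitespace-containing ID, and keeps a backup of the file before writing. The XML fragment embedded below is constructed around the snippet from the page and is not a full neo-security.xml.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed fragment: the page's <var> element wrapped in a minimal packet
# so the parser has a single root. A real neo-security.xml holds many vars.
SAMPLE_NEO_SECURITY = """<wddxPacket version='1.0'><data><struct>
<var name='admin.userid.root'>
    <string>admin</string>
</var>
<var name='admin.security.enabled'>
    <boolean value='true'/>
</var>
</struct></data></wddxPacket>"""

ROOT_ID_XPATH = ".//var[@name='admin.userid.root']/string"


def get_root_admin_userid(xml_text):
    """Return the current root administrator user ID, or None if absent."""
    node = ET.fromstring(xml_text).find(ROOT_ID_XPATH)
    return None if node is None else node.text


def set_root_admin_userid(xml_text, new_id):
    """Return xml_text with admin.userid.root set to new_id.

    Refuses ambiguous files (zero or several entries) and IDs that are
    empty or contain whitespace, which would not make a usable login name.
    """
    if not new_id or any(c.isspace() for c in new_id):
        raise ValueError("user ID must be non-empty and contain no whitespace")
    root = ET.fromstring(xml_text)
    nodes = root.findall(ROOT_ID_XPATH)
    if len(nodes) != 1:
        raise ValueError("expected one admin.userid.root entry, found %d" % len(nodes))
    nodes[0].text = new_id
    # ElementTree drops XML comments on round-trip; review the result before deploying.
    return ET.tostring(root, encoding="unicode")


def update_neo_security_file(path, new_id):
    """Rewrite the file in place after saving a .bak copy; returns the backup path."""
    target = Path(path)
    backup = target.with_suffix(target.suffix + ".bak")
    shutil.copy2(target, backup)
    target.write_text(set_root_admin_userid(target.read_text(), new_id))
    return backup


if __name__ == "__main__":
    print(get_root_admin_userid(set_root_admin_userid(SAMPLE_NEO_SECURITY, "cfroot")))
```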
When you grant access to specific Administrator pages, the user sees only those pages after logging in to the Administrator. When you grant Administrator API access and select roles, the user can access the API only for the pages you specified.

For information about editing an existing user configuration, see Edit user configuration.

User Sandboxes

If you change the pages or sandboxes to which a user is allowed access while that user is logged in to the Administrator, the changes take effect only after the user logs out, and then logs in again. For details about creating sandboxes, see Configure ColdFusion security.

Exposed Services

ColdFusion exposes existing enterprise services as web services. You can access these services using SOAP and AMF/Flash remoting. You can select the services available to a user from the Exposed Services section. By default, all the services are listed in the Allowed Services list box. Press CTRL, select the services that you do not want the user to use, and click the >> button.

Now, click Edit User to implement the changes to the user settings. The following are the exposed services:

  • Allowed services: Mail Service, Document Service, PDF Service, Image Service, Chart Service, POP Service

  • Prohibited services: Exchange Service

You can secure the exposed services to prevent access by unknown applications or users. This can be done by configuring the client IP address range from which the services are accessible. You can also set up user access control for the services. On the Security > User Manager page, you can select the services available to a user from the Exposed Services section. By default, all the services are listed in the Prohibited Services list box. Press CTRL, select the services that you want the user to use, and click the << button. Then click Edit User to apply the changes to the user settings.

Edit user configuration

In the User Manager page, click either the user name link in the User column or the Edit icon in the Action column. The User Manager page opens in Edit mode, where you can reconfigure the user account settings such as the password, RDS and Administrator access, assigned sandboxes, and the exposed services for the user.

Note: You cannot change the user authentication type in Edit mode.

Allowed IP Addresses

Specify client IP addresses that have the permission to access exposed services.
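The two controls on exposed services described above, the client IP address range and the per-user Allowed/Prohibited service lists, combined into one access decision as an added example (not ColdFusion's own code). The user names, address ranges and list contents are constructed; the service names are those listed on the page. The decision is deny by default: a call succeeds only when the client address is inside an allowed range and the service is in that user's Allowed list and not in the Prohibited list.

```python
import ipaddress

# Constructed configuration for the example.
ALLOWED_CLIENT_RANGES = ["10.0.0.0/8", "192.168.1.0/24"]

USERS = {
    "reportsuser": {
        "allowed": {"Mail Service", "PDF Service", "Chart Service"},
        "prohibited": {"Exchange Service"},
    },
    "imagesuser": {"allowed": {"Image Service"}, "prohibited": set()},
}


def client_ip_permitted(client_ip, ranges=ALLOWED_CLIENT_RANGES):
    """True if client_ip falls inside one of the configured address ranges.

    Unparseable addresses are treated as not permitted rather than raising,
    so a malformed header value cannot bypass the check.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # strict=True rejects ranges with host bits set, e.g. "10.1.2.3/8".
    return any(addr in ipaddress.ip_network(r, strict=True) for r in ranges)


def service_call_permitted(user, service, client_ip, users=USERS, ranges=ALLOWED_CLIENT_RANGES):
    """Return (allowed, reason) for one exposed-service request."""
    # The IP restriction is evaluated first and applies to every user.
    if not client_ip_permitted(client_ip, ranges):
        return False, "client IP not in an allowed range"
    profile = users.get(user)
    if profile is None:
        return False, "unknown user"
    if service in profile["prohibited"]:
        return False, "service is prohibited for this user"
    if service not in profile["allowed"]:
        return False, "service is not exposed to this user"
    return True, "ok"


if __name__ == "__main__":
    print(service_call_permitted("reportsuser", "PDF Service", "10.20.30.40"))
    print(service_call_permitted("reportsuser", "Exchange Service", "10.20.30.40"))
```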