Using Advanced Security


Advanced security is a useful feature of ColdFusion administration. As mentioned, user security and Sandbox security are managed through advanced security. By default, advanced security is disabled.

Elements of Advanced Security Implementation

Advanced security in ColdFusion is implemented using the following elements:

  • User directories

  • Resources

  • Rules

  • Policies

  • Security contexts

  • ColdFusion Server

User Directories

User directories provide a list of user information for authentication. The information that is used for authentication includes the user identity, the password, and the group. After the user provides this data at the time of login, ColdFusion verifies the credentials of the user. The user directory can be a Windows NT domain, an ODBC data source, or an LDAP directory.

When a security context is created, you can select users and groups from a user directory and assign them access rights to ColdFusion resources. You can then include code in your applications that checks whether a user has rights to a ColdFusion resource.

Resources

The objective of the ColdFusion security system is to provide selective access to resources. The resources that can be protected are as follows:

  • Applications

  • ColdFusion tags

  • ColdFusion functions

  • Custom tags

  • Data sources

  • Files and directories

  • User objects

  • Users

  • Verity collections

  • Components

Verity collections are discussed in Chapter 20, "Understanding the Verity Search Engine."

Besides selecting the resource to be protected, you also need to specify the kind of protection you want to give to that resource. For example, you can decide not to provide access to the files in a certain directory. You could also specify certain data sources that cannot be updated.

Rules

Rules enable you to identify the resources to which you want to restrict access. A resource isn't secure until you build a rule to protect it. When you create a rule, you need to create a policy that gives access rights to a group of users.

If you create a rule but don't create a policy to administer the rule, users won't be able to access the resources that the rule protects. For example, you can specify

  • Which SQL statements are allowed to be executed for a specific data source

  • Which CFML tag actions are restricted

  • Whether inserts or updates should be restricted for a specific data source

Policies

When you specify a resource to protect, you need to create a policy for using that resource. A policy ties a resource to a user group together with the type of access permitted. If you've specified a resource to protect without including it in any policy, by default no user has access to that resource.

Security Contexts

A security context is a container for logically related groups of policies. You can have many security contexts in your development environment; ideally, each development group has its own. This is especially important when several developer groups access remote ColdFusion resources.

ColdFusion Server

You need to specify a server that acts as the security server for your environment. Specify the hostname or IP address where the security authentication and authorization services run and are used to authenticate individual users or groups.

ColdFusion advanced security is implemented by defining the following elements in the specified order:

  1. A security server

  2. A security context

  3. A user directory, either an NT domain or an LDAP directory

  4. Rules

  5. Users and groups for whom the rules will apply

  6. Policies
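The decision logic that the Rules, Policies and Security Contexts sections describe, and the implementation order just listed, are easy to get wrong in two directions: a resource that no rule names is open to everyone, and a rule with no policy behind it is closed to everyone, administrators included. The following Python model is an added illustration, not ColdFusion's own code or configuration format: the element names follow the chapter, while the data structures, function names, the sample users, groups, data source and directory are all constructed for this example. It builds a context in the chapter's order (rules first, then users and groups, then policies) and evaluates requests against it.

```python
"""Toy model of how ColdFusion advanced security decides access.

Added illustration, not ColdFusion's own code: the element names (user
directory, resources, rules, policies, security context) follow the chapter,
but every data structure, function name and sample value below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """Identifies one resource and the actions on it that are restricted."""
    name: str
    resource_type: str        # e.g. "DataSource", "File", "CFML"
    resource_name: str
    actions: frozenset        # restricted actions; "ALL" restricts everything


@dataclass(frozen=True)
class Policy:
    """Grants the rights restricted by one rule to a set of groups."""
    name: str
    rule_name: str
    groups: frozenset


@dataclass
class SecurityContext:
    """Container for a logically related set of rules and policies."""
    name: str
    rules: dict = field(default_factory=dict)
    policies: list = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        self.rules[rule.name] = rule

    def add_policy(self, policy: Policy) -> None:
        # Chapter order: the rule must exist before a policy can administer it.
        if policy.rule_name not in self.rules:
            raise ValueError(f"policy {policy.name!r} names unknown rule {policy.rule_name!r}")
        self.policies.append(policy)


def _pw_hash(password: str) -> str:
    # Toy credential store standing in for the NT domain / LDAP / ODBC directory.
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


# Constructed user directory: identity -> (password hash, group membership).
USER_DIRECTORY = {
    "alice": (_pw_hash("alice-pass"), frozenset({"developers"})),
    "bob":   (_pw_hash("bob-pass"),   frozenset({"dba"})),
}


def authenticate(username: str, password: str):
    """Return the user's groups on success, None on failure."""
    entry = USER_DIRECTORY.get(username)
    if entry is None:
        return None
    stored_hash, groups = entry
    if not hmac.compare_digest(stored_hash, _pw_hash(password)):
        return None
    return set(groups)


def is_authorized(ctx: SecurityContext, groups, resource_type: str,
                  resource_name: str, action: str) -> bool:
    """No rule covers the resource/action: unprotected, allow.
    A rule covers it: allow only if a policy for that rule names one of the
    caller's groups, so a rule with no policy denies everyone.  When several
    rules cover it, this model requires all of them to be satisfied (a
    conservative choice made for the example)."""
    matching = [r for r in ctx.rules.values()
                if r.resource_type == resource_type and r.resource_name == resource_name
                and (action in r.actions or "ALL" in r.actions)]
    if not matching:
        return True
    return all(any(p.rule_name == r.name and groups & p.groups for p in ctx.policies)
               for r in matching)


def build_demo_context() -> SecurityContext:
    """Constructed context: writes to one data source are restricted to DBAs,
    and a file rule exists with no policy, so nobody at all can write there."""
    ctx = SecurityContext("Orders")
    ctx.add_rule(Rule("orders-writes", "DataSource", "orders_db",
                      frozenset({"INSERT", "UPDATE", "DELETE"})))
    ctx.add_policy(Policy("dba-may-write", "orders-writes", frozenset({"dba"})))
    ctx.add_rule(Rule("reports-dir", "File", "/reports", frozenset({"Write"})))  # no policy
    return ctx


def check(ctx: SecurityContext, username: str, password: str,
          resource_type: str, resource_name: str, action: str) -> bool:
    """Full path: authenticate against the directory, then authorize."""
    groups = authenticate(username, password)
    if groups is None:
        return False
    return is_authorized(ctx, groups, resource_type, resource_name, action)


if __name__ == "__main__":
    ctx = build_demo_context()
    for who, pw, rtype, rname, act in [
        ("alice", "alice-pass", "DataSource", "orders_db", "SELECT"),
        ("alice", "alice-pass", "DataSource", "orders_db", "INSERT"),
        ("bob",   "bob-pass",   "DataSource", "orders_db", "INSERT"),
        ("bob",   "bob-pass",   "File",       "/reports",  "Write"),
    ]:
        verdict = "allow" if check(ctx, who, pw, rtype, rname, act) else "deny"
        print(f"{who:5} {act:6} {rtype}:{rname} -> {verdict}")
```

Running the block shows the developer's SELECT allowed (no rule restricts it), the developer's INSERT denied and the DBA's INSERT allowed (rule plus policy), and the DBA's write to /reports denied because that rule has no policy. The last case is the one to watch for when a rule is created and its policy is forgotten.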

Types of Advanced Security Implementation

Using the elements in advanced security, you can implement various types of security mechanisms. The commonly used security mechanisms are as follows:

  • User security

  • Remote Development Services (RDS) security

  • Server Sandbox security

  • Administrator security

Sandbox security is discussed in the next section separately, while the others are discussed in this section.

Securing Applications with User Security

This mechanism offers runtime user authentication and authorization. It authenticates users in a ColdFusion application and then assigns privileges based on the applicable ColdFusion security context. ColdFusion developers implement user security.

To implement user security, the ColdFusion administrator needs to

  • Set up the security server.

  • Set up user directories to authenticate against an NT domain, an LDAP directory, or an ODBC data source.

  • Create a security context for the application.

  • Specify individual resources to protect and set up policies that match secure resources with authorized users and groups.

RDS

RDS security authenticates a Dreamweaver MX developer before the developer is allowed to access protected ColdFusion resources, such as data sources, files, and directories.

RDS security is used as the security framework in a multiple developer group environment. Various groups require different levels of access to ColdFusion files and data sources. While working in ColdFusion Studio, various groups access these ColdFusion resources remotely, opening *.cfm files or accessing data sources. RDS security authenticates users and grants them access only to the resources appropriate to their group.

A ColdFusion administrator implements RDS advanced security for developers working in ColdFusion Studio who want to connect to the ColdFusion server. When they attempt to access remote servers for files or data sources, access is granted according to the rules and policies associated with their group.

Administrator Security

Administrator security protects the ColdFusion Administrator against unauthorized access. You can use it to grant various levels of administrative access to specified users. When you enable Administrator security, it's possible to add other users as ColdFusion administrators with varying degrees of control.

ColdFusion creates three resource rules to authenticate users for different levels of security access to Administrator pages. These rules correspond to the three levels of access to the Administrator that you can configure:

  • CF Administrator Access. Allows full read and write access to the Administrator, including advanced security pages

  • CF Privileged Access. Allows full read and write access to the Administrator, except the advanced and basic Security pages

  • CF Restricted Access. Allows read and write access only to the ODBC, Native Drivers, and OLE DB data sources; Verify Data Sources pages; and the miscellaneous Verify Administrator pages

When Administrator security is enabled, ColdFusion creates a security context, called ColdFusion Admin, used exclusively for Administrator security. ColdFusion Admin secures only Collection, DataSource, and UserObject resource types. The resource types secured by the ColdFusion Admin security context shouldn't be changed. This decentralized administration model enables efficient development work in a team and reduces the load on the administrator.




Macromedia ColdFusion MX Professional Projects
ISBN: 1592000126
Year: 2002
Pages: 200