Admin API Best Practices


The Admin API extends ColdFusion Administrator objects to end users. Like all things ColdFusion, Macromedia makes it easy to use this extremely powerful functionality. Administrators can even use the Admin API to expose administrative functions as Web services, enabling remote administration of ColdFusion servers from any client. As always, security should be the primary concern. Implement the following best practices for using the Admin API.

Admin API Configuration

  • Control the Administrator and RDS Passwords.

    Enable strong Administrator and RDS passwords; do not use the same string for both passwords.

    Keep the passwords secret.

    Disable RDS on production systems.

  • Secure the Admin API directory (/CFIDE/adminapi).

    Create sandboxes for all application directories, and only enable access to the Admin API directory for the custom admin console. Console code needs only read and execute permissions on the Admin API files and folders.

    Enable operating system permissions. The ColdFusion user (usually LocalSystem on Windows, nobody on Unix) and administrator (or root) accounts should have full control. Only allow read and execute access for the Web server user and other authenticated users.

    Only allow access to the Admin API through custom console code.

Custom Console Coding Best Practices

A few custom console coding best practices include the following:

  • Code custom admin modules that provide end-user access to the Admin API.

  • Create methods with the same name as the API methods to avoid uncertainty.

  • Limit the access to segments of Admin API features:

    No access to anything requiring restart.

    No access to the security.cfc or runtime.cfc.

    Limit access to serverwide settings: DSNs, mappings, debugging settings, and so on.

  • Limit functionality to adding and modifying settings. All delete functionality should be done via the ColdFusion Administrator by administrators.

  • Secure the custom admin modules:

    Leverage the roles attribute of <cffunction> to enforce user security.

    If you're hard-coding the ColdFusion Administrator password, pass it as a local variable to the login() method of administrator.cfc.

  • Encrypt the custom admin console templates with the cfcompile utility. See the section on sourceless deployment in Chapter 6 for details on using cfcompile to encrypt ColdFusion templates.
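The following custom console CFC is an added example, not code from the book: it wraps two datasource.cfc methods under their own names, restricts both with the <cffunction> roles attribute, keeps the Administrator password in a local variable passed straight to login(), and exposes no delete method. The Admin API component paths and method signatures (cfide.adminapi.administrator, cfide.adminapi.datasource, setMSSQL, getDatasources) are assumed from the ColdFusion MX 7 Admin API documentation; the password value and the role name are placeholders.

```cfml
<!--- dsnconsole.cfc: added example of a custom admin console module (not from the book).
      Callers must first be authenticated by the console's login page, e.g.
      <cflogin><cfloginuser name="#user#" password="#pw#" roles="dsnadmin"></cflogin>,
      otherwise the roles="dsnadmin" methods below raise a security exception. --->
<cfcomponent displayname="dsnconsole" hint="Read/add/modify datasources only; no delete">

    <!--- Admin API login. The Administrator password never leaves this local scope.
          "REPLACE-WITH-ADMIN-PASSWORD" is a placeholder, not a real credential. --->
    <cffunction name="loginAdmin" access="private" returntype="any" output="false">
        <cfset var adminPassword = "REPLACE-WITH-ADMIN-PASSWORD">
        <cfset var adminObj = createObject("component", "cfide.adminapi.administrator")>
        <cfset adminObj.login(adminPassword)>
        <!--- assumed Admin API component path --->
        <cfreturn createObject("component", "cfide.adminapi.datasource")>
    </cffunction>

    <!--- Same name as the Admin API method it wraps (setMSSQL on datasource.cfc);
          only the required arguments are passed through. --->
    <cffunction name="setMSSQL" access="remote" roles="dsnadmin" returntype="void" output="false">
        <cfargument name="name" type="string" required="true">
        <cfargument name="host" type="string" required="true">
        <cfargument name="database" type="string" required="true">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var dsn = loginAdmin()>
        <cfset dsn.setMSSQL(name=arguments.name,
                            host=arguments.host,
                            database=arguments.database,
                            username=arguments.username,
                            password=arguments.password)>
    </cffunction>

    <!--- Read access to datasource settings; an empty dsnname returns all DSNs. --->
    <cffunction name="getDatasources" access="remote" roles="dsnadmin" returntype="struct" output="false">
        <cfargument name="dsnname" type="string" required="false" default="">
        <cfset var dsn = loginAdmin()>
        <cfreturn dsn.getDatasources(argumentCollection=arguments)>
    </cffunction>

    <!--- Deliberately no deleteDatasource() wrapper: deletes stay in the
          ColdFusion Administrator, per the best practice above. --->
</cfcomponent>
```

Combine this with a sandbox on the console directory that grants read and execute on /CFIDE/adminapi only to this module, so the roles check is the second gate, not the only one.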



Advanced Macromedia ColdFusion MX 7 Application Development
ISBN: 0321292693
Year: 2006
Pages: 240
Authors: Ben Forta, et al
