Chapter 6: Implementing Security in ColdFusion Applications


Security is a major issue for any application, especially Web-based database applications. All Web applications are potential victims of security breaches. Most common security threats arise from hackers, imposters, and unauthorized users. Hackers can eavesdrop and monitor data sent over the Web. Imposters can impersonate registered users to gain access to the information that only registered users can access. Unauthorized users can gain access to sensitive information.

The ColdFusion environment is secure for Web application development and deployment. In this chapter, you'll learn about the various security levels and the mechanisms to implement security in ColdFusion applications.

Security Levels in ColdFusion

ColdFusion helps you manage security risks at three levels:

  • Encryption. Involves the use of the Secure Sockets Layer (SSL) protocol. The objective of SSL is to prevent eavesdropping and message tampering as information passes between clients and servers. Most Web servers support SSL, which functions by encrypting Internet protocols such as HTTP with public key cryptography. A private key resides on the server to decrypt inbound data and encrypt outbound data. After the key is installed, the Web server handles encryption and decryption automatically. The SSL security mechanism is implemented at the server level.

  • Authentication. Involves checking whether or not the identity of a user is valid. It usually prompts a user for a unique login or username, and a password or personal identification number.

  • Access control. Limits access to various resources. Authenticated users have access to particular features or components based on security clearance, group affiliation, or other criteria specified by the developer. Authorization is the process of limiting access to certain users.

ColdFusion provides both basic and advanced security features. They are mutually exclusive and serve different purposes. Basic security is configured from within ColdFusion Administrator. It requires usernames and passwords for access to ColdFusion Administrator and ColdFusion Studio, and it can also enable or disable access to certain ColdFusion tags.

Advanced security provides a complete security system. It enables you to manage user security and server sandbox security. Unlike basic security, which gives all developers the same level of access to all ColdFusion resources, advanced security lets you customize access control for individual developers and development groups. By default, advanced security is turned off. If you turn off both basic and advanced security, all ColdFusion resources and server administration functions become available to everyone.

Both security mechanisms, basic and advanced, support the SSL protocol. SSL prevents an unauthorized user from accessing the sensitive information passed between a client and the server.

SSL provides security at the server level. The server administrator installs a private key to decrypt inbound data and encrypt outbound data. If the Web server connections are encrypted with SSL, ColdFusion transmissions are also encrypted automatically.

To enable SSL on the ColdFusion MX built-in Web server, you first need to obtain a certificate and then enable the ColdFusion MX SSL service.

Caution

Although you can use the ColdFusion MX built-in Web server for developing, testing, and debugging ColdFusion applications, Macromedia doesn't recommend using it for deployment.

You can create a private certificate with the KEYTOOL command-line utility that is installed with the Java JDK. Running KEYTOOL creates a file called keystore, which contains the digital certificate, in the directory in which you run the command.

The steps for enabling SSL on the ColdFusion MX built-in Web server are as follows:

  1. Open the cf_root\runtime\servers\default\SERVER-INF\jrun.xml file.

  2. Remove the comments around the following code:

     <service name="SSLService">
       <attribute name="enabled">true</attribute>
       <attribute name="port">9100</attribute>
       <attribute name="keyStore">{jrun.rootdir}/lib/keystore</attribute>
       <attribute name="keyStorePassword">changeit</attribute>
       <attribute name="trustStore">{jrun.rootdir}/lib/trustStore</attribute>
       <attribute name="socketFactoryName">jrun.servlet.http.JRunSSLServerSocketFactory</attribute>
     </service>

  3. Set the port attribute to the port on which you want the SSL service to listen.

  4. Set the keyStore attribute to the location of the keystore containing your certificate.

  5. Set the keyStorePassword attribute to the password that you used when creating the certificate.

  6. Save the changes to jrun.xml.

  7. Restart ColdFusion MX, and then make an SSL request through the built-in server.

  8. Test SSL by opening ColdFusion MX Administrator using the following URL:

    https://localhost:9100/CFIDE/administrator/index.cfm

    The value 9100 in the URL is the SSL port of the built-in Web server, as set in the port attribute.
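The eight steps above are carried out by hand in a text editor. The following Python script is an added example, not code from the book or from ColdFusion MX: it performs steps 2 through 5 on a constructed copy of the SSLService block quoted in step 2 and then audits the result, checking that the block is no longer commented out, that enabled is true, that the port is a valid TCP port, and that keyStorePassword is no longer the sample value changeit that appears in the commented-out block. The sample XML, the keystore path and the password are constructed values; the real file is cf_root\runtime\servers\default\SERVER-INF\jrun.xml.

```python
"""Automate steps 2-5 of enabling SSL on the ColdFusion MX built-in Web server
and audit the result.  Example code, not part of ColdFusion MX.

Assumptions: jrun.xml uses the <service>/<attribute> layout quoted in step 2,
and the SSLService block is initially wrapped in an XML comment.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for cf_root\runtime\servers\default\SERVER-INF\jrun.xml.
# The SSLService block is the one quoted in step 2, still commented out.
SAMPLE_JRUN_XML = """<jrun-server>
  <service name="WebService">
    <attribute name="port">8500</attribute>
  </service>
  <!--
  <service name="SSLService">
    <attribute name="enabled">true</attribute>
    <attribute name="port">9100</attribute>
    <attribute name="keyStore">{jrun.rootdir}/lib/keystore</attribute>
    <attribute name="keyStorePassword">changeit</attribute>
    <attribute name="trustStore">{jrun.rootdir}/lib/trustStore</attribute>
    <attribute name="socketFactoryName">jrun.servlet.http.JRunSSLServerSocketFactory</attribute>
  </service>
  -->
</jrun-server>
"""

SAMPLE_PASSWORD = "changeit"   # value shipped in the commented-out block

_SSL_COMMENT = re.compile(
    r'<!--\s*(<service\s+name="SSLService">.*?</service>)\s*-->', re.DOTALL)


def uncomment_ssl_service(xml_text):
    """Step 2: strip the <!-- --> markers around the SSLService block.
    Returns (new_text, number_of_blocks_uncommented)."""
    return _SSL_COMMENT.subn(r"\1", xml_text)


def _ssl_attributes(root):
    """Map attribute name -> <attribute> element of the SSLService block, or None."""
    svc = root.find("./service[@name='SSLService']")
    if svc is None:
        return None
    return {a.get("name"): a for a in svc.findall("attribute")}


def configure_ssl_service(xml_text, port, keystore_path, keystore_password):
    """Steps 2-5: uncomment the block, then set port, keyStore and keyStorePassword."""
    text, count = uncomment_ssl_service(xml_text)
    if count == 0:
        raise ValueError("no commented-out SSLService block found")
    root = ET.fromstring(text)
    attrs = _ssl_attributes(root)
    attrs["enabled"].text = "true"
    attrs["port"].text = str(port)
    attrs["keyStore"].text = keystore_path
    attrs["keyStorePassword"].text = keystore_password
    return ET.tostring(root, encoding="unicode")


def audit_ssl_service(xml_text):
    """Return a list of findings about the SSLService block; an empty list means
    the block is enabled and no longer carries the sample password."""
    findings = []
    root = ET.fromstring(xml_text)      # ElementTree drops XML comments, so a
    attrs = _ssl_attributes(root)       # still-commented block is invisible here
    if attrs is None:
        return ["SSLService block is missing or still commented out (step 2)"]

    def value(name):
        return (attrs[name].text or "").strip() if name in attrs else ""

    if value("enabled") != "true":
        findings.append("enabled attribute is not 'true'")
    port = value("port")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append("port attribute %r is not a valid TCP port (step 3)" % port)
    if not value("keyStore"):
        findings.append("keyStore attribute is empty (step 4)")
    if value("keyStorePassword") in ("", SAMPLE_PASSWORD):
        findings.append("keyStorePassword is empty or still the sample value "
                        "%r from the commented block (step 5)" % SAMPLE_PASSWORD)
    return findings


if __name__ == "__main__":
    # Constructed values; the keystore is assumed to have been created earlier
    # with the KEYTOOL utility described above.
    print("before:", audit_ssl_service(SAMPLE_JRUN_XML))
    configured = configure_ssl_service(SAMPLE_JRUN_XML, 9100,
                                       "C:/CFusionMX/lib/keystore", "constructed-pass")
    print("after: ", audit_ssl_service(configured))
```

The audit is the part worth keeping around: run it against jrun.xml after step 6 and before step 7, so that a restart with the block still commented out, or with the sample keystore password left in place, is caught before the server is exposed on the SSL port.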

The three security levels in the context of basic and advanced security are discussed in the following sections.

Basic Security

Basic security is the default security framework for ColdFusion; it lets you secure ColdFusion Server with password-protected access. All editions of ColdFusion Server include basic security features, and basic security is activated automatically when ColdFusion Server is installed. You can use three types of mechanisms when working with basic security:

  • Administrative access. Provides secure, password-protected access to ColdFusion administrative functions.

  • Application development. Provides password-protected access to data sources and files, and blocks access to some sensitive tags.

  • Application deployment. Prevents applications from executing ColdFusion tags that are used to work with server files.

Advanced Security

ColdFusion Server Professional and Enterprise editions include advanced security features. You can use three types of security mechanisms when working with advanced security:

  • Administrative access. Provides various degrees of administrative access to different users.

  • Application development. Controls access to various data sources and files, with password protection for each application developer in the development team. This enables you to coordinate development on shared servers without the fear that sensitive data and applications may be misused.

  • Application deployment. Provides multiple levels of user access from within an application.




Macromedia ColdFusion MX Professional Projects
ISBN: 1592000126
Year: 2002
Pages: 200