Difference between revisions of "Security"

From ADF Docs
(Overview)
 
== Overview ==
 
== Overview ==
The ADF security framework contains measures to restrict direct access and remote component access.
+
In general, the ADF security framework is designed to help control calls to potentially dangerous components. The largest threat to the calls to the components within the ADF is through the web.  We are not offering any functionality that is not already available to a developer with access to your CommonSpot installation.
  
Security Measures include:
+
== Security Measures ==
# As a rule of thumb, none of the component methods within the ADF library have functions with methods with "remote" access
+
# As a rule of thumb, none of the component methods within the ADF library have functions with methods with "remote" access.  This prevents direct web calls to any components within the ADF
# Direct access to the ADF files are restricted to only valid, logged in CommonSpot users.  This is controlled through the ADF root Application.cfc.  In the ''onRequestStart'' function, logic is run to verify the user accessing the file directly is a logged in CommonSpot user.
+
# The Application.cfc located within the root of the ADF directory contains code within the onRequestStart method that prevents direct calls to scripts or code by anyone who is _not_ a CommonSpot contributor.
 
# Remote access to component methods are requested through an [[Ajax Proxy| Ajax Proxy]] that essentially allows access to methods in the ADF via a [[ Proxy White List | Proxy White List]].
 
# Remote access to component methods are requested through an [[Ajax Proxy| Ajax Proxy]] that essentially allows access to methods in the ADF via a [[ Proxy White List | Proxy White List]].
 +
 +
== Recommendations ==
 +
Each CommonSpot site has a configuration directory (/mySite/_cs_apps/config/) which may contain specific information about your site that you may not want accessible by the general web community within your organization.
 +
 +
Some of this data may be contained within a .xml file which can't easily be protected by ColdFusion security measures.  As a result of this challenge, we recommend that you prevent web access to this directory (/mySite/_cs_apps/config/) at the web server level.
  
 
[[Category: Security]]
 
[[Category: Security]]

Revision as of 03:31, 6 April 2010

Overview

In general, the ADF security framework is designed to help control calls to potentially dangerous components. The largest threat to calls to components within the ADF comes through the web. We are not offering any functionality that is not already available to a developer with access to your CommonSpot installation.

Security Measures

  1. As a rule of thumb, none of the component methods within the ADF library are declared with "remote" access. This prevents direct web calls to any components within the ADF.
  2. The Application.cfc located within the root of the ADF directory contains code within the onRequestStart method that prevents direct calls to scripts or code by anyone who is _not_ a CommonSpot contributor.
  3. Remote access to component methods is requested through an Ajax Proxy that essentially allows access to methods in the ADF via a Proxy White List.
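The three measures above combine into one pattern: the components expose nothing on their own, and the only web entry point is a proxy that consults an explicit white list before invoking anything. The Python below is an added example of that pattern and is not ADF or CommonSpot code; the component names (PageService, ConfigService), method names and argument names are constructed for the illustration, and the HTTP-style status codes in handle_request are an assumption about how a proxy would report refusals.

```python
"""Allow-list dispatch for a proxy that exposes component methods over the web.

Added example, not ADF or CommonSpot code. Component, method and argument names
are constructed. Reachability is decided solely by the white list the proxy
holds, never by anything declared on the components themselves.
"""
from dataclasses import dataclass


class ProxyError(Exception):
    """Raised when the proxy refuses a call."""


# Constructed sample components. None of them marks a method as remotely
# callable; a method is reachable from the web only if the proxy lists it.
class PageService:
    def get_title(self, page_id: int) -> str:
        return f"Page {page_id}"

    def delete_page(self, page_id: int) -> str:
        # Dangerous operation: it exists on the component but is deliberately
        # absent from the white list, so the proxy can never reach it.
        return f"deleted {page_id}"


class ConfigService:
    def read_config(self, key: str) -> str:
        return f"value-of-{key}"


@dataclass
class AjaxProxy:
    components: dict
    whitelist: frozenset  # of (component name, method name) pairs

    def call(self, component: str, method: str, **kwargs):
        # 1. The (component, method) pair must be explicitly allowed. Checking
        #    this first means unknown components and methods fail closed with
        #    the same error, revealing nothing about what exists.
        if (component, method) not in self.whitelist:
            raise ProxyError(f"{component}.{method} is not white-listed")
        # 2. Defence in depth: even a mistaken white-list entry can never
        #    expose a private member.
        if method.startswith("_"):
            raise ProxyError("private members are never proxied")
        target = self.components[component]
        return getattr(target, method)(**kwargs)


def build_proxy() -> AjaxProxy:
    """Wire up the sample components with a minimal white list."""
    return AjaxProxy(
        components={"PageService": PageService(), "ConfigService": ConfigService()},
        whitelist=frozenset({("PageService", "get_title")}),
    )


def handle_request(proxy: AjaxProxy, component: str, method: str, args: dict):
    """Map a proxied call to an (HTTP status, body) pair; statuses are assumed."""
    try:
        return 200, proxy.call(component, method, **args)
    except ProxyError as exc:
        return 403, str(exc)
    except TypeError as exc:  # wrong argument names or arity
        return 400, f"bad arguments: {exc}"


if __name__ == "__main__":
    proxy = build_proxy()
    for comp, meth, args in [
        ("PageService", "get_title", {"page_id": 7}),
        ("PageService", "delete_page", {"page_id": 7}),
        ("ConfigService", "read_config", {"key": "db"}),
        ("NoSuchComponent", "anything", {}),
    ]:
        print(comp, meth, handle_request(proxy, comp, meth, args))
```

The point to check in a real deployment is the ordering: the white-list lookup happens before any component is resolved or any argument is bound, so a request for a method that is not listed is refused the same way whether or not the method exists.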

Recommendations

Each CommonSpot site has a configuration directory (/mySite/_cs_apps/config/) which may contain specific information about your site that you may not want to be accessible to the general web community within your organization.

Some of this data may be contained within a .xml file, which can't easily be protected by ColdFusion security measures. For this reason, we recommend that you prevent web access to this directory (/mySite/_cs_apps/config/) at the web server level.
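Once the web-server rule is in place, it is worth confirming that it actually applies to the directory after the server has decoded and normalised the request path. The Python below is an added audit helper, not part of ADF or CommonSpot: it takes a fetch callable (assumed signature: fetch(path) -> HTTP status code) so the same check can run against a real server via urllib or, as in the included test, against a constructed fake. The site name mySite is the page's own placeholder; the file names app.xml and settings.xml are constructed.

```python
"""Confirm the web server refuses requests under a site's configuration directory.

Added example, not ADF or CommonSpot code. Only the directory path comes from
the recommendation; file names and the fake server are constructed.
"""
from posixpath import normpath
from urllib.parse import unquote
import urllib.request
import urllib.error

CONFIG_DIR = "/mySite/_cs_apps/config/"


def candidate_paths(config_dir: str, filenames) -> list:
    """Plain requests plus the variants a deny rule must still catch."""
    base = config_dir.rstrip("/")                 # "/mySite/_cs_apps/config"
    parent, last = base.rsplit("/", 1)            # "/mySite/_cs_apps", "config"
    encoded_last = "".join(f"%{ord(c):02X}" for c in last)  # "%63%6F..."
    paths = []
    for name in filenames:
        paths.append(f"{base}/{name}")
        # Percent-encoded directory name: a rule matched against the raw,
        # undecoded request line would miss this.
        paths.append(f"{parent}/{encoded_last}/{name}")
        # Dot-segment path that normalises back into the directory.
        paths.append(f"{parent}/x/../{last}/{name}")
    return paths


def exposed_paths(fetch, config_dir: str = CONFIG_DIR,
                  filenames=("app.xml", "settings.xml")) -> list:
    """Return every candidate path the server actually served (status < 400)."""
    return [p for p in candidate_paths(config_dir, filenames) if fetch(p) < 400]


def http_fetch(base_url: str):
    """Build a fetch(path) for a real server using the standard library."""
    def fetch(path: str) -> int:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path) as resp:
                return resp.status
        except urllib.error.HTTPError as exc:
            return exc.code
    return fetch


def make_fake_fetch(deny_rule_present: bool):
    """Constructed stand-in for a web server: decode, normalise, then apply
    (or omit) the directory deny rule exactly as a real server would."""
    protected = CONFIG_DIR.rstrip("/")

    def fetch(path: str) -> int:
        resolved = normpath(unquote(path))
        # Match the directory itself or anything beneath it, but not a sibling
        # that merely shares the prefix (e.g. /_cs_apps/configuration).
        inside = resolved == protected or resolved.startswith(protected + "/")
        if deny_rule_present and inside:
            return 403
        return 200
    return fetch


if __name__ == "__main__":
    # Against a real site this would be exposed_paths(http_fetch("https://example.invalid")).
    print("with deny rule:", exposed_paths(make_fake_fetch(True)))
    print("without deny rule:", exposed_paths(make_fake_fetch(False)))
```

An empty list from exposed_paths is the expected result; any path it returns is one the server still serves and the rule needs to be revisited for that case.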