Difference between revisions of "Security"
Revision as of 03:31, 6 April 2010
Overview
In general, the ADF security framework is designed to help control calls to potentially dangerous components. The largest threat to calls to components within the ADF comes through the web. We are not offering any functionality that is not already available to a developer with access to your CommonSpot installation.
Security Measures
- As a rule of thumb, none of the components within the ADF library expose methods with "remote" access. This prevents direct web calls to any component within the ADF.
- The Application.cfc located within the root of the ADF directory contains code within the onRequestStart method that prevents direct calls to scripts or code by anyone who is _not_ a CommonSpot contributor.
- Remote access to component methods is requested through an Ajax Proxy that essentially allows access to methods in the ADF via a Proxy White List.
Recommendations
Each CommonSpot site has a configuration directory (/mySite/_cs_apps/config/) which may contain information specific to your site that you may not want accessible to the general web community within your organization.
Some of this data may be contained within a .xml file, which cannot easily be protected by ColdFusion security measures. As a result of this challenge, we recommend that you prevent web access to this directory (/mySite/_cs_apps/config/) at the web server level.
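As an added example (not from the ADF project or this wiki page), one way to apply that recommendation on Apache httpd 2.4; the Apache version and the per-site path pattern are assumptions, and the same rule also covers the .xml files that ColdFusion itself would not protect:

```apache
# Added example: block web access to every site's _cs_apps/config/ directory
# at the web server level, so neither the .cfm/.cfc files nor the .xml
# configuration files inside it can be fetched over HTTP.
# Assumes Apache httpd 2.4 and the per-site layout /<site>/_cs_apps/config/
# described above; the site name is matched by the pattern, not hard-coded.
<LocationMatch "^/[^/]+/_cs_apps/config(/|$)">
    Require all denied
</LocationMatch>

# Apache 2.2 equivalent, if the 2.4 authorization directives are unavailable:
# <LocationMatch "^/[^/]+/_cs_apps/config(/|$)">
#     Order deny,allow
#     Deny from all
# </LocationMatch>
```

After reloading Apache, any request for a file under that path is answered with 403 by the web server itself, before the request is handed to ColdFusion, so the check is independent of Application.cfc.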