Bay Area ColdFusion User Group Message Board › Windows security denies sccess to all files except CF files
|A former member||
My setup is IIS7 with ColdFusion 9 on a virtual server, using windows authentication at the folder level to control access to files.
Adobe's manual describes the process:
How does the ColdFusion service interact with IIS in terms of security?
CF runs as a separate service, but it also integrates with IIS using an ISAPI extension. The ISAPI extension runs in-process with IIS, just like the ASP engine, and when a request is received that is mapped to the file extension associated with the ISAPI extension (typically .cfm and .dbm, although those can be changed in the IIS management console), the request is forwarded to the CF service for processing.
IIS and NT security are used to determine whether the user can request the file in the first place. This happens before the request is forwarded to the CF service**. So, you'll generally follow the same procedure for securing CF applications with ACLs that you would with an ASP application.
**I think this is where the problem is.
We have used this successfully on non virtual servers and using the previous version of IIS. IIS7 denys .css, .js, .asp, .htm and all graphic formats but allowing .cfm file information to be displayed.
Is there a setting in IIS that I am overlooking? From the description above, IIS should not be passing on documents to CF.
|Carl Von S.||
When you say "ColdFusion 9 on a virtual server", what are you referring to specifically (a Windows Hypervisor or VMWare vSphere virtual server, or something else)? Might help focus the replies...
Edited by Carl Von Stetten on Jul 9, 2012 12:49 PM