Sandbox Security in ColdFusion 8

There are certain tags that by default are enabled in ColdFusion that I am never going to use and are a security risk. With this in mind I wanted to disable these CF Tags in a ColdFusion enterprise environment.

We have done this before in the ColdFusion standard edition and it is quite straight black keysforward. So I went ahead and enabled Sandbox Security in a specific CF instance. One of the differences in the Enterprise edition is that you can specify specific directories to define specific permissions. So you can have different permissions on different instances.

I added the directory of the site that I wanted to disable cfexecute and then disabled the cfexecute tag. I was prompted to restart the CF instance and then went to my site. I got an error. I went to CF administrator to change the settings back and it wouldn’t respond! What the…?

Having played around with the guts of ColdFusion and its settings, I knew that I could revert the Sandbox Security by changing the xml file. That file is called neo-security.xml in the \WEB-INF\cfusion\lib folder of the instance that I was updating.

So, what next?

I did a lot of searching on Google. Lo and behold, I found a page in Adobe’s live docs:

The important thing was that I needed to add arguments to the java.args line in the jvm.config file. That file is found in the jrun_root/bin/ folder in our set up.

This is what needed to be added:{application.home}/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/coldfusion.policy{application.home}/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/neo_jaas.policy

Once this was added I re-enabled Sandbox Security and all works nicely now.

This took me a heck of a lot longer to implement that it should have, so hopefully someone else can benefit from me writing this down.

What tips or tricks have you discovered in working with Sandbox Security?