ColdFusion provides a number of security-related features. Some of these features let you add login and role-based security mechanisms to your own applications. The options in the Security portion of the ColdFusion Administrator, in contrast, are about securing the server itself so that only the proper people have the ability to administer ColdFusion. You can also lock down various parts of the server (tags, files, data sources, and so on) so that each application only has the right to use its own files and data.
The Administrator Page
The ColdFusion Administrator enables the configuration and management of the ColdFusion server. Therefore, the ColdFusion Administrator should generally be password protected to prevent unauthorized access.
ColdFusion Administrator Authentication
To support a single administration login and password, select the first option. To support multiple administrators, each possibly with a different level of access, select the second option. To allow access without a password, select the third option.
Root Administrator Password
Use this option to change the primary ColdFusion Administrator password.
The RDS Password Page
RDS is used to provide development time access to ColdFusion data sources, files, reporting building, and more. Because RDS can expose sensitive files and data, it should always be secured.
To support a single RDS login and password, select the first option. To support multiple RDS logins, each possibly tied to a different sandbox, select the second option. To allow access without a password, select the third option.
RDS Single Password
Use this option to change the primary RDS password.
The Sandbox Security Page
ColdFusion includes a feature called sandbox security. This feature is mostly aimed at Internet service providers or people running large enterprise-wide servers, where a server may have many different ColdFusion applications written by many different developers. In such a situation, there needs to be some way to keep one set of developers from accessing the data sources that are being used by another set of developers. Similarly, there needs to be some way to keep one application from being able to use <cffile> or <cfdirectory> to read or destroy files that are important to another application.
The User Manager Page
As seen previously, both the ColdFusion Administrator and RDS support single-password logins and multiple logins. To use the latter, you define users using this page.
Click the Add User button to add a user and then define the username, password, and permissions for this user.
For more information, see Chapter 53, "Securing the ColdFusion Administrator," in Volume 3.