CFIDE.adminapi.security
Component security (security)


Manages passwords, RDS, and sandbox security.


hierarchy: WEB-INF.cftags.component
      CFIDE.adminapi.base
            CFIDE.adminapi.security
path: /opt/coldfusion/cfusion/wwwroot/CFIDE/adminapi/security.cfc
serializable: Yes
properties:
final: false
abstract: false
methods: checkAdminPassword, checkRdsPassword, createDefaultSandboxes, deleteAllowedIPAddresses, deleteDisabledCFFunction, deleteDisabledCFTag, deleteDisabledDatasource, deleteSecuredFolder, deleteSecuredIPPort, deleteSecuritySandbox, deleteUser, disableRDSServlet*, disableSecureProfile, enableRDSServlet*, enableSecureProfile, formatPort*, getAllAdminRoles, getAllExposedServices, getAllowedIPList, getAllRuntimePermissions, getAllSecureProfileSettings, getAllSecureProfileSettingsInArray, getCFIDEDirectory*, getDefaultSecuritySandbox*, getDisabledCFFunctions, getDisabledCFTags, getDisabledDatasources, getEnableRDS, getEnableSandboxSecurity, getFunctionPermissionPosition*, getSecurableCFFunctions, getSecurableCFTags, getSecuredFolders, getSecuredIPPorts, getSecuritySandboxes, getTagPermissionPosition*, getUseAdminPassword, getUser, getUseRDSPassword, getUseSingleRDSPassword, getWebInfDirectory*, isAllowConcurrentAdminLogin, isInternalSandBox, isLoginUserIdRequired, isRAMAllFiles*, isSecureProfile, setAdminPassword, setAllowConcurrentAdminLogin, setAllowedIPAddresses, setDefaultFilePermission*, setDisabledCFFunction, setDisabledCFTag, setDisabledDatasource, setEnableRDS, setEnableSandboxSecurity, setLoginUserIdRequired, setRdsEnabled, setRDSPassword, setRdsSecurityEnabled, setSecuredFolder, setSecuredIPPort, setSecuritySandbox, setSeed, setUseAdminPassword, setUser, setUseRDSPassword, setUseSingleRDSPassword, validateDirectory*
inherited methods: dump, getEdition, getInstallType, isAdminUser, logaudit
* - private method

checkAdminPassword
public checkAdminPassword ( required string password, boolean isHashed="false" )

Checks admin password.

Output: suppressed
Parameters:
   password: string, required, password - Administrator password.
   isHashed: boolean, optional, isHashed - Set it to true if the password sent is already hashed once.

checkRdsPassword
public checkRdsPassword ( required string password )

Checks RDS password.

Output: suppressed
Parameters:
   password: string, required, password - Administrator password.

createDefaultSandboxes
public void createDefaultSandboxes ( )

Creates the default sandboxes needed to secure the ColdFusion Administrator and the WEB-INF system folder.

Output: suppressed

deleteAllowedIPAddresses
public void deleteAllowedIPAddresses ( required string debugip )

Removes an IP address from the list of client IP addresses that are allowed to invoke exposed services.

Output: suppressed
Parameters:
   debugip: string, required, debugip - List of IP addresses to remove.

deleteDisabledCFFunction
public void deleteDisabledCFFunction ( required directory, required functionName )

Removes a function from the list of disabled functions in the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the function is enabled.
   functionName: any, required, functionName - Specifies the name of the function to enable.

deleteDisabledCFTag
public void deleteDisabledCFTag ( required directory, required tag )

Removes a tag from the list of disabled tags in the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the tag is enabled.
   tag: any, required, tag - Specifies the name of the tag to be enabled.

deleteDisabledDatasource
public void deleteDisabledDatasource ( required directory, required datasource )

Removes a data source from the list of disabled data sources in the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the data source is enabled.
   datasource: any, required, datasource - Specifies the name of the data source to enable.

deleteSecuredFolder
public void deleteSecuredFolder ( required directory, required folder )

Makes a folder inaccessible to a secured sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which a folder is disabled.
   folder: any, required, folder - Specifies the path of the folder to be made inaccessible.

deleteSecuredIPPort
public deleteSecuredIPPort ( required directory, required IP, required PORT, portType="single" )

Removes a specified IP address and port from restricted status.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the restriction is removed.
   IP: any, required, IP - Specifies the target IP address.
   PORT: any, required, PORT - Specifies the target port.
   portType: any, optional, portType - Specifies the port type:
  • single - Single port
  • higher - The specified port and higher
  • lower - The specified port and lower
  • range - Specified range of ports


deleteSecuritySandbox
public void deleteSecuritySandbox ( required directory )

Removes security sandbox restrictions for a directory.

Output: enabled
Parameters:
   directory: any, required, directory - Specifies the directory of the security sandbox to be removed.

deleteUser
public void deleteUser ( required username )

Removes the user.

Output: suppressed
Parameters:
   username: any, required, username - Specifies the username of the user to delete.

disableRDSServlet*
private boolean disableRDSServlet ( )

Disables the servlet that performs RDS processing.

Output: suppressed

disableSecureProfile
public disableSecureProfile ( )

Disables secure profile and reverts all required settings from secure value to default value.

Output: suppressed

enableRDSServlet*
private boolean enableRDSServlet ( )

Enables the servlet that performs RDS processing.

Output: suppressed

enableSecureProfile
public enableSecureProfile ( )

Enables secure profile and applies all required settings for it.

Output: suppressed

formatPort*
private formatPort ( required port, required portType )

Format a port based on the specified range.

Output:
Parameters:
   port: any, required, port - Specifies the port number.
   portType: any, required, portType - Specifies the range designation:
  • single
  • higher
  • lower


getAllAdminRoles
getAllAdminRoles ( )

Output:

getAllExposedServices
getAllExposedServices ( )

Output:

getAllowedIPList
public getAllowedIPList ( )

Returns a list of client IP addresses that should be allowed to invoke exposed services.

Output: suppressed

getAllRuntimePermissions
public array getAllRuntimePermissions ( )

Gets an array of all runtime permissions.

Output: suppressed

getAllSecureProfileSettings
public getAllSecureProfileSettings ( )

Returns all settings from Secure Profile.

Output: suppressed

getAllSecureProfileSettingsInArray
public getAllSecureProfileSettingsInArray ( )

Returns all settings from Secure Profile.

Output: suppressed

getCFIDEDirectory*
private getCFIDEDirectory ( )

Returns full path for CFIDE

Output: suppressed

getDefaultSecuritySandbox*
private getDefaultSecuritySandbox ( required directory )

Create the default structure for a blank sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the directory of the sandbox.

getDisabledCFFunctions
public getDisabledCFFunctions ( required directory )

Returns an array of functions that have been disabled for the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which disabled functions are returned.

getDisabledCFTags
public getDisabledCFTags ( required directory )

Returns an array of tags that have been disabled for the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which disabled tags are returned.

getDisabledDatasources
public array getDisabledDatasources ( required directory )

Returns an array of data sources that have been disabled for the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which disabled data sources are returned.

getEnableRDS
public boolean getEnableRDS ( )

Checks whether RDS is enabled.

Output: suppressed

getEnableSandboxSecurity
public getEnableSandboxSecurity ( )

Checks whether sandbox security is enabled.

Output: suppressed

getFunctionPermissionPosition*
private getFunctionPermissionPosition ( required webapp, required directory )

Returns the index in the function permissions array.

Output: suppressed
Parameters:
   webapp: any, required, webapp - Specifies the name of the web application using the secured sandbox.
   directory: any, required, directory - Specifies the sandbox directory for which the index is returned.

getSecurableCFFunctions
public getSecurableCFFunctions ( )

Returns an array of securable functions.

Output: suppressed

getSecurableCFTags
public getSecurableCFTags ( )

Returns an array of securable tags.

Output: suppressed

getSecuredFolders
public getSecuredFolders ( required directory )

Returns an array of secured folders for the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which secured folders are returned.

getSecuredIPPorts
public getSecuredIPPorts ( required directory )

Returns an array of secured ports for the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which secured ports are returned.

getSecuritySandboxes
public getSecuritySandboxes ( directory )

Returns all security sandboxes or a specified sandbox.

Output: suppressed
Parameters:
   directory: any, optional, directory - Sandbox directory to be returned.

getTagPermissionPosition*
private getTagPermissionPosition ( required webapp, required directory )

Returns the index in the permissions array.

Output: suppressed
Parameters:
   webapp: any, required, webapp - Specifies the name of the web application using the secured sandbox.
   directory: any, required, directory - Specifies the sandbox directory for which the index is returned.

getUseAdminPassword
public getUseAdminPassword ( )

Checks whether ColdFusion Administrator security is required.

Output: suppressed

getUser
public struct getUser ( string username )

Get all users or get single user by specifying a username.

Output: suppressed
Parameters:
   username: string, optional, username - Specifies the username of the user to return.

getUseRDSPassword
public getUseRDSPassword ( )

Checks whether a Remote Development Services (RDS) password is required.

Output: suppressed

getUseSingleRDSPassword
public boolean getUseSingleRDSPassword ( )

Indicates whether or not a user id is required in addition to a password for logging in to RDS.

Output: suppressed

getWebInfDirectory*
private getWebInfDirectory ( )

Returns full path for WEB-INF

Output: suppressed

isAllowConcurrentAdminLogin
public isAllowConcurrentAdminLogin ( )

Checks whether concurrent login sessions are allowed

Output: suppressed

isInternalSandBox
public isInternalSandBox ( required directory )

Returns true if the sandbox directory is CFIDE or WEB-INF

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the directory of the sandbox.

isLoginUserIdRequired
public isLoginUserIdRequired ( )

Checks whether or not a user id is required in addition to a password in order to log in. If this returns true, a user id must be passed to the login function in addition to a password.

Output: suppressed

isRAMAllFiles*
private boolean isRAMAllFiles ( required path )

Checks if the argument is ram:///- or ram://-

Output: suppressed
Parameters:
   path: any, required, path - specifies the path to the ram file

isSecureProfile
public isSecureProfile ( )

Checks whether secure profile was selected during installation.

Output: suppressed

setAdminPassword
public setAdminPassword ( required string password, boolean isHashed="false" )

Sets the ColdFusion Administrator password.

Output: suppressed
Parameters:
   password: string, required, password - Administrator password.
   isHashed: boolean, optional, isHashed - Set it to true if the password sent is already hashed once.

setAllowConcurrentAdminLogin
public void setAllowConcurrentAdminLogin ( required boolean adminconclogin )

Specifies whether concurrent login sessions are allowed for ColdFusion Administrator.

Output: suppressed
Parameters:
   adminconclogin: boolean, required, adminconclogin - True or False

setAllowedIPAddresses
public void setAllowedIPAddresses ( required string debugip )

Sets a list of one or more client IP addresses that should be allowed to invoke exposed services.

Output: suppressed
Parameters:
   debugip: string, required, debugip - List of IP addresses.

setDefaultFilePermission*
private void setDefaultFilePermission ( required directory )

Removes the wildcard and sets the permission for only the defined folder.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the directory to receive permission.

setDisabledCFFunction
public void setDisabledCFFunction ( required directory, required functionName )

Disables the use of a function in the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the specified function is disabled.
   functionName: any, required, functionName - Specifies the function to disable.

setDisabledCFTag
public void setDisabledCFTag ( required directory, required tag )

Disables use of a tag in the sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the specified tag is disabled.
   tag: any, required, tag - Specifies the tag to disable.

setDisabledDatasource
public void setDisabledDatasource ( required directory, required datasource )

Disables use of a data source in the sandbox.

Output: enabled
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the data source is disabled.
   datasource: any, required, datasource - Specifies the name of the data source to disable.

setEnableRDS
public void setEnableRDS ( required boolean flag )

Specifies whether to enable or disable RDS.

Output: suppressed
Parameters:
   flag: boolean, required, flag - Specify true or false.

setEnableSandboxSecurity
public void setEnableSandboxSecurity ( required boolean enable )

Specifies whether to enable sandbox security.

Output: suppressed
Parameters:
   enable: boolean, required, enable - True or False

setLoginUserIdRequired
public setLoginUserIdRequired ( required boolean isUserIdRequired )

Sets whether or not a user id is required for login.

Output: suppressed
Parameters:
   isUserIdRequired: boolean, required, isUserIdRequired

setRdsEnabled
public void setRdsEnabled ( required boolean enabled )

Specifies whether RDS is enabled or not.

Output: suppressed
Parameters:
   enabled: boolean, required, enabled - Specify true or false.

setRDSPassword
public setRDSPassword ( required string password )

Sets the RDS password.

Output: suppressed
Parameters:
   password: string, required, password - RDS password.

setRdsSecurityEnabled
public void setRdsSecurityEnabled ( required boolean useAdminPassword )

Specifies whether RDS security is required.

Output: suppressed
Parameters:
   useAdminPassword: boolean, required, useAdminPassword - Specify true or false.

setSecuredFolder
public void setSecuredFolder ( required directory, required folder, fileRead="true", fileWrite="true", fileExecute="true", fileDelete="true" )

Makes a folder accessible for the secured sandbox.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the folder is enabled.
   folder: any, required, folder - Specifies the directory path of the folder to be enabled.
   fileRead: any, optional, fileRead - Allow read permission.
   fileWrite: any, optional, fileWrite - Allow write permission.
   fileExecute: any, optional, fileExecute - Allow execute permission.
   fileDelete: any, optional, fileDelete - Allow delete permission.

setSecuredIPPort
public setSecuredIPPort ( required directory, required IP, required PORT, portType="single" )

Restrict the IP addresses and ports that ColdFusion tags can access.

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the sandbox directory for which the IP address and port are secured.
   IP: any, required, IP - Specifies the IP address to restrict.
   PORT: any, required, PORT - Specifies the port to restrict.
   portType: any, optional, portType - Specifies the port type:
  • single - Single port
  • higher - The specified port and higher
  • lower - The specified port and lower
  • range - Specified range of ports


setSecuritySandbox
public void setSecuritySandbox ( required string directory, array sandbox )

Creates a security sandbox for a specified directory.

Output: suppressed
Parameters:
   directory: string, required, directory - Specifies a sandbox directory.
   sandbox: array, optional, sandbox - The sandbox array object, which is an array of structures with each structure being a permission.

setSeed
public setSeed ( required string seed )

Sets the ColdFusion server seed.

Output: suppressed
Parameters:
   seed: string, required, seed - Server seed.

setUseAdminPassword
public void setUseAdminPassword ( required boolean useAdminPassword )

Specifies whether ColdFusion Administrator security is required.

Output: suppressed
Parameters:
   useAdminPassword: boolean, required, useAdminPassword - True or False

setUser
public void setUser ( required string username, required string password, string description="", array roles="[runtime expression]", boolean allowrdsaccess="false", boolean allowadminaccess="false", boolean allowadminapiaccess="false", array services="[runtime expression]", array enabledds="[runtime expression]", array filepermissions="[runtime expression]", boolean isHashed="false", boolean allowclientcertauth="false" )

Adds a new user or updates an existing user.

Output: suppressed
Parameters:
   username: string, required, username - Specifies the username for this user.
   password: string, required, password - Specifies the password for this user.
   description: string, optional, description - Specifies a description of the user.
   roles: array, optional, roles - Administrative roles assigned to user
   allowrdsaccess: boolean, optional, allowrdsaccess - Specifies whether or not RDS access is allowed for this user.
   allowadminaccess: boolean, optional, allowadminaccess - Specifies whether or not CF Administrator and Admin API access is allowed for this user.
   allowadminapiaccess: boolean, optional, allowadminapiaccess - Specifies whether or not Admin API access is allowed for this user.
   services: array, optional, services - Services user is allowed to access.
   enabledds: array, optional, enabledds - Data sources the user is allowed to access.
   filepermissions: array, optional, filepermissions - Files the user is allowed to access.
   isHashed: boolean, optional, isHashed - Set it to true if the password sent is already hashed once.
   allowclientcertauth: boolean, optional, allowclientcertauth

setUseRDSPassword
public void setUseRDSPassword ( required boolean useAdminPassword )

Specifies whether RDS security is required.

Output: suppressed
Parameters:
   useAdminPassword: boolean, required, useAdminPassword - Specify true or false.

setUseSingleRDSPassword
public setUseSingleRDSPassword ( required boolean useSingleRDSPassword )

Sets whether or not to allow a user id in addition to a password for logging in to RDS

Output: suppressed
Parameters:
   useSingleRDSPassword: boolean, required, useSingleRDSPassword

validateDirectory*
private validateDirectory ( required directory )

Ensure that the directory starts with / and ends with /*

Output: suppressed
Parameters:
   directory: any, required, directory - Specifies the directory to be secured.