TechNote (Archived)

ColdFusion 5: How to set up Advanced Security to secure RDS access to data sources

This TechNote will step through setting up a User Directory, Security Context, Rules and a Policy on a ColdFusion 5 server to restrict access to data sources through Remote Development Service (RDS). For information on User Directories, Security Contexts, Rules and Policies, please refer to Chapter 5, Configuring Advanced Security of the "Advanced ColdFusion Administration" documentation.

For the best results in configuring and using Advanced Security, it is strongly recommended that you migrate your Policy Store data from the default Microsoft Access database it is shipped in to an enterprise-level solution, such as SQL Server, Oracle, or an LDAP server. For a list of TechNotes providing instructions on how to migrate your Policy Store, please visit the Advanced Security section of the ColdFusion Support Center.

The following example assumes that three NT domain users named "dev1", "dev2", and "dev3" exist. For information about setting up users, please refer to your Operating System documentation. The example also requires two data sources named "dsdev1" and "dsdev2". For information on setting up data sources, please refer to Chapter 6, Managing Data Sources of the "Installing and Configuring ColdFusion Server" documentation.

In the following example, we will restrict access to the "dsdev1" data source for all users except user "dev1" and restrict access to the "dsdev2" data source for all users except user "dev2". User "dev3" will have no access to either data source.

A. Set up the User Directory. The User Directory is a listing of users and their passwords that you will authenticate against.

  1. In the ColdFusion Administrator, click "Security > Security Configuration".
  2. Check the "Use Advanced Security" check box on the "Advanced Security" page.
  3. Click "Submit Changes".
  4. At the top of the page, click "User Directories".
  5. Enter "ntdirectory" in the "Connect Directory" field.
  6. Click "Connect Directory".
  7. Select "Windows NT" from the "Namespace" drop-down select box.
  8. In the "Location" field, input the domain name where you want users dev1, dev2 and dev3 to be authenticated.
  9. At the bottom of the page, click "Add".
  10. Click the arrow button to return to the "Advanced Security" page.

B. Set up the Security Context. The Security Context allows you to create rules and users to limit access to specific data sources.

  1. At the top of the page, click "Security Contexts".
  2. Enter "dscontext" in the "Add Security Context" field.
  3. Click "Add Security Context".
  4. On the "New Security Context Page" check the "Protect all resources by default", "Add Existing User Directories" check boxes and select "DataSource" from the "Enable Security for Resource Types".
  5. Click "Add".

C. Create the "dev1_dsn" Rule for the "dsdev1" data source.

  1. Click "Rules".
  2. On the "Resource Rules for Security Context "dscontext"" page, enter "dev1_dsn" in the "Rule Name" text field, select "DataSource" from the drop-down select box and click "Add".
  3. On the "New Resource Rule of Type DataSource" page, enter "dsdev1" in the "DataSource" text field and select "All" from the "Restrict SQL" radio button.
  4. Click "Add" and click "Back".

D. Set up a Policy.

  1. On the "Edit Security Context" page, Click "Policies".
  2. On the "Resource Policies for Security Context "dscontext"" page, enter "dev1_policy" in the "Policy Name" text field and click "Add".
  3. Click "Add" again.

E. Add the "dev1_dsn" Rule to the "dev1_policy" Policy.

  1. On the "Resource Policies for Security Context "dscontext"" page, click on "dev1_policy".
  2. On the "Edit Security Policy" page, click on the "Rules" button.
  3. On the "Resource Rules for Policy "dev1_policy"" page, click "Add/Remove".
  4. Highlight "dev1_dsn" in the "Available Rules" column and click the left arrow button ( <== ). "dev1_dsn" now appears in the "Current Rules" column.
  5. Click "Back".
  6. Click "Back" again.

F. Add User "dev1" to the Policy.

  1. On the "Edit Security Policy" page, click "Users".
  2. On the "Users for Policy "dev1_policy"" page, select "ntdirectory" from the "User Directory" drop-down select box.
  3. Click "Add/Remove".
  4. In the "or Enter User" text field enter "dev1".
  5. Click "Add". (dev1 appears in the "Current Users" column.)
  6. Verify Advanced Security setup by choosing Security > Security Configuration > Security Map. The Security Map should read:

G. Configure ColdFusion Server to require ColdFusion Studio authentication.

  1. Click the "Security Configuration" link under "Advanced Security".
  2. On the "Advanced Security" page, at the bottom of the page, select "dscontext" from the "Security Context" drop-down select box under the section containing "Use ColdFusion Studio Authentication."
  3. Check the "Use ColdFusion Studio Authentication" check box.
  4. Click "Submit Changes".
  5. Stop and restart all of the following services:

    ColdFusion Application Server Service
    ColdFusion Executive Service
    ColdFusion RDS Service
    SiteMinder Authentication Service
    SiteMinder Authorization Service

H. Configure ColdFusion Studio or HomeSite+ to require authentication.

  1. Open ColdFusion Studio or HomeSite+.
  2. Select the Files tab from the resource window pane.
  3. Click the drop-down box in the drive listing pane, and select "Macromedia FTP & RDS."
  4. Right-click and select "Properties" for your RDS connection to your server. Ensure that both the "User Name" and "Password" fields are empty. Check the Prompt for Password checkbox. Click OK.

    NOTE: ColdFusion Studio and the Server cache authentication information, so if you authenticate with user dev1, then user dev1's information will be cached and will always display in Studio until all of the above services are restarted and the user name and password for the RDS connection are cleared in the properties dialog for that RDS connection in Studio.
  5. You will be prompted to "Enter RDS Security Information." Enter dev1 in the "User Name" field, the password for the user dev1 in the "Password" field and click "OK".
  6. Select the Database tab from the resource window pane.
  7. From the drop-down select box, select your RDS connection.
  8. You will again be prompted to "Enter RDS Security Information." Enter dev1 in the "User Name" field, the password for the user dev1 in the "Password" field and click "OK". You should see the "dsdev1" data source only.
  9. Close ColdFusion Studio/HomeSite+.

I. Create the "dev2_dsn" Rule for the "dsdev2" data source.

  1. In the ColdFusion Administrator on the "Registered Security Contexts for Security Server "CFSM"" page (Security Configuration > Security Contexts) click on "dscontext."
  2. Click "Rules".
  3. On the "Resource Rules for Security Context "dscontext"" page, enter "dev2_dsn" in the "Rule Name" text field, select "DataSource" from the drop-down select box and click "Add."
  4. On the "New Resource Rule of Type "DataSource"" page, enter "dsdev2" in the "DataSource" text field and select "All" from the "Restrict SQL" radio button.
  5. Click "Add" and click "Back".

J. Set up a Policy.

  1. On the "Edit Security Context" page, click "Policies."
  2. On the "Resource Policies for Security Context "dscontext"" page, enter "dev2_policy" in the "Policy Name" text field and click "Add."
  3. Click "Add" again.

K. Add the "dev2_dsn" Rule to the "dev2_policy" Policy.

  1. On the "Resource Policies for Security Context "dscontext"" page, click on "dev2_policy".
  2. On the "Edit Security Policy" page, click on the "Rules" button.
  3. On the "Resource Rules for Policy "dev2_policy"" page, click "Add/Remove".
  4. Highlight "dev2_dsn" in the "Available Rules" column and click the left arrow button ( <== ). dev2_dsn appears in the "Current Rules" column.
  5. Click "Back".
  6. Click "Back" again.

L. Add User "dev2" to the Policy.

  1. On the "Edit Security Policy" page, click "Users".
  2. On the "Users for Policy "dev2_policy"" page, select "ntdirectory" from the "User Directory" drop-down select box.
  3. Click "Add/Remove".
  4. In the "or Enter User" text field enter "dev2".
  5. Click "Add". (dev2 appears in the "Current Users" column.)
  6. Verify Advanced Security setup by choosing Security > Security Configuration > Security Map. The Security Map should read:
  7. Stop and restart all of the following services:

    ColdFusion Application Server Service
    ColdFusion Executive Service
    ColdFusion RDS Service
    SiteMinder Authentication Service
    SiteMinder Authorization Service

M. Test dev2 and dev3 user access.

  1. Open ColdFusion Studio or HomeSite+.
  2. Select the Database tab from the resource window pane.
  3. From the drop-down select box, select your RDS connection.
  4. You will be prompted to "Enter RDS Security Information." Enter dev2 in the "User Name" field, the password for user dev2 in the "Password" field and click "OK". You should see the "dsdev2" data source only.
  5. From the drop-down select box, select your RDS connection. (You will be prompted to "Enter RDS Security Information".)
  6. Enter dev3 in the "User Name" field, the password for user dev3 in the "Password" field and click "OK".
  7. You should see no data sources listed.
  8. Close ColdFusion Studio/HomeSite+.
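The results expected in sections H and M follow from how the objects set up in sections B through L fit together: a Security Context with "Protect all resources by default" checked denies every data source unless some Policy that lists the user contains a Rule naming that data source. The Python below is an added example for this TechNote, not ColdFusion code or anything shipped with the product. It encodes "dscontext", the two Rules and the two Policies exactly as configured above and reproduces the authorization decision that the Database tab in Studio reflects. Two things in it are assumptions: the meaning of "Protect all resources by default" is modelled as "a data source named by no Rule is still protected when the box is checked, and open to every authenticated user when it is not", and a third data source, "dsother", is invented so that difference is visible.

```python
# Added example: a model of the ColdFusion 5 Advanced Security objects this
# TechNote configures. It is not ColdFusion code; it reproduces the
# authorization decision so the RDS results for dev1, dev2 and dev3 can be
# checked offline.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """A Resource Rule: names one resource of one type (here "DataSource")."""
    name: str
    resource_type: str
    resource: str


@dataclass
class Policy:
    """A Policy binds a set of Rules to the users allowed to use them."""
    name: str
    rules: set = field(default_factory=set)   # names of Rules in the context
    users: set = field(default_factory=set)   # (user_directory, user_name) pairs


@dataclass
class SecurityContext:
    name: str
    protect_all_by_default: bool              # the check box from section B, step 4
    enabled_types: set = field(default_factory=set)   # "Enable Security for Resource Types"
    rules: dict = field(default_factory=dict)          # rule name -> Rule
    policies: dict = field(default_factory=dict)       # policy name -> Policy


def is_protected(ctx, resource_type, resource):
    """Assumed semantics: a resource of an enabled type is protected when the
    context protects everything by default, or when some Rule names it."""
    if resource_type not in ctx.enabled_types:
        return False
    if ctx.protect_all_by_default:
        return True
    return any(r.resource_type == resource_type and r.resource == resource
               for r in ctx.rules.values())


def is_authorized(ctx, user, resource_type, resource):
    """Unprotected resources are open to everyone; a protected resource needs a
    Policy that lists the user and contains a Rule naming that resource."""
    if not is_protected(ctx, resource_type, resource):
        return True
    for policy in ctx.policies.values():
        if user not in policy.users:
            continue
        for rule_name in policy.rules:
            rule = ctx.rules[rule_name]
            if rule.resource_type == resource_type and rule.resource == resource:
                return True
    return False   # default deny: no Policy grants this user the resource


def visible_datasources(ctx, user, datasources):
    """What the Database tab in Studio would list for this user."""
    return [d for d in datasources
            if is_authorized(ctx, user, "DataSource", d)]


def build_technote_context(protect_all_by_default=True):
    """Sections B through L: context "dscontext", Rules dev1_dsn and dev2_dsn,
    Policies dev1_policy and dev2_policy holding dev1 and dev2 from "ntdirectory"."""
    ctx = SecurityContext("dscontext", protect_all_by_default, {"DataSource"})
    ctx.rules["dev1_dsn"] = Rule("dev1_dsn", "DataSource", "dsdev1")
    ctx.rules["dev2_dsn"] = Rule("dev2_dsn", "DataSource", "dsdev2")
    ctx.policies["dev1_policy"] = Policy("dev1_policy", {"dev1_dsn"},
                                         {("ntdirectory", "dev1")})
    ctx.policies["dev2_policy"] = Policy("dev2_policy", {"dev2_dsn"},
                                         {("ntdirectory", "dev2")})
    return ctx


# Constructed sample: the two data sources from the TechNote plus "dsother",
# an assumed extra data source that no Rule names.
DATASOURCES = ["dsdev1", "dsdev2", "dsother"]

if __name__ == "__main__":
    for protect_all in (True, False):
        ctx = build_technote_context(protect_all)
        print("protect_all_by_default =", protect_all)
        for name in ("dev1", "dev2", "dev3"):
            principal = ("ntdirectory", name)
            print("  ", name, "->", visible_datasources(ctx, principal, DATASOURCES))
```

With the box checked, as section B instructs, dev1 sees only dsdev1, dev2 only dsdev2, and dev3 nothing, which is what sections H and M expect. The second pass shows why the box matters: with it cleared, any data source that no Rule names (here the assumed "dsother") becomes visible to every user who can authenticate, while dsdev1 and dsdev2 stay restricted because Rules name them. Adding a data source later without adding a Rule for it is therefore only safe when "Protect all resources by default" is on.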


Document Details

ID: tn_18669
Browser: Chrome, Internet Explorer, Netscape, Opera, Safari, Firefox
Database: DB2, Informix, MySQL, Oracle, SQL Server, Sybase, MS Access