Enabling sandbox security in ColdFusion MX 7.0.1 & 7.0.2
Issue
The Enable ColdFusion Security checkbox on the ColdFusion MX 7.0.1/7.0.2 Administrator Sandbox Security screen does not, by itself, enable sandbox security. Even when the checkbox is selected, ColdFusion does not apply the restrictions of any configured sandbox.
Reason
A Java security manager (java.lang.SecurityManager) is necessary to enforce sandbox security in the ColdFusion MX 7.0.1/7.0.2 Multiserver and J2EE configurations.
Solution
Enable a Java security manager (java.lang.SecurityManager) for the J2EE server and add the following JVM arguments:
-Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" -Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"
For Multiserver configuration:
- Stop ColdFusion.
- Locate the jvm.config file in jrun_root/bin.
- Back up the file.
- Open the file in a text editor.
- Add the following lines to the java.args section:
-Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" -Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"
- Save and close the file.
- Restart ColdFusion.
For other J2EE configurations, consult your server documentation for enabling a Java security manager and configure the following JVM arguments:
-Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" -Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"
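Because a missing security manager fails silently (the checkbox stays selected while no sandbox is enforced), it is worth verifying the edit. The following check is an added example, not part of the original technote or Adobe's code. It assumes jvm.config is a properties-style file with a single uncommented java.args= line and # comments; the sample file contents and the -server/-Xmx values are constructed.

```python
import shlex

# The three JVM arguments the technote requires.
REQUIRED = ("-Djava.security.manager",
            "-Djava.security.policy",
            "-Djava.security.auth.policy")

def read_java_args(config_text):
    """Return the value of the last uncommented java.args= line, or None."""
    value = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out entries are ignored
        key, sep, val = stripped.partition("=")
        if sep and key.strip() == "java.args":
            value = val.strip()
    return value

def missing_sandbox_args(java_args):
    """List required arguments that are absent, or present with an empty path."""
    seen = {}
    for token in shlex.split(java_args or ""):
        name, _, val = token.partition("=")
        seen[name] = val
    missing = []
    for name in REQUIRED:
        needs_path = name != "-Djava.security.manager"
        if name not in seen or (needs_path and not seen[name]):
            missing.append(name)
    return missing

# Constructed samples; cf_webapp_root is the technote's own placeholder.
POLICY_ARGS = ('-Djava.security.manager '
    '-Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" '
    '-Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"')
SAMPLE_OK = "# Arguments to VM\njava.args=-server -Xmx512m " + POLICY_ARGS + "\n"
# Flags pasted on a separate line, or on a commented line, are not in java.args.
SAMPLE_BAD = ("java.args=-server -Xmx512m\n" + POLICY_ARGS +
              "\n#java.args=" + POLICY_ARGS + "\n")

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, missing_sandbox_args(read_java_args(text)))
```

For other J2EE servers, pass the server's JVM argument string directly to missing_sandbox_args.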
