Enabling sandbox security in ColdFusion MX 7.0.1 & 7.0.2
Issue
The Enable ColdFusion Security checkbox on the ColdFusion MX 7.0.1/7.0.2 Administrator Sandbox Security screen does not, by itself, enable sandbox security. Even when the checkbox is selected, ColdFusion does not apply the restrictions of any configured sandbox.
Reason
A Java security manager (java.lang.SecurityManager) is necessary to enforce sandbox security in the ColdFusion MX 7.0.1/7.0.2 Multiserver and J2EE configurations.
Solution
Enable a Java security manager (java.lang.SecurityManager) for the J2EE server and add the following JVM arguments:
-Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" -Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"
For Multiserver configuration:
- Stop ColdFusion.
- Locate the jvm.config file in jrun_root/bin.
- Back up the file.
- Open the file in a text editor.
- Add the following lines to the java.args section:
-Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" -Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"
- Save and close the file.
- Restart ColdFusion.
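A check to run on the edited file before restarting, as an added example that is not part of the original technote: the shell function below reads the active java.args line of jvm.config and lists any of the three arguments above that are missing. The function name, its exit codes and the sample file contents are assumptions made for this example, and it assumes java.args sits on a single line.

```shell
#!/bin/sh
# Added example: report which sandbox-security JVM arguments are missing
# from the active java.args line of a jvm.config file.

# check_sandbox_args FILE
#   prints each missing argument name on its own line
#   returns 0 = all present, 1 = at least one missing, 2 = no java.args line
check_sandbox_args() {
    cfg=$1
    # Only an uncommented java.args line counts; '#' lines do not match.
    args=$(sed -n 's/^[[:space:]]*java\.args[[:space:]]*=//p' "$cfg" | tail -n 1)
    [ -n "$args" ] || return 2
    missing=0
    # The security manager switch must be a whole token (optionally =class),
    # so a longer property name with the same prefix is not accepted.
    case " $args " in
        *" -Djava.security.manager "*|*" -Djava.security.manager="*) ;;
        *) echo "-Djava.security.manager"; missing=1 ;;
    esac
    # Both policy properties need a value, so look for "name=".
    for opt in -Djava.security.policy -Djava.security.auth.policy; do
        case " $args " in
            *" $opt="*) ;;
            *) echo "$opt"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample jvm.config (not taken from a real installation):
# the JAAS policy argument has been left out on purpose.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# java.args=-Djava.security.manager   (commented out, so ignored)
java.args=-server -Xmx512m -Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy"
EOF
check_sandbox_args "$sample" || echo "sandbox security arguments incomplete"
rm -f "$sample"
```

On a real server, pass the path to jrun_root/bin/jvm.config. An exit status of 0 means all three arguments are on the active java.args line.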
For other J2EE configurations, consult your server documentation for enabling a Java security manager and configure the following JVM arguments:
-Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" -Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"
Doc ID
(343d0d2c)
Last updated
2006-07-11
