March 7, 2014
Answered

ColdFusion ignoring NTFS permissions


I have seen a few older posts that have presented this same issue, but there was no resolution in the thread.  I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.

CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages.  Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents.  Tested with an html page and html page is blocked properly.  It is my understanding that IIS passes the control to cf, cf displays the cfm page.

Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings.  I saw in one thread discussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server.  I have set the .cfmHandler to "file", and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.

I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...

Thanks!

Tanya

This topic has been closed for replies.

Carl Von Stetten
Legend
March 7, 2014

Tanya,


This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+.  Since IIS hands off processing of .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions.  I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders.  So programmatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not.  Some use the <cflogin> features of ColdFusion; others roll their own.

I could be completely off about this, though.  Do you use Application.cfc in your apps, or Application.cfm?  That may have a bearing as well.

-Carl V.
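
The application-level check described in the reply above, sketched as an added example (it is not code from Carl or from anyone in this thread). It assumes an `Application.cfc` at the root of the protected folder, HTTP Basic credentials sent over HTTPS with a bare username, and placeholder names `EXAMPLE` (domain) and `CF-Restricted-Users` (Windows group).

```cfml
<!--- Application.cfc: added illustration, not code from this thread. --->
<cfcomponent output="false">
  <cfset this.name = "groupGateExample">
  <cfset this.sessionManagement = true>
  <cfset this.loginStorage = "session">

  <!--- Assumed placeholder values; replace with your own domain and group. --->
  <cfset variables.ntDomain = "EXAMPLE">
  <cfset variables.allowedGroup = "CF-Restricted-Users">

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var auth = "">

    <!--- The cflogin body runs only when no user is logged in for this session. --->
    <cflogin>
      <!--- The cflogin struct exists only if the request carried credentials. --->
      <cfif isDefined("cflogin") and len(cflogin.password)>
        <!--- Validate against the Windows domain and fetch group membership. --->
        <cfNTauthenticate username="#cflogin.name#" password="#cflogin.password#"
            domain="#variables.ntDomain#" result="auth"
            listGroups="yes" throwOnError="no">
        <cfif auth.auth>
          <!--- Windows groups become ColdFusion roles for this login. --->
          <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
              roles="#auth.groups#">
        </cfif>
      </cfif>
    </cflogin>

    <!--- Fail closed: no authenticated user means no page output at all. --->
    <cfif not len(getAuthUser())>
      <cfheader statuscode="401" statustext="Unauthorized">
      <cfheader name="WWW-Authenticate" value='Basic realm="Restricted"'>
      <cfabort>
    </cfif>

    <!--- Authenticated but outside the allowed group: refuse the request. --->
    <cfif not isUserInRole(variables.allowedGroup)>
      <cfheader statuscode="403" statustext="Forbidden">
      <cfabort>
    </cfif>

    <cfreturn true>
  </cffunction>
</cfcomponent>
```

Because `onRequestStart` runs before every `.cfm` request under this `Application.cfc`, the check applies even when a user cancels the browser's credential prompt.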

tishward (Author)
Participating Frequently
March 10, 2014

I should be more specific.  I know CF has always been this way. In IIS6 you could force IIS to make sure the file exists and then pass control to CF.  In IIS7.5, that checkbox is gone.  I want IIS to check perms before passing to CF. Has anyone managed to get this to work, and if so, what was the solution?  I am an admin, not a developer. 

Thanks!

vishu_13
Correct answer
Inspiring
March 11, 2014

Tanya,

Drop an e-mail to ColdFusion support team (cf.install@adobe.com)

Thanks

VJ