Skip to main content
A
ademd90752149
Participant
February 18, 2025
Answered

Restricting users' access to Coldfusion datasource

  • February 18, 2025
  • 1 reply
  • 362 views

Hi,

There are two different databases on the same server (MSSQL) with a Coldfusion datasource added. How can I restrict access to these databases for two different developers who are developing with Coldfusion? Both users have file systems at a level that only they can access.

For example, only user x can access database a. User y can access database b. User x, who has access to database a, can access the database that he/she does not have permission to by typing

 

<cfquery name="GetAll" datasource="b{coldfusion datasource that he/she does not have permission to}">

...

</cfquery>

Is there a way to prevent this?

Correct answer Charlie Arehart

Yes: that would require you enabling and configuring the ColdFusion "Sandbox Security" feature. While it would be nice if I could leave it at that and point you to some single good resource, but sadly none exists. 

 

It's a feature that been around forever, but few use it--and while I did an overview 20+ years ago, I never updated it (part 1 and part 2). The concepts all apply.

 

But there are some gotchas that have tripped up some.  I'll point you to a more recent forum reply (in the Lucee forums, but discussing this CF Sandbox Security feature), where I offered more details and other resources:

https://dev.lucee.org/t/lucee-sandbox-security/13394/5

 

As you may explore the feature, note this (which I indicate there): while it used to be in cf Enterprise only, that changed with cf11. Many resources fail to acknowledge that, which has discouraged scared many from using it. (There was a more limited variant in Standard before then, called Resource Security. That was replaced with the full sandbox security feature in 11.) 

 

Finally, there is discussion of it buried within this large single doc page on using the cf admin:

https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html#Usingsandboxsecurity

 

I hope to do a post soon bringing together this info and some more to help people considering it. Until then hope the above helps. Or you can ask more here. Also, I can help directly via remote screenshare consulting (carehart.org/consulting), if you want to accelerate that implementation. 

1 reply

Charlie Arehart
Community Expert
Charlie ArehartCommunity ExpertCorrect answer
Community Expert
February 20, 2025

Yes: that would require you enabling and configuring the ColdFusion "Sandbox Security" feature. While it would be nice if I could leave it at that and point you to some single good resource, but sadly none exists. 

 

It's a feature that been around forever, but few use it--and while I did an overview 20+ years ago, I never updated it (part 1 and part 2). The concepts all apply.

 

But there are some gotchas that have tripped up some.  I'll point you to a more recent forum reply (in the Lucee forums, but discussing this CF Sandbox Security feature), where I offered more details and other resources:

https://dev.lucee.org/t/lucee-sandbox-security/13394/5

 

As you may explore the feature, note this (which I indicate there): while it used to be in cf Enterprise only, that changed with cf11. Many resources fail to acknowledge that, which has discouraged scared many from using it. (There was a more limited variant in Standard before then, called Resource Security. That was replaced with the full sandbox security feature in 11.) 

 

Finally, there is discussion of it buried within this large single doc page on using the cf admin:

https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html#Usingsandboxsecurity

 

I hope to do a post soon bringing together this info and some more to help people considering it. Until then hope the above helps. Or you can ask more here. Also, I can help directly via remote screenshare consulting (carehart.org/consulting), if you want to accelerate that implementation. 

/Charlie (troubleshooter, carehart. org)
    A
    ademd90752149Author
    Participant
    February 20, 2025

    Hi Charlie,

    Thank you very much for your answer and detailed information. I defined two different directories in Coldfusion Sandbox Security. One is the real environment (C:\W3\PROD) and the other is the test environment (C:\W3\TEST). I limited the required datasource permissions for each directory and some extra CFTag etc. parameters for the test environment. As a result,

     

    The code and output that runs in the test environment.

           
     

    If I use a datasource belonging to a real environment that I am not authorized in the code in the test directory,

     

    This really works. Of course, I will need to do some tests. In particular, I will need to examine the methods such as accessing the directories belonging to the real environment with coding in the test environment. After the tests, we will continue the applications with Coldfusion with different developers.

     

    Best regards!

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    February 20, 2025

    Great to hear, and happy to have helped. Yep, you'll almost certainly have more configuration of the sandbox to do. Again, the resources I shared will offer more detail--some beyond what can be discerned form the ui there. 🙂

     

    BTW, could you mark my first reply as the "answer"? That helps future readers of the thread. 

    /Charlie (troubleshooter, carehart. org)
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices