I have a ColdFusion 8.0.1 server with Cumulative Hot Fix 4 installed. I installed the hotfix for APSB11-04 yesterday and now any use of the cfNTauthenticate tag generates errors.
I have a CFM that contains only the following code:
<cfntauthenticate
    username="test"
    password="test"
    domain="test"
/>
When I try to execute the CFM I get a "JRun Servlet Error" with a stack trace that starts like this:
ROOT CAUSE:
java.lang.NoClassDefFoundError: Could not initialize class coldfusion.security.NTAuthentication
    at coldfusion.tagext.security.NTAuthenticateTag.doStartTag(NTAuthenticateTag.java:161)
    at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
I then created a separate CFM with the following code:
<cfobject
    class = "coldfusion.security.NTAuthentication"
    type = "Java"
    name = "test"
    action = "create"
/>
Which executes without generating any errors. If I remove hf801-00002.jar from {cf-root}/lib/updates and restart the ColdFusion service then the cfNTauthenticate example above will execute without any problem. The only other JAR in my {cf-root}/lib/updates folder is chf8010004.jar. Enabling or disabling the "Disable access to internal ColdFusion Java components" option in ColdFusion Administrator does not affect the situation. Nor does using the latest JRE versus the JRE that shipped with CF8.0.1.
I have a custom tag that uses jrun.security.NTAuth to recreate cfNTauthenticate's functionality in place as a workaround at the moment, but I would like to know if there's anything I can do to resolve this issue.
Some further notes. The very first time I try to run code with cfNTauthenticate after the CF service is restarted I get the following stack trace:
ROOT CAUSE:
java.lang.ExceptionInInitializerError
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at coldfusion.runtime.java.JavaProxy.CreateObject(JavaProxy.java:168)
    at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:75)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2272)
    .
    .
    .
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission C:\ColdFusion8\runtime\..\lib\cfwindowslogin.dll read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
    at java.io.File.exists(File.java:731)
    at coldfusion.bootstrap.BootstrapClassLoader.findLibrary(BootstrapClassLoader.java:165)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1705)
    at java.lang.Runtime.loadLibrary0(Runtime.java:823)
    at java.lang.System.loadLibrary(System.java:1028)
    at coldfusion.security.NTAuthentication.<clinit>(NTAuthentication.java:147)
    ... 37 more
After the first attempt, all future attempts generate the error given in my previous post.
I went back into the ColdFusion Administrator and disabled sandbox security and restarted the service. This time my cfNTauthenticate tag ran fine without any problems on the server with the hf801-00002 hotfix.
I then re-enabled sandbox security and went into the Files/Dir tab and added a rule that allows read access to c:\coldfusion8\lib\cfwindowslogin.dll and restarted the CF service. My cfNTauthenticate code worked.
So now my question is: if I have sandbox security enabled, what rules do I need to add to keep ColdFusion working? Is there any documentation on that?
In the past I've had to add rules for c:\coldfusion8\runtime\servers\coldfusion\server-inf\temp\- (where file uploads are temporarily stored) and C:\ColdFusion8\wwwroot\- and c:\coldfusion8\customtags\. I'm trying to keep the server as locked down as possible, which is why I'm trying to avoid a rule to just allow read access to everything in c:\coldfusion8\. Any suggestions would be appreciated.
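Added example (not part of the original posts and not Adobe's code): one way to arrive at the narrowest set of Files/Dirs rules is to collect the `access denied (java.io.FilePermission ...)` messages from the stack traces and normalize each path, since the trace above reports the DLL as `runtime\..\lib\cfwindowslogin.dll` while the rule that worked was for `lib\cfwindowslogin.dll`. The function name and every sample log line except the first `Caused by` line are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Message format used by java.security.AccessControlException.
DENIED = re.compile(
    r"access denied \((?P<cls>[\w.$]+) (?P<target>.+) (?P<actions>[A-Za-z,]+)\)"
)

# Constructed sample: the first "Caused by" line is the one quoted in the post;
# the temp-file denial and the lower-case duplicate are made up.
SAMPLE_LOG = r"""
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission C:\ColdFusion8\runtime\..\lib\cfwindowslogin.dll read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission C:\ColdFusion8\runtime\servers\coldfusion\server-inf\temp\upload1.tmp write)
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission c:\coldfusion8\lib\cfwindowslogin.dll read)
"""


def denied_file_permissions(log_text):
    """Hypothetical helper: map each denied file path to the actions it needs.

    Only java.io.FilePermission denials are reported. Paths are normalized
    with Windows rules ("a\\..\\b" collapses to "b", case is folded), so the
    same file reached through different spellings yields a single entry.
    """
    needed = defaultdict(set)
    for match in DENIED.finditer(log_text):
        if match.group("cls") != "java.io.FilePermission":
            continue
        path = ntpath.normcase(ntpath.normpath(match.group("target")))
        needed[path].update(match.group("actions").split(","))
    return {path: sorted(actions) for path, actions in sorted(needed.items())}


if __name__ == "__main__":
    for path, actions in denied_file_permissions(SAMPLE_LOG).items():
        print(f"{path}  ->  {','.join(actions)}")
```

Each path in the output is a candidate for an individual Files/Dirs rule with only the listed actions, which avoids a blanket read rule on `c:\coldfusion8\`.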