CF11 java.security.AccessControlException when Sandboxing enabled

Community Beginner, Jan 21, 2020

ColdFusion 11 version: 11,0,19,314546

Edition: Enterprise

Operating System: Windows Server 2012 R2

Java Version: 1.8.0_231

 

I'm having a problem with <cfexecute> once I enabled Sandbox Security on my CF11 Enterprise installation.  I have one ApacheCXF webservice client that is executed from within the application.  I've done the following within this sandbox:

 

  • enabled the cfexecute tag under the sandbox
  • given Execute permission on the folder where the client and calling function reside ( same folder )
  • given execute permission to the Windows user account and the service account on this directory.
  • also tried full control access for user account and service account, as well as execute in sandbox for entire directory.

 

The error I'm getting is:

An exception occurred when invoking an external process.

The cause of this exception was that: java.security.AccessControlException: access denied ("java.io.FilePermission" "<>" "execute").

 

Any suggestions?

LEGEND, Jan 21, 2020

I don't really work with any of the Java in CF, directly, but I wonder if the CF account that CF is running under has permission to access the CFEXECUTE tag, or anything else related.  It _sounds_ like a permissions issue, to me.

 

HTH,

 

^ _ ^

 

EDIT:  I mean after the sandbox is enabled, of course.

Community Beginner, Jan 21, 2020

I've even tried giving full control to both the user account and the service account, but still didn't work.

Community Beginner, Jan 21, 2020

Going to try a file path of <<ALL FILES>> with execute permission on the directory next and see what happens.  Unfortunately, it looks like I have to bounce the server for changes to take effect so will need to wait until after hours.
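
An added example, not part of the thread and not Adobe's code: the JDK's `SecurityManager.checkExec` demands execute on the command's own path only when that path is absolute, and on `<<ALL FILES>>` otherwise, so a directory-scoped execute grant covers the first case but not the second. The folder `sandbox-demo` and the command names are hypothetical.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permissions;

public class ExecPermissionDemo {

    // Same rule as the JDK's SecurityManager.checkExec(String cmd): an absolute
    // command path is checked by name, anything else against "<<ALL FILES>>".
    static FilePermission demandedFor(String cmd) {
        String target = new File(cmd).isAbsolute() ? cmd : "<<ALL FILES>>";
        return new FilePermission(target, "execute");
    }

    public static void main(String[] args) {
        // Hypothetical application folder; stands in for the sandboxed directory.
        String dir = new File("sandbox-demo").getAbsolutePath();

        // A sandbox-style grant: execute on everything under that folder ("-" = recursive).
        Permissions granted = new Permissions();
        granted.add(new FilePermission(dir + File.separator + "-", "execute"));

        String[] commands = {
            dir + File.separator + "client.bat", // absolute path inside the grant
            "client.bat",                        // bare name, resolved by the OS
            "java"                               // bare name found via PATH
        };
        for (String cmd : commands) {
            FilePermission need = demandedFor(cmd);
            String verdict = granted.implies(need) ? "allowed" : "access denied";
            System.out.println(cmd + " -> needs execute on \"" + need.getName() + "\": " + verdict);
        }
    }
}
```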

Adobe Community Professional, Jan 21, 2020

This is going to be an unsatisfying answer, but there are a bunch of other settings you have to enable within the CF Administrator for sandboxes to do this sort of thing. I don't know what they are, but they're probably documented on the forums here. Look for answers by Russ Michaels, who knew all about sandboxes. Alternatively, review the lockdown guide which might cover this more directly. I just don't use sandboxes, so I can't tell you what the settings actually are, sorry.

 

Dave Watts, Eidolon LLC

Community Beginner, Jan 21, 2020

I'll look for threads from Russ Michaels, thanks.  Been through the lockdown guide in depth already.

Explorer, Jan 21, 2020

Try adding this to the sandbox with RWD permissions.

C:/ColdFusion11/cfusion/runtime/work/Catalina/localhost/tmp/-

Back in my CF11 days I remember having to explicitly add that to get certain things to work in the sandbox. 

 

cf97bob, Community Beginner, Jan 22, 2020

Thanks for the suggestion!  Unfortunately, this didn't make a difference 😞
