I have enabled sandbox security for a site. I added the needed data sources and removed the <<ALL FILES>> in the Files/Dirs section and just added the file paths the site requires. When visiting the site, I was getting the error:
Error Executing Database Query.access denied ("java.io.FilePermission" "[my cf root]\cfusion\wwwroot\WEB-INF\classes\com\mysql\jdbc\configs\coldFusion.properties" "read")
I noticed that this only affects MySQL and Oracle queries (MS SQL Server queries would run fine up to the point that I needed to query a MySQL or Oracle DB). If I clicked to verify the connections in CF Admin, the site would load and run fine until the server is restarted.
I found this thread: https://forums.adobe.com/thread/2319887 which was almost the same issue I am having, and it suggested adding: "[cf.root]\cfusion\wwwroot\WEB-INF\classes\" and "[cf.root]\cfusion\wwwroot\WEB-INF\classes\-" with READ permissions.
So I added those two paths and this allowed the site to work fine until the database connection time expires and now I get "Error Executing Database Query.Can't find configuration template named 'coldFusion'" pointing to some MySQL queries. Again, if I verify the connection on the MySQL data source, the site will work fine after that until the connection time expires. Oddly enough, there is no longer an issue with the Oracle data source.
Would this have anything to do with the location I used with the two additional classes for Oracle and MySQL data sources that I reference in the Java & JVM "ColdFusion Class Path"? I have these two classes stored outside the cf.root.
Can anyone point me to some guidelines for implementing Sandbox security on Files/Dirs? If I re-add "<<ALL FILES>>" to the paths with READ permissions the site works fine but I would like to lock this site down a little more.
BTW, this is with CF2016 Update 5 on Windows Server 2016.
Update: I moved the Java classes I'm using for Oracle and MySQL data sources into the [cf.root]\cfusion\wwwroot\WEB-INF\classes\ folder and am no longer having an issue with just the site's file paths and
defined in Files/Dirs section. Still seems odd that I need to specify these paths. Any comments on this?
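Added example, not part of the original post: a small Python model of the documented java.io.FilePermission path rules (a plain path matches only itself, a trailing `\*` matches direct children, a trailing `\-` matches everything below), used to audit a Files/Dirs allowlist against the paths a site needs. `CF_ROOT` and the `D:\jdbc` driver path are constructed stand-ins, and the matching is a simplification (case-insensitive, no canonicalization or symlink handling).

```python
from pathlib import PureWindowsPath

ALL_FILES = "<<ALL FILES>>"

def covers(entry: str, target: str) -> bool:
    """True if one Files/Dirs entry covers `target` under FilePermission path rules."""
    if entry == ALL_FILES:
        return True
    t = PureWindowsPath(target)
    if entry.endswith("\\-"):
        # Recursive form: every file and subdirectory below the directory,
        # but not the directory itself (hence the separate "classes\" entry).
        return PureWindowsPath(entry[:-2]) in t.parents
    if entry.endswith("\\*"):
        # Direct children of the directory only.
        return t.parent == PureWindowsPath(entry[:-2])
    # Plain path: only the named file or directory itself.
    return t == PureWindowsPath(entry)

def audit(entries, needed):
    """Map each needed path to the entries covering it (empty list means denied)."""
    return {p: [e for e in entries if covers(e, p)] for p in needed}

# Constructed sample data; CF_ROOT stands in for [cf.root] from the post.
CF_ROOT = r"C:\ColdFusion2016"
CLASSES = CF_ROOT + r"\cfusion\wwwroot\WEB-INF\classes"
ENTRIES = [CLASSES + "\\", CLASSES + "\\-"]  # the two entries with READ
NEEDED = [
    CLASSES,
    CLASSES + r"\com\mysql\jdbc\configs\coldFusion.properties",
    r"D:\jdbc\mysql-driver.jar",  # hypothetical driver jar outside cf.root
]

if __name__ == "__main__":
    for path, hits in audit(ENTRIES, NEEDED).items():
        print("OK    " if hits else "DENIED", path)
```

Any path reported as DENIED needs its own entry, or a `\-` entry on a parent directory, before `<<ALL FILES>>` can stay removed.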