web.config in CF 2021?

Report · Apr 27, 2021

I've installed the CF 2021 developer edition on my machine which uses apache tomcat. I then followed the guide below under the "Configure IIS for ColdFusion in Windows" section:

https://helpx.adobe.com/coldfusion/user-guide.html/coldfusion/installing/configuring-your-system.ug....

My site now appears to be using IIS. I can browse to it under localhost and access cfm pages under my CF installation directory. If I stop the IIS site, then my site is no longer available. My question is where can I place a web.config file to make configuration changes to the site or is this even possible? Putting a web.config file in the IIS wwwroot or the CF installation wwwroot seems to do nothing to the configuration. For example I tried to restrict access to anonymous users in this web.config file and all users still had access. If I restrict anonymous users in IIS management console, then it does work.

Report · Apr 27, 2021

The CF installation web root will not use web.config. So don't bother with that.

When you use the IIS management console, you are creating a .config file somewhere. If you're editing the configuration for a single site, it's usually creating (or editing) web.config right in that web root for you. I would strongly recommend you check carefully for this, maybe from the command line instead of Windows Explorer.

I would have to look carefully at your system to see exactly what config file is edited where, when you're using the IIS Management Console, and also see what the difference is between that one and what you're creating in a text editor, but that's really all the IIS Management Console is - a way to edit .config files for IIS.

Dave Watts, Eidolon LLC

Report · Apr 27, 2021

With further testing it does look like the web.config in the IIS wwwroot is working after all. The authentication settings in IIS management console do not always create an entry though in web.config which is why I was confused. However, if you add authorization rules it will create them in the web.config file and this will be applied to files in the IIS wwwroot.

Authorization rules, however, do not get applied to the CF site. For example "<deny users='*'>" does nothing. So it would seem that certain settings in web.config do not get applied to CF. Is there a list somewhere of web.config settings that will apply to CF?

My whole goal of this was to see if I could implement Windows Authentication via web.config and perhaps restrict access to a specific directory/app in ColdFusion. It looks like this will not be possible and that instead I'll need to use the CFLDAP tag in my application.cfc to connect with active directory. Now that I know this is there a way to restrict access to files in the file system that are not cfm/cfml/cfc files which will not be caught by application.cfc?

Report · Apr 27, 2021

Malcom, there's no aspect of cf that would influemce whether iis settings like that would work or not. Those apply in iis before any request to cf, not vice-versa.

But here is one possibility: features in iis are controlled by "modules", as tracked in the modules feature viewable at the site or server level, and where the order can be controlled at the server level.

It may be that the authorization module is after the isapi filters module, and the latter is what passes requests to cf (along with handler mappings).

If that's so and you are tempted, you could put the auth module above the isapi filters. It's easily reverted if it doesn't help.

/Charlie (troubleshooter, carehart.org)

Report · Apr 28, 2021

Thank you Charlie for the idea. That might be a bit more than what I want to do.

Adobe Community

web.config in CF 2021?