Thanks Byron. I found "Adobe® ColdFusion® 9 Server Lockdown Guide" and
will go through that. It looks pretty comprehensive.

Thanks Jochem. What you say about the security layers, and the RMI
policy overriding the previous .policy files, makes sense.

Yes, this was related to our attempts to make the T3/RMI call to
WebLogic. We ended up switching to WebServices to get around the whole
issue.

Regards,
Chris


On Fri, Sep 21, 2012 at 4:45 AM, Jochem van Dieten <joch...@gmail.com> wrote:
>
> On Thu, Sep 20, 2012 at 12:52 AM, Chris wrote:
>> So ... a client wants to know just how risky it is to temporarily
>> allow java.security.AllPermission ?
>
> I presume this is a followup to your Weblogic / RMI problem?
>
>
>> It's clear it's not good, but how bad is it? What exactly could
>> someone do to a server that's behind firewalls and load balancers?
>
> Probably it is inconsequential in the big picture.
>
> As always there is a layered security model. The access of the server
> running CF to other systems is limited by firewalls. The access of the
> JVM instance to the server is limited by the Windows account. The
> access of CF to the JVM instance is limited by the java.security.*
> security permissions.
>
> What I presume is happening is that by default CF runs with
> java.security.AllPermission already. (Have a look at the security
> policy in /WEB-INF/cfusion/lib/coldfusion.policy and
> /WEB-INF/cfusion/lib/neo_jaas.policy to see what CF ships with.) Then
> when some Weblogic RMI call is run, some other security policy that is
> much more restricted is loaded, causing CF to fail. The new
> configuration would overrule that security policy and restore the
> original security from CF.
>
> If this presumption is right, you can tell them that from a CF
> perspective you are just restoring the original configuration. The
> only additional risk is not CF, but the Weblogic RMI running with
> additional privileges.
>
> Jochem
>
>
> --
> Jochem van Dieten
> http://jochem.vandieten.net/
>
> 
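The quoted reply describes the innermost layer of the model, the java.security.* permissions that a policy file grants to the JVM. As an added example (not code from this thread or from ColdFusion), the program below builds the in-memory equivalent of two policy files, one granting java.security.AllPermission and one granting a single narrow permission, and shows what each one implies. The file names and the specific permissions checked are constructed for illustration; the policy syntax shown in the comments is standard Java policy-file syntax.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

/**
 * Compares an AllPermission grant with a minimal grant.
 * Constructed example; the two Permissions objects stand in for policy
 * files such as (names assumed for illustration):
 *
 *   broad.policy:
 *     grant { permission java.security.AllPermission; };
 *
 *   narrow.policy:
 *     grant { permission java.util.PropertyPermission "java.version", "read"; };
 *
 * A real policy file is selected with -Djava.security.policy=<file>.
 */
public class PolicyCompare {

    /** Equivalent of a policy file whose only grant is AllPermission. */
    static Permissions broadPolicy() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    /** Equivalent of a policy file granting one read-only property. */
    static Permissions narrowPolicy() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("java.version", "read"));
        return p;
    }

    /** True when the policy would let code perform the requested action. */
    static boolean allows(Permissions policy, Permission request) {
        return policy.implies(request);
    }

    public static void main(String[] args) {
        // Constructed sample requests a running application might make.
        Permission[] requests = {
            new PropertyPermission("java.version", "read"),
            new FilePermission("/tmp/example.txt", "write"),   // path is a placeholder
            new RuntimePermission("exitVM"),
            new RuntimePermission("setSecurityManager"),
        };

        Permissions broad = broadPolicy();
        Permissions narrow = narrowPolicy();

        System.out.printf("%-45s %-8s %-8s%n", "request", "broad", "narrow");
        for (Permission r : requests) {
            // AllPermission implies every Permission, including ones that
            // let code replace the security manager itself; the narrow
            // policy implies only the exact grant it lists.
            System.out.printf("%-45s %-8b %-8b%n",
                r.getClass().getSimpleName() + " " + r.getName() + " " + r.getActions(),
                allows(broad, r), allows(narrow, r));
        }
    }
}
```

Run with `javac PolicyCompare.java && java PolicyCompare`. The table prints `true` in the broad column for every request and `true` in the narrow column only for the java.version read, which is the point of the thread: once AllPermission is granted, the java.security.* layer no longer restricts anything, and the remaining controls are the OS account the JVM runs under and the network boundaries around the host.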

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352712