Re: IIS permissions on CF files
The directory contains an existing application, and there is resistance to modifications that would need to be re-applied after upgrading. :( ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323110 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: IIS permissions on CF files
Does anyone know why this is the case, and how to fix it? IIS doesn't access the files directly. It hands the request off to the ColdFusion server and it reads the files and returns the content. You would need to disable anonymous access to the file/folder in IIS to ensure the user is authenticated before hitting those pages. -Justin ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323089 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: IIS permissions on CF files
Well, the user wont be authenticated, because the point is to block this directory completely on this site (it will be accessed via an entirely different domain/port). But I think the login prompt that displays with anonymous access disabled is a good enough block, (even though a straight 403 would be better). Thanks. ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323090 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: IIS permissions on CF files
put an Application.cfc in that directory and add code in onRequestStart method in it to check for cgi.server_name or cgi.http_host ( or for getPageContext().getRequest().getServerName() ) and abort the request (and maybe return a 403 header) if the domain the request is coming from is not allowed. Azadi Saryev Sabai-dee.com http://www.sabai-dee.com/ On 02/06/2009 23:58, Peter Boughton wrote: Well, the user wont be authenticated, because the point is to block this directory completely on this site (it will be accessed via an entirely different domain/port). But I think the login prompt that displays with anonymous access disabled is a good enough block, (even though a straight 403 would be better). Thanks. ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323099 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
