Dick Applebaum wrote:
> On Monday, November 25, 2002, at 01:43 AM, Jochem van Dieten wrote:
>
> > And especially from the point of view of security built-in tags are
> > better. All those JSP tags and Java classes are nice, but on a shared
> > server you need to disable them anyway because the same mechanism
> > that is used to access them can be used to break out of the sandbox.
>
> Is this true for CFMXJ2ee on JRun, Websphere or whatever?

Depends on the built-in functionality. IIRC when you run JRUN Enterprise Edition you can configure multiple websites/applications to run under different OS accounts. That would make it possible to do this securely. But how many hosting providers would you expect to run JRUN Enterprise + CF for J2EE?

> I thought that one of the advantages of CFMXJ2ee on a J2ee-compliant
> app server, is the ability to interoperate between CF and Java programs.

Technically it is possible, but the function CreateObject() and tags like cfobject need to be disabled in a shared hosting environment because you can't guarantee any security with them. The CF MX Administrator is based on these, and allowing them pretty much gives administrator privileges to anybody on the server.

> For the DatabaseMetaData example, I would prefer the CF tag approach.

http://www.macromedia.com/support/email/wishform/?6213=3

Jochem

