I think Chris needs to give these "Java developers" the smackdown. Don't you love it when people who have no idea what they are talking about start spouting complete BS as if it were completely true? It never ceases to amaze me. Go read any post involving CF on Slashdot or Digg and have your mind blown as people who clearly have never used ColdFusion spout utterly false nonsense. Apparently, if you phrase a complete lie in such a way that it sounds like you know what you are talking about, everyone else believes it. There's probably a PhD thesis in there somewhere.
On 9/24/07, Ben Forta <[EMAIL PROTECTED]> wrote: > > If what they want is to separate ColdFusion from the web server, then > sure, > it is called "distributed mode". While I am not sure I buy into the > assumption that this is more secure, it will do exactly what they want. > So, > yes, CF can do, and has done it for years. > > --- Ben > > > -----Original Message----- > From: Christopher Jordan [mailto:[EMAIL PROTECTED] > Sent: Monday, September 24, 2007 1:57 PM > To: CF-Talk > Subject: Security Questions > > Hi folks, > > I need some advice. One of our bigger clients has a handful of Java > developers working for them who don't particularly like ColdFusion. While > their initial complaints were that it wasn't open source and that you're > tied to one particular company (thoughts which I quickly squashed), now > they're whispering in the ear of the decision makers that Cold Fusion > won't > do "Three Tiered Security". > > I just now think I remember asking the group about this once before, but > it's probably worth talking about again. Their idea of the three tiered > security model is that there's a web server, an application server, and a > database server. The web server contains no code, no passwords, and can > only > communicate to the application server by virtue of the web server's IP > address, and because the web server is the only machine that knows where > the > application server is. Sounds a bit like "security through obscurity" to > me, > but what do I know? > > Anyway, these Java developers are telling the decision makers at this > client > that ColdFusion just isn't secure because it can't do this three tiered > security stuff, but Java can. So they're saying, "why don't you just let > us > rewrite everything in Java for you?" > > Well, while my little company has never run CF as anything but a windows > service, using CF Standard. We figure that it's written in Java so we > ought > to be able to make CF run in this sort of three tiered environment too. > > So my questions are: > > * Are these developer's right? Is CF not capable of running this Three > Tiered model, and are we less safe for it? > * If in fact, CF *can* run in this Three Tiered model, will we need to > upgrade to CF Enterprise to do it? > * Lots of our code is proceedural, though we've been switching to using > CFCs slowly (not really OO, but rather storing related queries, and > functions in CFCs) > * What arguments can we make to our client on this subject? > * Can anyone point me to any articles or other materials online > concerning this topic specific to CF? > > Thanks for any help guys and gals. I'm going to cross-this to CF-Talk, so > I > apologize in advance for any duplication I may cause. > > Chris > > -- > http://cjordan.us > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Create robust enterprise, web RIAs. Upgrade to ColdFusion 8 and integrate with Adobe Flex http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJP Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289346 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
