Martin, let me elaborate a bit more. The point here is that if a user is deploying his own EAR with the CFIDE files included, he is deploying his OWN SEPARATE instance of ColdFusion which is different than any other instances currently running on the server. The user's instance of CF Administrator has its own password.properties, its own data sources, its own mappings, its own settings... get the picture? That instance of CF Admin is running in its own instance of the JVM and doesn't have access to any of the settings that may be stored in any other instances of CF running on the same server. So, if you have a shared hosting environment that allows users to deploy their own EARs and WARs that may contain a copy of the administrator, first of all, they are going to already know the password; secondly, when they log into it, it will be their own little separate copy of the administrator that only applies to their app. A server with 15 WARs deployed on it could very well have 15 different administrators running, one for each instance.

~Brad

-------- Original Message --------
Subject: Re: Shared Hosting Lockdown - Q1

On Tue, Apr 28, 2009 at 5:53 PM, Martin Thomas wrote:
> Does anyone know how to prevent a CF user deploying the admin application as
> part of an EAR or WAR to your server

Why do you care? If they deploy an EAR or a WAR they deploy WEB-INF as well. If they deploy WEB-INF, they deploy password.properties. If they can deploy their own password.properties, why care about whether they have the admin application?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322072
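
An added example, not part of the original thread: a host that wants to know how many separate administrators are actually deployed can inventory uploaded archives for web apps that bundle `CFIDE/administrator/` or their own `password.properties` under `WEB-INF`. The function name, the packaged (zipped) EAR/WAR layout and the sample archives are assumptions made for this sketch.

```python
import io
import zipfile

def scan_archive(data, name):
    """Return one finding per web app in the archive that ships its own
    CF Administrator files or its own password.properties."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.namelist()
        # An EAR wraps one or more WARs; each WAR is its own instance.
        for entry in entries:
            if entry.lower().endswith(".war"):
                findings += scan_archive(zf.read(entry), f"{name}!{entry}")
        lowered = [e.lower() for e in entries]
        # Assumed layout: CFIDE sits at the web root of the WAR.
        has_admin = any(e.startswith("cfide/administrator/") for e in lowered)
        pw_files = [e for e in entries
                    if e.lower().startswith("web-inf/")
                    and e.lower().endswith("/password.properties")]
        if has_admin or pw_files:
            findings.append({"app": name, "bundles_admin": has_admin,
                             "password_files": pw_files})
    return findings

def _make_zip(files):
    """Build an in-memory zip from a {path: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed sample archives (not real deployments).
TENANT_WAR = _make_zip({
    "index.cfm": "",
    "CFIDE/administrator/index.cfm": "",
    "WEB-INF/cfusion/lib/password.properties": "password=constructed\n",
})
PLAIN_WAR = _make_zip({"index.cfm": "", "WEB-INF/web.xml": "<web-app/>"})
TENANT_EAR = _make_zip({
    "META-INF/application.xml": "<application/>",
    "tenant.war": TENANT_WAR,
    "plain.war": PLAIN_WAR,
})

if __name__ == "__main__":
    for finding in scan_archive(TENANT_EAR, "tenant.ear"):
        print(finding)
```

Each finding corresponds to one self-contained administrator of the kind described above, so the count of findings is the count of separate admin instances the host is carrying.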

