- see footer for list info -<
First up, in case you weren't aware, if you hard-code the password as
you have demoed below, or create a variable in, say, the request scope
and then read it like:
createObject("component","cfide.adminapi.administrator").login(request.mypassword)
then your admin password will show up in plain text when debugging is
enabled, as well as appear as plain text in your class files (assuming
you have Class files turned on in the Administrator).
Obviously you can get around this by not having debugging enabled or by
not generating the class files, but the most secure way is to have the
password read in at runtime from an external (and non-web accessible)
file, e.g. .ini or .xml file.
That being said, you want to restrict the cfide/adminapi directory (just
like you do with the administrator) and limit which adminapi methods are
actually exposed. For example, use a custom-built facade which exposes,
in your case, only the necessary datasource.cfc methods. That way your
application can only call the methods you have exposed, meaning that
runtime.cfc, mail.cfc, security.cfc, etc. can't be called at all.
If using a sandbox, only enable access to the AdminAPI from your custom
admin facade, and this only needs read/execute on the cfide/adminapi
files and folders.
I know that didn't answer everything specifically, but hopefully it'll
help.
Andy
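The facade Andy describes, written out as an added example (this is not code from either post): a component that reads the Administrator password at runtime from an .ini file outside the web root via getProfileString(), logs into cfide.adminapi.administrator privately, and exposes only the read side of datasource.cfc. The ini path, its [adminapi] section and the "admin" folder name in the usage comment are assumptions; the file should be readable only by the account ColdFusion runs as.

```cfml
<!--- DatasourceFacade.cfc (added example, not from the original thread).
      Wraps only the read methods of cfide.adminapi.datasource so callers
      never see the Administrator password and cannot reach runtime.cfc,
      mail.cfc, security.cfc, etc. --->
<cfcomponent displayname="DatasourceFacade" output="false"
             hint="Read-only facade over the AdminAPI datasource component">

    <!--- Assumed path: outside the web root, readable only by the CF service account --->
    <cfset variables.iniPath = "C:\ColdFusion7\secure\adminapi.ini">

    <cffunction name="init" access="public" returntype="any" output="false">
        <cfargument name="iniPath" type="string" required="false" default="#variables.iniPath#">
        <cfset variables.iniPath = arguments.iniPath>
        <cfreturn this>
    </cffunction>

    <!--- Log in with a password read at request time; it never lives in a
          page, the request scope or a generated class file. --->
    <cffunction name="login" access="private" returntype="void" output="false">
        <cfset var pwd = "">
        <cfset var admin = "">
        <cfif not fileExists(variables.iniPath)>
            <cfthrow type="DatasourceFacade.ConfigError"
                     message="AdminAPI ini file not found: #variables.iniPath#">
        </cfif>
        <!--- Assumed ini layout:
                  [adminapi]
                  password=<administrator password> --->
        <cfset pwd = getProfileString(variables.iniPath, "adminapi", "password")>
        <cfif not len(trim(pwd))>
            <cfthrow type="DatasourceFacade.ConfigError"
                     message="No password key in [adminapi] section of #variables.iniPath#">
        </cfif>
        <cfset admin = createObject("component", "cfide.adminapi.administrator")>
        <cfset admin.login(pwd)>
        <cfset pwd = "">
    </cffunction>

    <!--- The only AdminAPI calls the application can make go through here --->
    <cffunction name="getDatasources" access="public" returntype="struct" output="false">
        <cfset var ds = "">
        <cfset var result = "">
        <cfset var name = "">
        <cfset login()>
        <cfset ds = createObject("component", "cfide.adminapi.datasource")>
        <cfset result = ds.getDatasources()>
        <!--- Don't hand database credentials back to callers either --->
        <cfloop collection="#result#" item="name">
            <cfif isStruct(result[name])>
                <cfset structDelete(result[name], "password")>
            </cfif>
        </cfloop>
        <cfreturn result>
    </cffunction>

    <cffunction name="getDatasource" access="public" returntype="struct" output="false">
        <cfargument name="dsnName" type="string" required="true">
        <cfset var all = getDatasources()>
        <cfif not structKeyExists(all, arguments.dsnName)>
            <cfthrow type="DatasourceFacade.NotFound"
                     message="No datasource named #arguments.dsnName#">
        </cfif>
        <cfreturn all[arguments.dsnName]>
    </cffunction>

    <!--- Calling page (assumes this CFC lives in an "admin" folder beside it):
          <cfset facade = createObject("component", "admin.DatasourceFacade").init()>
          <cfset dsList = facade.getDatasources()>
          <cfdump var="#dsList#"> --->

</cfcomponent>
```

To get the sandbox behaviour Andy mentions, make this component the only code granted read/execute on the cfide/adminapi files and folders in the application's sandbox, and deny /CFIDE/adminapi at the web server the same way /CFIDE/administrator is denied, so the facade is the sole route to the AdminAPI from the application.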
Stephen Moretti wrote:
I'm converting a bit of code from CF5 where datasources are stored in
the registry to CFMX7, so I'm using the adminapi datasource cfc to get
the details.
I've got this all working in a test environment using this:
createObject("component","cfide.adminapi.administrator").login("mypassword");
dsComponent = CreateObject("component", "CFIDE.adminapi.datasource");
dsList = dsComponent.getDatasources();
blah blah blah smugglers cove....
What concerns me is that I have my RDS or admin password in the login
call. I'm not terribly au fait with the new sandbox stuff in MX, so
what I'm wondering is, is there a way using sandboxing to allow an
application access to the datasource cfc in the admin api without
requiring me to log in, whilst leaving the rest of the applications
with the standard security?
Also, does anyone know whether the RDS password is read only on stuff
like the admin api or whether it has full access as the admin password
would give?
Stephen
_______________________________________________
For details on ALL mailing lists and for joining or leaving lists, go
to http://list.cfdeveloper.co.uk/mailman/listinfo
--
CFDeveloper Sponsors:-
- Hosting provided by www.cfmxhosting.co.uk -<
- Forum provided by www.fusetalk.com -<
- DHTML Menus provided by www.APYCOM.com -<
- Lists hosted by www.Gradwell.com -<
- CFdeveloper is run by Russ Michaels, feel free to volunteer your
help -<
--
[EMAIL PROTECTED]
www.creative-restraint.co.uk
www.scottishcfug.com