Greetings, Thanks for the response to the question. It was exactly what I was looking for.
Thanks Again, Cliff On Aug 24, 11:38 pm, Dennis Clark <[email protected]> wrote: > The Model-Glue framework itself does not get involved in any requests that > do not go through its index.cfm. However the Model-Glue application template > has a views/Application.cfm file that contains a <cfabort/>. This file stops > the processing of any direct requests for CFML files under the views > directory, so a blank response is returned. It sounds like your application > has this same views/Application.cfm file protecting the views directory. > > Other directories in your Model-Glue application may also need securing. In > particular, if your ModelGlue and ColdSpring configuration files use a *.xml > extension, they may be vulnerable to direct access by a browser and exposure > of sensitive information about your application. Ideally you should set up > your Web server's security to block any access to your application's config > directory, but if that's not an option you can rename the config files to > use *.xml.cfm extensions and then use the Application.cfm technique > mentioned above to protect the config directory. A side-effect of changing > the file extension is that you will likely lose your editor's XML support > features while working on those files. > > -- Dennis > > On Tue, Aug 24, 2010 at 11:01 PM, Clifford Moon > <[email protected]>wrote: > > > > > Greeting > > > I've found several tutorials out there on various ways of securing > > certain pages in modelglue and followed Dans suggestion from a past > > email, but I've seen non model glue security implemented and whenever > > one requested a page, it immediately threw up the login page. The way > > I've currently got my pages secured doesn't automatically throw up a > > login page as im using the event handler and multiple event types to > > only secure certain pages (model glue.XML snippet below), and I'm > > pleased with the way it's working. > > > Administrator Events --> > > <event-handler name="admin" type="secure,templatedPage"> > > <!-- > > <broadcasts> > > <message name="needHonorsList" /> > > </broadcasts> > > --> > > <views> > > <include name="primary" template="default.cfm"> > > </include> > > </views> > > </event-handler> > > > <event-handler name="adminList" type="secure,templatedPage"> > > <views> > > <include name="mymenu" template="layout/ > > dspMyMenu.cfm"> > > <value name="whichMenuIsCurrent" > > value="admin" /> > > </include> > > <include name="primary" > > template="dspViewAdmins.cfm"> > > </include> > > </views> > > </event-handler> > > > <event-handler name="honorshome" type="templatedPage"> > > <views> > > <include name="mymenu" template="layout/ > > dspMyMenu.cfm"> > > <value name="whichMenuIsCurrent" > > value="home" /> > > </include> > > <include name="primary" > > template="dspViewNews.cfm"> > > </include> > > </views> > > </event-handler> > > > My quandry is this, and this may just be the way that Model Glue > > handles handing off a page without going through the event=?? method. > > > If I have a file in my views directory called bleh.cfm, and I spell > > out the entire path http://<server>/<appdir>/views/bleh.cfm, I get a > > blank page returned. Is this the expected functionality. What should > > one expect to happen if the security was coded perfectly. > > > I ask this as my boss is expecting to secure the entire directory, but > > as it is, it only requests authentication when the event type is > > "secure,??", and this to me is cool as I can only protect a few files > > and leave the others public. > > > I hope I've made sense on this, but I'm still unclear as to what I > > should expect, and what is considered the standard for security in > > Model-Glue. > > > Thanks in Advance, > > > Cliff > > > -- > > Model-Glue Sites: > > Home Page:http://www.model-glue.com > > Documentation:http://docs.model-glue.com > > Bug Tracker:http://bugs.model-glue.com > > Blog:http://www.model-glue.com/blog > > > You received this message because you are subscribed to the Google > > Groups "model-glue" group. > > To post to this group, send email to [email protected] > > To unsubscribe from this group, send email to > > [email protected]<model-glue%2bunsubscr...@googlegrou > > ps.com> > > For more options, visit this group at > >http://groups.google.com/group/model-glue?hl=en -- Model-Glue Sites: Home Page: http://www.model-glue.com Documentation: http://docs.model-glue.com Bug Tracker: http://bugs.model-glue.com Blog: http://www.model-glue.com/blog You received this message because you are subscribed to the Google Groups "model-glue" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/model-glue?hl=en
