stackoom
  简体   繁体   中英

How to disable “Component Browser” in ColdFusion?

 原文  2011-11-30 00:41:02       coldfusion/ cfc

Question

Following: http://help.adobe.com/en_US/ColdFusion/9.0/Installing/WSf01dbd23413dda0e-3f89e8d411fae637e44-8000.html

I already commented out the RDS in \\JRun4\\servers\\[name]\\cfusion.ear\\cfusion.war\\WEB-INF\\web.xml

However, the RDS tab is still there in the CF Administrator, and browsing to a CFC still redirect me to /CFIDE/componentutils/cfcexplorer.cfc

How to disable "Component Browser" in ColdFusion?

Thanks

3 answers

solution1
 4  2011-11-30 07:31:36

If you don't want your CFCs to be browseable, don't put them in a directory that's browseable! Only files you intend to be browseable ought to be exposed by the web server.

I think the problem here is not the CFC explorer's functionality, it's that you've got stuff you don't want to be browsed to in a browseable location.

solution2
 3 ACCPTED  2011-11-30 15:53:23

The "Component Browser" cannot be disabled--it is a hard-wired function of ColdFusion, which automatically fires when you make a web request to the full location where a .CFC resides--and is unrelated to RDS, whether it is enabled or not.

You will have to decide upon a methodology that you want to approach to prevent direct access to your CFCs, and implement it that way, instead. Such options are:

  1. Disabling the "auto-documentation" of a CFC, as described in the post provided by Henry above (Source: Ray Camden ).

  2. Remove the /CFIDE virtual mapping from any of your public facing websites, so that a direct .CFC web request results in a HTTP 500 (as cfcexplorer will no longer be accessible).

A slicker option altogether is to make your public-facing websites use a different virtual /CFIDE directory :

  1. Remove the existing /CFIDE mapping for your public-facing site (#2 above)
  2. Create a new folder in your public facing site called "CFIDE".

  3. Within that directory, create a folder called "componentutils". , 4. Within "componentutils", create a single file, "cfcexplorer.cfc", which you will then use to make a single call, and return a 403 (Forbidden) code to the browser:

    <cfheader statuscode="403" statustext="Forbidden" />

This option is good, because you not only hide your CFCs from direct access via the implicit functionality of the Component Browser, you also hide your CF Administrator from the public (which many CF sites often forget about).

solution3
 0  2011-11-30 00:54:23

您不能只是删除/重命名cfcexplorer.cfc吗?

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Could not disable HttpOnly flag in browser via ColdFusion How to disable sameformfieldsasarray in ColdFusion 10? How do I disable Coldfusion for one site? How to disable ColdFusion 10 ORM Logging How to stop the default browser of ColdFusion Builder? ColdFusion 2021 - how to browse pages in a browser How to validate a component path name in ColdFusion / Lucee How to debug a coldfusion function defined in a component? ColdFusion - Leverage browser caching coldfusion / browser timeout
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM