1 Reply Latest reply on May 17, 2006 9:52 AM by Newsgroup_User

    Securing Non-Coldfusion Content in Distributed Mode

    sdsinc_pmascari Level 2
      We are in the process of setting up our sites with CFMX7 Enterprise in distributed mode. IIS on one server and our CF instances on another. We have this working fine.

      In our current setup, IIS is set to allow anonymous access to allow access to the public side of our sites. For the password-protected portions we've developed our own authentication system and it is working fine.

      However, we have found that in distributed mode, all non-ColdFusion material (images, HTML pages, PDFs, etc.) is processed and sent from the IIS server directories and never touches the CF server. CF requests are sent to their respective instance on its separate machine, the results returned to IIS where it then grabs the images and any other non-CF content from itself and serves the page to the user. This appears to be by design and forces us to maintain our directory structure on two machines. We're willing to live with that but is there any way to protect the non-CF content residing on the IIS server? We have some images and PDFs we'd like to keep available only for authorized users but it seems using the built-in ColdFusion tools we can only protect CF material on the CF machine.

      Thoughts or insights?
        • 1. Re: Securing Non-Coldfusion Content in Distributed Mode
          Level 7
          Is there any reason you have CF on a separate server?

          The reason I ask is that I am currently implementing something similar on
          our extranet. Basically we have our extranet server and our intranet server.
          Because the extranet has to be more "open" we don't want our "protected"
          pdfs, word docs, etc stored on that server, but some of those items need to
          be accessible to our extranet users. What was decided here was to put all
          our "protected" files on the intranet server and use cfcs (one on the
          extranet, one on the intranet), along with a new page (on the extranet) to
          "pull" the requested file. Basically all links on the extranet that would
          normally point to a document now point to a page that calls the extranet cfc
          and passes the UUID for the document. This cfc does an http request to the
          cfc on the intranet which determines which document is being requested,
          grabs that file and passes it back to the extranet for display. This serves
          a couple of purposes. 1) The user never actually knows where the file is
          stored. 2) We can pass a username and password via the http call for
          authentication.

          We don't have to have multiple copies of directory structure as all our
          non-restricted content can be stored on the extranet. But we do have CF
          installed on both servers.


          --
          Bryan Ashcraft (remove brain to reply)
          Web Application Developer
          Wright Medical Technologies, Inc.
          =============================
          Macromedia Certified Dreamweaver Developer
          Adobe Community Expert (DW) :: http://www.adobe.com/communities/experts/
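
The broker page described in the reply above, sketched as an added example (not code from the thread or from either poster). The page name `getdoc.cfm`, the `session.isLoggedIn` flag, and the `application.docService*` settings are assumptions, as is an intranet endpoint that checks the supplied credentials, maps the UUID to a file from its own table, and returns the raw file bytes.

```cfml
<!--- getdoc.cfm (hypothetical): every extranet document link points here,
      e.g. getdoc.cfm?id=<document UUID>. Assumes session management is enabled. --->
<cfparam name="url.id" default="">

<!--- 1. Require a login. session.isLoggedIn is an assumed flag set by the
      site's own authentication system. --->
<cfif NOT StructKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Accept only a well-formed ColdFusion UUID, never a file name or path. --->
<cfif NOT IsValid("uuid", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Fetch the file from the intranet server, authenticating the call.
      The application.docService* values are assumed to be set in Application.cfm;
      the URL should be HTTPS so the credentials are not sent in the clear. --->
<cftry>
    <cfhttp url="#application.docServiceUrl#" method="post"
            username="#application.docServiceUser#"
            password="#application.docServicePassword#"
            getasbinary="yes" timeout="30" throwonerror="yes" result="docResponse">
        <cfhttpparam type="formfield" name="id" value="#url.id#">
    </cfhttp>
    <cfcatch type="any">
        <!--- Fail closed: unknown IDs, auth failures and timeouts all look the
              same to the browser, and no upstream detail is echoed back. --->
        <cfheader statuscode="404" statustext="Not Found">
        <cfabort>
    </cfcatch>
</cftry>

<!--- 4. Stream the bytes. The browser only ever sees getdoc.cfm?id=..., so the
      storage location stays hidden. The file name reuses the validated UUID. --->
<cfheader name="Content-Disposition" value="attachment; filename=#url.id#">
<cfcontent type="#docResponse.mimeType#" variable="#docResponse.fileContent#" reset="yes">
```

The same gatekeeper shape works with a single CF server: keep the protected files in a directory IIS does not serve and have the page read them with `cfcontent file="..."` after the login and UUID checks.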