1

Background: My team is moving to asp.net mvc 5 but we still have many applications we need to support written in ColdFusion. We have implemented an Asp.net MVC 5 application that will serve as the main point of entry to access all our ColdFusion applications and we have dropped each ColdFusion application inside a folder inside our MVC application like this

MVCApp
-- InternalApps
-----ColdfusionApp1
-----ColdfusionApp2

We are trying to control access to the ColdFusion applications by means of roles. In other words, if you have the ColdfusionApp1 role then you can access files inside MVCApp/InternalApps/ColdfusionApp1; all other users will be denied access to the ColdfusionApp1 directory and the files it contains.

We implemented access control to the ColdFusion directories and the files inside those directories by specifying rules in our MVC application's web.config as in this post (Url Authorization with MVC and ASP.NET Identity), and we made a slight modification to that solution because we want to control access by roles as in https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config

In IIS the MVCApp is a Website, and under the MVCApp Website the directory MVCApp/InternalApps/ColdfusionApp1 contains the ColdFusion code, which becomes accessible once you run the Adobe ColdFusion Webserver Configuration Application that configures IIS to serve ColdFusion files.

Problem: The solution seems to work just fine if, instead of ColdFusion files, we put a static HTML file inside the ColdFusion directories, but the moment we drop in the ColdFusion files and configure them to be served by IIS using wsconfig.exe (Adobe ColdFusion Webserver Configuration Application), then even if you specify authorization rules for ColdFusion (.cfm) files, these files are still served to unauthorized users. Below are the navigation URL patterns that work as expected and the one that fails to work as expected.

https://localhost/InternalApps/ColdfusionApp1 (blocks access to unauthorized users and redirects to the login page)
https://localhost/InternalApps/ColdfusionApp1/index.cfm (lets any unauthorized user access this file)

We think that the problem we are having has to do with the order in which modules and handlers are configured. It seems that for .cfm files there is a handler or module that processes the request before the authorization rules can be applied.

Conclusion: Role based authorization rules using the location tag in web.config work fine to prevent users from accessing a directory, but it does not work to prevent access to the ColdFusion files inside that directory.

Environment:
MS Server 2012 R2 with IIS 8.5
Visual Studio 2015 (Asp.net MVC 5, Asp.net Identity 2)
Oracle 12c Database
ColdFusion 2016

Snippet from web.config:

<system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.5.2" />
    <httpRuntime targetFramework="4.5.2" />
</system.web>
<location path="InternalApps/ColdfusionApp1">
    <system.web>
        <authorization>
            <allow roles="ColdfusionApp1" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>
<system.webServer>
    <modules>
        <remove name="FormsAuthentication" />
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
    <handlers>
        <add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
        <add name="CfmScriptHandler" path="*.cfm" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
    </handlers>
</system.webServer>
Everto
  • 41
  • 4
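An added check, not part of the question or its author's code, that applies ASP.NET's first-match UrlAuthorization semantics to the `<location>` rules posted above (assumption: the snippet sits under a `<configuration>` root, and only that one location rule is relevant). It confirms that the rules themselves deny `index.cfm` to any user lacking the role, so a .cfm file reaching an anonymous user means the request never passed through the authorization module rather than that the rules are wrong.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the question's web.config, wrapped in a <configuration>
# root (assumption: the real file has one; only the <location> rules matter here).
WEB_CONFIG = """<configuration>
  <location path="InternalApps/ColdfusionApp1">
    <system.web>
      <authorization>
        <allow roles="ColdfusionApp1"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _split(attr):
    return {v.strip() for v in attr.split(",") if v.strip()}


def _rule_matches(rule, user, roles):
    """True if an <allow>/<deny> rule applies to this user:
    '*' = everyone, '?' = anonymous (user is None); roles match by name."""
    users = _split(rule.get("users", ""))
    if "*" in users or ("?" in users and user is None):
        return True
    if user is not None and user in users:
        return True
    return bool(_split(rule.get("roles", "")) & set(roles))


def is_allowed(config_xml, request_path, user=None, roles=()):
    """Simplified UrlAuthorization evaluation: for every <location> whose path
    covers the request (the directory itself or anything beneath it), rules are
    checked top to bottom and the first matching rule decides. No matching
    rule means allow, which is ASP.NET's default."""
    root = ET.fromstring(config_xml)
    path = request_path.strip("/").lower()
    for loc in root.findall("location"):
        loc_path = loc.get("path", "").strip("/").lower()
        if path != loc_path and not path.startswith(loc_path + "/"):
            continue
        for auth in loc.iter("authorization"):
            for rule in auth:
                if _rule_matches(rule, user, roles):
                    return rule.tag == "allow"
    return True


if __name__ == "__main__":
    for url in ("/InternalApps/ColdfusionApp1", "/InternalApps/ColdfusionApp1/index.cfm"):
        print(url, "anonymous allowed:", is_allowed(WEB_CONFIG, url))
```

Both URLs evaluate to denied for an anonymous user, so the difference observed for `index.cfm` has to come from the IIS pipeline, not from the rule set.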

0 Answers