CFML/ColdFusion · Linux · Railo · Server

Secure Railo Administration (railo-context) On Your Railo Server.


Updated August 2014: Tested to work with the latest Railo and UrlRewriteFilter versions.

In this example I will show you how to quickly and dynamically lock down your server to block access to the Railo administration features that are enabled by default. This modification will require an additional download and the restarting of each Railo web server you wish to protect.

You will require the popular UrlRewriteFilter by Paul Tuckey (http://tuckey.org/urlrewrite/) to be installed on your server.

The install instructions and download link for the filter application can be found at http://tuckey.org/urlrewrite/#install.

If you are using Railo Express you need to create a /lib sub-directory in the webapps/www/WEB-INF directory and place urlrewritefilter-4.0.3.jar in there. Both web.xml and urlrewrite.xml (the filter's default configuration file name) need to be created and placed in webapps/www/WEB-INF.

Copy the code below into your web.xml. It tells the server to load the UrlRewriteFilter and to rescan urlrewrite.xml every 60 seconds for changes. This matters if you later need to re-enable the Railo administration pages without restarting the server.

The XML entries used in this article are available in the GitHub repository at https://github.com/bengarrett/devtidbits/tree/master/post_321.

<?xml version="1.0" encoding="utf-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">

    <!-- UrlRewriteFilter -->
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        <!-- set the number of seconds between checks of the conf file for reload;
             can be a valid integer (0 denotes check every time,
             empty/not set denotes no reload check) -->
        <init-param>
            <param-name>confReloadCheckInterval</param-name>
            <param-value>60</param-value>
        </init-param>
        <!-- you can disable the status page if desired;
             can be: true, false (default true) -->
        <init-param>
            <param-name>statusEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

Now edit your urlrewrite.xml to look something like this.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<!--
    Configuration file for UrlRewriteFilter
    http://tuckey.org/urlrewrite/
-->
<urlrewrite>

    <rule enabled="true">
        <name>Disable Railo</name>
        <from>^/railo-context/admin/(.*)$</from>
        <!-- "null" means no forward or redirect: the request stops here and only the set elements run -->
        <to>null</to>
        <!-- HTTP status 403 = Forbidden -->
        <!-- You could also return 404 = Not Found or 401 = Unauthorized -->
        <set type="status">403</set>
    </rule>

</urlrewrite>

You can now restart your server and then try to access http://www.example.com/railo-context/admin/web.cfm or http://www.example.com/railo-context/admin/server.cfm. If all went well, both pages will return an HTTP status 403. If you need to re-enable these pages, edit your urlrewrite.xml and change the rule's enabled attribute to false; with confReloadCheckInterval set as above, the change is picked up within 60 seconds without a restart.
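As an added example (not part of the original post or of the UrlRewriteFilter project), the Python script below models the rule above against a few request paths and, when given a base URL on the command line, performs the live status check described in the previous paragraph. The embedded XML is a copy of the rule from this article; the path list, the function names and the simplified matching model (a case-sensitive regex tested against the context-relative path, which is the filter's default match type) are assumptions of this example.

```python
"""Check which request paths the article's UrlRewriteFilter rule would block.

Added example, not from the original post. The XML below mirrors the
urlrewrite.xml rule from the article; the path list and helper names are
assumptions chosen for this illustration.
"""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed copy of the article's rule set (same regex and status).
URLREWRITE_XML = """<?xml version="1.0" encoding="utf-8"?>
<urlrewrite>
    <rule enabled="true">
        <name>Disable Railo</name>
        <from>^/railo-context/admin/(.*)$</from>
        <to>null</to>
        <set type="status">403</set>
    </rule>
</urlrewrite>
"""

# Paths from the article plus two constructed ones for contrast.
CHECK_PATHS = [
    "/railo-context/admin/web.cfm",
    "/railo-context/admin/server.cfm",
    "/railo-context/admin/",
    "/index.cfm",
]


def load_rules(xml_text):
    """Return (name, compiled_regex, status) for each enabled rule that sets a status."""
    rules = []
    root = ET.fromstring(xml_text)
    for rule in root.findall("rule"):
        if rule.get("enabled", "true").lower() != "true":
            continue  # enabled="false" is how the article re-opens the admin
        pattern = rule.findtext("from")
        status_el = rule.find("set[@type='status']")
        if pattern is None or status_el is None:
            continue
        rules.append((rule.findtext("name", ""), re.compile(pattern), int(status_el.text)))
    return rules


def simulated_status(path, rules):
    """Status the filter would set for a request path, or None if no rule matches.

    Simplified model of UrlRewriteFilter: the default match type is a
    case-sensitive regex applied to the context-relative request path.
    """
    for _name, regex, status in rules:
        if regex.search(path):
            return status
    return None


def live_status(base_url, path, timeout=5):
    """Fetch base_url + path and return the observed HTTP status (network check)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify(base_url, paths, rules):
    """Compare expected (simulated) and observed status for each path.

    Returns a list of (path, expected, observed, ok) tuples. A blocked path
    must return exactly the configured status; an unblocked path must not
    return one of the blocking statuses by accident.
    """
    blocking = {status for _n, _r, status in rules}
    results = []
    for path in paths:
        expected = simulated_status(path, rules)
        observed = live_status(base_url, path)
        ok = observed == expected if expected is not None else observed not in blocking
        results.append((path, expected, observed, ok))
    return results


if __name__ == "__main__":
    rules = load_rules(URLREWRITE_XML)
    if len(sys.argv) > 1:
        # e.g. python check_railo_admin.py http://www.example.com
        for path, exp, obs, ok in verify(sys.argv[1], CHECK_PATHS, rules):
            print(f"{'OK ' if ok else 'BAD'} {path}: expected {exp}, got {obs}")
    else:
        for path in CHECK_PATHS:
            print(f"{path} -> {simulated_status(path, rules)}")
```

Run without arguments to see which of the listed paths the rule would answer with 403 and which it leaves alone; pass the server's base URL to compare that expectation with the live responses after the restart.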
