
Secure Railo Administration
(railo-context) on your Railo Server

Reading time of 358 words ~ 2 minutes



In this example I will show you how to quickly and dynamically lock down your server to block access to the Railo administration features that are enabled by default. This modification will require an additional download and the restarting of each Railo web server you wish to protect.

You will require the popular UrlRewriteFilter by Paul Tuckey (http://tuckey.org/urlrewrite/) to be installed on your server.

The install instructions and download link for the filter application can be found at http://tuckey.org/urlrewrite/#install.

If you are using Railo Express you need to create a /lib sub-directory in the webapps/www/WEB-INF directory and place urlrewritefilter-4.0.3.jar in there. Both web.xml and urlrewrite.xml need to be created and placed in webapps/www/WEB-INF.

Copy and insert the code below into your web.xml. It tells your server to load the UrlRewriteFilter and to rescan urlrewrite.xml every 60 seconds for changes. This matters if you later need to re-enable the Railo administration pages without restarting the server.

The XML entries used in this article are available in the GitHub repository at https://github.com/bengarrett/devtidbits.com/tree/main/post_321.

<?xml version="1.0" encoding="utf-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">

    <!-- UrlRewriteFilter -->
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        <!-- set the number of seconds between checks of the conf file for reload;
             can be any valid integer (0 denotes check on every request,
             empty/not set denotes no reload check) -->
        <init-param>
            <param-name>confReloadCheckInterval</param-name>
            <param-value>60</param-value>
        </init-param>
        <!-- you can disable the status page if desired;
             can be: true, false (default true) -->
        <init-param>
            <param-name>statusEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

Now edit your urlrewrite.xml to look something like this. The filter looks for /WEB-INF/urlrewrite.xml by default, so the file name must match exactly; a mis-named file is simply not loaded and the administration pages stay reachable.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<!--
    Configuration file for UrlRewriteFilter
    http://tuckey.org/urlrewrite/
-->
<urlrewrite>

    <rule enabled="true">
        <name>Disable Railo</name>
        <from>^/railo-context/admin/(.*)$</from>
        <!-- a "to" of null means the request is not forwarded anywhere;
             only the status set below is applied -->
        <to>null</to>
        <!-- HTTP status code 403 equals Forbidden -->
        <!-- You could also change it to 401 = Unauthorized or 404 = Not Found -->
        <set type="status">403</set>
    </rule>

</urlrewrite>

You can now restart your server and then try to access http://www.example.com/railo-context/admin/web.cfm or http://www.example.com/railo-context/admin/server.cfm. If all went well, both pages will return an HTTP 403 status. If you need to re-enable these pages, edit your urlrewrite.xml and change the rule's enabled attribute value to false; with confReloadCheckInterval set, the change is picked up without a restart.
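To turn the manual check above into something repeatable after every deploy or configuration reload, here is an added verification script (not part of the original article or of UrlRewriteFilter). It probes the two admin URLs named in the article and one ordinary page, and reports the lockdown as successful only when the admin pages return the expected status and the ordinary page is still served, so a rule that accidentally blocks the whole site is caught too. The control path /index.cfm and the hostname are assumptions; adjust them for your server.

```python
import urllib.error
import urllib.request

# Paths locked down by the "Disable Railo" rule in urlrewrite.xml.
ADMIN_PATHS = (
    "/railo-context/admin/web.cfm",
    "/railo-context/admin/server.cfm",
)


def fetch_status(url, timeout=10):
    """Return the HTTP status code for url; error responses count as results."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_lockdown(base_url, control_path="/index.cfm", expected=403,
                   admin_paths=ADMIN_PATHS, fetch=fetch_status):
    """Probe the admin URLs and one ordinary page under base_url.

    Returns a dict with the status of every probe, the admin paths that did
    not come back with the expected status, and whether the control page is
    still served (a lockdown that also breaks the site is a misconfiguration).
    control_path is an assumed ordinary page; change it to one that exists.
    """
    base_url = base_url.rstrip("/")
    statuses = {path: fetch(base_url + path) for path in (*admin_paths, control_path)}
    exposed = [path for path in admin_paths if statuses[path] != expected]
    site_ok = statuses[control_path] == 200
    return {
        "statuses": statuses,
        "exposed": exposed,
        "site_ok": site_ok,
        "locked_down": not exposed and site_ok,
    }


if __name__ == "__main__":
    import sys

    # Hostname is an assumption; pass your own as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"
    report = check_lockdown(target)
    for path, status in report["statuses"].items():
        print(f"{status}  {path}")
    if report["locked_down"]:
        print("admin pages locked down, site still served")
    else:
        print("NOT locked down; exposed: " + ", ".join(report["exposed"])
              + ("" if report["site_ok"] else "; control page not returning 200"))
    sys.exit(0 if report["locked_down"] else 1)
```

Run it as `python check_railo_admin.py http://www.example.com` (file name is your choice); a non-zero exit code means at least one admin page is still reachable or the control page is broken, which makes it easy to wire into a post-deploy check.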

Written by Ben Garrett
