Hi Everyone. I am in the process of deploying my first ColdBox app to a production server. The application is hosted at Hostek.
When I try to load the site I am getting this error:
Security: The requested template has been denied access to BeanFactory.cfc.
The following is the internal exception message: access denied (java.io.FilePermission BeanFactory.cfc read)
The error occurred in D:\home\lawyerswarehouse.com\wwwroot\coldbox\system\services\PluginService.cfc: line 337
Called from D:\home\lawyerswarehouse.com\wwwroot\coldbox\system\services\PluginService.cfc: line 72
Called from D:\home\lawyerswarehouse.com\wwwroot\coldbox\system\services\PluginService.cfc: line 129
Called from D:\home\lawyerswarehouse.com\wwwroot\coldbox\system\web\Controller.cfc: line 328
Called from D:\home\lawyerswarehouse.com\wwwroot\coldbox\system\services\LoaderService.cfc: line 77
Called from D:\home\lawyerswarehouse.com\wwwroot\coldbox\system\Coldbox.cfc: line 71
Called from D:\home\lawyerswarehouse.com\wwwroot\Application.cfc: line 66
According to Hostek, the app is trying to access
C:\ColdFusion9\runtime\bin\BeanFactory.cfc,
which is off limits.
This doesn’t seem right. I had the site running as a subdomain of another Hostek hosting account earlier.
When I try to load the site I am getting this error:
Security: The requested template has been denied access to BeanFactory.cfc.
The following is the internal exception message: access denied
(java.io.FilePermission BeanFactory.cfc read)
...
337 : if( fileExists(pluginFilePath) ){
...
According to Hostek, the app is trying to access
C:\ColdFusion9\runtime\bin\BeanFactory.cfc,
which is off limits.
I've run into this with Fusebox on shared hosts too. Essentially if
fileExists() would return false, the security sandbox can trip and
think you're requesting a file in the default CF path (but it's
actually something else that is internal to CF). I don't remember the
details but I do remember some people being blocked by this.
It usually indicates the hosting company has got things far too locked
down to be useful and my recommendation is always to find a new
hosting company... or, if it's a business site that actually brings in
any revenue at all, move it off shared hosting. Shared hosting is a
BAD IDEA(tm) for business applications. If you're making money, pay a
little extra for a VPS where you're a) more secure and b) have total
control of the sandbox yourself.
Shared hosting is going away. All the hosting companies admit that.
Don't beat yourself up with the pain of shared hosting...
And I'll say it again: if your application is on the same shared host
as mine, I can read your application variables. If you have passwords
or other sensitive data and your application loads that into
application scope - even via a framework - then I have your passwords.
This has been true for years and I have to keep reminding people about
it. It's a function of how application scope works - each application
is a sub-structure of the unnamed web application context for the
underlying Java container so it's easy to get access to that and then
walk through all the applications running on that server.
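
An added illustration of the fileExists() failure discussed in this thread; it is not code from either poster or from ColdBox. The permission in the error names a bare relative path (`BeanFactory.cfc`), which the JVM resolves against its own working directory rather than the site root. The sketch below anchors the path inside the application root before testing it, and treats a sandbox denial as "not found". The function name, its arguments and the sample paths in the comments are hypothetical, and it assumes the sandbox grants read access to the application root.

```cfml
<cfscript>
// Hypothetical helper (added example). Returns true only for a file that
// exists inside appRoot; never lets a relative path reach fileExists().
function sandboxSafeFileExists(required string candidate, required string appRoot) {
    // Normalise separators and drop trailing backslashes from the root.
    var root = reReplace(replace(arguments.appRoot, "/", "\", "all"), "\\+$", "");
    var path = replace(arguments.candidate, "/", "\", "all");

    // A path without a drive letter or UNC prefix is relative. Passed as-is,
    // it would be resolved against the server's working directory, which a
    // shared-host sandbox does not allow the site to read.
    if (not reFind("^([A-Za-z]:\\|\\\\)", path)) {
        path = root & "\" & path;
    }

    // Refuse anything that climbs out of, or never was inside, the app root.
    if (find("..", path) or compareNoCase(left(path, len(root) + 1), root & "\") neq 0) {
        return false;
    }

    try {
        return fileExists(path);
    } catch (any e) {
        // A sandbox denial surfaces as an exception, not as "false".
        // Treat it as absent so one locked-down path does not take the site down.
        return false;
    }
}

// Constructed sample calls (paths are placeholders, not from the thread):
// sandboxSafeFileExists("plugins\BeanFactory.cfc", "D:\home\example.com\wwwroot")
// sandboxSafeFileExists("..\..\other-site\Application.cfc", "D:\home\example.com\wwwroot")  -> false
</cfscript>
```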