If you are challenged for a username and password, this is from the CF Administrator.
What I mean is that CB allows for the conventions to be different to what it says is the norm, and even if you don’t change them, the cfc will only ever be available to the administrator.
This may be different if you are not using SES.
But let’s say you have your models in the default convention, and you have a service in there called userService. If you try the following URL:
www.mydomain.com/model/
You will get an exception error for an invalid event.
If you try
www.mydomain.com/model/userService.cfc
you will also get an invalid event.
So by convention you are protected.
Now views are different, but again by convention you don’t have to follow the standard naming convention. I don’t, and nobody but I knows what these directories are, but even if someone does then again it is by convention. Just place an application.cfm in the views with a and you are protected.
I must admit this comes up every now and then, and I am convinced people think that because the cfc’s are not underneath the webroot they are not protected…
Wrong!!!
Even if you don’t use SES they are heavily protected, because any cfc that is loaded will be loaded through the application.cfc, the first thing it does is load up ColdBox and try to see if it is a known handler/action, and if it is not then bingo you get an exception error.
Views are different, but as I said you can very easily put an application.cfm in there with a and nobody will know the difference, or you could send the user anywhere you want, or just throw an error in your application.cfm.
But the point is you don’t need to worry about the components or views being accessible…
So if you read threads going back almost 2 years, I made this clear then and it stands today.
And it is not security by obscurity in any way, shape or form, so why would you think it is?