How to Secure Railo 3.1 Admin in IIS 6

I recently set up my new VPS with the awesome Railo 3.1 on Server 2003 and soon started thinking about the security of the admin URL. With Adobe ColdFusion it's good practice either to move the administrator so it only runs on a non-standard port with IP filtering, or to protect it with a username and password via web server security.

I decided to secure the Railo admin path via IIS directory security, but I soon realised that in Railo the admin URL is not a physical path, i.e. it is not created as either a virtual directory or a real directory within the webroot of each website hosted on the server.

The Railo admin URL is as follows:

The ISAPI filter that Railo uses watches for any request to railo-context and forwards it to the correct place within the Railo system. This all happens outside of IIS, so there is no folder in IIS Manager to attach security settings to.

So how do we protect the URL?

The answer is actually pretty simple, although you will have to do it on every virtual site set up on the server.

All we have to do is to create two physical folders within the webroot of the website we want to protect as follows:


Once this is created we can go into IIS 6 Manager, locate the 'admin' folder, right-click and select 'Properties'. Within 'Directory Security' it is then possible to restrict access either by IP or via authentication and access control.

If using username and password security, go into the 'Authentication Methods' panel, uncheck 'Enable anonymous access' and leave 'Integrated Windows authentication' ticked.

Now, whenever you access the Railo admin URL you can log in via an account on the server (e.g. administrator). It's recommended that you create a special Windows account that will only be used for admin access. You could then give only that user permission to access '/railo-context/admin', though this would need to be done on each folder in each web root. In a hosted scenario this would be a good idea anyway, as each customer should really have their own web user account to ensure they can only access their own resources on the system.

Note: If you do decide to just log in using the administrator account on the server, I recommend you do this over SSL ONLY. If you do it over http:// it would be possible for a user on the same network (e.g. a Wi-Fi access point) to sniff your HTTP packets and determine your admin password - not good.
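
Because the folders have to be created and secured on every virtual site, it is easy to miss one. The script below is an added example (not from the original post) that requests the admin path without credentials on each site and reports which ones IIS does not challenge; the host names and canned statuses in it are constructed placeholders.

```python
"""Check that the Railo admin path refuses anonymous requests on every site."""
import http.client
from urllib.parse import urlsplit

ADMIN_PATH = "/railo-context/admin/"  # the path secured in the article


def probe(base_url, path=ADMIN_PATH, timeout=5):
    """Send one GET with no credentials and return the HTTP status code."""
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", path)  # redirects are not followed
        return conn.getresponse().status
    finally:
        conn.close()


def classify(base_url, status):
    """Map the anonymous response for one site to a finding."""
    if status == 401 and not base_url.lower().startswith("https://"):
        return "protected, but login is offered over plain HTTP"
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "EXPOSED: admin path answered an anonymous request"
    return "check manually (HTTP %d)" % status


def audit(base_urls, probe_fn=probe):
    """Return {base_url: finding}; list one URL per IIS virtual site."""
    findings = {}
    for url in base_urls:
        try:
            findings[url] = classify(url, probe_fn(url))
        except (OSError, http.client.HTTPException) as exc:  # DNS, refused, timeout
            findings[url] = "unreachable (%s)" % type(exc).__name__
    return findings


if __name__ == "__main__":
    # Constructed statuses for three sites so the demo runs offline.
    canned = {"https://www.example.test": 401,
              "http://www.example.test": 401,
              "http://dave.example.test": 200}
    for site, finding in audit(canned, probe_fn=canned.get).items():
        print("%-28s %s" % (site, finding))
```

Call `audit([...])` without `probe_fn` to query the sites on your own server; include both the http:// and https:// form of each host header, since each is a separate way in.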


Comments
Thanks for this post James, it is exactly what I was looking for!

However, I do have one question. When you create the railo-context/admin directories in IIS, do you use virtual directories to point them to the actual Railo admin directories on the server or is it just a matter of IIS intercepting the request, enforcing security, then the ISAPI filter taking over and doing its thing?
# Posted By Eric Cobb | 10/23/09 8:50 PM
Hi Eric,

I don't use virtual directories but actual physical directories within the web root of the site. I create railo-context/admin and then secure railo-context using IIS directory permissions. Just thinking about it, it might just be enough to create railo-context and secure that (I can't remember if I tested that or not).

You're right in your thinking that IIS deals with the initial access to the folder but then the ISAPI filter kicks in to actually handle the request.

Quite a nice way to sort out securing the Railo admin although slightly hackish.
# Posted By James Allen | 10/27/09 1:30 AM
Anyone done this with IIS7? It was straightforward with IIS6 but now I'm finding it difficult to do this.
# Posted By Ed | 4/18/10 5:29 PM
Thanks for posting this, I've been struggling for hours to get the admin secured with resin and windows 2008 (IIS7)..... using resin (ip-constraint) and could not make it work, however you gave me a brainwave!

In Information Services Manager I downloaded the module "IPv4 address and domain restrictions", created an empty directory "railo-context" in root and then using the module allow "" and disallow all others. This works because all requests are handled by IIS before being passed to resin/railo.

# Posted By andrew | 2/10/11 1:08 AM
Hey there Andrew,

Thanks for posting that. I haven't used IIS 7 yet but heard that it uses quite a different setup to IIS 6 in many ways. Great that you used a similar technique to what I'm using to get it to work.

It's not something that seems that obvious until you do it and feels odd to create a directory that is only a mapping in Railo. But like you say, as IIS handles that URL request first then passes it to Railo - which still treats it as a mapping - you can secure it using an IIS configuration.

Sorted. :)
# Posted By James Allen | 3/1/11 12:02 AM
Sorry to resurrect an old article but I thought that this might be useful for securing the admin on IIS7 (since it's linked from hackmycf).

Just add the following into the <configuration> node of web.config in your webroot. I've set it up for basic authentication (a popup login box) but it can be easily changed to others.

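<location path="railo-context/admin">
<system.webServer><security><authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
</authentication></security></system.webServer>
</location>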
# Posted By Steve Chandler | 1/10/12 2:37 PM
Ah that's brilliant - thanks Steve.
Elegant solution and easy to implement. I'll be looking at that myself when I move to IIS7.
# Posted By James Allen | 1/10/12 2:40 PM
James,
Great article, exactly what I was looking for. And it works great. But, I have run into a problem with setting up a sub-domain. For example

I am trying to secure this so it can not be accessed from outside the firewall. I have this folder /tomcat/webapps/ROOT/dave. I have created folder /dave/railo-context/admin.

I have gone into my IIS6 Manager and selected my /dave/railo-context/admin and set up Directory Security, just as I did for my main domain site.

But, the Railo Admin page still comes up. I am running IIS6 on Windows 2003 using Railo beta.

Any ideas how to lock this down from my sub-domain?
# Posted By Dave Hatz | 8/28/12 4:49 AM
Hi Dave,

I'm not quite sure how you've got the sub domain set up but can't it be its own virtual site in IIS just like with the www. domain?

Or is it set up to be an alias on the main virtual site which you then detect in code to redirect to the right templates?

If it was set up like this though, and you have already got a /railo-context/admin set up and secured, that should work anyway.

Could you let me know exactly how the sub domain is set up in IIS? The ideal would be as its own virtual site and then just set up /railo-context/admin again and secure it.
# Posted By James Allen | 8/28/12 6:22 PM
I liked the post, with "Posted By andrew | 2/10/11 1:08 AM"

Simple, easy to do. No having to really think, which is nice to save brain cycles for the real work! :)
# Posted By Will B. | 8/3/14 9:12 PM
Why can't railo automatically do this?

Perhaps an optional checkbox in admin: 'secure admin directories'? yes / no
# Posted By Dawesi | 6/23/15 6:55 PM
© 2016 James Allen