Add built-in predicates and handlers for Undertow for easier lockdown

Description

Add the Undertow predicate cf-admin(), which returns true if the incoming URL is to the Lucee or ColdFusion admin:
Ex:

Add the Undertow handler block-external(), which blocks any request not from localhost with a 404 response code.
Ex:

Add the Undertow handler block-cf-admin(), which blocks any request to the Lucee or ColdFusion admin with a 404 response code.
Ex:

Add the following settings to server.json:

  • web.blockCFAdmin - control access to Lucee and Adobe CF admin UI. Possible values are:

    • true - Block ALL access to admin

    • false - Do not block access to admin

    • external - Only block access to requests not coming from localhost

  • web.blockConfigPaths - control access to “special” files such as box.json, server.json, or any path starting with a period. Possible values are:

    • true - Block access to paths

    • false - Do not block access to paths
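The following Python model is an added example, not code from this ticket or from the project; it shows how the two settings described above would decide a request, which is useful for writing lockdown test cases. Assumptions: the admin URL prefixes, treating missing keys as false, and reading "path starting with a period" as any path segment starting with a period.

```python
import ipaddress
from urllib.parse import unquote

# Assumption: common admin URL prefixes for Lucee and Adobe ColdFusion; the
# ticket does not list the exact paths the cf-admin() predicate matches.
ADMIN_PREFIXES = ("/lucee/admin", "/cfide/administrator")
# "Special" file names taken from the ticket text.
CONFIG_FILES = {"box.json", "server.json"}


def is_local(remote_addr):
    """True when the client address is a loopback address (IPv4 or IPv6)."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as external


def is_cf_admin(path):
    """Model of cf-admin(): does the URL path point at an admin UI?"""
    p = unquote(path).lower()
    return any(p == pre or p.startswith(pre + "/") for pre in ADMIN_PREFIXES)


def is_config_path(path):
    """box.json, server.json, or any path segment starting with a period."""
    segments = [s for s in unquote(path).lower().split("/") if s]
    return any(s in CONFIG_FILES or s.startswith(".") for s in segments)


def decide(web, path, remote_addr):
    """Return 404 if the modeled rules block the request, else None."""
    mode = str(web.get("blockCFAdmin", False)).lower()  # true/false/external
    if is_cf_admin(path):
        if mode == "true" or (mode == "external" and not is_local(remote_addr)):
            return 404
    if str(web.get("blockConfigPaths", False)).lower() == "true" and is_config_path(path):
        return 404
    return None
```

Here `web` stands for the `web` object of a parsed server.json, for example `{"blockCFAdmin": "external", "blockConfigPaths": True}`.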

Assignee

Brad Wood

Reporter

Brad Wood

Labels

None

Affects versions

None

Fix versions

Priority

Major

Components

Configure