Store and use ColdFusion templates outside of the web root

Question

I have been tasked with researching the possibility of storing .cfm files outside of the web root as a further security measure. (I'm not talking about CFCs, but the files that will appear in the URL string.)

I figured that I could use the properties of OnRequest() in the Application.cfc to do this, but no luck.

I've tried this:

<cffunction name="OnRequest" access="public" returntype="void" output="true">
  <cfargument name="TargetPage" type="string" required="true"/>

  <cfinclude template="C:/test#arguments.TargetPage#"/>

  <cfreturn/>
</cffunction>

I then put a test.cfm inside C:\test and attempted http://localhost/test.cfm. That gives me a "file not found" error.

So then I created a ColdFusion mapping to C:\test called "test" and changed my CFINCLUDE thusly:

  <cfinclude template="/test#arguments.TargetPage#"/>

Unfortunately I got the same error.

So, is what I'm after even possible? (Windows Server 2008 and IIS in case it matters. ColdFusion 9.)

---

I know that I could put a CFINCLUDE in my index.cfm and pass around URLs like http://www.example.com/?file=test.cfm, but I'd prefer not to do that.

---

Well here's something: If I put an empty test.cfm in my web root then this works. Obviously I'd really rather not put empty stubs for every one of my files (which, for this project, will end up being in the hundreds).

Answer 1

I think you would have better luck using onMissingTemplate rather than onRequest. http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7d2a.html

Answer 2

Rather than spinning your wheels down this path, let me point you in a possible better direction which may solve the original issue, but from a more preferred/best practices standpoint:

ColdFusion Sourceless Deployment

Rather than trying to jimmy-rig the site to read files outside of root, you simply never put the source code out into the world.