A couple of months ago I installed CFMX7 with the great expectation on being able to use the new multiserver version with it's inbuilt instance manager to cut down on the amount of work required in the creation of the semi-dedicated hosting plans we provide over at CFMX Hosting. All seemed to be great, until I realised that security sandboxes didn't work at all in this type of installation. Further testing uncovered the fact that this was also true of CFMX6 as well. As has become an all to common occurrence of late, I had hit a problem that NO-ONE else seemed to have experience of, even the gurus. (NB: One of the problems with being a so-called GURU, who do you go to for help?) In this case I resorted to opening a support ticket with Macromedia as I considered this to be a bug. Annoyingly you have to give over your creditcard details to open a support incident, even if it's a bug, but thankfully you don't get charged if you prove the fault is Macromedia's :-) It turned out it does actually say in the CF docs somewhere that sandboxing will not work with J2EE installations, but even the MM support guy didn't know this and found out from someone else. Alas there was not also a working solution in the docs to get it working. It provided a workaround that was essentially useless as whenever you restarted the service it would revert to the old settings. Anyway it has been a long and painful process getting this working as I moved house in the middle of this process and was offline for 3 weeks. After much pissing about, numerous emails with MM support and eventually a breeze meeting I got it solved. MM did publish a tech-note on this after our discussion, but unfortunately they got it wrong. Hopefully they have since posted it with my corrections, which does include fixing the windows service to run the instance with the correct config settings. When I find the technote i'll post the link. Basically you have to add some entries into your jvm.config file to enable the sandbox security (and they are very picky about how you enter them), but this has certain repercutions. It can affect standard (non CF) jrun instances, so you need to really create custom jvm.config files for each instance and then edit your windows service to start the jrun server using this .config file. You will also need to modify all the paths in each new jvm.config, note that the original paths are "cfusion_ear", but in new instances they are "cfusion.ear", it took me ages to spot this difference, and the instance wont start if the paths are wrong.

IMPORTANT NOTE:

One other thing to consider is that you can only restart an instance that uses its own JVM.config via the windows service or via the jrun command passing the required attreibute. If you restart it via the CFADMIN instance manager or via the JRUN Management Console, it will be started using the default jvm.config. Update 29/04/2006: MM have finally posted a technote on this problem, its only taken a year. CLICK HERE