This is a windows machine, with commandbox, running cf2023

This is Adobe, not Lucee, right?

If I recall, Adobe redirects the URL to a file inside of the CFIDE directory

A file that I think CommandBox blocks by default based on the

profile

https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/server-profiles Specifically, the

web.blockSensitivePaths

setting, which is enabled by default even in the

development

profile.

however, a 401 doesn't seem familiar as CommandBox tends to return a 404 when blocking sensitive file paths, so it may not be the profile.

Okay, I found something interesting. Any cfc placed in the root folder can be viewed.

<http://127.0.0.1:61261/mycfc.cfc?method=myfunction&identifier=786fgg34-28e8-11ef-8731-0023541e76a2>

I think I have a permissions issue I need to track down

I set

"blockSensitivePaths":false

in my server.json but that didn't change anything.

Depends on where you set it, lol. It goes in the

web

object, not the top of the file.

The easy way to rule out any CommandBox security rules is to add

--trace

to your server start and tail the log files as you hit the request. Any and all server rules which fire will log to the console and will reveal if CommandBox's internal security rules are the issue, or if it's unrelated.

But like I said, CommandBox doesn't return 401 usually for sensitive files, we return 404 (to play dumb and pretend the file doesn't exist) so I'm thinking its something else. 401 is usually used for auth required, which CommandBox would only use if you're enabled its basic auth or client cert security features.