Jim,
If you have a remote method, then it can be used by anyone (no RDS
password is needed). The RDS password is to view the CFC documentation.
They can view the WSDL for the file by just appending ?wsdl to the
CFC in the URL.
I would suggest that you don't make any of the methods in your core
CFCs remote. That just opens up your application far too much.
Instead, create a facade CFC (or multiple facade CFCs) that can
access your main CFCs and have the methods of that facade CFC be
remote. This will allow you greater control over what can be accessed
remotely as well as provide a public API that need not match your
internal API (as you may find that your API needs are a bit different
in different circumstances).
Definitely be careful with what you allow to be done via remote
methods - this potentially provides a great deal of power to anyone
that can guess or determine your API.
Steve
At 04:51 PM 2/15/2007, Jim Cassata wrote:
Very helpful, Steve, thanks. As for the function access I have been
setting this to "remote" anyway as after I move the business logic
into the CFCs I plan on making some Flex front-end(s) to access
them, and they require an access="remote" setting. But now you have
me wondering if they would be accessible from anywhere what security
implications this would have. I know that to browse to a cfc I need
the RDS password (or CFAdmin password?), is there more to consider to
securing flash remoting access?
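The facade arrangement described in the reply above, shown as an added example that is not part of the original thread or either poster's code. The names OrderService, OrderFacade, getOrderStatus, session.userId and application.orderService are hypothetical, and session management is assumed to be enabled for the application.

```cfml
<!--- File: OrderService.cfc (core CFC, hypothetical). No method is access="remote",
      so nothing here can be invoked through Flash Remoting, a web service or a URL. --->
<cfcomponent output="false">
    <cffunction name="getOrder" access="public" returntype="struct" output="false">
        <cfargument name="orderId" type="numeric" required="true">
        <cfset var order = StructNew()>
        <!--- Constructed sample record; a real service would query the database. --->
        <cfset order.id = arguments.orderId>
        <cfset order.ownerId = 42>
        <cfset order.status = "shipped">
        <cfset order.internalNotes = "constructed internal-only field">
        <cfreturn order>
    </cffunction>
</cfcomponent>

<!--- File: OrderFacade.cfc (hypothetical). The only CFC with remote methods. --->
<cfcomponent output="false">
    <cffunction name="getOrderStatus" access="remote" returntype="struct" output="false">
        <cfargument name="orderId" type="numeric" required="true">
        <cfset var order = "">
        <cfset var result = StructNew()>
        <!--- Assumption: the application's login code sets session.userId. --->
        <cfif NOT StructKeyExists(session, "userId")>
            <cfthrow type="OrderFacade.NotAuthenticated" message="Login required.">
        </cfif>
        <!--- Validate the argument before it reaches the core CFC. --->
        <cfif arguments.orderId LTE 0 OR arguments.orderId NEQ Int(arguments.orderId)>
            <cfthrow type="OrderFacade.BadRequest" message="Invalid order id.">
        </cfif>
        <!--- Assumption: application.orderService was created at application start. --->
        <cfset order = application.orderService.getOrder(arguments.orderId)>
        <!--- A caller who guesses an id still only gets their own orders. --->
        <cfif order.ownerId NEQ session.userId>
            <cfthrow type="OrderFacade.NotAuthorized" message="Not your order.">
        </cfif>
        <!--- Return only what the remote client needs, not the internal struct. --->
        <cfset result.id = order.id>
        <cfset result.status = order.status>
        <cfreturn result>
    </cffunction>
</cfcomponent>
```

Appending ?wsdl to OrderFacade.cfc now describes only getOrderStatus, so the published remote API stays separate from the internal one.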