RE: [ACFUG Discuss] Securing CFCs

2008-07-27 Thread Clarke Bishop
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing CFCs
On Mon, Jul 21, 2008 at 4:06 PM, Clarke Bishop [EMAIL PROTECTED] wrote:
Cameron, you mentioned sessions will be available in both your CFM pages and CFCs as long as they share a common Application.cfc file. So, you'd put the CFC

[ACFUG Discuss] Securing CFCs

2008-07-21 Thread Clarke Bishop
I have one remaining problem to solve in my adventure with CF/Ajax. The CFCs have to have access=remote. But, this means anyone can access the methods. What I built is a master/detail, CRUD thing for administering users. So, I obviously don't want some unauthorized person deleting my users or

Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Dean H. Saxe
All access must be authorized. Only expose those methods required by the external system. Your CFC methods are performing authorization already, aren't they? ;-) If not, now is a great time to add appropriate authorization controls to your system before exposing such APIs. -dhs Dean

Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Cameron Childress
This is actually one of the biggest security problems on the internet right now, unprotected web services, remoting services, AJAX services. You can actually solve this a number of different ways. You might check out the Securing Web Services section in the docs first:

re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Mischa Uppelschoten ext 10
Jul 2008 10:46:09 -0400
SUBJECT: [ACFUG Discuss] Securing CFCs
I have one remaining problem to solve in my adventure with CF/Ajax. The CFCs have to have access=remote. But, this means anyone can access the methods. What I built is a master/detail, CRUD thing for administering users. So, I

Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Howard Fore
-- Original Message --
FROM: Clarke Bishop [EMAIL PROTECTED]
TO: discussion@acfug.org
DATE: Mon, 21 Jul 2008 10:46:09 -0400
SUBJECT: [ACFUG Discuss] Securing CFCs
I have one remaining

Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Cameron Childress
On Mon, Jul 21, 2008 at 10:52 AM, Mischa Uppelschoten ext 10 [EMAIL PROTECTED] wrote: That is a really good question and I'm curious about the input from the group. Maybe use permissions on a webserver/file level? All legit requests would be coming from localhost/127.0.0.1/server's IP address,

re[2]: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Mischa Uppelschoten ext 10
--- Original Message ---
From: "Howard Fore" [EMAIL PROTECTED]
To: discussion@acfug.org
Date: Mon, 21 Jul 2008 11:23:31 -0400
Subject: Re: [ACF

RE: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Clarke Bishop
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cameron Childress
Sent: Monday, July 21, 2008 11:01 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing CFCs
This is actually one of the biggest security problems on the internet right now, unprotected

Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Dean H. Saxe
. But, is there a better way to test something like this? Thanks again to everyone for your help!
Clarke
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cameron Childress
Sent: Monday, July 21, 2008 11:01 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing