Sean,
Thanks for your answer. What I am really trying to do is find the best way to ensure that only my site is capable of calling me, not somebody else from another domain. I want to make sure that nobody else can sneak through the back door. All calls to me are via mydomain.com Flash Remoting only. I am looking for best tips on how to secure everything.
 
If ColdFusion can know the domain name that is calling us, I just think that it will be the best solution for security, but I think it's not really possible with Flash MX and ColdFusion MX. Because, if a hacker registers on our site and decides to make our site very busy sending emails non-stop via a program X... even with cflogin & roles I don't think that the hacker will be stopped... they are a registered user on our site... they can log in... So if they log in with their own Flash MX site... they can do everything they want... maybe I'm wrong to think like this... because I'm not a hacker... but I know that anybody can look at the code inside a Flash MX site... so they can know the gatewayConnection.getService("mydomain.CFCs.MailServiceFacade")... and bingo! I just want no other domain calling me!... What do you think?
 
Stephane
 
----- Original Message -----
Sent: Friday, August 01, 2003 12:30 PM
Subject: Re: [CFCDev] Ensuring CFC calls

On Thursday, Jul 31, 2003, at 21:59 US/Pacific, Stéphane Bisson wrote:
How can I be 100% sure that the caller is only, for example, mydomain.com... and nobody else is calling me... All the calls to me (ColdFusion MX) are through Flash Remoting only and from the mydomain.com site. Any advice on how I can lock down my CFCs, my stuff, for security?

Well, there's a lot of options and it really depends on what you're actually trying to achieve.

A CFC that has no access="remote" methods in it cannot be called except by your own code so I assume you're talking about Web Services and/or Flash Remoting?

Can cflogin do the job? I don't use cflogin right now... I'm using the session scope...

You can use cflogin / cfloginuser to set 'roles' for an authenticated user and then use the roles= attribute on cffunction to restrict access to methods.

Sean A Corfield -- http://www.corfield.org/blog/

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood
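The following is an added example, not code from either poster, showing what Sean's cflogin / cfloginuser / roles= suggestion looks like in practice, and why it is the right place to put the check: the server never learns which web site a Flash movie was loaded from, because the SWF runs on the client and anything the client sends about its origin (the Referer header included) can be forged. The gateway URL and the service path ("mydomain.CFCs.MailServiceFacade") are readable in the SWF, as Stephane notes, so the only thing that can be enforced is who the authenticated user is and how much that user may do. The datasource name "mydomainDSN", the Users table, its passwordHash and roles columns, the "mailer" role, and the quota of 20 mails per 60 minutes are all assumptions made for the example; the credentials in the cflogin scope are the ones the Flash client sets on its NetConnection before calling the service.

```cfml
<!--- Application.cfm (added example): every Flash Remoting request passes
      through here before any CFC method runs, so this is where the user
      is authenticated and given roles. --->
<cfapplication name="mydomainApp" sessionmanagement="true">

<cflogin>
    <!--- The cflogin body runs only when no user is logged in yet.
          The cflogin scope is populated from the credentials the Flash
          client supplied with its call; Users/passwordHash/roles are
          hypothetical names for this example. --->
    <cfif isDefined("cflogin")>
        <cfquery name="qUser" datasource="mydomainDSN">
            SELECT username, roles
            FROM   Users
            WHERE  username     = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            AND    passwordHash = <cfqueryparam value="#hash(cflogin.password)#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif qUser.recordCount eq 1>
            <!--- roles is a comma-delimited list such as "member,mailer" --->
            <cfloginuser name="#qUser.username#"
                         password="#cflogin.password#"
                         roles="#qUser.roles#">
        </cfif>
    </cfif>
</cflogin>


<!--- mydomain/CFCs/MailServiceFacade.cfc (added example) --->
<cfcomponent>

    <!--- access="remote" is what makes the method reachable over Flash
          Remoting at all; roles="mailer" means ColdFusion refuses the call
          unless the logged-in user carries that role, regardless of which
          site or program made the call. --->
    <cffunction name="sendMail" access="remote" roles="mailer" returntype="boolean">
        <cfargument name="to"      type="string" required="true">
        <cfargument name="subject" type="string" required="true">
        <cfargument name="body"    type="string" required="true">

        <!--- var declarations must come first in a CFMX function --->
        <cfset var key = "mailquota_" & getAuthUser()>
        <cfset var overQuota = false>

        <!--- Per-user throttle: a registered user who points their own
              Flash client at the gateway is still limited to 20 mails
              per 60-minute window (assumed values). Counters live in the
              application scope, so they are shared across all of that
              user's sessions and locked against concurrent calls. --->
        <cflock scope="application" type="exclusive" timeout="5">
            <cfif not structKeyExists(application, key)
                  or dateDiff("n", application[key].start, now()) gte 60>
                <cfset application[key] = structNew()>
                <cfset application[key].start = now()>
                <cfset application[key].count = 0>
            </cfif>
            <cfset application[key].count = application[key].count + 1>
            <cfset overQuota = application[key].count gt 20>
        </cflock>

        <cfif overQuota>
            <cfthrow type="mydomain.RateLimit"
                     message="Mail quota exceeded for user #getAuthUser()#">
        </cfif>

        <cfmail to="#arguments.to#"
                from="noreply@mydomain.com"
                subject="#arguments.subject#">#arguments.body#</cfmail>

        <cfreturn true>
    </cffunction>

</cfcomponent>
```

Two things worth keeping in mind when adapting this: the roles= attribute only protects methods that declare it, so every access="remote" method that does something sensitive needs its own roles= (or an explicit isUserInRole() check in its body), and the throttle protects against exactly the case Stephane describes, a legitimately registered account being driven by a script rather than by the site's own Flash movie, which no origin check could have caught.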
