I was successful in securing a webservice call using role based security. Try my examples that I used from my Max presentation http://www.bpurcell.org/blog/index.cfm?mode=entry&ENTRY=978
Brandon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Temm
Sent: Thursday, January 29, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [CFCDev] FW: Role based security in CFCs called through web services

Hi

I have an application which relies on CFCs as a container for business logic. Most methods are locked down with role based security which is pretty granular. For example, I have a Document class with an insert() method for persisting the object to a database. This method is restricted to users with the Document_add method. Methods for accessing various data from an object are restricted to Document_view, etc.

Roles for a user are obviously set up at login time using cfloginuser. This requires session management to be turned on in Application.cfm.

I would like to make some of my methods accessible REMOTEly. The problem is, methods with roles defined do not appear in the WSDL for a component and are not callable over web services. Makes sense, they are supposed to be protected. An application.cfm in the component directory does not get called before instantiating the class. Makes sense too - you can include generic behaviour using component.cfc if you want.

My question is this: how do I maintain the state of a series of web services connections from the same client, given that the client probably doesn't have a cookie mechanism and thus won't be able to take advantage of CF's cookie-based session management?

I suppose I could make logging in part of the instantiation of any object being called remotely (I remember seeing somewhere a trick to expose whether the call was remote or local - anyone?) by making it part of components.cfc, but that seems like a lot of overhead if I wanted to enable multistep processes or build a full remote application, say in Flash or Java.

For now I am limited to creating facades for classes/methods I want to expose by impersonating a guest user, but that access level doesn't give access to very many roles (add/editing for example is out).

Ideas?

Chip Temm
Director, Knowledge Architecture
Center for Applied Biodiversity Science
Conservation International
Ste 600 1919 M St NW
Washington, DC 20036 USA
+1 202 912 1402
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to [EMAIL PROTECTED] with the words 'unsubscribe cfcdev' in the message of the email. CFCDev is run by CFCZone (www.cfczone.org) and supported by Mindtool, Corporation (www.mindtool.com). An archive of the CFCDev list is available at www.mail-archive.com/[EMAIL PROTECTED]
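
One stateless way to approach the cookie-less client problem raised in the thread, as an added example that is not from either poster or from the linked presentation: the client sends HTTP Basic credentials with every call, and the login is rebuilt per request instead of being kept in a session. `UserStore.getRolesFor`, `DocumentFacade`, `Document.init`, the URL and the credentials are hypothetical; the sketch assumes this Application.cfm runs for the CFC request and that the endpoint is served over HTTPS only, since Basic credentials travel on every call.

```cfml
<!--- Application.cfm (assumption: it is in the path that runs for the remote CFC request) --->
<cfapplication name="docServices" sessionmanagement="no">

<cflogin>
    <!--- ColdFusion fills cflogin.name / cflogin.password from HTTP Basic credentials sent with the request --->
    <cfset roles = "">
    <cfif IsDefined("cflogin")>
        <!--- UserStore.getRolesFor is hypothetical: returns a comma-separated role list,
              or an empty string when the credentials do not verify --->
        <cfset roles = CreateObject("component", "UserStore").getRolesFor(cflogin.name, cflogin.password)>
    </cfif>
    <cfif Len(roles)>
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
    <cfelse>
        <!--- Missing or bad credentials: challenge and stop before any component code runs --->
        <cfheader statuscode="401" statustext="Unauthorized">
        <cfheader name="WWW-Authenticate" value='Basic realm="docServices"'>
        <cfabort>
    </cfif>
</cflogin>

<!--- DocumentFacade.cfc (hypothetical): remote entry point that re-checks the role itself --->
<cfcomponent>
    <cffunction name="insertDocument" access="remote" returntype="boolean">
        <cfargument name="title" type="string" required="yes">
        <cfset var doc = CreateObject("component", "Document")>
        <!--- Fail closed: the caller must hold the same role the local insert() requires --->
        <cfif NOT IsUserInRole("Document_add")>
            <cfthrow type="DocumentFacade.NotAuthorized" message="Document_add role required">
        </cfif>
        <cfset doc.init(arguments.title)> <!--- init() is a hypothetical constructor --->
        <cfset doc.insert()>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- Client side: cfinvoke passes the credentials as HTTP Basic auth on each call (placeholder values) --->
<cfinvoke webservice="https://example.org/services/DocumentFacade.cfc?wsdl"
          method="insertDocument"
          username="jdoe"
          password="REPLACE_ME"
          returnvariable="ok">
    <cfinvokeargument name="title" value="Field survey 12">
</cfinvoke>
```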
