Of course, Dean. :-) I was just sayin', not recommendin'. :-) The thing is, I don't know if web service invocations can use digest auth, so I didn't want to go there. (Should have thought to say, "but you ought not use basic auth for real security practices".)

/charlie
_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean H. Saxe
Sent: Monday, July 23, 2007 4:45 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC

Charlie,

I agree with most of your answer, but I'd really hesitate to use HTTP BASIC authentication due to its clear-text nature. HTTP Digest is a bit better, but I'd be hard pressed to find a reason not to integrate this with your standard authentication system.

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Jul 23, 2007, at 4:42 PM, Charlie Arehart wrote:

Doug, I don't know the answer, but here's a thought: the roles are set by the CFLOGINUSER tag, and there's nothing that says that has to be set in application.cfm/cfc. Also, the CFLOGIN can also get its authentication from web server basic security, and since invocation of web services can pass in such username/passwords, it seems possible that one could leverage roles even in a web-service invocation of a CFFUNCTION.

Just a thought. Someone may know better.

/charlie

-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------