Sure, and given what Dean said, let's do hear how you do it. I was just connecting dots between roles, cfloginuser, cflogin, and web services. I wasn't proposing a best practice, just proposing how roles could indeed be useful even for remote calls. Is the way you do web service security something that CFLOGIN could leverage? Now that I think about it, you could skip using that and just CFLOGINUSER only after doing any sort of roll-your-own authentication.

/charlie
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Monday, July 23, 2007 4:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC

>CFLOGIN can also get its authentication from web server basic security

Interesting, I actually handle the security on my web services differently but I hadn't thought of that.

John
[EMAIL PROTECTED]

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC

Doug, I don't know the answer, but here's a thought: the roles are set by the CFLOGINUSER tag, and there's nothing that says that has to be set in application.cfm/cfc. Also, the CFLOGIN can also get its authentication from web server basic security, and since invocation of web services can pass in such username/passwords, it seems possible that one could leverage roles even in a web-service invocation of a CFFUNCTION. Just a thought. Someone may know better.

/charlie