No, not at present. Here's what I normally would do. I have my webservices set to only go over SSL. You have to import the SSL cert to the jvm on the server making the webservice for this to work properly. Then the ip ranges are also restricted down to only those that should have access. Then I use the attributes on the WS to pass over the authentication info which is of course hashed. Inside the webservice cfc. It simply calls another cfc that handles the authentication. If it matches then the cfc does it's process. If not, it fails and logs the failure. I monitor my logs through other scripting to scan for brute force attempts. Now that I think about it, you could have like a gateway cfc that handles all and only the webservice calls. The gateway could execute the cfloginuser tag based on the info presented by the call and then simply make the necessary calls to the others cfcs thereby using the roles attributes. John [EMAIL PROTECTED]
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart Sent: Monday, July 23, 2007 6:47 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] security in CFC Sure, and given what Dean said, let's do hear how you do it. I was just connecting dots between roles, cfloginuser, cflogin, and web services. I wasn't proposing a best practice, just proposing how roles could indeed be useful even for remote calls. Is the way you do web service security something that CFLOGIN could leverage? Now that I think about it, you could skip using that and just CFLOGINUSER only after doing any sort of roll-your-own authentication. /charlie _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason Sent: Monday, July 23, 2007 4:59 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] security in CFC >CFLOGIN can also get its authentication from web server basic security Interesting, I actually handle the security on my web services differently but I hadn't thought of that. John [EMAIL PROTECTED] _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart Sent: Monday, July 23, 2007 4:43 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] security in CFC Doug, I don't know the answer, but here's a thought: the roles are set by the CFLOGINUSER tag, and there's nothing that says that has to be set in application.cfm/cfc. Also, the CFLOGIN can also get its authentication from web server basic security, and since invocation of web services can pass in such username/passwords, it seems possible that one could leverage roles even in a web-service invocation of a CFFUNCTION. Just a thought. Someone may know better. /charlie ------------------------------------------------------------- Annual Sponsor - Figleaf Software <http://www.figleaf.com> To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink <http://www.fusionlink.com> ------------------------------------------------------------- ------------------------------------------------------------- Annual Sponsor FigLeaf Software - http://www.figleaf.com To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
