What I have heard others do for web service security was, after an
authentication step, pass a token in every call after. This token can be
sent inside the soap header. Why not send the cfid/cftoken, eh? So, a
facade/gateway styled cfc wrapper would be a good thing.

DK

On 7/23/07, John Mason <[EMAIL PROTECTED]> wrote:

No, not at present. Here's what I normally would do. I have my
webservices set to only go over SSL. You have to import the SSL cert to the
jvm on the server making the webservice for this to work properly. Then the
ip ranges are also restricted down to only those that should have access.
Then I use the attributes on the WS to pass over the authentication info,
which is of course hashed. Inside the webservice cfc, it simply calls
another cfc that handles the authentication. If it matches then the cfc does
its process. If not, it fails and logs the failure. I monitor my logs
through other scripting to scan for brute force attempts.

Now that I think about it, you could have like a gateway cfc that handles
all and only the webservice calls. The gateway could execute the cfloginuser
tag based on the info presented by the call and then simply make the
necessary calls to the other cfcs, thereby using the roles attributes.

John
[EMAIL PROTECTED]


------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Charlie Arehart
*Sent:* Monday, July 23, 2007 6:47 PM
*To:* discussion@acfug.org
*Subject:* RE: [ACFUG Discuss] security in CFC

Sure, and given what Dean said, let's do hear how you do it. I was just
connecting dots between roles, cfloginuser, cflogin, and web services. I
wasn't proposing a best practice, just proposing how roles could indeed be
useful even for remote calls. Is the way you do web service security
something that CFLOGIN could leverage? Now that I think about it, you could
skip using that and just CFLOGINUSER only after doing any sort of
roll-your-own authentication.

/charlie


------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* John Mason
*Sent:* Monday, July 23, 2007 4:59 PM
*To:* discussion@acfug.org
*Subject:* RE: [ACFUG Discuss] security in CFC

> CFLOGIN can also get its authentication from web server basic security

Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.

John
[EMAIL PROTECTED]


------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Charlie Arehart
*Sent:* Monday, July 23, 2007 4:43 PM
*To:* discussion@acfug.org
*Subject:* RE: [ACFUG Discuss] security in CFC

Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication
from web server basic security, and since invocation of web services can
pass in such username/passwords, it seems possible that one could leverage
roles even in a web-service invocation of a CFFUNCTION. Just a thought.
Someone may know better.

/charlie

-------------------------------------------------------------
Annual Sponsor - Figleaf Software <http://www.figleaf.com>

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------

--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
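The thread describes a pattern without showing it: one gateway CFC that takes every web service call, checks the presented (hashed) credential against an authentication store, logs the failure with the caller's address so brute-force attempts can be scanned for, then runs cfloginuser so that the roles attribute on the internal cffunctions is enforced by ColdFusion. The following is an added illustration of that pattern, not code from anyone on this list. Gateway.cfc, services.Reports, the user store and the secrets are all constructed for the example; it also assumes that a cfloginuser issued outside a cflogin block applies to the current request, which should be checked against the ColdFusion version in use. The two CFCs are shown in one block with a comment marking the file boundary.

```cfml
<!--- Gateway.cfc (hypothetical name): the single remote entry point for web service calls.
      Assumes a companion services/Reports.cfc, shown below, and a constructed user store. --->
<cfcomponent output="false" hint="Authenticates each call, sets the CF security context, then delegates">

    <!--- Constructed sample credential store: only a hash of each caller's secret is kept.
          The secrets and role names are placeholders for the example. --->
    <cfset variables.users = structNew()>
    <cfset variables.users["reportsvc"] = structNew()>
    <cfset variables.users["reportsvc"].secretHash = hash("demo-secret-one", "SHA-256")>
    <cfset variables.users["reportsvc"].roles = "reports">
    <cfset variables.users["adminsvc"] = structNew()>
    <cfset variables.users["adminsvc"].secretHash = hash("demo-secret-two", "SHA-256")>
    <cfset variables.users["adminsvc"].roles = "reports,admin">

    <cffunction name="callService" access="remote" returntype="any" output="false"
                hint="All web service calls come through here with the caller's credentials">
        <cfargument name="username"  type="string" required="true">
        <cfargument name="secret"    type="string" required="true">
        <cfargument name="operation" type="string" required="true">
        <cfargument name="args"      type="struct" required="false" default="#structNew()#">

        <cfset var presentedHash = hash(arguments.secret, "SHA-256")>
        <cfset var target = "">
        <cfset var result = "">

        <!--- 1. Authenticate: an unknown user and a wrong secret fail the same way and are
                 logged with the source address, which is what a brute-force scan of the logs keys on --->
        <cfif NOT structKeyExists(variables.users, arguments.username)
              OR compare(presentedHash, variables.users[arguments.username].secretHash) NEQ 0>
            <cflog file="wsauth" type="warning"
                   text="auth failure user=#arguments.username# ip=#cgi.remote_addr# op=#arguments.operation#">
            <cfthrow type="Gateway.AuthFailure" message="Authentication failed">
        </cfif>

        <!--- 2. Establish the security context so the roles attribute on each target
                 cffunction is enforced by ColdFusion rather than by this gateway.
                 Assumption: used outside cflogin, this login applies to the current request. --->
        <cfloginuser name="#arguments.username#" password="#presentedHash#"
                     roles="#variables.users[arguments.username].roles#">

        <!--- 3. Delegate. A caller whose roles do not match the target method is refused
                 by ColdFusion; the refusal is logged here before being passed back. --->
        <cftry>
            <cfset target = createObject("component", "services.Reports")>
            <cfswitch expression="#arguments.operation#">
                <cfcase value="getReport">
                    <cfset result = target.getReport(argumentCollection = arguments.args)>
                </cfcase>
                <cfcase value="purgeReports">
                    <cfset result = target.purgeReports()>
                </cfcase>
                <cfdefaultcase>
                    <cfthrow type="Gateway.UnknownOperation" message="Unknown operation">
                </cfdefaultcase>
            </cfswitch>
            <cfcatch type="any">
                <cflog file="wsauth" type="error"
                       text="call refused user=#getAuthUser()# ip=#cgi.remote_addr# op=#arguments.operation# msg=#cfcatch.message#">
                <cflogout>
                <cfrethrow>
            </cfcatch>
        </cftry>

        <cflogout>
        <cfreturn result>
    </cffunction>
</cfcomponent>

<!--- services/Reports.cfc (hypothetical): internal CFC, not remote, protected by roles --->
<cfcomponent output="false">
    <cffunction name="getReport" access="public" returntype="string" roles="reports" output="false">
        <cfargument name="reportId" type="numeric" required="true">
        <cfreturn "report #arguments.reportId# for #getAuthUser()#">
    </cffunction>

    <cffunction name="purgeReports" access="public" returntype="boolean" roles="admin" output="false">
        <!--- only callers logged in with the admin role reach this line --->
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

A SOAP caller invokes only callService, passing username, secret and the operation name; the internal CFC is never exposed as remote, so the roles check on each of its methods is the authorization decision and the gateway never re-implements it. Because the hashed secret is the same on every call, it is a bearer credential, which is why the SSL-only and IP-range restrictions described above still matter; the wsauth log entries carry the source address so the same log scanning for repeated failures can be applied.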