>What value does hashing play?
 
I agree, not much, just a common practice for me. If the person matches up the
hash then yes, the WS will talk to them. And that is a common problem with
hashes: you can find patterns etc. to see what's happening. You don't
necessarily have to decrypt it to get what you want.
 
The client-side certificates would certainly be good. Got me thinking about
something there with automating the cert creation through OpenSSL and
sending that to the client. That wouldn't be hard to do at all...hmm
 
thanks,
John
 
 

  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 23, 2007 8:50 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] security in CFC


What value does hashing play? A hashed password compromised in this case is
as good as one that is not hashed, they are equals here. This is essentially
the same problem as Digest Authentication, which also passes an unsalted
password hash. Compromise the hash and you have access, no need to
compromise the original password. 

You should have the remote system pass the password directly - which poses a
storage problem on the remote side - which is then salted and hashed to
compare to the salted hash in the DB or use a client-side certificate for
authentication.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or that we
are to stand by the president right or wrong, is not only unpatriotic and
servile, but is morally treasonable to the American public."
-- Theodore Roosevelt
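Dean's point above, as an added example that is not from the list or from anyone on it: a service that accepts and stores an unsalted hash treats the hash itself as the credential, whereas one that takes the password over TLS and salts and iterates the hash on the server side does not. Class and function names are my own, and Python stands in for the CFC.

```python
import hashlib
import hmac
import os


def unsalted_hash(password: str) -> str:
    """What the client in the thread's original design sends over the wire."""
    return hashlib.sha256(password.encode()).hexdigest()


class HashTokenService:
    """Design the thread critiques: server stores hash(password) and compares
    it with the hash the client sends. The stored value, and the value on the
    wire, are password equivalents."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, password: str) -> None:
        self._users[user] = unsalted_hash(password)

    def credential_record(self, user: str) -> str:
        return self._users[user]  # what a DB leak exposes

    def authenticate(self, user: str, token: str) -> bool:
        return hmac.compare_digest(self._users.get(user, ""), token)


class SaltedPasswordService:
    """Dean's recommendation: the password itself arrives (over TLS), the server
    salts and iterates the hash per user, and compares in constant time."""
    ITERATIONS = 100_000  # constructed value; tune to your hardware

    def __init__(self):
        self._users = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(password, salt))

    def credential_record(self, user: str) -> str:
        salt, digest = self._users[user]
        return salt.hex() + ":" + digest.hex()  # a leak of this is not a login

    def authenticate(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            self._derive(password, b"\x00" * 16)  # equal work for unknown users
            return False
        salt, digest = rec
        return hmac.compare_digest(self._derive(password, salt), digest)
```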


On Jul 23, 2007, at 8:43 PM, John Mason wrote:


No, not at present. Here's what I normally would do. I have my webservices
set to only go over SSL. You have to import the SSL cert to the JVM on the
server making the webservice for this to work properly. Then the IP ranges
are also restricted down to only those that should have access. Then I use
the attributes on the WS to pass over the authentication info, which is of
course hashed. Inside the webservice cfc, it simply calls another cfc that
handles the authentication. If it matches then the cfc does its process. If
not, it fails and logs the failure. I monitor my logs through other
scripting to scan for brute force attempts.

Now that I think about it, you could have like a gateway cfc that handles
all and only the webservice calls. The gateway could execute the cfloginuser
tag based on the info presented by the call and then simply make the
necessary calls to the other cfcs, thereby using the roles attributes.

John
[EMAIL PROTECTED]



  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 6:47 PM
To: [email protected]
Subject: RE: [ACFUG Discuss] security in CFC


Sure, and given what Dean said, let's do hear how you do it. I was just
connecting dots between roles, cfloginuser, cflogin, and web services. I
wasn't proposing a best practice, just proposing how roles could indeed be
useful even for remote calls. Is the way you do web service security
something that CFLOGIN could leverage? Now that I think about it, you could
skip using that and just CFLOGINUSER only after doing any sort of
roll-your-own authentication.

/charlie



  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Monday, July 23, 2007 4:59 PM
To: [email protected]
Subject: RE: [ACFUG Discuss] security in CFC


>CFLOGIN can also get its authentication from web server basic security

Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.

John
[EMAIL PROTECTED]



  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: [email protected]
Subject: RE: [ACFUG Discuss] security in CFC


Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.

/charlie

------------------------------------------------------------- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
------------------------------------------------------------- 