As an additional level of security, you can set up your services-config.xml to create a destination that REQUIRES SSL (my-secure-amf or whatever) - this goes to an entirely different servlet-mapping than normal remoting requests that will fail requests not using SSL. Combined with your SSL cert, that's some pretty good due-diligence re: security of remote objects.
Jeff

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Battershall, Jeff
Sent: Friday, February 08, 2008 10:06 AM
To: [email protected]
Subject: RE: [flexcoders] Re: Remote Object Security

I'm using setRemoteCredentials() successfully in a couple of applications along with CFLOGIN in Application.cfc. Using Cairngorm ServiceLocator makes this easier as you can create a persistent instance of a remote object, set credentials on it after the user successfully logs in, and then continue to use it without fear of any session timeout. If for any reason the remote credentials are no longer available, they can be reset by the CFLOGIN code block in your Application.cfc. Seems to work great and is way, way better than using sessions on the server-side. Additionally you then have the ability to set up role-based security for your remote object (CFC) methods.

I wouldn't say this approach is hacker-proof because that's an assertion that is 'made to be broken', but it does assume that the remote accessor at least has some valid credentials before proceeding. Using good old SSL would be recommended of course.

Jeff

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Chiverton
Sent: Friday, February 08, 2008 9:46 AM
To: [email protected]
Subject: Re: [flexcoders] Re: Remote Object Security

On Friday 08 Feb 2008, slash_n_rose wrote:
> I'm just trying to use setRemoteCredentials("myUserName",
> "myPassword"); method in each remote object call and check
> username/password in my Application.cfc using <cflogin>. Is there any
> problem with this?

Not as such, no, assuming it works.

--
Tom Chiverton
Helping to advantageously architect total infomediaries on: http://thefalken.livejournal.com
--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
Yahoo! Groups Links
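The pattern Jeff describes (Flex sends credentials with setRemoteCredentials(), Application.cfc validates them inside <cflogin>, and the CFC methods are then protected with the roles attribute) as an added example; this is not code from the thread or from any of the posters. The component name, the lookupRoles() helper and the "alice"/"bob" sample accounts are assumptions constructed for the example, and the role names are hypothetical.

```cfml
<!--- Application.cfc (added example, not from the thread). --->
<cfcomponent output="false">
    <cfset this.name = "RemoteObjectSecurityDemo">

    <!--- Runs before every request, including Flash Remoting calls to CFCs. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var userRoles = "">

        <!--- The cflogin body only runs when no user is logged in for this request.
              Credentials sent by RemoteObject.setRemoteCredentials() arrive in the
              cflogin structure as cflogin.name and cflogin.password. --->
        <cflogin>
            <cfif NOT isDefined("cflogin")>
                <!--- No credentials on the request: refuse instead of serving anonymously. --->
                <cfthrow type="Security.CredentialsRequired"
                         message="Remote credentials are required.">
            </cfif>

            <cfset userRoles = lookupRoles(cflogin.name, cflogin.password)>
            <cfif len(userRoles) EQ 0>
                <cfthrow type="Security.InvalidCredentials"
                         message="Invalid username or password.">
            </cfif>

            <!--- Establishes the authenticated user and roles for this request;
                  cffunction roles="..." checks are evaluated against these. --->
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#userRoles#">
        </cflogin>

        <cfreturn true>
    </cffunction>

    <!--- Hypothetical credential check. Returns a comma-separated role list, or ""
          when the credentials are rejected. A real store would compare against
          hashed passwords; the two constructed sample accounts below exist only
          so the example is self-contained. --->
    <cffunction name="lookupRoles" access="private" returntype="string" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfif arguments.username EQ "alice" AND arguments.password EQ "alice-secret">
            <cfreturn "user,admin">
        <cfelseif arguments.username EQ "bob" AND arguments.password EQ "bob-secret">
            <cfreturn "user">
        </cfif>
        <cfreturn "">
    </cffunction>
</cfcomponent>

<!--- ReportService.cfc (hypothetical CFC exposed as a remote object).
      The roles attribute makes ColdFusion reject the call unless the user
      logged in above holds one of the listed roles. --->
<cfcomponent output="false">
    <cffunction name="getMyReports" access="remote" returntype="array" roles="user,admin">
        <cfreturn arrayNew(1)>
    </cffunction>

    <cffunction name="deleteAllReports" access="remote" returntype="boolean" roles="admin">
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

With this in place a RemoteObject call that carries bob's credentials can reach getMyReports() but gets a security exception from deleteAllReports(), and a call with no credentials at all is stopped in onRequestStart() before any CFC method runs. As both posters note, the credentials travel with each request, so this only holds up when the AMF channel is SSL-only.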

