> -----Original Message-----
> From: Joseph Higgins [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, March 22, 2001 7:58 PM
> To:   Fusebox
> Subject:      Re: Crystal Reports, CF, and Fusebox
> 
> I thought we had talked about this before, Alan. {redacted}
        Oh, and like everybody else doesn't rehash the same stuff! How many
times in the last month have you seen "Uh, does FB interfere with
search-safe URLs?"

        Okay, heh, onward... Now in CF 7, at least, yeah, it's utterly stupid
that it relies 100% on passing parameters via the URL. I can't believe it
doesn't accept form variables. How lame. I'm wondering if this is fixed in
8.0 or 8.5...

        FWIW, I partially overcome this miserable breach of security by
creating a view in SQL for the data desired in the report. The view contains
a reference to a UUID, but not the plain IDs used to identify records. So
the URL looks something like
"report.rpt?uuid=ABCDEEEE-AD20-3096-A576FE302&...". This keeps nosey folks
from simply incrementing an ID number manually. However, the worst, lamest,
stoooooopidest part of it is that CR wants you to pass the username and
password for the ODBC conn via the URL! Hello, anybody home there at
Seagate? This is stupid! I don't have a cure for that other than to have
created a separate ODBC conn to the data for accessing CR data, and the
permissions for that connection are bolted down to select-only, nothing more.
However, the model itself is just plain sucky.

> In CR I have tried to hide the URL string by using frames like so:
        {yeah, that doesn't work too well, either.}

> This shows them the name of the report and if they know CR they could just
> paste this into a web browser and add their own sf commands to get at the
> data that they wanted to. Or send them to a friend, or competitor - the
> competitor would have full access to your company's data, or patient
> records
> etc . . .
> 
> The question that I want to ask in return is: how do you keep people from
> directories on your server unless they are authenticated. My guess is that
> it depends on your webserver. If you are using IIS then set up NT
> security.
> 
        I use NT security. Anonymous access is -not- permitted for the CR
stuff, and for most of my web apps. If they ain't a member of our domain,
they ain't viewin' it.

> Does anybody have a factsheet on how to set up NT security with CF? And if
> you did would this stop them from accessing fuses or CR reports? Does the
> CR
> go through the webserver API or via CGI or does it have its own port?
> Anyway these are my big fusebox related security issues. . . any takers?
> 
        I am considering setting up a separate server purely for CR
reporting. This server would do nothing else; it wouldn't have CF installed
on it. I'm thinking that in my fusebox apps, when a user requests a CR
report, a new window will spawn, pointing to the appropriate .rpt file, with
all the necessary URL gunk. This way, I can dump the whole problem off to a
separate box.

        Another advantage to this idea is that I can use the latest version
of CR on this box; but if they've moved to some sort of rip-off client
licensing model for viewing reports, forget it! If that's the case, I'll
live with 7.0 as being as good as CR is going to get for me.
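The view-plus-locked-down-connection setup described in the reply above, written out as an added example (this is not code from the original post or from Crystal Reports). It is written for SQL Server, which the NT security and ODBC context suggests; the table `Patient`, the view `rpt_PatientSummary` and the login `cr_reader` are assumed names, and the password is a placeholder.

```sql
-- Added example, not from the post. Names and password are assumptions.
-- Goal: the report URL carries only an opaque UUID, never the sequential
-- record ID, and the ODBC login Crystal Reports uses can only SELECT.

-- The base table keeps its sequential key for the application and gains
-- an unguessable uniqueidentifier that is the only key the report sees.
CREATE TABLE Patient (
    PatientID   INT IDENTITY(1,1) PRIMARY KEY,
    ReportGuid  UNIQUEIDENTIFIER NOT NULL DEFAULT NEWID() UNIQUE,
    LastName    NVARCHAR(60) NOT NULL,
    FirstName   NVARCHAR(60) NOT NULL,
    DateOfBirth DATETIME NULL
);
GO

-- The view omits PatientID entirely, so a URL like report.rpt?uuid=...
-- cannot be turned into a walk through record 1, 2, 3, ...
CREATE VIEW rpt_PatientSummary AS
SELECT ReportGuid, LastName, FirstName, DateOfBirth
FROM   Patient;
GO

-- A dedicated login for the Crystal Reports ODBC connection. Its
-- password still ends up in the report URL (the complaint in the post),
-- so it must be a low-privilege account, never dbo or sa.
CREATE LOGIN cr_reader WITH PASSWORD = 'PLACEHOLDER-change-me';
CREATE USER  cr_reader FOR LOGIN cr_reader;
GO

-- Bolt it down: SELECT on the view only, nothing at all on the base table.
-- Ownership chaining lets the view read Patient on the account's behalf.
GRANT SELECT ON rpt_PatientSummary TO cr_reader;
DENY  SELECT, INSERT, UPDATE, DELETE ON Patient TO cr_reader;
GO

-- What the report itself runs, with the uuid taken from the URL
-- (constructed sample value, not a real record).
SELECT LastName, FirstName, DateOfBirth
FROM   rpt_PatientSummary
WHERE  ReportGuid = 'ABCDEEEE-AD20-3096-A576-0000FE302000';
```

Checking the grant afterwards as `cr_reader` (a `SELECT` from `Patient` should fail while the same `SELECT` from the view succeeds) confirms the connection is really select-only on the view.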



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
