> Again, sorry if this has been asked and answered, but I
> scoured the web and this list as best I could, and didn't
> find a suitable answer.
>
> I would like to apply a username and password to some web
> services I'm creating in CFMX 6.1. I naively assumed that
> either the <cfcomponent> or <cffunction> tag would have
> username/password attributes that would allow me to assign
> those values. I figured, hey, there's a username and
> password field on the cfinvoke tag that passes those values
> to a web service--shouldn't there be the opposite feature on
> the web service itself? Obviously, there is not.
>
> So then I tried assigning a username and password to my test
> web service within the CF Admin interface. A very annoying
> way to have to do it, but if it works, I can live with it.
>
> Well, imagine my surprise when I tried to invoke that web
> service *without* passing a username and password. I assumed
> the service would kick back some kind of error, but instead,
> it actually kicked back the data. So, that seems to suggest
> that the username/password field within the CF Administrator
> is useless.
>
> Obviously, there's something I'm missing here, but I am at a
> loss to figure out what that missing piece is.

The username and password fields in CF Administrator are for when you use CF as a client to that web service, just like the USERNAME and PASSWORD attributes of CFINVOKE.

There are a couple of approaches to securing web services. One is to simply use your web server for this, by configuring it to require authentication before allowing you to invoke the web service. When you specify a username and password within CFINVOKE, it provides authentication to the web server presuming that the web server requires it.

Alternatively, you can build an authentication mechanism into the web service itself. For example, you may have to get an authentication token of some sort from a "login" web service first, then use that token when invoking other web services. You can probably use CFLOGIN and/or Application.cfm or Application.cfc to force authentication too, although I haven't tried that and I'm not entirely sure how I'd go about doing that.

Finally, to be a bit forward-looking, there is a standard called WS-Security that applies to web service security. CFMX's web service implementation doesn't seem to provide any hooks into it, but perhaps they're there and I just don't know how to use them. CFMX uses Apache Axis for its web service functionality, and Axis doesn't directly support WS-Security, but Axis can be used with WSS4J to sign web service requests and responses. I don't know how that would be done through CF's implementation, though.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
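
The token approach described in the reply above, as an added example that is not part of the original message or of ColdFusion itself: a "login" service issues a short-lived token, and a protected service method refuses to return data without one. It is written in Python rather than CFML to show the flow; the function names, the in-memory stores and the sample user are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds a token stays valid (constructed value)

def _hash(password, salt):
    # Slow, salted hash so the user store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, password hash)
_SALT = secrets.token_bytes(16)
USERS = {"reports": (_SALT, _hash("s3cret-example", _SALT))}
TOKENS = {}  # sha256(token) -> (username, expiry time); raw tokens are not stored

def login(username, password, now=None):
    """The "login" web service: returns a token, or None on bad credentials."""
    now = time.time() if now is None else now
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    # Hash even for unknown users so timing does not reveal valid names.
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    key = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[key] = (username, now + TOKEN_TTL)
    return token

def authenticate(token, now=None):
    """Return the username bound to a live token, else None."""
    now = time.time() if now is None else now
    key = hashlib.sha256((token or "").encode()).hexdigest()
    entry = TOKENS.get(key)
    if entry is None:
        return None
    if now >= entry[1]:
        del TOKENS[key]  # expired: drop it so it cannot be replayed
        return None
    return entry[0]

def get_report(token, now=None):
    """A protected service method: no valid token, no data."""
    user = authenticate(token, now)
    if user is None:
        raise PermissionError("authentication required")
    return {"requested_by": user, "rows": [1, 2, 3]}
```

The token is a bearer credential, so both the login call and every later call need to travel over TLS.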

