IIS can be configured to not do anything with authorization headers. If you enable "allow anonymous access", users will not be prompted for a username and password, and IIS will pass any authorization headers through to CF. You can then send a 401 response via CF to any request that does not have an authorization header, prompting the user/service requester for a username and password if not already provided. See the examples/presentation from the link in my previous post on how to send 401 responses for CFCs.
Daniel D.

-----Original Message-----
From: Nat Papovich [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 12, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [CFCDev] web services authentication

Ben -

Cookie values are passed in the HTTP header; that's how they get to the web server. The problem is that the cfinvoke tag does not allow sending cookie values. The only thing you can send in the header using the cfinvoke tag is explicitly-passed values for username and password, which get combined into the "Authorization" header, which is the standard way to transport authentication credentials. (This is the same way an NT-style username and password prompt appears when you apply directory security to a folder in IIS or make use of .htaccess files in Apache.)

So yes, you are right on the ball about making use of HTTP headers for sending authentication credentials via the Authorization header in a web service request. The only problem is that IIS attempts authentication based on any available Authorization header against Windows accounts. So if you pass a username and password in your cfinvoke tag that doesn't match up with a Windows account on the server, then IIS returns a 401 error - not authorized. Apparently, there is no way around this "feature". Apache, however, does not automatically attempt to authenticate if a request includes an Authorization header, unless the directory is secured.

One other way to get the job done would be to pass a custom SOAP header, and use getHTTPRequestData() on the target to look at the credentials. The only problem with THAT is that cfinvoke doesn't let you pass custom SOAP headers, AFAIK.

Does anyone other than Barney secure their web service-published CFCs?
NAT

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Curtis
> Sent: Monday, April 12, 2004 12:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [CFCDev] web services authentication
>
> Can't web services, being delivered over HTTP, make use of cookies, and the session values stored therein? Then you only need to program the service consumer to recognize Set-Cookie headers, and send Cookie headers with each request.
>
> I haven't used web services outside of the built-in Flash Remoting stuff, which supports sessions via cookies. Are cookies verboten in more standardized web services?

----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to [EMAIL PROTECTED] with the words 'unsubscribe cfcdev' in the message of the email.
CFCDev is run by CFCZone (www.cfczone.org) and supported by Mindtool, Corporation (www.mindtool.com).
An archive of the CFCDev list is available at www.mail-archive.com/[EMAIL PROTECTED]
----------------------------------------------------------
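The 401 challenge that Daniel describes at the top of this thread, written out as an added example for this archive page (it is not code posted by Daniel, Nat, Ben, or anyone else on the list). It assumes IIS has "allow anonymous access" turned on for the directory holding the web-service CFCs, so IIS leaves the Authorization header alone and ColdFusion sees it; the credential check isValidUser() is a hypothetical placeholder you would replace with a lookup against your own user store. Everything else is standard tag-based CFML: the check lives in the Application.cfm that governs the CFC directory, so it runs before any CFC method is invoked.

```cfml
<!--- Application.cfm guarding a directory of web-service CFCs (added example,
      not from the thread). Assumes IIS "allow anonymous access" is on for this
      directory, so IIS passes the Authorization header through to CF. --->

<cffunction name="sendChallenge" returntype="void" output="false">
    <!--- Tell the caller (browser or cfinvoke client) that HTTP Basic
          credentials are required, then stop processing this request. --->
    <cfheader statusCode="401" statusText="Unauthorized">
    <cfheader name="WWW-Authenticate" value="Basic realm=""CFC Web Services""">
    <cfabort>
</cffunction>

<cffunction name="isValidUser" returntype="boolean" output="false">
    <!--- Hypothetical credential check: replace with your own user store
          (database, LDAP, ...). Hard-coded values are for illustration only. --->
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfreturn (arguments.username EQ "svc-account" AND arguments.password EQ "s3cret")>
</cffunction>

<cfset request.reqData = getHTTPRequestData()>

<!--- 1. No Authorization header at all: challenge for one. --->
<cfif NOT structKeyExists(request.reqData.headers, "Authorization")>
    <cfset sendChallenge()>
</cfif>

<cfset request.authHeader = trim(request.reqData.headers["Authorization"])>

<!--- 2. Only HTTP Basic is handled here; any other scheme is re-challenged.
      The length check also guarantees the mid() below gets a positive count. --->
<cfif len(request.authHeader) LTE 6 OR compareNoCase(left(request.authHeader, 6), "Basic ") NEQ 0>
    <cfset sendChallenge()>
</cfif>

<!--- 3. Basic credentials are base64("user:password"). toBinary() decodes the
      base64 text and toString() turns the bytes back into a string. Malformed
      base64 throws, so it is treated as a bad credential rather than an error page. --->
<cftry>
    <cfset request.decoded = toString(toBinary(trim(mid(request.authHeader, 7, len(request.authHeader) - 6))))>
    <cfcatch type="any">
        <cfset sendChallenge()>
    </cfcatch>
</cftry>

<!--- Split on the FIRST colon only: passwords may themselves contain colons,
      and an empty username (colon in position 1) is rejected. --->
<cfset request.colonPos = find(":", request.decoded)>
<cfif request.colonPos LTE 1>
    <cfset sendChallenge()>
</cfif>
<cfset request.authUser = left(request.decoded, request.colonPos - 1)>
<cfset request.authPass = mid(request.decoded, request.colonPos + 1, len(request.decoded) - request.colonPos)>

<!--- 4. Wrong credentials get the same 401 as missing ones, so a caller
      learns nothing about which half was wrong. --->
<cfif NOT isValidUser(request.authUser, request.authPass)>
    <cfset sendChallenge()>
</cfif>

<!--- Request falls through to the CFC; request.authUser identifies the caller. --->
```

On the consumer side, the username and password attributes of cfinvoke are what produce the Authorization header this code reads, as Nat describes. Two caveats a practitioner will want: Basic credentials are only base64-encoded, not encrypted, so expose the CFCs over HTTPS only; and because the check is in Application.cfm, it protects every .cfc and .cfm in that directory tree, so keep the web-service CFCs in their own directory rather than mixing them with pages that should stay anonymous.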