Charlie,I agree with most of your answer, but I'd really hesitate to use HTTP BASIC authentication due to its clear-text nature. HTTP Digest is a bit better, but I'd be hard pressed to find a reason not to integrate this with your standard authentication system.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Jul 23, 2007, at 4:42 PM, Charlie Arehart wrote:
Doug, I don't know the answer, but here's a thought: the roles are set by the CFLOGINUSER tag, and there's nothing that says that has to be set in application.cfm/cfc. Also, the CFLOGIN can also get its authentication from web server basic security, and since invocation of web services can pass in such username/passwords, it seems possible that one could leverage roles even in a web-service invocation of a CFFUNCTION. Just a thought. Someone may know better./charlieFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas KnudsenSent: Monday, July 23, 2007 3:08 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] security in CFCare roles actually invoked when a cfc is set to remote access? Since application.cfc/cfm are NOT invoked, I thought perhaps the roles would be useless for this.DK On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote:Lance, naturally Sat morning is going to be a slow point on the list. You'll probably get some more responses on monday. If not re- post then.There are attributes to cffunction to restrict access on a cfc method and thereby provides a form of security: roles,access,output.Output: works just like the cfsilent tag and keeps the code from outputing any information. I prefer my functions/methods to simply take in data and provide return data not to do any cfoutput stuff. That could expose info about the method.Access: There types here: remote,public,package,private. Webservices have to be remote. Site-wide methods would normally be public. Methods exposed only within the cfc should be private. Package access allows the method to be expose to any other cfc's that extends your cfc. Very nice stuff here and it should be used. Too many people just make it public and never like it again.You'll go a long way to take some time to review and tune up your access points.Roles: Also a rarely used attribute. You can define roles that can access the cfc. If you use the cflogin tags, then this option flows straight from that and provides another security level over the access option. If used, a person would need to match his role and access to properly access a cfc method which is very good.Hope this helps, John ------------------------------------------------------------- Annual Sponsor - Figleaf Software To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink -------------------------------------------------------------
