Charlie,
I agree with most of your answer, but I'd really hesitate to use HTTP
BASIC authentication due to its clear-text nature. HTTP Digest is a
bit better, but I'd be hard pressed to find a reason not to integrate
this with your standard authentication system.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Jul 23, 2007, at 4:42 PM, Charlie Arehart wrote:
Doug, I don't know the answer, but here's a thought: the roles are
set by the CFLOGINUSER tag, and there's nothing that says that has
to be set in application.cfm/cfc. Also, the CFLOGIN can also get
its authentication from web server basic security, and since
invocation of web services can pass in such username/passwords, it
seems possible that one could leverage roles even in a web-service
invocation of a CFFUNCTION. Just a thought. Someone may know better.
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas
Knudsen
Sent: Monday, July 23, 2007 3:08 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC
Are roles actually invoked when a cfc is set to remote access?
Since application.cfc/cfm are NOT invoked, I thought perhaps the
roles would be useless for this.
DK
On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote:
Lance, naturally Sat morning is going to be a slow point on the
list. You'll probably get some more responses on Monday. If not,
re-post then.
There are attributes to cffunction to restrict access on a cfc
method and thereby provide a form of security: roles, access, output.
Output: works just like the cfsilent tag and keeps the code from
outputting any information. I prefer my functions/methods to simply
take in data and provide return data, not to do any cfoutput stuff.
That could expose info about the method.
Access: The types here are: remote, public, package, private.
Webservices have to be remote. Site-wide methods would normally be
public. Methods exposed only within the cfc should be private.
Package access allows the method to be exposed to any other cfcs
that extend your cfc. Very nice stuff here and it should be used.
Too many people just make it public and never like it again. You'll
go a long way to take some time to review and tune up your access
points.
Roles: Also a rarely used attribute. You can define roles that can
access the cfc. If you use the cflogin tags, then this option flows
straight from that and provides another security level over the
access option. If used, a person would need to match his role and
access to properly access a cfc method, which is very good.
Hope this helps,
John
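As an added illustration of the pieces discussed in this thread (cflogin taking its credentials from HTTP Basic authentication or form fields, cfloginuser assigning roles, and the access/roles/output attributes on cffunction), here is example code that is not from anyone on the list; the file names, the user table, the SHA-256 password hashes and the role names are all assumptions for the demo:

```cfml
<!--- Application.cfc (hypothetical file) --->
<cfcomponent output="false">
  <cfset this.name = "AcfugRolesDemo">

  <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
    <cfset var roles = "">
    <!--- cflogin.name/cflogin.password come from j_username/j_password form
          fields or from the request's HTTP Basic Authorization header --->
    <cflogin>
      <cfif isDefined("cflogin")>
        <cfset roles = lookupRoles(cflogin.name, cflogin.password)>
        <cfif len(roles)>
          <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
        <cfelse>
          <cfheader statuscode="401" statustext="Unauthorized">
          <cfabort>
        </cfif>
      </cfif>
    </cflogin>
    <cfreturn true>
  </cffunction>

  <cffunction name="lookupRoles" access="private" returntype="string" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <!--- constructed credential table; a real app would query a user store --->
    <cfset var users = { alice = { pwHash = hash("s3cret", "SHA-256"), roles = "admin,orders" },
                         bob   = { pwHash = hash("pa55", "SHA-256"),   roles = "orders" } }>
    <cfif structKeyExists(users, arguments.username)
          and compare(users[arguments.username].pwHash, hash(arguments.password, "SHA-256")) eq 0>
      <cfreturn users[arguments.username].roles>
    </cfif>
    <cfreturn "">
  </cffunction>
</cfcomponent>

<!--- Orders.cfc (hypothetical file): remote access gated by roles, plus a private helper --->
<cfcomponent output="false">
  <cffunction name="getOrder" access="remote" roles="admin,orders" returntype="struct" output="false">
    <cfargument name="orderId" type="numeric" required="true">
    <!--- ColdFusion raises a security exception before this line for any caller
          not logged in via cfloginuser with the admin or orders role --->
    <cfreturn { id = arguments.orderId, requestedBy = getAuthUser() }>
  </cffunction>
  <cffunction name="formatRow" access="private" returntype="string" output="false">
    <cfargument name="row" type="struct" required="true">
    <cfreturn serializeJSON(arguments.row)>
  </cffunction>
</cfcomponent>
```

A caller who supplies no credentials gets the 401 from onRequestStart; one who logs in as bob can call getOrder, but a method declared with roles="admin" would reject him even though its access is remote.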
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------