>CFLOGIN can also get its authentication from web server basic security Interesting, I actually handle the security on my web services differently but I hadn't thought of that. John [EMAIL PROTECTED]
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart Sent: Monday, July 23, 2007 4:43 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] security in CFC Doug, I don't know the answer, but here's a thought: the roles are set by the CFLOGINUSER tag, and there's nothing that says that has to be set in application.cfm/cfc. Also, the CFLOGIN can also get its authentication from web server basic security, and since invocation of web services can pass in such username/passwords, it seems possible that one could leverage roles even in a web-service invocation of a CFFUNCTION. Just a thought. Someone may know better. /charlie _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen Sent: Monday, July 23, 2007 3:08 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] security in CFC are roles actually invoked when a cfc is set to remote access? Since application.cfc/cfm are NOT invoked, I thought perhaps the roles would be useless for this. DK On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote: Lance, naturally Sat morning is going to be a slow point on the list. You'll probably get some more responses on monday. If not re-post then. There are attributes to cffunction to restrict access on a cfc method and thereby provides a form of security: roles,access,output. Output: works just like the cfsilent tag and keeps the code from outputing any information. I prefer my functions/methods to simply take in data and provide return data not to do any cfoutput stuff. That could expose info about the method. Access: There types here: remote,public,package,private. Webservices have to be remote. Site-wide methods would normally be public. Methods exposed only within the cfc should be private. Package access allows the method to be expose to any other cfc's that extends your cfc. Very nice stuff here and it should be used. Too many people just make it public and never like it again.You'll go a long way to take some time to review and tune up your access points. Roles: Also a rarely used attribute. You can define roles that can access the cfc. If you use the cflogin tags, then this option flows straight from that and provides another security level over the access option. If used, a person would need to match his role and access to properly access a cfc method which is very good. Hope this helps, John ------------------------------------------------------------- Annual Sponsor - Figleaf Software <http://www.figleaf.com> To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink <http://www.fusionlink.com> ------------------------------------------------------------- ------------------------------------------------------------- Annual Sponsor FigLeaf Software - http://www.figleaf.com To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------