What value does hashing provide here? A hashed password compromised in this
case is as good as one that is not hashed; they are equals here.
This is essentially the same problem as Digest Authentication, which
also passes an unsalted password hash. Compromise the hash and you
have access, no need to compromise the original password.
You should either have the remote system pass the password directly (which
poses a storage problem on the remote side), then salt and hash it to
compare to the salted hash in the DB, or use a client-side certificate for
authentication.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or
that we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
-- Theodore Roosevelt
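The point Dean makes above, as an added example that is not code from the thread or from any of its participants. It assumes a constructed web-service account ("ws-client"), a constructed password, a constructed Digest realm and nonce, and uses PBKDF2 where Dean says "salted and hashed" (a stronger choice for stored passwords; the compare-on-the-server logic he describes is the same). The first design is the one John describes (the caller passes a hash as the credential), the second is Dean's alternative, and the third is his Digest Authentication comparison (RFC 2617 response computed without qop, for brevity):

```python
import hashlib
import hmac
import os

# Added example (not from the thread). Three small credential designs, all
# with constructed users and passwords, showing which stored or transmitted
# value is "as good as the password".


# --- Design the thread warns against: the hash *is* the credential ---------
# Client sends H(password); the server stores H(password) and compares. A DB
# dump or one captured web-service call yields a value that logs in directly.

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def verify_hash_as_credential(db: dict, user: str, presented_hash: str) -> bool:
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, presented_hash)


# --- Dean's alternative: send the password (over TLS), salt+hash server-side -
# The stored record is (salt, iterations, digest). Presenting the digest is
# useless because the server always re-derives from whatever was sent.
# PBKDF2 is used instead of a single salted SHA round (assumption, see lead-in).

def enroll(db: dict, user: str, password: str, iterations: int = 200_000) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    db[user] = {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(rec["digest"], digest)


# --- Digest Authentication has the same weakness -----------------------------
# (RFC 2617 response without qop.) The server keeps HA1 = MD5(user:realm:pw).
# Whoever holds HA1 can answer any challenge without ever learning the password.

def digest_ha1(user: str, realm: str, password: str) -> str:
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_server_verify(stored_ha1: str, method: str, uri: str, nonce: str, response: str) -> bool:
    return hmac.compare_digest(digest_response(stored_ha1, method, uri, nonce), response)


def demo() -> dict:
    """Run the three scenarios and return the outcomes for inspection."""
    out = {}

    # 1. hash-as-credential: the stolen hash logs in on its own
    legacy_db = {"ws-client": unsalted_hash("correct horse")}   # constructed row
    stolen_hash = legacy_db["ws-client"]        # read from the DB, or sniffed from one call
    out["legacy_stolen_hash_logs_in"] = verify_hash_as_credential(legacy_db, "ws-client", stolen_hash)

    # 2. password sent, salted hash stored: the stolen row does not log in
    db = {}
    enroll(db, "ws-client", "correct horse")
    out["password_logs_in"] = verify_password(db, "ws-client", "correct horse")
    out["wrong_password_logs_in"] = verify_password(db, "ws-client", "battery staple")
    stolen_digest = db["ws-client"]["digest"].hex()   # attacker holds the DB row
    out["stolen_salted_digest_logs_in"] = verify_password(db, "ws-client", stolen_digest)

    # 3. Digest auth: HA1 alone is enough to answer the server's challenge
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"      # constructed server nonce
    server_ha1 = digest_ha1("ws-client", "acfug", "correct horse")
    attacker_ha1 = server_ha1                           # leaked HA1, password never seen
    forged = digest_response(attacker_ha1, "GET", "/ws/orders.cfc", nonce)
    out["digest_ha1_alone_logs_in"] = digest_server_verify(server_ha1, "GET", "/ws/orders.cfc", nonce, forged)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the second design keeps the password out of the stored record and out of the call itself; it still depends on the transport (SSL, as John has it) to keep the password from being captured in transit, which is where the client-certificate option Dean mentions removes the shared secret entirely.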
On Jul 23, 2007, at 8:43 PM, John Mason wrote:
No, not at present. Here's what I normally would do. I have my
webservices set to only go over SSL. You have to import the SSL
cert to the jvm on the server making the webservice for this to
work properly. Then the ip ranges are also restricted down to only
those that should have access. Then I use the attributes on the WS
to pass over the authentication info, which is of course hashed.
Inside the webservice cfc, it simply calls another cfc that handles
the authentication. If it matches, then the cfc does its process.
If not, it fails and logs the failure. I monitor my logs through
other scripting to scan for brute force attempts.
Now that I think about it, you could have like a gateway cfc that
handles all and only the webservice calls. The gateway could
execute the cfloginuser tag based on the info presented by the call
and then simply make the necessary calls to the others cfcs thereby
using the roles attributes.
John
[EMAIL PROTECTED]
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Arehart
Sent: Monday, July 23, 2007 6:47 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC
Sure, and given what Dean said, let's do hear how you do it. I was
just connecting dots between roles, cfloginuser, cflogin, and web
services. I wasn't proposing a best practice, just proposing how
roles could indeed be useful even for remote calls. Is the way you
do web service security something that CFLOGIN could leverage? Now
that I think about it, you could skip using that and just
CFLOGINUSER only after doing any sort of roll-your-own authentication.
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Monday, July 23, 2007 4:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC
> CFLOGIN can also get its authentication from web server basic security
Interesting, I actually handle the security on my web services
differently but I hadn't thought of that.
John
[EMAIL PROTECTED]
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC
Doug, I don't know the answer, but here's a thought: the roles are
set by the CFLOGINUSER tag, and there's nothing that says that has
to be set in application.cfm/cfc. Also, the CFLOGIN can also get
its authentication from web server basic security, and since
invocation of web services can pass in such username/passwords, it
seems possible that one could leverage roles even in a web-service
invocation of a CFFUNCTION. Just a thought. Someone may know better.
/charlie
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------