Re: [ACFUG Discuss] Atlanta Flash/Flex UG - New Features in Flex 3 and AIR

2007-07-23 Thread Viswanathan . Jayaraman
Return Receipt

   Your document:    Re: [ACFUG Discuss] Atlanta Flash/Flex UG - New Features in Flex 3 and AIR
   was received by:  [EMAIL PROTECTED]
   at:               07/23/2007 07:33:30 AM
   






-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-





[ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Tepfer, Seth
We have an MSAccess db, and have a dynamic sort with cfqueryparam. 

 

When I use the actual field (fname), the query sorts correctly. When I
use the cfqueryparam, it does not sort - even though the debug says the
field fname was sent correctly.

 

Does cfqueryparam make sort not work?

Thanks

seth








RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Charlie Arehart
Seth, it may help to show your SQL so we know for sure what you're asking. I
can't see how using CFQUERYPARAM for the value of a WHERE clause would
affect in any way an ability to SORT. Now, are you sorting in the same
CFQUERY using the CFQUERYPARAM? Or might this be a Query of Query sort of
that previous CFQUERY?
 
/charlie
 





Re: [ACFUG Discuss] Atlanta Flash/Flex UG - New Features in Flex 3 and AIR

2007-07-23 Thread Brooks . Wilson
Return Receipt

   Your document:    Re: [ACFUG Discuss] Atlanta Flash/Flex UG - New Features in Flex 3 and AIR
   was received by:  [EMAIL PROTECTED]
   at:               07/23/2007 01:49:06 PM
   











RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Small, Lewis B.


SELECT * From Sheet1 where
number = number
AND fname like <cfqueryparam ... maxlength="30">
AND lname like <cfqueryparam ... maxlength="30">
AND dept like <cfqueryparam ... maxlength="30">
AND type like <cfqueryparam ... maxlength="30">
AND ocbar like <cfqueryparam ... maxlength="30">
ORDER BY <cfqueryparam ... maxlength="30"> ASC





 







Re: [ACFUG Discuss] security in CFC

2007-07-23 Thread Douglas Knudsen

Are roles actually invoked when a CFC is set to remote access? Since
Application.cfc/cfm are NOT invoked, I thought perhaps the roles would be
useless for this.

DK

On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote:


Lance, naturally Sat morning is going to be a slow point on the list.
You'll probably get some more responses on Monday. If not, re-post then.

There are attributes to cffunction to restrict access on a CFC method and
thereby provide a form of security: roles, access, output.

Output: works just like the cfsilent tag and keeps the code from outputting
any information. I prefer my functions/methods to simply take in data and
provide return data, not to do any cfoutput stuff. That could expose info
about the method.

Access: The types here: remote, public, package, private. Webservices have
to be remote. Site-wide methods would normally be public. Methods exposed
only within the CFC should be private. Package access allows the method to
be exposed to any other CFCs that extend your CFC. Very nice stuff here and
it should be used. Too many people just make it public and never look at it
again. You'll go a long way to take some time to review and tune up your
access points.

Roles: Also a rarely used attribute. You can define roles that can access
the CFC. If you use the cflogin tags, then this option flows straight from
that and provides another security level over the access option. If used, a
person would need to match his role and access to properly access a CFC
method, which is very good.

Hope this helps,

John
[EMAIL PROTECTED]




 --
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Lance
Knight
*Sent:* Saturday, July 21, 2007 9:40 AM
*To:* discussion@acfug.org
*Cc:* [EMAIL PROTECTED]
*Subject:* [ACFUG Discuss] security in CFC

Anyone,



   I'm looking for any documentation on how to handle security in CFCs and
web services, best-practices stuff.



Thk

Lance








--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?






RE: [ACFUG Discuss] security in CFC

2007-07-23 Thread John Mason
Yes, that is a good point. If the access is set to remote then naturally the
roles attribute would effectively become useless. 
 
John
[EMAIL PROTECTED]
 
 
 




RE: [ACFUG Discuss] security in CFC

2007-07-23 Thread Charlie Arehart
Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.
 
/charlie
 





Re: [ACFUG Discuss] security in CFC

2007-07-23 Thread Dean H. Saxe

Charlie,

I agree with most of your answer, but I'd really hesitate to use HTTP  
BASIC authentication due to its clear-text nature.  HTTP Digest is a  
bit better, but I'd be hard pressed to find a reason not to integrate  
this with your standard authentication system.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson






RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Tepfer, Seth
Aren't dynamic ORDER BY variables just as susceptible to SQL injection
as WHERE clauses?

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] cfqueryparam in a sort

 

OK, as I had surmised, you're using the CFQueryParam in the SORT itself.
I know this "works" (doesn't give an error, in 7 or before), but it
doesn't do what you want, right? I ran a test against 7 and found, as
you did, that it did not sort. But guess what, it fails entirely in CF8
(complaining that there is a ? in the SORT). That's what I'd suspect,
really. CFQUERYPARAM is intended for use in a WHERE clause value. From
the CFML reference, regarding the VALUE attribute, it should be a "value
that ColdFusion passes to the right of the comparison operator in a
where clause."

 

Indeed, there are two main purposes for this tag: one is to help prevent
SQL injection, and the other is to cause a bind variable (or
parameterized query) to be passed to the DB. That's what the ? is about.
I suppose some database drivers out there may accept a bind variable for
a column name, but I'm guessing it will be hit and miss. I've found
references that suggest that they're intended just for literals, not DB
objects (tables, columns, etc.)  Again, perhaps it's worked for some.

 

Anyone have more specific experience?

 

/charlie

 

 




Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Dean H. Saxe
Yes, Seth, technically you are correct. But there is a better way
here. Instead of passing the sort column name directly from the
user, send a proxy value for the order by clause. In other words,
identify the different order by clauses by numeric value, 1, 2, 3, 4,
etc. In the query you would include a cfswitch and the cases would
be the different numeric values. These would then define what the
ORDER BY value would be.


No more SQL injection and no need to muck around with cfqueryparam
here, either.


-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Great spirits have often encountered violent opposition from weak  
minds."

--Einstein



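The three points made in this thread can be seen in a few lines of code. The following is an added example, not code from the thread or from any of the posters: it uses Python's built-in sqlite3 as a stand-in for the MS Access database, with a Sheet1 table, rows and sort keys constructed for the demo (the column names follow Lewis's query; everything else is assumed). It shows why a bind variable in ORDER BY leaves rows unsorted (the parameter arrives as a string constant that is identical for every row, so there is nothing to order by; SQLite accepts the `?` silently, as CF7/Access did for Seth, while Charlie saw CF8 reject it), Dean's proxy-value allow-list as the safe alternative, and what an injectable ORDER BY actually leaks: a boolean oracle, since the row order reveals whether an attacker-chosen condition is true.

```python
import sqlite3

# Constructed sample rows (number, fname, lname, dept, type, ocbar), deliberately
# not in fname order so that "did it sort?" is visible.
ROWS = [
    (3, "Carol", "Zeta", "IT", "staff", "n"),
    (1, "Alice", "Young", "HR", "mgr", "y"),
    (2, "Bob", "Xavier", "IT", "staff", "y"),
]

# Allow-list in the spirit of the "proxy value" suggestion: the client sends an
# opaque key, the server maps it to a column name the server itself wrote.
SORT_COLUMNS = {"1": "fname", "2": "lname", "3": "dept"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Sheet1 (number INTEGER, fname TEXT, lname TEXT,"
        " dept TEXT, type TEXT, ocbar TEXT)"
    )
    conn.executemany("INSERT INTO Sheet1 VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    conn.commit()
    return conn


def sort_with_bind_variable(conn, column_name):
    """The original approach: the column name is passed as a bind parameter.
    The engine receives ORDER BY 'fname', a string constant that is the same
    for every row, so nothing is reordered; rows come back in scan order."""
    cur = conn.execute("SELECT fname FROM Sheet1 ORDER BY ? ASC", (column_name,))
    return [row[0] for row in cur.fetchall()]


def sort_with_allowlist(conn, sort_key):
    """Safe dynamic ORDER BY: map the client's key to a server-side column
    name and reject anything else. No client-controlled text reaches SQL."""
    column = SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    # Interpolation is safe here only because `column` came from SORT_COLUMNS.
    cur = conn.execute(f"SELECT fname FROM Sheet1 ORDER BY {column} ASC")
    return [row[0] for row in cur.fetchall()]


def sort_unsafely(conn, user_input):
    """Neither cfqueryparam nor an allow-list: raw user text spliced into
    ORDER BY. Included only to make the injection risk concrete."""
    cur = conn.execute(f"SELECT fname FROM Sheet1 ORDER BY {user_input} ASC")
    return [row[0] for row in cur.fetchall()]


def oracle_payload(condition_sql):
    """Boolean-inference payload for an injectable ORDER BY: the result order
    differs depending on whether the condition holds, so the attacker learns
    one bit per request with no error message involved."""
    return f"(CASE WHEN ({condition_sql}) THEN fname ELSE lname END)"


if __name__ == "__main__":
    db = make_db()
    print("bind variable in ORDER BY:", sort_with_bind_variable(db, "fname"))
    print("allow-listed key '1'     :", sort_with_allowlist(db, "1"))
    print("injected true condition  :",
          sort_unsafely(db, oracle_payload("(SELECT COUNT(*) FROM Sheet1) > 2")))
    print("injected false condition :",
          sort_unsafely(db, oracle_payload("(SELECT COUNT(*) FROM Sheet1) > 5")))
```

The allow-list version keeps the bind-variable discipline for WHERE values and reserves string interpolation for identifiers the server chose; the same pattern applies to a dynamic table name or ASC/DESC toggle.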
RE: [ACFUG Discuss] security in CFC

2007-07-23 Thread John Mason
>CFLOGIN can also get its authentication from web server basic security
 
Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.
 
John
[EMAIL PROTECTED]
 





RE: [ACFUG Discuss] security in CFC

2007-07-23 Thread Charlie Arehart
Of course, Dean. :-) I was just sayin', not recommendin'. :-) The thing is,
I don't know if web service invocations can use digest auth, so I didn't
want to go there. (Should have thought to say, "but you ought not use basic
auth for real security practices".)
 
/charlie




RE: [ACFUG Discuss] security in CFC

2007-07-23 Thread Charlie Arehart
Sure, and given what Dean said, let's do hear how you do it. I was just
connecting dots between roles, cfloginuser, cflogin, and web services. I
wasn't proposing a best practice, just proposing how roles could indeed be
useful even for remote calls. Is the way you do web service security
something that CFLOGIN could leverage? Now that I think about it, you could
skip using that and just CFLOGINUSER only after doing any sort of
roll-your-own authentication.
 
/charlie
 





RE: [ACFUG Discuss] security in CFC

2007-07-23 Thread John Mason
No, not at present. Here's what I normally would do. I have my webservices
set to only go over SSL. You have to import the SSL cert to the jvm on the
server making the webservice for this to work properly. Then the ip ranges
are also restricted down to only those that should have access. Then I use
the attributes on the WS to pass over the authentication info which is of
course hashed. Inside the webservice cfc, it simply calls another cfc that
handles the authentication. If it matches then the cfc does its process. If
not, it fails and logs the failure. I monitor my logs through other
scripting to scan for brute force attempts.
 
Now that I think about it, you could have like a gateway cfc that handles
all and only the webservice calls. The gateway could execute the cfloginuser
tag based on the info presented by the call and then simply make the
necessary calls to the other cfcs, thereby using the roles attributes.
 
John
[EMAIL PROTECTED]
 



Re: [ACFUG Discuss] security in CFC

2007-07-23 Thread Dean H. Saxe
What value does hashing play?  A hashed password compromised in this
case is as good as one that is not hashed; they are equal here.
This is essentially the same problem as Digest Authentication, which
also passes an unsalted password hash.  Compromise the hash and you
have access, no need to compromise the original password.


You should have the remote system pass the password directly - which
poses a storage problem on the remote side - which is then salted and
hashed to compare to the salted hash in the DB, or use a client-side
certificate for authentication.


-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or  
that we are to stand by the president right or wrong, is not only  
unpatriotic and servile, but is morally treasonable to the American  
public."

-- Theodore Roosevelt



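One way to put together the scheme this thread arrives at (John's gateway cfc that authenticates the caller and then uses cfloginuser so the roles attribute works on the inner cfcs, with Dean's correction that the server, not the client, should salt and hash the password), as an added example that is not code from anyone in the thread. The datasource, the ws_users table, the component names and the "reports" role are assumptions.

```cfml
<!--- Gateway.cfc (hypothetical): the one remote entry point for the web service --->
<cfcomponent output="false" hint="Authenticate, set roles via cfloginuser, then delegate">
    <cffunction name="getReport" access="remote" returntype="string" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfargument name="reportId" type="numeric" required="true">
        <cfset var roles = authenticate(arguments.username, arguments.password)>
        <cfset var result = "">
        <cfif NOT len(roles)>
            <!--- Failures are logged with the caller address so log scanning can spot brute force --->
            <cflog file="wsauth" type="warning" text="Auth failure for #arguments.username# from #cgi.remote_addr#">
            <cfthrow type="Gateway.AuthFailed" message="Authentication failed">
        </cfif>
        <!--- Roles come from the database row, not from the caller, and are bound
              only after the credential check succeeded --->
        <cflogin>
            <cfloginuser name="#arguments.username#" password="#arguments.password#" roles="#roles#">
        </cflogin>
        <cfset result = createObject("component", "Reports").getReport(arguments.reportId)>
        <cflogout>
        <cfreturn result>
    </cffunction>

    <cffunction name="authenticate" access="private" returntype="string" output="false"
                hint="Returns the user's role list, or an empty string on failure">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var q = "">
        <!--- Assumed table ws_users(username, salt, password_hash, roles); the salt is
              per-user and never leaves the server --->
        <cfquery name="q" datasource="wsauth">
            SELECT salt, password_hash, roles
              FROM ws_users
             WHERE username = <cfqueryparam value="#arguments.username#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <!--- Recompute the salted hash from the plaintext sent over SSL; a stolen stored
              hash is therefore not itself a usable credential. compare() returns 0 on match --->
        <cfif q.recordCount EQ 1
              AND compare(hash(q.salt & arguments.password, "SHA-512"), q.password_hash) EQ 0>
            <cfreturn q.roles>
        </cfif>
        <cfreturn "">
    </cffunction>
</cfcomponent>

<!--- Reports.cfc (hypothetical): not remote; the roles attribute makes ColdFusion refuse
      the call unless the current login carries the "reports" role --->
<cfcomponent output="false">
    <cffunction name="getReport" access="public" returntype="string" roles="reports" output="false">
        <cfargument name="reportId" type="numeric" required="true">
        <cfreturn "Report #arguments.reportId# generated for #getAuthUser()#">
    </cffunction>
</cfcomponent>
```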


Re: [ACFUG Discuss] security in CFC

2007-07-23 Thread Douglas Knudsen

What I have heard others do for web service security was after an
authentication step, pass a token in every call after.  This token can be
sent inside the SOAP header.  Why not send the cfid/cftoken, eh? So, a
facade/gateway-styled cfc wrapper would be a good thing.

DK






--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?






RE: [ACFUG Discuss] security in CFC

2007-07-23 Thread John Mason
>What value does hashing play?
 
I agree not much, just a common practice for me. If the person matches up the
hash then yes the WS will talk to them. And that is a common problem with
hashes, you can find patterns etc. to see what's happening. You don't
necessarily have to decrypt it to get what you want.
 
The client-side certificates would certainly be good. Got me thinking about
something there with automating the cert creation through openSSL and
sending that to the client. That wouldn't be hard to do at all...hmm
 
thanks,
John
 
 