RE: [ACFUG Discuss] security in CFC

[John Mason]

Lance, naturally Sat morning is going to be a slow point on the list. You'll
probably get some more responses on monday. If not re-post then.
 
There are attributes to cffunction to restrict access on a cfc method and
thereby provides a form of security: roles,access,output.
 
Output: works just like the cfsilent tag and keeps the code from outputing
any information. I prefer my functions/methods to simply take in data and
provide return data not to do any cfoutput stuff. That could expose info
about the method.
 
Access: There types here: remote,public,package,private. Webservices have to
be remote. Site-wide methods would normally be public. Methods exposed only
within the cfc should be private. Package access allows the method to be
expose to any other cfc's that extends your cfc. Very nice stuff here and it
should be used. Too many people just make it public and never like it
again.You'll go a long way to take some time to review and tune up your
access points.
 
Roles: Also a rarely used attribute. You can define roles that can access
the cfc. If you use the cflogin tags, then this option flows straight from
that and provides another security level over the access option. If used, a
person would need to match his role and access to properly access a cfc
method which is very good.
 
Hope this helps,
 
John
[EMAIL PROTECTED]
 
 
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lance Knight
Sent: Saturday, July 21, 2007 9:40 AM
To: discussion@acfug.org
Cc: [EMAIL PROTECTED]
Subject: [ACFUG Discuss] security in CFC 



Any One 

 

   I'm looking for any documentation on how to handle security in CFC and
webservices ,best practices stuff

 

Thk

Lance

 


- 
Annual Sponsor - Figleaf Software   

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink   
- 



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

RE: [ACFUG Discuss] security in CFC

[John Mason]

Sorry about the wording. I'm multitasking as usual and should have proof
read this.
 
John
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Saturday, July 21, 2007 12:52 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC 


Lance, naturally Sat morning is going to be a slow point on the list. You'll
probably get some more responses on monday. If not re-post then.
 
There are attributes to cffunction to restrict access on a cfc method and
thereby provides a form of security: roles,access,output.
 
Output: works just like the cfsilent tag and keeps the code from outputing
any information. I prefer my functions/methods to simply take in data and
provide return data not to do any cfoutput stuff. That could expose info
about the method.
 
Access: There types here: remote,public,package,private. Webservices have to
be remote. Site-wide methods would normally be public. Methods exposed only
within the cfc should be private. Package access allows the method to be
expose to any other cfc's that extends your cfc. Very nice stuff here and it
should be used. Too many people just make it public and never like it
again.You'll go a long way to take some time to review and tune up your
access points.
 
Roles: Also a rarely used attribute. You can define roles that can access
the cfc. If you use the cflogin tags, then this option flows straight from
that and provides another security level over the access option. If used, a
person would need to match his role and access to properly access a cfc
method which is very good.
 
Hope this helps,
 
John
[EMAIL PROTECTED]
 
 
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lance Knight
Sent: Saturday, July 21, 2007 9:40 AM
To: discussion@acfug.org
Cc: [EMAIL PROTECTED]
Subject: [ACFUG Discuss] security in CFC 



Any One 

 

   I'm looking for any documentation on how to handle security in CFC and
webservices ,best practices stuff

 

Thk

Lance

 


- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 
- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

Re: [ACFUG Discuss] security in CFC

[Douglas Knudsen]

are roles actually invoked when a cfc is set to remote access?  Since
application.cfc/cfm are NOT invoked, I thought perhaps the roles would be
useless for this.

DK

On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote:


 Lance, naturally Sat morning is going to be a slow point on the list.
You'll probably get some more responses on monday. If not re-post then.

There are attributes to cffunction to restrict access on a cfc method and
thereby provides a form of security: roles,access,output.

Output: works just like the cfsilent tag and keeps the code from outputing
any information. I prefer my functions/methods to simply take in data and
provide return data not to do any cfoutput stuff. That could expose info
about the method.

Access: There types here: remote,public,package,private. Webservices have
to be remote. Site-wide methods would normally be public. Methods exposed
only within the cfc should be private. Package access allows the method to
be expose to any other cfc's that extends your cfc. Very nice stuff here and
it should be used. Too many people just make it public and never like it
again.You'll go a long way to take some time to review and tune up your
access points.

Roles: Also a rarely used attribute. You can define roles that can access
the cfc. If you use the cflogin tags, then this option flows straight from
that and provides another security level over the access option. If used, a
person would need to match his role and access to properly access a cfc
method which is very good.

Hope this helps,

John
[EMAIL PROTECTED]




 --
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Lance
Knight
*Sent:* Saturday, July 21, 2007 9:40 AM
*To:* discussion@acfug.org
*Cc:* [EMAIL PROTECTED]
*Subject:* [ACFUG Discuss] security in CFC

 Any One



   I'm looking for any documentation on how to handle security in CFC and
webservices ,best practices stuff



Thk

Lance



-
Annual Sponsor - Figleaf Software 

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink 
-

-
Annual Sponsor - Figleaf Software 

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink 
-





--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform


For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

RE: [ACFUG Discuss] security in CFC

[John Mason]

Yes, that is a good point. If the access is set to remote then naturally the
roles attribute would effectively become useless. 
 
John
[EMAIL PROTECTED]
 
 
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen
Sent: Monday, July 23, 2007 3:08 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC


are roles actually invoked when a cfc is set to remote access?  Since
application.cfc/cfm are NOT invoked, I thought perhaps the roles would be
useless for this.

DK


On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote: 

Lance, naturally Sat morning is going to be a slow point on the list. You'll
probably get some more responses on monday. If not re-post then.
 
There are attributes to cffunction to restrict access on a cfc method and
thereby provides a form of security: roles,access,output.
 
Output: works just like the cfsilent tag and keeps the code from outputing
any information. I prefer my functions/methods to simply take in data and
provide return data not to do any cfoutput stuff. That could expose info
about the method.
 
Access: There types here: remote,public,package,private. Webservices have to
be remote. Site-wide methods would normally be public. Methods exposed only
within the cfc should be private. Package access allows the method to be
expose to any other cfc's that extends your cfc. Very nice stuff here and it
should be used. Too many people just make it public and never like it
again.You'll go a long way to take some time to review and tune up your
access points.
 
Roles: Also a rarely used attribute. You can define roles that can access
the cfc. If you use the cflogin tags, then this option flows straight from
that and provides another security level over the access option. If used, a
person would need to match his role and access to properly access a cfc
method which is very good.
 
Hope this helps,
 
John
[EMAIL PROTECTED] 
 
 
 

  _  

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] 
On
Behalf Of Lance Knight
Sent: Saturday, July 21, 2007 9:40 AM
To: discussion@acfug.org
Cc: [EMAIL PROTECTED]
Subject: [ACFUG Discuss] security in CFC 




Any One 

 

   I'm looking for any documentation on how to handle security in CFC and
webservices ,best practices stuff

 

Thk

Lance

 


- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform
<http://www.acfug.org?fa=login.edituserform> 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 

- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 




-- 
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it? 
- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

RE: [ACFUG Discuss] security in CFC

[Charlie Arehart]

Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.
 
/charlie
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen
Sent: Monday, July 23, 2007 3:08 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC


are roles actually invoked when a cfc is set to remote access?  Since
application.cfc/cfm are NOT invoked, I thought perhaps the roles would be
useless for this.

DK


On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote: 

Lance, naturally Sat morning is going to be a slow point on the list. You'll
probably get some more responses on monday. If not re-post then.
 
There are attributes to cffunction to restrict access on a cfc method and
thereby provides a form of security: roles,access,output.
 
Output: works just like the cfsilent tag and keeps the code from outputing
any information. I prefer my functions/methods to simply take in data and
provide return data not to do any cfoutput stuff. That could expose info
about the method.
 
Access: There types here: remote,public,package,private. Webservices have to
be remote. Site-wide methods would normally be public. Methods exposed only
within the cfc should be private. Package access allows the method to be
expose to any other cfc's that extends your cfc. Very nice stuff here and it
should be used. Too many people just make it public and never like it
again.You'll go a long way to take some time to review and tune up your
access points.
 
Roles: Also a rarely used attribute. You can define roles that can access
the cfc. If you use the cflogin tags, then this option flows straight from
that and provides another security level over the access option. If used, a
person would need to match his role and access to properly access a cfc
method which is very good.
 
Hope this helps,
 
John




-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

Re: [ACFUG Discuss] security in CFC

[Dean H. Saxe]

Charlie,

I agree with most of your answer, but I'd really hesitate to use HTTP  
BASIC authentication due to its clear-text nature.  HTTP Digest is a  
bit better, but I'd be hard pressed to find a reason not to integrate  
this with your standard authentication system.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson


On Jul 23, 2007, at 4:42 PM, Charlie Arehart wrote:

Doug, I don't know the answer, but here's a thought: the roles are  
set by the CFLOGINUSER tag, and there's nothing that says that has  
to be set in application.cfm/cfc. Also, the CFLOGIN can also get  
its authentication from web server basic security, and since  
invocation of web services can pass in such username/passwords, it  
seems possible that one could leverage roles even in a web-service  
invocation of a CFFUNCTION. Just a thought. Someone may know better.


/charlie


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas  
Knudsen

Sent: Monday, July 23, 2007 3:08 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC

are roles actually invoked when a cfc is set to remote access?   
Since application.cfc/cfm are NOT invoked, I thought perhaps the  
roles would be useless for this.


DK

On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote:
Lance, naturally Sat morning is going to be a slow point on the  
list. You'll probably get some more responses on monday. If not re- 
post then.


There are attributes to cffunction to restrict access on a cfc  
method and thereby provides a form of security: roles,access,output.


Output: works just like the cfsilent tag and keeps the code from  
outputing any information. I prefer my functions/methods to simply  
take in data and provide return data not to do any cfoutput stuff.  
That could expose info about the method.


Access: There types here: remote,public,package,private.  
Webservices have to be remote. Site-wide methods would normally be  
public. Methods exposed only within the cfc should be private.  
Package access allows the method to be expose to any other cfc's  
that extends your cfc. Very nice stuff here and it should be used.  
Too many people just make it public and never like it again.You'll  
go a long way to take some time to review and tune up your access  
points.


Roles: Also a rarely used attribute. You can define roles that can  
access the cfc. If you use the cflogin tags, then this option flows  
straight from that and provides another security level over the  
access option. If used, a person would need to match his role and  
access to properly access a cfc method which is very good.


Hope this helps,

John

-
Annual Sponsor - Figleaf Software

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-

RE: [ACFUG Discuss] security in CFC

[John Mason]

>CFLOGIN can also get its authentication from web server basic security
 
Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.
 
John
[EMAIL PROTECTED]
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.
 
/charlie
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen
Sent: Monday, July 23, 2007 3:08 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC


are roles actually invoked when a cfc is set to remote access?  Since
application.cfc/cfm are NOT invoked, I thought perhaps the roles would be
useless for this.

DK


On 7/21/07, John Mason <[EMAIL PROTECTED]> wrote: 

Lance, naturally Sat morning is going to be a slow point on the list. You'll
probably get some more responses on monday. If not re-post then.
 
There are attributes to cffunction to restrict access on a cfc method and
thereby provides a form of security: roles,access,output.
 
Output: works just like the cfsilent tag and keeps the code from outputing
any information. I prefer my functions/methods to simply take in data and
provide return data not to do any cfoutput stuff. That could expose info
about the method.
 
Access: There types here: remote,public,package,private. Webservices have to
be remote. Site-wide methods would normally be public. Methods exposed only
within the cfc should be private. Package access allows the method to be
expose to any other cfc's that extends your cfc. Very nice stuff here and it
should be used. Too many people just make it public and never like it
again.You'll go a long way to take some time to review and tune up your
access points.
 
Roles: Also a rarely used attribute. You can define roles that can access
the cfc. If you use the cflogin tags, then this option flows straight from
that and provides another security level over the access option. If used, a
person would need to match his role and access to properly access a cfc
method which is very good.
 
Hope this helps,
 
John


- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

RE: [ACFUG Discuss] security in CFC

[Charlie Arehart]

Of course, Dean. :-) I was just sayin', not recommendin'. :-) The thing is,
I don't know if web service invocations can use digest auth, so I didn't
want to go there. (Should have thought to say, "but you ought not use basic
auth for real security practices".
 
/charlie

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 23, 2007 4:45 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC


Charlie, 


I agree with most of your answer, but I'd really hesitate to use HTTP BASIC
authentication due to its clear-text nature. HTTP Digest is a bit better,
but I'd be hard pressed to find a reason not to integrate this with your
standard authentication system.


-dhs





Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." 
--Thomas Jefferson


On Jul 23, 2007, at 4:42 PM, Charlie Arehart wrote:


Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.

/charlie







-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

RE: [ACFUG Discuss] security in CFC

[Charlie Arehart]

Sure, and given what Dean said, let's do hear how you do it. I was just
connecting dots between roles, cfloginuser, cflogin, and web services. I
wasn't proposing a best practice, just proposing how roles could indeed be
useful even for remote calls. Is the way you do web service security
something that CFLOGIN could leverage? Now that I think about it, you could
skip using that and just CFLOGINUSER only after doing any sort of
roll-your-own authentication.
 
/charlie
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Monday, July 23, 2007 4:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


>CFLOGIN can also get its authentication from web server basic security
 
Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.
 
John
[EMAIL PROTECTED]
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.
 
/charlie



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

RE: [ACFUG Discuss] security in CFC

[John Mason]

No, not at present. Here's what I normally would do. I have my webservices
set to only go over SSL. You have to import the SSL cert to the jvm on the
server making the webservice for this to work properly. Then the ip ranges
are also restricted down to only those that should have access. Then I use
the attributes on the WS to pass over the authentication info which is of
course hashed. Inside the webservice cfc. It simply calls another cfc that
handles the authentication. If it matches then the cfc does it's process. If
not, it fails and logs the failure. I monitor my logs through other
scripting to scan for brute force attempts.
 
Now that I think about it, you could have like a gateway cfc that handles
all and only the webservice calls. The gateway could execute the cfloginuser
tag based on the info presented by the call and then simply make the
necessary calls to the others cfcs thereby using the roles attributes.
 
John
[EMAIL PROTECTED]
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 6:47 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


Sure, and given what Dean said, let's do hear how you do it. I was just
connecting dots between roles, cfloginuser, cflogin, and web services. I
wasn't proposing a best practice, just proposing how roles could indeed be
useful even for remote calls. Is the way you do web service security
something that CFLOGIN could leverage? Now that I think about it, you could
skip using that and just CFLOGINUSER only after doing any sort of
roll-your-own authentication.
 
/charlie
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Monday, July 23, 2007 4:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


>CFLOGIN can also get its authentication from web server basic security
 
Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.
 
John
[EMAIL PROTECTED]
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.
 
/charlie

- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

Re: [ACFUG Discuss] security in CFC

[Dean H. Saxe]

What value does hashing play?  A hashed password compromised in this  
case is as good as one that is not hashed, they are equals here.   
This is essentially the same problem as Digest Authentication, which  
also passes an unsalted password hash.  Compromise the hash and you  
have access, no need to compromise the original password.


You should have the remote system pass the password directly - which  
poses a storage problem on the remote side - which is then salted and  
hashed to compare to the salted hash in the DB or use a client-side  
certificate for authentication.


-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or  
that we are to stand by the president right or wrong, is not only  
unpatriotic and servile, but is morally treasonable to the American  
public."

-- Theodore Roosevelt


On Jul 23, 2007, at 8:43 PM, John Mason wrote:

No, not at present. Here's what I normally would do. I have my  
webservices set to only go over SSL. You have to import the SSL  
cert to the jvm on the server making the webservice for this to  
work properly. Then the ip ranges are also restricted down to only  
those that should have access. Then I use the attributes on the WS  
to pass over the authentication info which is of course hashed.  
Inside the webservice cfc. It simply calls another cfc that handles  
the authentication. If it matches then the cfc does it's process.  
If not, it fails and logs the failure. I monitor my logs through  
other scripting to scan for brute force attempts.


Now that I think about it, you could have like a gateway cfc that  
handles all and only the webservice calls. The gateway could  
execute the cfloginuser tag based on the info presented by the call  
and then simply make the necessary calls to the others cfcs thereby  
using the roles attributes.


John
[EMAIL PROTECTED]


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie  
Arehart

Sent: Monday, July 23, 2007 6:47 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC

Sure, and given what Dean said, let's do hear how you do it. I was  
just connecting dots between roles, cfloginuser, cflogin, and web  
services. I wasn't proposing a best practice, just proposing how  
roles could indeed be useful even for remote calls. Is the way you  
do web service security something that CFLOGIN could leverage? Now  
that I think about it, you could skip using that and just  
CFLOGINUSER only after doing any sort of roll-your-own authentication.


/charlie


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Monday, July 23, 2007 4:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC

>CFLOGIN can also get its authentication from web server basic  
security


Interesting, I actually handle the security on my web services  
differently but I hadn't thought of that.


John
[EMAIL PROTECTED]


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie  
Arehart

Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC

Doug, I don't know the answer, but here's a thought: the roles are  
set by the CFLOGINUSER tag, and there's nothing that says that has  
to be set in application.cfm/cfc. Also, the CFLOGIN can also get  
its authentication from web server basic security, and since  
invocation of web services can pass in such username/passwords, it  
seems possible that one could leverage roles even in a web-service  
invocation of a CFFUNCTION. Just a thought. Someone may know better.


/charlie

-
Annual Sponsor - Figleaf Software

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-
-
Annual Sponsor - Figleaf Software

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-

Re: [ACFUG Discuss] security in CFC

[Douglas Knudsen]

What I have heard others do for web service security was after a
authentication step, pass a token in every call after.  This token can be
sent inside the soap header.  Why not send the cfid/cftoken, eh? So, a
facade/gateway styled cfc wrapper would be a good thing.

DK

On 7/23/07, John Mason <[EMAIL PROTECTED]> wrote:


 No, not at present. Here's what I normally would do. I have my
webservices set to only go over SSL. You have to import the SSL cert to the
jvm on the server making the webservice for this to work properly. Then the
ip ranges are also restricted down to only those that should have access.
Then I use the attributes on the WS to pass over the authentication info
which is of course hashed. Inside the webservice cfc. It simply calls
another cfc that handles the authentication. If it matches then the cfc does
it's process. If not, it fails and logs the failure. I monitor my logs
through other scripting to scan for brute force attempts.

Now that I think about it, you could have like a gateway cfc that handles
all and only the webservice calls. The gateway could execute the cfloginuser
tag based on the info presented by the call and then simply make the
necessary calls to the others cfcs thereby using the roles attributes.

John
[EMAIL PROTECTED]


 --
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Charlie
Arehart
*Sent:* Monday, July 23, 2007 6:47 PM
*To:* discussion@acfug.org
*Subject:* RE: [ACFUG Discuss] security in CFC

 Sure, and given what Dean said, let's do hear how you do it. I was just
connecting dots between roles, cfloginuser, cflogin, and web services. I
wasn't proposing a best practice, just proposing how roles could indeed be
useful even for remote calls. Is the way you do web service security
something that CFLOGIN could leverage? Now that I think about it, you could
skip using that and just CFLOGINUSER only after doing any sort of
roll-your-own authentication.

/charlie


 --
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *John Mason
*Sent:* Monday, July 23, 2007 4:59 PM
*To:* discussion@acfug.org
*Subject:* RE: [ACFUG Discuss] security in CFC

 >CFLOGIN can also get its authentication from web server basic security

Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.

John
[EMAIL PROTECTED]


 --
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Charlie
Arehart
*Sent:* Monday, July 23, 2007 4:43 PM
*To:* discussion@acfug.org
*Subject:* RE: [ACFUG Discuss] security in CFC

 Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication
from web server basic security, and since invocation of web services can
pass in such username/passwords, it seems possible that one could leverage
roles even in a web-service invocation of a CFFUNCTION. Just a thought.
Someone may know better.

/charlie

-
Annual Sponsor - Figleaf Software <http://www.figleaf.com>

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-

-
Annual Sponsor - Figleaf Software <http://www.figleaf.com>

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-





--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?



-
Annual Sponsor FigLeaf Software - http://www.figleaf.com

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform


For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-

RE: [ACFUG Discuss] security in CFC

[John Mason]

>What value does hashing play?
 
I agree not much, just a common practice for me. If the person match up the
hash then yes the WS will talk to them. And that is a common problem with
hashes, you can find patterns etc. to see what's happening. You don't
necessarily have to decrypt it to get what you want.
 
The client-side certificates would certainly be good. Got me thinking about
something there with automating the cert creation through openSSL and
sending that to the client. That wouldn't be hard to do at all...hmm
 
thanks,
John
 
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 23, 2007 8:50 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] security in CFC


What value does hashing play? A hashed password compromised in this case is
as good as one that is not hashed, they are equals here. This is essentially
the same problem as Digest Authentication, which also passes an unsalted
password hash. Compromise the hash and you have access, no need to
compromise the original password. 

You should have the remote system pass the password directly - which poses a
storage problem on the remote side - which is then salted and hashed to
compare to the salted hash in the DB or use a client-side certificate for
authentication.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or that we
are to stand by the president right or wrong, is not only unpatriotic and
servile, but is morally treasonable to the American public."
-- Theodore Roosevelt


On Jul 23, 2007, at 8:43 PM, John Mason wrote:


No, not at present. Here's what I normally would do. I have my webservices
set to only go over SSL. You have to import the SSL cert to the jvm on the
server making the webservice for this to work properly. Then the ip ranges
are also restricted down to only those that should have access. Then I use
the attributes on the WS to pass over the authentication info which is of
course hashed. Inside the webservice cfc. It simply calls another cfc that
handles the authentication. If it matches then the cfc does it's process. If
not, it fails and logs the failure. I monitor my logs through other
scripting to scan for brute force attempts.

Now that I think about it, you could have like a gateway cfc that handles
all and only the webservice calls. The gateway could execute the cfloginuser
tag based on the info presented by the call and then simply make the
necessary calls to the others cfcs thereby using the roles attributes.

John
[EMAIL PROTECTED]



  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 6:47 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


Sure, and given what Dean said, let's do hear how you do it. I was just
connecting dots between roles, cfloginuser, cflogin, and web services. I
wasn't proposing a best practice, just proposing how roles could indeed be
useful even for remote calls. Is the way you do web service security
something that CFLOGIN could leverage? Now that I think about it, you could
skip using that and just CFLOGINUSER only after doing any sort of
roll-your-own authentication.

/charlie



  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Monday, July 23, 2007 4:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


>CFLOGIN can also get its authentication from web server basic security

Interesting, I actually handle the security on my web services differently
but I hadn't thought of that.

John
[EMAIL PROTECTED]



  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] security in CFC


Doug, I don't know the answer, but here's a thought: the roles are set by
the CFLOGINUSER tag, and there's nothing that says that has to be set in
application.cfm/cfc. Also, the CFLOGIN can also get its authentication from
web server basic security, and since invocation of web services can pass in
such username/passwords, it seems possible that one could leverage roles
even in a web-service invocation of a CFFUNCTION. Just a thought. Someone
may know better.

/charlie

- 
Annual Sponsor - Figleaf Software <http://www.figleaf.com>  

To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
- 
- 
Annual Sponsor - Figleaf Software <http://www.figl