Professional Web Applications Themes

Development server Directory Security and cfhttp - Coldfusion - Advanced Techniques

On our development server, we disallowed anonymous access to our sites through IIS (so that users would have the windows prompt to login to access the sites in development). We are building an application which requires us to use cfhttp to call on a page within the development site. Since the site does not allow anonymous access, I get a 'You are not authorized to view this page' error whenever I try to run cfhttp command: <cfhttp method="get" url="dev_site_url"> I also tried adding a username/password but I get the same error: <cfhttp method="get" url="dev_site_url" username="user" password="pass"> Is there a way ...

Sponsored Links
  1. #1

    Default Development server Directory Security and cfhttp

    On our development server, we disallowed anonymous access to our sites through
    IIS (so that users would have the windows prompt to login to access the sites
    in development). We are building an application which requires us to use cfhttp
    to call on a page within the development site. Since the site does not allow
    anonymous access, I get a 'You are not authorized to view this page' error
    whenever I try to run cfhttp command:
    <cfhttp method="get" url="dev_site_url">

    I also tried adding a username/password but I get the same error:
    <cfhttp method="get" url="dev_site_url" username="user" password="pass">

    Is there a way to keep anonymous access off, but still get the cfhttp command
    to work?

    Alternatively, is there a way to set up the websites on the dev server so that
    they are not accessible to strangers, but keep anonymous access on? I can't
    filter the IP since I still have to make the sites available to our clients,
    and I don't want to add CF code to the sites to force a web login. Any ideas?

    Any help would be greatly appreciated!

    F.

    Sponsored Links
    flavio Guest

  2. #2

    Default Re: Development server Directory Security and cfhttp

    Are you running CF under a domain account? Did you try giving the CF account rights to the directory?
    philh Guest

  3. #3

    Default Re: Development server Directory Security and cfhttp

    Please excuse my ignorance, but how would I go about giving the CF account rights to the directory? I also have no idea if I am running CF under a domain account...

    F.
    flavio Guest

  4. #4

    Default Re: Development server Directory Security and cfhttp

    I went through the process of changing the setup so that CF runs as a seperate
    user (http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17279),
    and I made all the appropriate changes to give the user full access to the
    directory. Still no luck.

    F.

    flavio Guest

  5. #5

    Default Re: Development server Directory Security and cfhttp

    CF account has nothing to do with this. You have to pass credentials with HTTP
    request (authentication header). If you are using Windows integrated security
    with Basic authentication disabled, you cannot use CFHTTP, because CF supports
    only Basic. You have to use a replacement for CFHTTP, like this one:

    http://www.cftagstore.com/tags/cfxhttp5.cfm


    Mr Guest

  6. #6

    Default Re: Development server Directory Security and cfhttp

    I finally got it to work - I just disabled anonymous access, used basic
    authentication and passed the username and password in the cfhttp request:
    <cfhttp method="get" url="dev_site_url" username="user" password="pass">

    I am just curious - is this the way most people secure their development
    servers from the public?

    F.

    flavio Guest

  7. #7

    Default Re: Development server Directory Security and cfhttp

    Flavio,


    NO. Basic Auth is not secure; the user name/ password pair is communicated in plain text.
    philh Guest

  8. #8

    Default Re: Development server Directory Security and cfhttp

    Phil - I understand the this is insecure, but I am not very concerned. This is
    just a development server, and I want to make sure that the sites on this
    server don't get indexed by search engines, and are kept from outside visitors.
    If someone really wanted to get in, I don't really care if they find their way
    in... there aren't any top secret sites in there :-)

    I'm just curious, though - how would you go about making it more secure and
    still allow cfhttp to access the pages?

    F.

    flavio Guest

  9. #9

    Default Re: Development server Directory Security and cfhttp

    You don't. CFHTTP can't negotiate a secure connection. That's why Mr. Black recommended the custom tag, which can handle NTLM authentication (I think).
    philh Guest

  10. #10

    Default Re: Development server Directory Security and cfhttp

    Thanks for the info Phil - I appreciate your time!

    F.
    flavio Guest

Similar Threads

  1. ASP.NET and directory security
    By quintesv in forum ASP.NET Security
    Replies: 3
    Last Post: September 29th, 02:49 AM
  2. WorldPay security / CFHTTP
    By M1ch43L in forum Macromedia ColdFusion
    Replies: 0
    Last Post: March 9th, 03:34 PM
  3. Replies: 9
    Last Post: December 10th, 09:36 AM
  4. Replies: 1
    Last Post: July 4th, 12:23 AM
  5. Replies: 1
    Last Post: May 21st, 03:47 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139