SEJ-69 #1
Protecting remote CFCs from unauthorized access
Now that I'm working with Flex I've discovered that I no longer have session
variables to maintain access to a site. How do I protect my ColdFusion CFCs
from unauthorized access?
I'm working on a site that requires user authentication. While the actual
user authentication in Flex is easy, this doesn't protect my ColdFusion CFCs
from someone that knows how to hook up directly to my site, which would bypass
the interface security.
I'm also coding an Adobe AIR application to go along with the website.
TIA.
SEJ-69 Guest
-
Etienne #2
Re: Protecting remote CFCs from unauthorized access
That's a good question...
Does anyone have an answer?
Etienne
Etienne Guest
-
Ian Skinner #3
Re: Protecting remote CFCs from unauthorized access
Have you investigated the CFC username/password properties?
Have you investigated session use with flex applications? I understand
they are still possible, just not as intuitive as with an HTML application.
Ian Skinner Guest
-
samunplugged #4
Re: Protecting remote CFCs from unauthorized access
One of my tasks involved publishing a secured web service to be consumed by any
client/platform. The best and most secure way, and you'll agree that this is what
Amazon and Google use as well, is that you assign every client an
application-id and security-key.
And here's how the client should make requests:
1. SoapHeaders or HTTP_Cookie is sent with every request. The information it will
contain is an encrypted text (token) and client id.
Header or cookie will appear something like this:
applicationid=3456&token=wJDKD93o34%^&*$2de4390
2. Encryption is done by the client using the security-key provided by the
server. The text which is encrypted must contain the datetime. Example normal text
could be: myMethod\20080612
3. The security-key itself is never transferred over the network.
4. At the server side, the token header value is decrypted using the key for
that applicationid (pick it up from the server.)
5. The server checks if, after decryption of the token, the datetime is in proper
format and methodName is the same as the method called. And if this is true, the
client is authenticated.
In simple words, go on encrypting any client variable before sending it to the
server. If the server can decrypt it and finds the expected string, respond, or else
throw a security error.
Why you must also allow access using HTTP_COOKIE is that you don't want to
write your own WSDL files. ColdFusion can not generate a WSDL which can tell
consumers what SoapHeaders your service is expecting. Not allowing cookie-based
authentication will eventually lead to a situation where .NET developers
won't be able to consume your service. It's impossible for most .NET pros to
write code to send custom soap headers - there is so much dependency on VS
Studio web service code stubs.
Sam
Adobe Certified Flash and Adv. ColdFusion Developer
http://www.samunplugged.com
mumbai users, join other mumbai cf enthusiasts:
http://in.groups.yahoo.com/group/cfexpress/
samunplugged Guest
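
The per-request token check described in post #4, as an added example that is not part of the original thread or any poster's code. It swaps the post's encryption step for an HMAC-SHA256 over `method\timestamp` (the key still never crosses the network); the key table, the timestamp format and the five-minute freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data: application id -> security key, stored server-side only.
KEYS = {"3456": b"constructed-demo-key"}
MAX_SKEW = timedelta(minutes=5)   # assumed freshness window
STAMP_FMT = "%Y%m%dT%H%M%SZ"      # assumed format, finer than the post's date-only example


def _mac(key: bytes, method: str, stamp: str) -> str:
    """HMAC-SHA256 over 'method\\timestamp', hex encoded."""
    return hmac.new(key, f"{method}\\{stamp}".encode(), hashlib.sha256).hexdigest()


def make_token(key: bytes, method: str, when: datetime) -> str:
    """Client side: bind the token to one method name and one point in time."""
    stamp = when.strftime(STAMP_FMT)
    return f"{stamp}.{_mac(key, method, stamp)}"


def verify(app_id: str, token: str, called_method: str, now: datetime) -> bool:
    """Server side: look up the key by application id and recompute the MAC
    for the method that was actually invoked."""
    key = KEYS.get(app_id)
    stamp, _, mac = token.partition(".")
    if key is None or not mac:
        return False                      # unknown client or malformed token
    try:
        sent = datetime.strptime(stamp, STAMP_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False                      # datetime not in the expected format
    if abs(now - sent) > MAX_SKEW:
        return False                      # stale: a captured header expires
    expected = _mac(key, called_method, stamp)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    now = datetime(2008, 6, 12, 10, 0, 0, tzinfo=timezone.utc)
    token = make_token(KEYS["3456"], "myMethod", now)
    print("applicationid=3456&token=" + token)
    print("same method:", verify("3456", token, "myMethod", now))
    print("other method:", verify("3456", token, "otherMethod", now))
```

A token remains replayable for the same method until the window closes, so the service should also run over TLS and, where that matters, track a per-request nonce.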




