Professional Web Applications Themes

Using RSA's SecurID fob for Application Authentication - ColdFusion - Advanced Techniques


  1. #1

    Using RSA's SecurID fob for Application Authentication

    Hey there,

    I'm working with a systems guy to get RSA's SecurID working with ColdFusion
    applications to replace any sort of custom login (i.e. doing away with
    passwords to use RSA's SecurID fob). I'm running into some weird problems and
    I was wondering if someone has done this or has any thoughts as to what is
    going on.

    We're running ColdFusion 7.0 using JRun on an Apache web server running on
    Red Hat Linux. We're trying to use RSA's Authentication Agent 5.3 for Web for
    Apache (URL: https://rsasecurity1.rsc03.net/servlet/campaignrespondent).
    This provides a number of Java classes that should be able to be called from a
    .cfm web page. I've tried to find a link to a .pdf that RSA provides titled
    "RSA Authentication Agent 5.3 for Web Authentication Developer's Guide for Sun
    Java System Web Server and Apache Web Server", but I cannot find it. If
    someone is kind enough to work on this, I can send the .pdf.

    In short, the RSA agent takes the RSA authentication and writes a cookie called
    rsa-local to the user's machine. RSA's API reads the cookie to check for
    things like time-outs, userIDs and such. Here is a sample cookie:

    rsa-local
    priesrZ00Z002Z0042554EF6Z0042554EF6Z00Z00S.Z3DZ18Z 89ZBAZ89Z5BZF1ZB3Z9EZEFZ8AZF87
    Z224Z16Z19Z04ZA1Z9AZ88YZ273kZ9CNZCBZDEZDC

    I've attached the sample files that I'm trying to get working.

    This page should produce the following output:

    Hello priesr

    The problem: The RSA API (in the example given above:
    rsaObject.RSAGetUserName) returns a 101 error and claims that it cannot read
    the cookie. When I just try this under Apache in a simple .html page, it
    works every time. After a number of refreshes on the .cfm page, it finally
    does read the cookie, and the RSA API returns what it should. This won't work
    for a login for an application :)

    OK, one interesting note:

    When I try to read the cookie directly (output cookie.rsa-local) I get the
    following error message: Element RSA is undefined in COOKIE. I noticed that
    ColdFusion is chopping off the cookie variables at the dash. If I try to
    create a cookie called "a-b" and try to read it back, I will get the error
    message: Element a is undefined in COOKIE. I checked all of the
    documentation in ColdFusion, as well as some of the original RFCs, and did not
    find anything that restricted the use of a "-" in a cookie variable. There
    were lots of notes on not using a period or an underscore, but nothing on a
    dash.

    Does ColdFusion have a bug in reading cookies where it's clipping variable
    names after the "-"? Could this be the source of my problem?

    I would love to hear from anyone who has this working, or if anyone has any
    ideas as to why what I'm doing will not work.

    Thanks,

    -- Rick P.

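    <html>
    <body>
    <!--- Instantiate the cookie API class provided by the RSA web agent --->
    <cfset rsaObject = createObject("java", "com.rsa.cookieapi.RSACookieAPI")>
    <!--- Hand the API the underlying servlet request for this page --->
    <cfset req = getPageContext().getRequest()>
    <cfset rsaObject.init(req)>
    <!--- Ask the API for the authenticated user name --->
    <cfset pv_username = rsaObject.RSAGetUserName()>
    <!--- Capture the API's last error code for troubleshooting --->
    <cfset err = rsaObject.RSAGetLastError()>
    <!--- Dump the cookie scope as ColdFusion sees it --->
    <cfdump var="#cookie#">
    <cfoutput>
    Hello <strong>#pv_username#</strong>
    </cfoutput>
    <br>
    </body>
    </html>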

    Rick Pries Guest
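
Added example, not part of the original post and not RSA's or Adobe's code: CFML parses `cookie.rsa-local` as `cookie.rsa` minus `local`, which matches the "Element RSA is undefined in COOKIE" message, while bracket notation looks up the full name. The diagnostic page below compares what the CFML cookie scope holds with what the servlet request (the object the post's code passes to `init`) carries; the thread does not establish whether this is related to the 101 error, and the variable names are assumptions.

```cfml
<!--- Constructed diagnostic page; only the cookie name rsa-local comes from the thread. --->
<cfset cookieName = "rsa-local">

<!--- Bracket notation and structKeyExists take the whole name, hyphen included.
      Dot notation (cookie.rsa-local) would be evaluated as a subtraction. --->
<cfset inCfScope = structKeyExists(cookie, cookieName)>
<cfset cfLength = 0>
<cfif inCfScope>
    <cfset cfLength = len(cookie[cookieName])>
</cfif>

<!--- The same request as the servlet container sees it. --->
<cfset req = getPageContext().getRequest()>
<cfset inServletRequest = false>
<cfset servletLength = 0>
<cfset jCookies = req.getCookies()>
<!--- getCookies() returns Java null when no cookies were sent;
      CFML then leaves jCookies undefined, so test for that first. --->
<cfif isDefined("jCookies")>
    <cfloop from="1" to="#arrayLen(jCookies)#" index="i">
        <cfif jCookies[i].getName() eq cookieName>
            <cfset inServletRequest = true>
            <cfset servletLength = len(jCookies[i].getValue())>
        </cfif>
    </cfloop>
</cfif>

<!--- Report presence and length only: the value is an authentication
      cookie and should not be echoed to the page or written to logs. --->
<cfoutput>
<table border="1">
  <tr><th>Source</th><th>#HTMLEditFormat(cookieName)# present</th><th>Value length</th></tr>
  <tr><td>CFML cookie scope</td><td>#inCfScope#</td><td>#cfLength#</td></tr>
  <tr><td>Servlet request</td><td>#inServletRequest#</td><td>#servletLength#</td></tr>
</table>
</cfoutput>
```

If both rows report the cookie as present with the same length, the hyphen in the name is not what keeps the cookie from reaching the Java side.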

  2. #2

    Re: Using RSA's SecurID fob for Application Authentication

    Did you ever find a solution to this issue? We are having the same problem here. Thanks!
    cwrigley Guest
