tags:

views:

446

answers:

5
+4  Q: 

How to protect access="remote" funcitons in CFCs from snoopers?

One of the great features of CFCs is the ability to reuse the code for both a straight .cfm page and for Flex apps.

One such app that I devleoped uses Flex for it's charting capabilities and needs access to a 'getResults()' function in the cfc.

All of this content is behind an authentication mechanism, but since the cfc will open itself up to a wsdl request:

https://myserver.com/c/functions.cfc?wsdl

and will actually return the results to the browser if the URL query is crafted properly:

https://myserver.com/c/functions.cfc?method=getResults&Term=2009&Course=Anatomy

What techniques have people used to protect the cfc from direct access UNLESS the request is coming directly from the CFML processor OR from Flex Remoting?

+3  A: 

You could utilize some of the CGI scope variables to check where the request is coming from.

ie: CGI.REMOTE_HOST, CGI.REMOTE_ADDR

So, you'd probably construct a new function with a access="public" property which checks the values of those variables against a list of valid values for your server. If it returns true, you would execute the request and if it returns false, you would throw/return some sort of error.

Jason  2009-05-22 23:26:23
You could also probably secure the request with some sort of credentials to add another thin wall of annoyance.
Jas Panesar  2009-05-22 23:47:37
I think this is the way to go. I'm using CGI.SCRIPT_NAME to test whether the browser is accessing the CFC directly. If they are, they get the boot.
Chris Brandt  2009-05-26 19:52:39
A: 

Although a bit old, I dug up Bill Purcell's notes on securing CF apps in general. Securing CFC's have mentioned.

http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=978

Jas Panesar  2009-05-22 23:48:56
+2  A: 

I would suggest adding an OnRequestStart handler to your application.cfc file, and perform a check there... what that check is depends on your current model, but some good suggestions would be to check cgi.remote_user (if authenticated) or perhaps storing something in the session scope?

<cfif structKeyExists(session,"empID") and len(session.empid)>
  <!--- user is authenticated, process normally --->
<cfelse>
  <!--- abort request or sending meaningful error message --->
</cfif>
Goyuix  2009-05-23 17:16:37
I guess I'm also trying to protect the specific cfc from being manipulated by someone who is already authenticated/authorized
Chris Brandt  2009-05-26 19:51:06
A: 

One thing I prefer to do is have only one argument for each method - either XML or Struct - and require a certain node/object name to be present in that XML or Struct.

<cfif NOT StructKeyExists(arguments.myArgs, "requiredParam")>
    <cfxml name="myXML">
         <error>
             <message>Required parameter not found.</message>
         </error>
    </cfxml>

    <cfreturn myXML />
</cfif>

Eric Belair  2009-05-26 13:24:02
A: 

What about using the new roles attribute? Everyone that visits your site automatically gets cflogin roles="public".

cf_PhillipSenn  2009-05-28 01:19:17

related questions

Silverlight vs Flex
Executing JavaScript from Flex: Is this javascript function dangerous?
How To Get Label Of Combobox to Fade In Flex
How do I change the title bar icon in Adobe AIR?
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Flex: does painless programmatic data binding exist?
SoapException: Root element is missing occurs when .NET web service called from Flex
Any recommendations for in-depth Flex training?
How do I restyle an Adobe Flex Accordion to include a button in each canvas header?
Deleting / Replacing A Node in E4X (AS3 - Flex)
How can I "unaccept" a drag in Flex?
Printing Flex components in FireFox 3
Is it possible to add behavior to a non-dynamic ActionScript 3 class without inheriting the class?
How do I get rid of the "multiple describeType entries" warning?
Open local file with AIR / Flex
Flex / Air obfuscation
Adobe Flex component events
Can you access the windows registry from Adobe Air?
Actionscript 3 - Fastest way to parse yyyy-mm-dd hh:mm:ss to a Date object?
Adobe Air - Using multiple SQLite databases at once
How can I unit test Flex applications from within the IDE or a build script?
Best way to learn Flash?
Get the current logged in OS user in Adobe Air
Adobe air - SQLStatement.execute() - Multiple queries in one statement
Unloading a ByteArray in Actionscript 3.