views:

446

answers:

5

One of the great features of CFCs is the ability to reuse the code for both a straight .cfm page and for Flex apps.

One such app that I developed uses Flex for its charting capabilities and needs access to a 'getResults()' function in the cfc.

All of this content is behind an authentication mechanism, but since the cfc will open itself up to a wsdl request:

https://myserver.com/c/functions.cfc?wsdl

and will actually return the results to the browser if the URL query is crafted properly:

https://myserver.com/c/functions.cfc?method=getResults&Term=2009&Course=Anatomy

What techniques have people used to protect the cfc from direct access UNLESS the request is coming directly from the CFML processor OR from Flex Remoting?

+3  A: 

You could utilize some of the CGI scope variables to check where the request is coming from.

ie: CGI.REMOTE_HOST, CGI.REMOTE_ADDR

So, you'd probably construct a new function with an access="public" property which checks the values of those variables against a list of valid values for your server. If it returns true, you would execute the request and if it returns false, you would throw/return some sort of error.

Jason
You could also probably secure the request with some sort of credentials to add another thin wall of annoyance.
Jas Panesar
I think this is the way to go. I'm using CGI.SCRIPT_NAME to test whether the browser is accessing the CFC directly. If they are, they get the boot.
Chris Brandt
A: 

Although a bit old, I dug up Bill Purcell's notes on securing CF apps in general. Securing CFCs is mentioned.

http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=978

Jas Panesar
+2  A: 

I would suggest adding an OnRequestStart handler to your application.cfc file, and perform a check there... what that check is depends on your current model, but some good suggestions would be to check cgi.remote_user (if authenticated) or perhaps storing something in the session scope?

<cfif structKeyExists(session,"empID") and len(session.empid)>
  <!--- user is authenticated, process normally --->
<cfelse>
  <!--- abort the request or send a meaningful error message --->
</cfif>
Goyuix
I guess I'm also trying to protect the specific cfc from being manipulated by someone who is already authenticated/authorized
Chris Brandt
A: 

One thing I prefer to do is have only one argument for each method - either XML or Struct - and require a certain node/object name to be present in that XML or Struct.

<cfif NOT StructKeyExists(arguments.myArgs, "requiredParam")>
    <cfxml name="myXML">
         <error>
             <message>Required parameter not found.</message>
         </error>
    </cfxml>

    <cfreturn myXML />
</cfif>

Eric Belair
A: 

What about using the new roles attribute? Everyone that visits your site automatically gets cflogin roles="public".

cf_PhillipSenn
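Putting the thread's suggestions together (the onRequestStart check and session.empID test from Goyuix's answer, the CGI.SCRIPT_NAME test from Chris Brandt's comment, and the cffunction roles attribute from Phillip Senn's answer), here is an added example that is not from any poster. It assumes a session key empID is set at login, that cfloginuser has assigned the "staff" role to users allowed to run getResults, that the application has no SOAP clients so ?wsdl can be refused, and that Flex Remoting arrives via the /flex2gateway/ path rather than a URL ending in .cfc.

```cfml
<!--- Application.cfc (constructed example) --->
<cfcomponent output="false">
    <cfset this.name = "chartApp">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- A direct browser hit on functions.cfc (?method= or ?wsdl) puts the
              .cfc path in CGI.SCRIPT_NAME. A .cfm page calling the CFC in-process
              (createObject/cfinvoke) never reaches this handler with a .cfc target,
              and Flex Remoting is assumed to come in under /flex2gateway/. --->
        <cfif right(cgi.script_name, 4) eq ".cfc">

            <!--- No SOAP clients exist (assumption), so refuse WSDL generation. --->
            <cfif structKeyExists(url, "wsdl")>
                <cfheader statuscode="403" statustext="Forbidden">
                <cfabort>
            </cfif>

            <!--- Any other remote method call needs an authenticated session. --->
            <cfif NOT (structKeyExists(session, "empID") AND len(session.empID))>
                <cfheader statuscode="401" statustext="Unauthorized">
                <cfoutput>Authentication required.</cfoutput>
                <cfabort>
            </cfif>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- functions.cfc (constructed example): the roles attribute limits an
      already-authenticated caller to the roles granted by cfloginuser, which
      addresses the "manipulated by someone already authorized" concern. --->
<cfcomponent output="false">
    <cffunction name="getResults" access="remote" roles="staff"
                returntype="query" output="false">
        <cfargument name="Term" type="numeric" required="true">
        <cfargument name="Course" type="string" required="true">
        <cfset var q = "">
        <!--- Parameterised query; the datasource name is a placeholder. --->
        <cfquery name="q" datasource="YOUR_DSN">
            SELECT * FROM results
            WHERE term = <cfqueryparam value="#arguments.Term#" cfsqltype="cf_sql_integer">
              AND course = <cfqueryparam value="#arguments.Course#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

A caller who is logged in but lacks the "staff" role gets a ColdFusion security exception from the roles check rather than the data, while unauthenticated hits on the .cfc URL are stopped in onRequestStart before any method runs.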