tags:

views:

368

answers:

3
Q: 

ColdFusion scheduled tasks - how to secure when using <cflogin>?

I have a web-site written in ColdFusion that contains both the usual interactive web pages and some tasks run through the CF scheduler. The dir layout is

/
/app
/scheduledTasks

I'd like the tasks to be able to use all the same settings, etc. created in the application.cfc inside of /app so I'd like to move that entire /scheduledTasks directory into /app. The problem is that that application.cfc uses the cflogin mechanism and my own log in form. The CF scheduler only lets you supply a username and password for HTTP Basic authentication. The scheduled tasks will never get past that. How can I resolve this or is there a better approach to begin with?

I've wondered about looking at some CGI variable in my application.cfc's OnRequestStart such as the user agent, the remote IP, and/or a magic value in the URL param's and if all are there, bypass security since I "know" it's CF's scheduler on the other end. This isn't great security but it may be acceptable.

I've also wondered about creating a new application.cfc in my root that the application.cfc in /app inherits from. I'd leave the tasks where they are and put a new application.cfc there as well that inherits common stuff from the root. This increases complexity though and I've had issues when trying to access the CFCs inside of /app/cfcs from /scheduledTasks.

Has anyone had a similar problem and solved it?

+5  A: 

leave the schedule tasks in their own folder like you currently have it off the root of the site.

create an application.cfc in the scheduletasks folder that extends the one in the apps directory like so:

<cfcomponent extends="/.apps/application">

overload the onrequeststart method and put in your authentication like so:

<cffunction name="onRequestStart" returntype="void" access="public" output="false">
    <cfargument name="targetPage" type="any" required="true">
    <cfif not structkeyexists(url, "access") or not url.access eq application.ApplicationName>
     <cflocation url="/" addtoken="false">
    </cfif>
</cffunction>

this is VERY basic security but will get the job done. customize to your liking.

rip747  2009-11-04 18:42:08
would extends take that? a relative path? shouldn't it be "apps.application" ?
Henry  2009-11-04 20:27:00
No, it won't take that. Given my path layout described, it should be what you (Henry) recommend instead.My preference is actually to move my directory of scheduled tasks inside of /app. For the purposes of the specific question I've asked though, your approach works and is nice and simple. I have another problem it causes though that I'll post in a new question now.
DaveBurns  2009-11-04 22:51:25
That post: http://stackoverflow.com/questions/1677312/
DaveBurns  2009-11-04 23:09:12
good catch henry. i screwed up. it should be<cfcomponent extends="/.app.application">i will update my answer
rip747  2009-11-05 20:26:08
Is the /. prefix documented behavior? I've seen it discussed before but someone usually mentions that it's not officially supported. FWIW, leaving it out works since part of the search path for CFCs includes the webroot. So just 'app.application' resolved to '/app/application.cfc' for me.
DaveBurns  2009-11-06 06:11:38
+1  A: 

Offhand, I would create a custom role for the scheduled application. Then, in your main application, automatically apply it when the request comes from the local server.

Ben Doom  2009-11-04 22:18:03
+1  A: 

ColdFusion scheduled tasks pass in certain data in the CGI information including:

HTTP_USER_AGENT=CFSCHEDULE

Now HTTP_USER_AGENT is fakeable so the next question is to determine how secure you need access to the folder. Do you only want CF to run these tasks? Or do you want to run them from outside as well? Just your computer? Etc. Once that is determined you can code for it and rip747's solution is a good one so I'm not going to suggest anything else! ;)

Sam Farmer  2010-01-27 17:21:16

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security