1

This is a conceptual question, but after googling and searching through online resources, I cannot find an answer to this small question. Any help would be appreciated. Thanks in advance.

The question came up when I was using the eNOM API to perform multiple operations using the test account they provide.

https://resellertest.enom.com/interface.asp?command=nameofcommand&
uid=yourloginid&pw=yourpassword&
paramname=paramvalue&nextparamname=nextparamvalue

Note: This is just an example URL. The password field here is actually an 'api-key'.

The native ColdFusion solution of using CFhttp has proved to be beneficial in terms of handling output data easily or passing headers and parameters to a RESTful API. The first question that arose was: does CFhttp encrypt the password fields, as is supported in cURL, and if not, is there any way to implement it? Secondly, I found this piece of text while reading about cURL and CFHTTP:

cURL allows you to connect and communicate to many different types of servers with many different types of protocols. Using cURL you can:

  • Implement payment gateways’ payment notification scripts.
  • Download and upload files from remote servers.
  • Login to other websites and access members only sections.

So, are points no. 1 & 2 possible using CFhttp? And if yes, can I have a short idea of how to go about doing it?

Anurag
  • 2
    Voting to close as it's not reflective of a tangible "issue" to solve. What's the issue that you face that led to the question? *That* would be the thing to ask about. – Adam Cameron Jan 20 '15 at 09:10
  • Thanks [Adam Cameron](/users/894061/adam-cameron). I re-posted the question to be more specific. Thanks – Anurag Jan 20 '15 at 09:33
  • @AnuragMishra: you need to send the password in url? – Deepak Kumar Padhy Jan 20 '15 at 10:34
  • I've retracted my "close" vote. – Adam Cameron Jan 20 '15 at 11:40
  • Yes, password and highly sensitive data as well, that's why the question. – Anurag Jan 20 '15 at 15:58
  • 1
    If you mean [`--digest` (digest authentication)](http://curl.haxx.se/docs/manpage.html), cfhttp does not support it AFAIK. CF11 [added support for NTLM](http://www.adobe.com/devnet/coldfusion/articles/security-improvements-cf11.html), but there is no mention of any changes for digest authentication. The docs still list it as unsupported: [*"..The cfhttp tag does not support ... Digest Authentication."*](https://wikidocs.adobe.com/wiki/display/coldfusionen/cfhttp). – Leigh Jan 20 '15 at 16:11
  • That was helpful. Thanks [Leigh](/users/104223/leigh) – Anurag Jan 20 '15 at 16:15

1 Answer

3

Curl allows you to connect to any https site without having to install the 'required' certificate. Although some might call this insecure, I really like this feature. Besides this feature I do not believe there is much (if anything) you can do with curl which cannot be done with cfhttp somehow.

If you work with https sites a lot, curl is easier to work with than CFHTTP (imo).

According to the ColdFusion docs, the cfhttp tag uses SSL to negotiate secure transactions. (reference http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ffc.html)


Update: You can monitor if the data is sent encrypted or not using the built-in proxy in ColdFusion. See http://helpx.adobe.com/coldfusion/kb/coldfusion-mx-monitoring-soap-traffic.html for more details.

Nebu
  • This I already knew. Thanks by the way. The issue is not at all with https calls. Some APIs don't have an https call support, everything is plain http. So is there any way to encode or encrypt data for the parameters? I can simply use ColdFusion for it but unfortunately, the target API (eNom here) wouldn't understand that it is encrypted and how to deal with it. – Anurag Jan 20 '15 at 16:02
  • It is clear from the `cfhttp` [docs](http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ffc.html) that the password attrib in the cfhttp tag is combined with the username to form a base64 encoded string that is passed in the Authenticate header. That solves the prob only if the authentication is done the usual way. But what if the username is sent as 'account' and the password is passed as an 'api-key'? So if I can somehow encode these to base64 as well, that would be awesome. I need some expert advice on whether it is even possible, or should I go about using some library? – Anurag Jan 20 '15 at 16:13
  • @AnuragMishra maybe you can use `cfhttpparam` to specify your own authentication header. Something like [this answer to a similar question](http://stackoverflow.com/a/14228097/1636917) – Miguel-F Jan 20 '15 at 21:29
  • Yes I can, but is it encoded or sent as is? – Anurag Jan 21 '15 at 03:38
  • 1
    @AnuragMishra You can monitor if the data is sent encrypted or not using the built-in proxy in ColdFusion. See http://helpx.adobe.com/coldfusion/kb/coldfusion-mx-monitoring-soap-traffic.html for more details. – Nebu Jan 21 '15 at 09:22
  • Thanks for the help Nebu. I did not even know about this proxy. Thanks a ton! – Anurag Jan 21 '15 at 09:54
  • In addition, you can specify the outbound IP address using "--interface". This is something you can't do with either CFHTTP or CFX_HTTP5. https://curl.haxx.se/docs/manpage.html#--interface – James Moberg Sep 21 '16 at 22:53
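
Added example, not part of the original thread: whether credentials are "encoded or sent as is" comes down to what is in the request bytes. This Python sketch builds both request styles discussed above (query-string `uid`/`pw` and a Basic `Authorization` header) using constructed values and a placeholder host, then reads the credentials back out of each; only TLS on the connection changes what an intermediary can see.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values and a placeholder host; not real credentials.
HOST, PATH = "api.example.test", "/interface.asp"
ACCOUNT, API_KEY = "example-account", "example-api-key"


def query_style_request(params):
    """Raw request with uid/pw in the URL, as in the question's example."""
    return f"GET {PATH}?{urlencode(params)} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode()


def basic_header_request(account, api_key, params):
    """Raw request carrying the pair in a Basic Authorization header."""
    token = base64.b64encode(f"{account}:{api_key}".encode()).decode()
    return (f"GET {PATH}?{urlencode(params)} HTTP/1.1\r\nHost: {HOST}\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode()


def credentials_visible_in(raw_request):
    """Credentials readable by anything that sees these bytes (proxy, log, plain-http path)."""
    head = raw_request.decode().split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    found = {}
    # Query-string parameters are plain text in the request line.
    query = parse_qs(urlsplit(request_line.split(" ")[1]).query)
    for name in ("uid", "pw"):
        if name in query:
            found[name] = query[name][0]
    # Basic auth is base64: an encoding with no key, so decoding needs no secret.
    for line in header_lines:
        name, _, value = line.partition(":")
        scheme, _, token = value.strip().partition(" ")
        if name.strip().lower() == "authorization" and scheme.lower() == "basic":
            user, _, secret = base64.b64decode(token).decode().partition(":")
            found["basic_user"], found["basic_secret"] = user, secret
    return found


if __name__ == "__main__":
    print(credentials_visible_in(query_style_request(
        {"command": "nameofcommand", "uid": ACCOUNT, "pw": API_KEY})))
    print(credentials_visible_in(basic_header_request(
        ACCOUNT, API_KEY, {"command": "nameofcommand"})))
```

The header form keeps the key out of the URL, and so out of places that record URLs, but it does not hide it from anything that can read the request itself.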