
One of the great features of CFCs is the ability to reuse the code for both a straight .cfm page and for Flex apps.

One such app that I developed uses Flex for its charting capabilities and needs access to a 'getResults()' function in the cfc.

All of this content is behind an authentication mechanism, but since the cfc will open itself up to a wsdl request:

https://myserver.com/c/functions.cfc?wsdl

and will actually return the results to the browser if the URL query is crafted properly:

https://myserver.com/c/functions.cfc?method=getResults&Term=2009&Course=Anatomy

What techniques have people used to protect the cfc from direct access UNLESS the request is coming directly from the CFML processor OR from Flex Remoting?

Shawn Holmes
Chris Brandt

6 Answers


You could utilize some of the CGI scope variables to check where the request is coming from.

ie: CGI.REMOTE_HOST, CGI.REMOTE_ADDR

So, you'd probably construct a new function with an access="public" property which checks the values of those variables against a list of valid values for your server. If it returns true, you would execute the request and if it returns false, you would throw/return some sort of error.

Jason
  • You could also probably secure the request with some sort of credentials to add another thin wall of annoyance. – Jas Panesar May 22 '09 at 23:47
  • I think this is the way to go. I'm using CGI.SCRIPT_NAME to test whether the browser is accessing the CFC directly. If they are, they get the boot. – Chris Brandt May 26 '09 at 19:52
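A worked version of the CGI-scope check, added here as an example and not code from the question or this answer. The file, method and argument names (functions.cfc, getResults, Term, Course) come from the question; the trusted-address list, the CGI.SCRIPT_NAME test and the stand-in return value are assumptions.

```cfml
<!--- functions.cfc (added example). Assumes this file lives at /c/functions.cfc as in the question. --->
<cfcomponent output="false">

  <!--- access="remote" is what Flex Remoting needs; a .cfm page can still createObject() this component --->
  <cffunction name="getResults" access="remote" returntype="query" output="false">
    <cfargument name="Term" type="string" required="true">
    <cfargument name="Course" type="string" required="true">
    <cfset assertTrustedCaller()>
    <!--- the real lookup goes here; a constructed empty query stands in for it --->
    <cfreturn queryNew("term,course,score")>
  </cffunction>

  <!--- private methods are never reachable over HTTP, so the check itself cannot be called directly --->
  <cffunction name="assertTrustedCaller" access="private" returntype="void" output="false">
    <!--- hypothetical allowlist of peers that may hit the .cfc URL directly (e.g. a local monitor) --->
    <cfset var trustedAddrs = "127.0.0.1,::1">
    <cfset var script = lCase(CGI.SCRIPT_NAME)>
    <cfset var isDirectHit = right(script, 4) EQ ".cfc">

    <!--- A browser request to /c/functions.cfc?method=... or ?wsdl makes this .cfc the script itself.
          A Flex Remoting call arrives through the gateway (a SCRIPT_NAME such as /flex2gateway/), and an
          in-page createObject() call inherits the calling .cfm's SCRIPT_NAME, so neither trips the test. --->
    <cfif isDirectHit AND NOT listFind(trustedAddrs, CGI.REMOTE_ADDR)>
      <cfheader statuscode="403" statustext="Forbidden">
      <cfthrow type="Security.DirectAccess" message="Direct access to this component is not permitted.">
    </cfif>
  </cffunction>

</cfcomponent>
```

CGI.REMOTE_ADDR is the address of the TCP peer, so behind a load balancer or reverse proxy it is the proxy's address, and any forwarded-for header is only trustworthy if that proxy overwrites it. CGI.REMOTE_HOST depends on a reverse DNS lookup and is not something to base a decision on. The check also blocks a Flex client that calls the .cfc URL over plain HTTP (HTTPService) instead of Remoting, which is the intended effect here.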

I would suggest adding an OnRequestStart handler to your application.cfc file, and perform a check there... what that check is depends on your current model, but some good suggestions would be to check cgi.remote_user (if authenticated) or perhaps storing something in the session scope?

<cfif structKeyExists(session,"empID") and len(session.empid)>
  <!--- user is authenticated, process normally --->
<cfelse>
  <!--- abort the request or send a meaningful error message --->
</cfif>
Goyuix
  • I guess I'm also trying to protect the specific cfc from being manipulated by someone who is already authenticated/authorized – Chris Brandt May 26 '09 at 19:51
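An Application.cfc built around the onRequestStart check suggested above, added as an example rather than code from the answer. The session.empID key is the one the answer uses; the application name, the public-page list and the login page path are assumptions.

```cfml
<!--- Application.cfc (added example) --->
<cfcomponent output="false">
  <cfset this.name = "ResultsApp">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

  <!--- hypothetical pages reachable without a login; the login form itself must be listed or it loops --->
  <cfset variables.publicPages = "/login.cfm,/logout.cfm">

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">

    <cfif listFindNoCase(variables.publicPages, arguments.targetPage) OR isAuthenticated()>
      <cfreturn true>
    </cfif>

    <!--- Not authenticated. A component URL (/c/functions.cfc?method=... or ?wsdl) gets a bare 403:
          no redirect to follow and no WSDL to read. A normal page is sent to the login form. --->
    <cfif right(arguments.targetPage, 4) EQ ".cfc">
      <cfheader statuscode="403" statustext="Forbidden">
      <cfcontent type="text/plain" reset="true">
      <cfabort>
    <cfelse>
      <cflocation url="/login.cfm" addtoken="false">
    </cfif>
    <cfreturn false>
  </cffunction>

  <!--- session.empID is set only by the login handler after the credentials check out --->
  <cffunction name="isAuthenticated" access="private" returntype="boolean" output="false">
    <cfreturn structKeyExists(session, "empID") AND len(session.empID) GT 0>
  </cffunction>
</cfcomponent>
```

A Flex app served from the same host sends the browser's CFID/CFTOKEN (or jsessionid) cookies with its Remoting calls, so those calls are evaluated against the same session as the .cfm pages. This gate only answers "is anyone logged in"; which logged-in user may call which method still has to be checked inside the component.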

What about using the new roles attribute? Everyone that visits your site automatically gets cflogin roles="public".

Phillip Senn
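The roles attribute in use, added here as an example and not code from the answer. cflogin, cfloginuser, the roles attribute on cffunction and isUserInRole() are standard ColdFusion; the in-memory user table, its salt and the role names are constructed for the example.

```cfml
<!--- Application.cfc fragment (added example): log the user in and attach roles --->
<cfcomponent output="false">
  <cfset this.name = "ResultsApp">
  <cfset this.sessionManagement = true>
  <!--- keep the login in the session instead of the default cookie so a Remoting client
        does not have to resend credentials on every call --->
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var roles = "">
    <cflogin>
      <!--- cflogin is populated from a login form (j_username/j_password), HTTP Basic auth,
            or a Flex RemoteObject that called setRemoteCredentials() --->
      <cfif isDefined("cflogin")>
        <cfset roles = lookupRoles(cflogin.name, cflogin.password)>
        <cfif len(roles)>
          <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
        </cfif>
      </cfif>
    </cflogin>
    <cfreturn true>
  </cffunction>

  <!--- constructed user store: username -> salted SHA-256 hash and role list.
        A real application reads this from its database. --->
  <cffunction name="lookupRoles" access="private" returntype="string" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var users = structNew()>
    <cfset var salt = "example-salt-change-me">
    <cfset users["cbrandt"] = { pwHash = hash(salt & "correct horse", "SHA-256"), roles = "staff,admin" }>
    <cfset users["viewer"]  = { pwHash = hash(salt & "battery staple", "SHA-256"), roles = "staff" }>
    <cfif structKeyExists(users, arguments.username)
          AND compare(users[arguments.username].pwHash, hash(salt & arguments.password, "SHA-256")) EQ 0>
      <cfreturn users[arguments.username].roles>
    </cfif>
    <cfreturn "">
  </cffunction>
</cfcomponent>

<!--- functions.cfc fragment: ColdFusion enforces roles= before the body runs and throws a
      security exception for a caller who is not logged in with one of the listed roles --->
<cfcomponent output="false">
  <cffunction name="getResults" access="remote" roles="staff,admin" returntype="query" output="false">
    <cfargument name="Term" type="string" required="true">
    <cfargument name="Course" type="string" required="true">
    <!--- finer-grained decisions can still be made inside the body --->
    <cfif NOT isUserInRole("admin")>
      <cfthrow type="Security.Role" message="Only admins may query results for other courses.">
    </cfif>
    <cfreturn queryNew("term,course,score")>
  </cffunction>
</cfcomponent>
```

Because the role check is declared on the method, it applies no matter how the component is reached: direct URL, WSDL, Remoting or a .cfm page. A plain salted SHA-256 is used only to keep the example self-contained; a slow, iterated password hash is the right choice for a real user store.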

One thing I prefer to do is have only one argument for each method - either XML or Struct - and require a certain node/object name to be present in that XML or Struct.

<cfif NOT StructKeyExists(arguments.myArgs, "requiredParam")>
    <cfxml name="myXML">
         <error>
             <message>Required parameter not found.</message>
         </error>
    </cfxml>

    <cfreturn myXML />
</cfif>

Eric Belair

Just came across this question whilst looking for something else and thought I'd add my 2p:

I have an app using a remote CFC that I only want to be available to logged in 'admin' users. In this case, the CGI variable check would still pass for guest users of the app.

When an admin user logs in, I take a hash of their session ID and login time and store that in the database and the session scope. When I hit the remote CFC, I pass the hash as a variable and check it against the database of admin users.

If a record comes back, I know the current user is admin and I continue with the request.

Gary Stanton
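The token scheme described in this answer, written out as an added example that is not the answer's own code. The hash of session ID plus login time follows the answer; the datasource name, the admin_users table with its api_token and token_issued columns, the eight-hour validity window and the session.empID key are assumptions.

```cfml
<!--- 1. Login handler fragment (added example): runs after the admin's credentials have been verified --->
<cfset session.adminToken = hash(session.sessionID & now(), "SHA-256")>
<cfquery datasource="app">
  UPDATE admin_users
     SET api_token    = <cfqueryparam value="#session.adminToken#" cfsqltype="cf_sql_varchar">,
         token_issued = <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
   WHERE user_id = <cfqueryparam value="#session.empID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 2. The remote component: the Flex client passes the token with every call --->
<cfcomponent output="false">
  <cffunction name="getResults" access="remote" returntype="query" output="false">
    <cfargument name="token" type="string" required="true">
    <cfargument name="Term" type="string" required="true">
    <cfargument name="Course" type="string" required="true">
    <cfset var admin = "">

    <!--- the token is a bearer credential: look it up, and refuse anything older than the window --->
    <cfquery name="admin" datasource="app">
      SELECT user_id
        FROM admin_users
       WHERE api_token = <cfqueryparam value="#arguments.token#" cfsqltype="cf_sql_varchar">
         AND token_issued > <cfqueryparam value="#dateAdd('h', -8, now())#" cfsqltype="cf_sql_timestamp">
    </cfquery>
    <cfif admin.recordCount NEQ 1>
      <cfheader statuscode="403" statustext="Forbidden">
      <cfthrow type="Security.BadToken" message="Not an admin session.">
    </cfif>

    <!--- constructed stand-in for the real results query --->
    <cfreturn queryNew("term,course,score")>
  </cffunction>
</cfcomponent>

<!--- 3. Logout fragment: invalidate the token so it cannot be replayed after the session ends --->
<cfquery datasource="app">
  UPDATE admin_users SET api_token = NULL, token_issued = NULL
   WHERE user_id = <cfqueryparam value="#session.empID#" cfsqltype="cf_sql_integer">
</cfquery>
```

Whoever holds the token is the admin, so it must only travel over HTTPS (as the question's URLs already do) and should be cleared on logout. Its strength rests on the session ID being unguessable; a value from createUUID() or a random byte string would not depend on that at all.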

Although a bit old, I dug up Bill Purcell's notes on securing CF apps in general. Securing CFCs is mentioned.

http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=978

Jas Panesar