How to protect access="remote" functions in CFCs from snoopers?
One of the great features of CFCs is the ability to reuse the code for both a straight .cfm page and for Flex apps.

One such app that I developed uses Flex for its charting capabilities and needs access to a 'getResults()' function in the cfc.

All of this content is behind an authentication mechanism, but since the cfc will open itself up to a wsdl request:

https://myserver.com/c/functions.cfc?wsdl

and will actually return the results to the browser if the URL query is crafted properly:

https://myserver.com/c/functions.cfc?method=getResults&Term=2009&Course=Anatomy

What techniques have people used to protect the cfc from direct access UNLESS the request is coming directly from the CFML processor OR from Flex Remoting?

Declare asked 22/5, 2009 at 22:58

You could utilize some of the CGI scope variables to check where the request is coming from.

i.e. CGI.REMOTE_HOST, CGI.REMOTE_ADDR

So, you'd probably construct a new function with an access="public" property which checks the values of those variables against a list of valid values for your server. If it returns true, you would execute the request, and if it returns false, you would throw/return some sort of error.

Pickmeup answered 22/5, 2009 at 23:26
You could also probably secure the request with some sort of credentials to add another thin wall of annoyance. (Naevus)
I think this is the way to go. I'm using CGI.SCRIPT_NAME to test whether the browser is accessing the CFC directly. If they are, they get the boot. (Declare)

I would suggest adding an OnRequestStart handler to your Application.cfc file and performing a check there. What that check is depends on your current model, but some good suggestions would be to check cgi.remote_user (if authenticated) or perhaps store something in the session scope:

<cfif structKeyExists(session, "empID") and len(session.empID)>
  <!--- user is authenticated, process normally --->
<cfelse>
  <!--- abort the request or send a meaningful error message --->
  <cfabort>
</cfif>
Vasculum answered 23/5, 2009 at 17:16
I guess I'm also trying to protect the specific cfc from being manipulated by someone who is already authenticated/authorized. (Declare)
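One way to combine this answer's session check with the CGI.SCRIPT_NAME test mentioned in the comments on the first answer, as an added example that is not code from either answer: an Application.cfc whose onRequestStart first demands an authenticated session and then refuses any HTTP request aimed straight at a .cfc (the ?method= and ?wsdl URLs from the question). It assumes the session key is empID, that .cfm pages reach the CFC through createObject()/cfinvoke (which run inside the page's own request, so no second onRequestStart fires), and that Flex Remoting posts to /flex2gateway/, whose CGI.SCRIPT_NAME is the gateway path rather than the .cfc. This is what CGI.REMOTE_ADDR cannot do: the browser and the Flex client on that browser's machine share one address, but only the direct hit carries the .cfc as its script name.

```cfml
<!--- Application.cfc (added example; assumptions as described in the lead-in) --->
<cfcomponent output="false">
    <cfset this.name = "chartApp">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- 1. Every entry point, .cfm or .cfc, requires an authenticated session --->
        <cfif NOT (structKeyExists(session, "empID") AND len(session.empID))>
            <cfheader statuscode="401" statustext="Unauthorized">
            <cfabort>
        </cfif>

        <!--- 2. Refuse requests aimed straight at a .cfc: ?method=..., ?wsdl and the
              SOAP calls built from that WSDL all arrive with the .cfc as script name.
              A .cfm page calling the CFC via createObject() runs inside its own request
              (script name ends in .cfm), and Flex Remoting posts to /flex2gateway/
              (assumed gateway path), so neither legitimate path is affected. --->
        <cfif reFindNoCase("\.cfc$", cgi.script_name)>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Closing the .cfc to direct HTTP also closes its WSDL to any legitimate SOAP consumer; if one exists, whitelist its address with cgi.remote_addr before the script-name test, along the lines of the first answer.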

What about using the new roles attribute? Everyone that visits your site automatically gets cflogin roles="public".

Cubit answered 28/5, 2009 at 1:19
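The roles approach written out, as an added example rather than code from the answer: cflogin/cfloginuser in Application.cfc tag the login with a role list, and the roles attribute on the remote method makes ColdFusion refuse the call, by whatever channel it arrives, unless the caller holds one of those roles. The user-store lookup application.userStore.authenticate() is hypothetical and is assumed to return a comma-delimited role list, or an empty string on failure; the datasource name application.dsn and the results table are assumed as well.

```cfml
<!--- Application.cfc (added example) --->
<cfcomponent output="false">
    <cfset this.name = "chartApp">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">  <!--- keep the login for the whole session --->

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var roles = "">
        <cflogin>
            <!--- cflogin.name / cflogin.password are set when credentials arrive via the
                  j_username / j_password form fields or HTTP Basic authentication --->
            <cfif isDefined("cflogin")>
                <!--- hypothetical user store: returns e.g. "public,staff", or "" on failure --->
                <cfset roles = application.userStore.authenticate(cflogin.name, cflogin.password)>
                <cfif len(roles)>
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
                </cfif>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- c/functions.cfc (added example): only a logged-in user holding the "staff" role
      may call getResults, whether from a .cfm page, Flex Remoting, ?method= or WSDL --->
<cfcomponent output="false">
    <cffunction name="getResults" access="remote" roles="staff" returntype="query" output="false">
        <cfargument name="Term" type="numeric" required="true">
        <cfargument name="Course" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="#application.dsn#">
            SELECT student, score
            FROM results
            WHERE term   = <cfqueryparam value="#arguments.Term#" cfsqltype="cf_sql_integer">
              AND course = <cfqueryparam value="#arguments.Course#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

An unauthenticated request has no roles, so ColdFusion rejects a roles-protected method before its body runs; the ?method=getResults URL from the question fails for anyone who has not passed through cfloginuser with "staff", and a user holding only "public" is refused as well. Use getAuthUser() inside the method if the query must also be scoped to the caller.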

One thing I prefer to do is have only one argument for each method - either XML or Struct - and require a certain node/object name to be present in that XML or Struct.

<cfif NOT StructKeyExists(arguments.myArgs, "requiredParam")>
    <cfxml variable="myXML">
         <error>
             <message>Required parameter not found.</message>
         </error>
    </cfxml>

    <cfreturn myXML />
</cfif>

Tupi answered 26/5, 2009 at 13:24

Although a bit old, I dug up Bill Purcell's notes on securing CF apps in general. Securing CFCs is mentioned.

http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=978

Naevus answered 22/5, 2009 at 23:48

Just came across this question whilst looking for something else and thought I'd add my 2p:

I have an app using a remote CFC that I only want to be available to logged in 'admin' users. In this case, the CGI variable check would still pass for guest users of the app.

When an admin user logs in, I take a hash of their session ID and login time and store that in the database and the session scope. When I hit the remote CFC, I pass the hash as a variable and check it against the database of admin users.

If a record comes back, I know the current user is admin and I continue with the request.

Ithaman answered 20/6, 2012 at 11:31
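The token scheme described above, written out as an added example that is not the commenter's own code. It assumes a table admin_tokens(empID, token, expires), a datasource named in application.dsn, and the same results table as the question's getResults. Two details go beyond the description and are design choices of this example: the token mixes in createUUID() so it cannot be derived from a session ID and a login time an attacker might guess, and the remote method also requires the token to match the caller's own session, so a token lifted from one admin's session is useless from another.

```cfml
<!--- Called by the login handler once the admin's credentials have been verified (added example) --->
<cffunction name="issueAdminToken" access="public" returntype="string" output="false">
    <cfargument name="empID" type="numeric" required="true">
    <!--- session ID and login time as in the comment, plus a UUID so the value is unguessable --->
    <cfset var token = hash(session.sessionID & now() & createUUID(), "SHA-256")>
    <cfquery datasource="#application.dsn#">
        INSERT INTO admin_tokens (empID, token, expires)
        VALUES (<cfqueryparam value="#arguments.empID#" cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#token#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#dateAdd('h', 8, now())#" cfsqltype="cf_sql_timestamp">)
    </cfquery>
    <cfset session.adminToken = token>
    <cfreturn token>
</cffunction>

<!--- c/admin.cfc (added example): every remote method takes the token as its first argument --->
<cfcomponent output="false">

    <cffunction name="isAdminToken" access="private" returntype="boolean" output="false">
        <cfargument name="token" type="string" required="true">
        <cfset var live = "">
        <!--- the token must belong to this very session, not merely exist in the table --->
        <cfif NOT structKeyExists(session, "adminToken") OR session.adminToken NEQ arguments.token>
            <cfreturn false>
        </cfif>
        <!--- and it must still be on record and unexpired --->
        <cfquery name="live" datasource="#application.dsn#">
            SELECT empID
            FROM admin_tokens
            WHERE token   = <cfqueryparam value="#arguments.token#" cfsqltype="cf_sql_varchar">
              AND expires > <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
        </cfquery>
        <cfreturn live.recordCount EQ 1>
    </cffunction>

    <cffunction name="getResults" access="remote" returntype="query" output="false">
        <cfargument name="token" type="string" required="true">
        <cfargument name="Term" type="numeric" required="true">
        <cfargument name="Course" type="string" required="true">
        <cfset var q = "">
        <cfif NOT isAdminToken(arguments.token)>
            <cfthrow type="Security.Unauthorized" message="Admin token missing, expired or not yours">
        </cfif>
        <cfquery name="q" datasource="#application.dsn#">
            SELECT student, score
            FROM results
            WHERE term   = <cfqueryparam value="#arguments.Term#" cfsqltype="cf_sql_integer">
              AND course = <cfqueryparam value="#arguments.Course#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

Have the Flex app pass the token as the first argument on every call. Because the check runs inside the method, it also covers the ?method= URL that an authenticated non-admin could otherwise type. On logout, delete the admin_tokens row and clear session.adminToken.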

© 2022 - 2024 — McMap. All rights reserved.