XStandard Web Services And ColdFusion Security
Posted July 21, 2006 at 8:36 AM by Ben Nadel
I was having a bit of trouble with security at one point while implementing the ColdFusion web services of XStandard. XStandard calls ColdFusion (.cfm) pages for my version of the web services. Below are some examples of the web service URLs:
- <!--- Attachment library. --->
- <param
- name="AttachmentLibraryURL"
- value="#strXSDirectory#xs_attachment_library.cfm"
- />
-
- <!--- Image library. --->
- <param
- name="ImageLibraryURL"
- value="#strXSDirectory#xs_image_library.cfm"
- />
Since these go through .cfm pages, they are subject to the same security as any other page of my content management system (CMS). This is good for me, bad for XStandard. See, when XStandard calls the web service, it doesn't use the browser's current session (at least not in FireFox... I think it might in IE). To get around this, I updated my security settings to allow anonymous access to files starting with "xs_" which stands for XStandard (ie. I am not checking permissions on file access when the file name beings with "xs_").
This never made me feel good as it opened up holes in my security. I didn't think much harm could come of it, but still, not a good practice. Then the other day, it hit me like a lightening bolt!! Why not force XStandard to send the session information with the web service calls?
Think about the CFLocation tag. One of the attributes is "AddToken". The reason for this is that if you send the CFID and the CFTOKEN in a URL, the ColdFusion server will use this session information for the resultant page call. Moving this idea over to the XStandard web service calls, we get:
- <!--- Attachment library. --->
- <param
- name="AttachmentLibraryURL"
- value="#strXSDirectory#xs_attachment_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
- />
-
- <!--- Image library. --->
- <param
- name="ImageLibraryURL"
- value="#strXSDirectory#xs_image_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
- />
I am now forcing XStandard to send the current user's session information into the web service calls. Not only does this allow me to remove my security hole (because the web service pages now integrate with the user security), it allows the web services to take information from the user's session information (if it needs to) thereby, more fully integrating with the ColdFusion application.
