XStandard Web Services And ColdFusion Security

Posted July 21, 2006 at 8:36 AM by Ben Nadel

Tags: ColdFusion, XStandard WYSIWYG

I ran into a security problem while implementing the XStandard web services in ColdFusion. In my version, the web services are ColdFusion (.cfm) pages that the XStandard editor calls directly. Below are some examples of the web service URLs as they are passed to the editor:

    <!--- Attachment library. --->
    <param
        name="AttachmentLibraryURL"
        value="#strXSDirectory#xs_attachment_library.cfm"
        />

    <!--- Image library. --->
    <param
        name="ImageLibraryURL"
        value="#strXSDirectory#xs_image_library.cfm"
        />

Since these requests go through .cfm pages, they are subject to the same security as any other page of my content management system (CMS). This is good for me, bad for XStandard. When XStandard calls the web service, it does not use the browser's current session (at least not in Firefox... I think it might in IE), so the session cookies that authenticate the user never reach those pages. To get around this, I updated my security settings to allow anonymous access to files whose names start with "xs_" (for XStandard), i.e. I stopped checking permissions for any request whose file name begins with "xs_".

This never made me feel good, as it opened a hole in my security: anyone who knew the URL of an xs_ page could call the attachment and image library services without logging in. I didn't think much harm could come of it, but still, not a good practice. Then the other day, it hit me like a lightning bolt! Why not force XStandard to send the session information with the web service calls?

Think about the CFLocation tag. One of its attributes is "AddToken", which appends the current session's CFID and CFTOKEN to the redirect URL. It exists because ColdFusion will accept those two values from the query string: when a request arrives with cfid and cftoken in the URL, the server uses them to look up the session for that page call, whether or not the session cookies were sent. Moving this idea over to the XStandard web service calls, we get:

    <!--- Attachment library. --->
    <param
        name="AttachmentLibraryURL"
        value="#strXSDirectory#xs_attachment_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
        />

    <!--- Image library. --->
    <param
        name="ImageLibraryURL"
        value="#strXSDirectory#xs_image_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
        />

XStandard now sends the current user's session identifiers with every web service call. This lets me remove the security hole, because the xs_ pages run under the same session, and therefore the same permission checks, as every other page of the CMS. It also lets the web services read whatever they need from the user's session, so they integrate more fully with the ColdFusion application. Two things to keep in mind: the "xs_" exemption has to actually be deleted from the security check, otherwise the query string adds nothing; and since CFID and CFTOKEN now travel in the URL, they will appear wherever request URLs are recorded (the web server access log, for example), so those identifiers should be treated as sensitive and the session timeout kept reasonably short.
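Putting the two halves together, as an added example that is not code from the original post: an Application.cfc that drops the filename exemption and applies the same session check to every request (the old exemption is shown commented out beside it), followed by the editor page that emits the session-bound <param> URLs. The directory path, the SESSION.userID key and the 401 response are assumptions for illustration; the onRequestStart targetPage argument and SESSION.URLToken (which ColdFusion itself populates with the "CFID=...&CFTOKEN=..." pair that AddToken uses) are standard ColdFusion.

```cfml
<!--- Application.cfc (added example, not the post's own code). --->
<cfcomponent output="false">

	<cfset this.name = "MyCMS" />
	<cfset this.sessionManagement = true />
	<!--- The session IDs also travel in the XStandard URLs, so keep sessions short-lived. --->
	<cfset this.sessionTimeout = CreateTimeSpan( 0, 0, 30, 0 ) />

	<cffunction name="onRequestStart" returntype="boolean" output="false">
		<cfargument name="targetPage" type="string" required="true" />

		<!---
			BEFORE (the hole described above): any file whose name starts with
			"xs_" skipped the permission check entirely, so the attachment and
			image library services were reachable without logging in.

			<cfif Left( GetFileFromPath( ARGUMENTS.targetPage ), 3 ) EQ "xs_">
				<cfreturn true />
			</cfif>
		--->

		<!---
			AFTER: no filename-based exemption. Because the XStandard <param> URLs
			carry CFID/CFTOKEN, the xs_ pages see the same SESSION scope as the rest
			of the CMS and pass through this check like every other page.
			SESSION.userID is an assumed key set by the CMS login code.
		--->
		<cfif NOT StructKeyExists( SESSION, "userID" ) OR NOT IsNumeric( SESSION.userID )>
			<cfheader statuscode="401" statustext="Unauthorized" />
			<cfabort />
		</cfif>

		<cfreturn true />
	</cffunction>

</cfcomponent>


<!--- editor.cfm: embedding the XStandard editor (added example). --->
<!--- Assumed location of the xs_ service pages. --->
<cfset strXSDirectory = "/xstandard/" />

<cfoutput>
	<!---
		SESSION.URLToken is ColdFusion's own "CFID=...&CFTOKEN=..." string,
		the same value CFLocation appends when AddToken is true.
	--->
	<param
		name="AttachmentLibraryURL"
		value="#strXSDirectory#xs_attachment_library.cfm?#SESSION.URLToken#"
		/>

	<param
		name="ImageLibraryURL"
		value="#strXSDirectory#xs_image_library.cfm?#SESSION.URLToken#"
		/>
</cfoutput>
```

With the exemption gone, a request to an xs_ page that arrives without valid CFID/CFTOKEN values (or with values for a session that has no logged-in user) is rejected in onRequestStart before the service code runs, which is the behaviour the filename whitelist had been bypassing.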
