XStandard Web Services And ColdFusion Security

Posted July 21, 2006 at 8:36 AM by Ben Nadel

Tags: ColdFusion, XStandard WYSIWYG

I was having a bit of trouble with security at one point while implementing the ColdFusion web services for XStandard. XStandard calls ColdFusion (.cfm) pages for my version of the web services. Below are some examples of the web service URLs, as set in the editor's <param> tags:

```cfml
<!--- The #...# expressions only resolve inside a cfoutput block. strXSDirectory holds the web path to the XStandard directory. --->
<cfoutput>
    <!--- Attachment library. --->
    <param
        name="AttachmentLibraryURL"
        value="#strXSDirectory#xs_attachment_library.cfm"
        />

    <!--- Image library. --->
    <param
        name="ImageLibraryURL"
        value="#strXSDirectory#xs_image_library.cfm"
        />
</cfoutput>
```

Since these go through .cfm pages, they are subject to the same security checks as any other page of my content management system (CMS). This is good for me, bad for XStandard. See, when XStandard calls the web service, it doesn't use the browser's current session (at least not in Firefox... I think it might in IE), so the request arrives without the session cookies and fails the permission check. To get around this, I updated my security settings to allow anonymous access to files starting with "xs_", which stands for XStandard (i.e. I am not checking permissions on file access when the file name begins with "xs_").

This never made me feel good, as it opened a hole in my security: anyone who could reach an "xs_" URL could call the attachment and image libraries without logging in. I didn't think much harm could come of it, but still, not a good practice. Then the other day, it hit me like a lightning bolt!! Why not force XStandard to send the session information with the web service calls?

Think about the CFLocation tag. One of its attributes is "AddToken". ColdFusion identifies a session by the CFID/CFTOKEN pair, which it normally reads from cookies; AddToken appends that pair to the redirect URL because ColdFusion will also accept it as URL parameters and associate the resulting request with the same session. Moving this idea over to the XStandard web service calls, we get:

```cfml
<!--- Same params as before, now carrying the current user's session identifiers. Must sit inside a cfoutput block. --->
<cfoutput>
    <!--- Attachment library. --->
    <param
        name="AttachmentLibraryURL"
        value="#strXSDirectory#xs_attachment_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
        />

    <!--- Image library. --->
    <param
        name="ImageLibraryURL"
        value="#strXSDirectory#xs_image_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
        />
</cfoutput>
```

I am now forcing XStandard to send the current user's session information with the web service calls. Not only does this allow me to remove my security hole (because the web service pages now integrate with the user security and the "xs_" exemption can go away), it allows the web services to read from the user's session (if they need to), thereby integrating more fully with the ColdFusion application. The trade-off is that the session identifiers are now embedded in the page source and in the request URLs, where they can end up in web server logs and Referer headers, so they need the same care as the session cookie itself (serve the CMS over HTTPS, and don't let those pages link out to untrusted sites).
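As an added example (not code from the original post or from Ben Nadel's CMS), here is the kind of request guard an Application.cfm could run once XStandard sends CFID/CFTOKEN, with the "xs_" file-name exemption removed, followed by a fragment of a library page that uses the session. It assumes hypothetical names: SESSION.UserID, set by the CMS login; login.cfm as the login page; and, in the library fragment, a datasource "cms" with an image table that has a user_id column.

```cfml
<!---
    Application.cfm (added example, not the original post's code). Runs on
    every request, including XStandard's web service calls. Assumed names:
    SESSION.UserID is set by the CMS login; login.cfm is the login page.
--->

<!--- Session management must be on for CFID/CFTOKEN to resolve to a SESSION scope. --->
<cfapplication
    name="cms_example"
    sessionmanagement="true"
    setclientcookies="true"
    sessiontimeout="#CreateTimeSpan( 0, 0, 30, 0 )#"
    />

<!--- Default the login marker so the check below never throws on a fresh session. --->
<cfparam name="SESSION.UserID" type="numeric" default="0" />

<!---
    There is deliberately no "xs_" file-name exemption here. Because XStandard
    now appends cfid/cftoken to its library URLs, ColdFusion has already
    attached the editing user's session to this request, so the XStandard
    pages are held to the same check as every other page in the CMS.
--->
<cfif NOT SESSION.UserID>
    <cfset strScriptName = ListLast( CGI.SCRIPT_NAME, "/" ) />
    <cfif Left( strScriptName, 3 ) EQ "xs_">
        <!---
            An unauthenticated web service call gets a 403 rather than a
            redirect: XStandard expects a library response, not the login page.
        --->
        <cfheader statuscode="403" statustext="Forbidden" />
        <cfabort />
    <cfelse>
        <cflocation url="login.cfm" addtoken="false" />
    </cfif>
</cfif>


<!---
    xs_image_library.cfm (fragment). With the session available, the library
    can be scoped to the current user. Assumed and hypothetical: datasource
    "cms" and an "image" table with a user_id column. The bound parameter keeps
    the session value out of the SQL text.
--->
<cfquery name="qImages" datasource="cms">
    SELECT
        id,
        file_name,
        alt_text
    FROM
        image
    WHERE
        user_id = <cfqueryparam value="#SESSION.UserID#" cfsqltype="cf_sql_integer" />
    ORDER BY
        file_name
</cfquery>
```

The guard only works as intended because the cfid/cftoken pair in the URL is resolved by ColdFusion before Application.cfm runs; if the editor page is served without session management enabled, SESSION.CFID and SESSION.CFTOKEN don't exist and the params above can't be built in the first place.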
