4 Replies - 4119 Views - Last Post: 27 January 2011 - 10:53 AM

#1 cyndi104

ColdFusion Web Service Security

Posted 27 January 2011 - 08:06 AM

Morning all.

I have been asked to do a web service and they want only our own servers to be able to get to this web service. The question I have is: using the web service security in the Administrator, it asks for the IP addresses. Is this each customer's IP address or the IP address of the server that is calling it?

If this is the customer's IP address then it won't work for me. Anyone have any other suggestions?

Thanks in advance for your help.

Cyndi


Replies To: ColdFusion Web Service Security

#2 Craig328

Re: ColdFusion Web Service Security

Posted 27 January 2011 - 08:32 AM

Cyndi, welcome to D.I.C.!

I have to say, when you mentioned the Administrator asking for an IP address for "web service security" I had to scratch my head a moment and then go open up my local CF admin to see what you were referring to. I'm still not 100% clear on where you might be in the CF admin where it's prompting you for IP addresses for web service access. The closest I could come was the "Allowed IP Addresses" under security...but those are to restrict access to CF's exposed services like the mail service or the document service or PDF service. Web services wouldn't be affected by that I would think (although since I've never deployed a site with those secured, I'm not entirely sure).

In general, the web service stub you build is exposed to the outside world for pretty much any regular HTTP request. I suppose you CAN set up the web service in a folder and then, using your server OS tools, restrict HTTP access to the contents in that folder to a certain IP address range. However, as you probably know, this isn't 100% foolproof as the incoming CGI variables for a user's requesting IP addy can be spoofed.

If you're using CFOBJECT to create your web service you can specify a username, password and port setting and that should secure it as well as or better than assigning it. Since web services can be built as a component method, you can specify in the cffunction that you build to require the invoking service to pass the IP address and then within the function itself you'd compare that to your allowed IPs or an IP range and then handle the pass/fail internally.

What version of CF are you using and if the above doesn't help out enough, if you could tell us a little more about the web service and how you plan to use it, we can probably help.

Good luck!

#3 cyndi104

Re: ColdFusion Web Service Security

Posted 27 January 2011 - 08:39 AM

Thank you, Craig. You are right that I was looking at the exposed services; I didn't realize that was referring to ColdFusion's built-in services.

I have thought about sending in the cgi.server_name, but as you said that can be spoofed and I am not comfortable with that.

With the username and password, how can I pull those from the web service so that I can bounce that off the database, which would be perfectly fine for what I am doing? Instead of validating it is coming from the server I would be validating that it is someone who is authorized to be on our server. We are not using ColdFusion Login; we are using our own. I was thinking that passing in the username/password to the service was if you were using the ColdFusion Login.

Thanks again for your help.

Cyndi

#4 Craig328

Re: ColdFusion Web Service Security

Posted 27 January 2011 - 09:23 AM

If you look in the CF admin under Web Services, you'll see where you can register your web service. You'll notice that you need to provide the WSDL URL to your web service and you have the option of specifying a username and password to it. This would be to secure access to the web service object on your server and someone who wanted to use your web service would need to know not only the WSDL URL (to get to your web service) but also the username and password. If you don't want to do this in the CF admin, you can also do it via the CFOBJECT tag (in the argstruct parameter).

If you're accessing a remote web service via CF you'd use the CFHTTP or CFINVOKE tags to do so and either one gives you the ability to pass a valid username and password so you can get to them. In the case of CFINVOKE you'll want to look at syntax 3 as shown here for an example. Once you have access to the web service object then you pass in the method you're needing and any additional parameters that that method requires. It's there that you can have each method specify an additional security value (password, secret key number, etc) that would be passed in as an attribute and then you'd handle verification and pass/fail within the method itself if you want.

#5 cyndi104

Re: ColdFusion Web Service Security

Posted 27 January 2011 - 10:53 AM

Okay, I understand the username/password when calling the web service. But how do I make the web service require a username/password? Going through the Administrator under web service is for when you call the web service, the username/password to get to that web service, not your web service that you created.

Cyndi

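An added example, not part of any post in this thread and not the posters' code: one way a remote CFC method can itself require a username/password and check the caller, as discussed in posts #2 to #5. The component, method, datasource (`appDSN`), table and column names and the allowlisted addresses are all hypothetical; the source address is read from `cgi.remote_addr` on the server rather than taken from an argument the caller supplies, and the table is assumed to hold salted SHA-256 hashes as produced by `hash()`.

```cfml
<!--- SecureService.cfc (hypothetical name): added example, not the posters' code --->
<cfcomponent output="false">

    <!--- Assumption: addresses of "our own servers"; constructed sample values --->
    <cfset variables.allowedIPs = "192.0.2.10,192.0.2.11">

    <cffunction name="getOrderStatus" access="remote" returntype="string" output="false">
        <cfargument name="username" type="string"  required="true">
        <cfargument name="password" type="string"  required="true">
        <cfargument name="orderId"  type="numeric" required="true">

        <cfset var qUser = "">

        <!--- Source address as seen by this server, never a value passed in by the caller --->
        <cfif NOT listFind(variables.allowedIPs, cgi.remote_addr)>
            <cfthrow type="Service.Denied" message="Access denied">
        </cfif>

        <!--- Look the account up in our own login table (hypothetical schema);
              cfqueryparam binds the value so it cannot alter the SQL --->
        <cfquery name="qUser" datasource="appDSN">
            SELECT password_hash, password_salt
            FROM   service_users
            WHERE  username = <cfqueryparam value="#arguments.username#"
                                            cfsqltype="cf_sql_varchar" maxlength="64">
            AND    active = 1
        </cfquery>

        <!--- Same error for an unknown user and a wrong password.
              Assumes password_hash stores the uppercase hex that hash() returns;
              substitute the scheme your own login system already uses. --->
        <cfif qUser.recordCount NEQ 1
              OR compare(qUser.password_hash,
                         hash(qUser.password_salt & arguments.password, "SHA-256")) NEQ 0>
            <cfthrow type="Service.Denied" message="Access denied">
        </cfif>

        <!--- Caller is authenticated: the real work of the method goes here --->
        <cfreturn "Order #arguments.orderId#: shipped">
    </cffunction>

</cfcomponent>
```

Because the credentials travel in every request, the service URL should only be reachable over HTTPS.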