
Re: Protecting remote CFCs from unauthorized access

Subject: Re: Protecting remote CFCs from unauthorized access
From: "samunplugged" <webforumsuser@xxxxxxxxxxxxxx>
Date: Thu, 5 Jun 2008 11:27:13 +0000 (UTC)
Newsgroups: macromedia.coldfusion.flash_integration

One of my tasks involved publishing a secured web service to be consumed by any 
client/platform. The best and most secure way, and you'll agree that this is what 
Amazon and Google use as well, is to assign every client an 
application-id and security-key. 

And here's how the client should make requests:
1. SoapHeaders or HTTP_Cookie is sent with every request. The information it will 
   contain is an encrypted text (token) and the client id. The header or cookie 
   will appear something like this:
   applicationid=3456&token=wJDKD93o34%^&*$2de4390
2. Encryption is done by the client using the security-key provided by the 
   server. The text which is encrypted must contain a datetime. An example of the 
   plain text could be: myMethod\20080612
3. The security-key itself is never transferred over the network.
4. At the server side, the token header value is decrypted using the key for 
   that applicationid (pick it up from the server).
5. The server checks if, after decryption of the token, the datetime is in the 
   proper format and the methodName is the same as the method called. If this is 
   true, the client is authenticated.


In simple words, go on encrypting any client variable before sending it to the 
server. If the server can decrypt it and finds the expected string, respond, or 
else throw a security error.

Why you must also allow access using HTTP_COOKIE is that you don't want to 
write your own WSDL files. ColdFusion cannot generate a WSDL which can tell 
consumers what SoapHeaders your service is expecting. Not allowing cookie-based 
authentication will eventually lead to a situation where .NET developers 
won't be able to consume your service. It's impossible for most .NET pros to 
write code to send custom SOAP headers - there is so much dependency on Visual 
Studio web service code stubs.

 Sam
 Adobe Certified Flash and Adv. ColdFusion Developer
 http://www.samunplugged.com 
 Mumbai users, join other Mumbai CF enthusiasts: 
http://in.groups.yahoo.com/group/cfexpress/
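The token scheme in Sam's steps 1 to 5 above, worked through in Go as an added example (not code from the post, from ColdFusion or from any of the products named): the client encrypts method\YYYYMMDD under its security key, the server picks the key by applicationid, decrypts, and checks that the method in the token is the one actually called. AES-GCM as the cipher, the in-memory key store and the rule that the date must be today's are assumptions the post does not make.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed demo key store: applicationid -> 32-byte security key (never sent over the wire).
var keys = map[string][]byte{"3456": []byte("0123456789abcdef0123456789abcdef")}
// newGCM wraps a security key in AES-GCM; the concrete cipher is an assumption, not from the post.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// makeToken is the client side: encrypt "method\YYYYMMDD" under the client's security key.
func makeToken(key []byte, method string, day time.Time) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	plain := []byte(method + `\` + day.UTC().Format("20060102"))
	return base64.URLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}
// verifyToken is the server side: key lookup by applicationid, decrypt, check datetime and method.
func verifyToken(appID, token, calledMethod string, now time.Time) error {
	key, ok := keys[appID]
	ct, err := base64.URLEncoding.DecodeString(token)
	gcm, gerr := newGCM(key) // a nil key (unknown applicationid) is rejected by aes.NewCipher
	if !ok || err != nil || gerr != nil || len(ct) < gcm.NonceSize() {
		return errors.New("unknown applicationid or malformed token")
	}
	plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil { return errors.New("token does not decrypt under this client's key") }
	parts := strings.SplitN(string(plain), `\`, 2)
	if len(parts) != 2 || parts[0] != calledMethod { return errors.New("token method does not match the method called") }
	// Assumed freshness rule (not in the post): the date must be today's (UTC), which also fixes its format.
	if parts[1] != now.UTC().Format("20060102") { return errors.New("token datetime stale or malformed") }
	return nil
}

func main() {
	tok, _ := makeToken(keys["3456"], "myMethod", time.Now())
	fmt.Println("verify:", verifyToken("3456", tok, "myMethod", time.Now())) // verify: <nil>
}
```

A token that decrypts but names a different method, carries another day's date, or belongs to an unknown applicationid is refused before the CFC method runs.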

