secure webservice

Guest
Apr 09, 2008

How to secure webservice? I tried using the ColdFusion administrator. I mean when I register the webservice I put in a userid and password. But it doesn't work. Is there any other way to secure it?

Advisor
Apr 09, 2008

The user and password in the CFIDE administrator are used for accessing web services which require basic authentication.

To secure web services you are publishing you should rely on the authentication mechanisms (such as basic authentication or Windows authentication) supported by your web server (IIS or Apache). See your web server's documentation or Chapter 48 of the ColdFusion Developer's Guide under the topic "Securing your web services". Note that basic authentication is the most commonly supported type and can be used by Windows and *nix systems.

http://livedocs.adobe.com/coldfusion/8/cf8_devguide.pdf

Guest
Apr 11, 2008

But if someone is calling my webservice then how can I pass userid and password? Because they are not using ColdFusion. Let's say they are using .NET, how can they pass the userid and password, which I am passing in cfinvoke?

Advisor
Apr 11, 2008

Basic authentication is platform agnostic. A .NET program could authenticate by using a NetworkCredential object to create an HTTP request that has the authentication information.

NetworkCredential class (.NET)
http://msdn2.microsoft.com/en-us/library/system.net.networkcredential.aspx

Example of consuming web services in .NET, includes basic authentication using NetworkCredential object
http://authors.aspalliance.com/QuickStart/aspplus/default.aspx?url=/quickstart/aspplus/doc/secureser...

Overview of basic authentication
http://en.wikipedia.org/wiki/Basic_authentication
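
What "platform agnostic" means on the wire, as an added example that is not from the thread: whatever client is used (cfinvoke's username and password attributes, a .NET NetworkCredential), the credentials travel as one HTTP Authorization header, sketched here in Python with a constructed account and hypothetical function names. The value is only base64-encoded, not encrypted, so the service should be reachable over HTTPS only.

```python
import base64
import binascii
import hmac

# Constructed sample account; a real service would query its own user store.
SAMPLE_USERS = {"wsclient": "correct horse battery staple"}


def basic_auth_header(username: str, password: str) -> str:
    """Client side: the Authorization value any HTTP client sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header_value):
    """Server side: return (username, password), or None if the header is unusable."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def is_authorized(header_value, users=SAMPLE_USERS) -> bool:
    """Reject malformed headers; compare the password in constant time."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    username, password = creds
    expected = users.get(username, "")
    match = hmac.compare_digest(password.encode(), expected.encode())
    return match and username in users


def status_for(headers: dict) -> int:
    """401 asks the caller to retry with credentials; 200 lets the SOAP call run."""
    return 200 if is_authorized(headers.get("Authorization")) else 401
```
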

Explorer
Apr 12, 2008

Hi,
As of now, we do not have native methods to secure Webservices. One thing you can do is to pass the userid and password as parameters and then validate that in each of the functions inside the CFC.

-Prasanth

Guest
Apr 17, 2008

So you mean if I pass userid and password in cfinvoke, that counts as basic authentication? I think in order to pass them in cfinvoke I have to set it up on the Linux server and create a userid and password for that webservice and use it in cfinvoke.

If I am wrong, do you have any example of setting up basic authentication and using it in ColdFusion?

thanks

Advisor
Apr 17, 2008

quote:

Originally posted by: Nick201
So you mean if I pass userid and password in cfinvoke, that counts as basic authentication? I think in order to pass them in cfinvoke I have to set it up on the Linux server and create a userid and password for that webservice and use it in cfinvoke.

If I am wrong, do you have any example of setting up basic authentication and using it in ColdFusion?

thanks

See this article for a discussion of securing web services.
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=webservices_22.html

To set up authentication for your web service you have two options:

1. Configure basic authentication for your web site according to your web server's documentation.
This is probably your best bet for making your services available to other platforms such as .NET.

2. Use cflogin in your Application.cfc. I have not used this in production, so I'm not sure if it is cross-platform or for ColdFusion requests only.

LEGEND
Apr 12, 2008

quote:

Originally posted by: Nick201
How to secure webservice? I tried using the ColdFusion administrator. I mean when I register the webservice I put in a userid and password. But it doesn't work. Is there any other way to secure it?

Secure it against what?

Guest
Apr 18, 2008

How can I use this code in ColdFusion for web security?

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AuthHeader xmlns="http://tempuri.org/">
      <UserName>jeff</UserName>
      <Password>imbatman</Password>
    </AuthHeader>
  </soap:Header>
  <soap:Body>
    <GetQuote xmlns="http://tempuri.org/">
      <symbol>msft</symbol>
    </GetQuote>
  </soap:Body>
</soap:Envelope>

Advisor
Apr 18, 2008

Take a look at some of the SOAP related functions such as AddSOAPRequestHeader and GetSOAPResponseHeader

http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions-pt0_21.html#3468770

Guest
Apr 18, 2008

What do I have to do for basic authentication? I am new to webservice.
Also, how to use cflogin for webservice? Any good example? Thanks

Advisor
Apr 18, 2008

quote:

Originally posted by: Nick201
What do I have to do for basic authentication? I am new to webservice.
Also, how to use cflogin for webservice? Any good example? Thanks


Nick201,

Please clarify your question. Do you wish to protect a web service you are using with basic authentication or do you wish to consume a web service that requires basic authentication? To add basic authentication to your own server you will need to consult your web server's documentation. An authenticated user's login information will be included in the CGI variable scope. To consume a web service protected by basic authentication use the username and password attributes of cfinvoke when calling the service.

An example of using cflogin can be found on livedocs; basic authentication is also covered.
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=webservices_22.html

Guest
Apr 18, 2008

Basically, I want to secure my webservice so no one can access it without providing userid and password. I also would like to know where I specify this userid and password so I can access this webservice and return a value.

Thanks

Explorer
May 30, 2008

Nick,
As I have suggested before, give user name and password arguments for the functions that you require. When the web service is called, you can check the database for the valid combination and return the data accordingly.

-Prasanth

New Here
Jun 02, 2008

Nick,

I have just finished a project with similar requirement. The problem here is that it appears almost impossible to specify soap-headers you want to accept in your WSDL.

If I am not wrong, thats what the problem you are facing?
