Why *can* I hit my remote CFC?
Hello list,

I'm running a Flex application locally (served from localhost) and connect to a remoting gateway on a remote server. My CFC on that remote server has a function which looks like this:

    <cffunction name="getRoles" access="public" returntype="Query">
        <cfquery name="roles" datasource="mydsn">
            SELECT * FROM roles
        </cfquery>
        <cfreturn #roles#>
    </cffunction>

Note access is set to public, which according to the docs makes this function available 'to a locally executing page or component method'. Why then can my SWF running under localhost connect and retrieve the recordset just fine?

I know I should be happy that I can hit it (took me long enough to configure SSL remoting...) but I want to secure my application now.

thanks,
Stefan

SWF runs on the client, which is not local to the server. Change access to remote.

Stefan Richter wrote:
----- Excess quoted text cut - see Original Post for more -----

--
Jeffry Houser
Flex, ColdFusion, AIR
AIM: Reboog711 | Phone: 1-203-379-0773
--
Adobe Community Expert <http://www.adobe.com/communities/experts/members/JeffryHouser.html>
My Company: <http://www.dot-com-it.com>
My Podcast: <http://www.theflexshow.com>
My Blog: <http://www.jeffryhouser.com>

Sorry I don't understand (more of a Flash/Flex person than CF). 'Public' appears to be more locked down than 'remote' so if I can connect to the CFC while it's marked public then why should I need to change it to remote?
Regards,
Stefan

On 14 Feb 2008, at 17:03, Jeffry Houser wrote:
----- Excess quoted text cut - see Original Post for more -----

I am guilty of not reading closely. ;)

Yes, public is [supposed to be] more locked down than remote. From reading other posts, the behavior you expect to see is what I'd also expect to see. I'm not sure why you can access a CFC method named "public" from a Flex swf.

Stefan Richter wrote:
----- Excess quoted text cut - see Original Post for more -----

--
Jeffry Houser
Flex, ColdFusion, AIR
AIM: Reboog711 | Phone: 1-203-379-0773
--
Adobe Community Expert <http://www.adobe.com/communities/experts/members/JeffryHouser.html>
My Company: <http://www.dot-com-it.com>
My Podcast: <http://www.theflexshow.com>
My Blog: <http://www.jeffryhouser.com>

check on the server the 'method-access-level' in the ColdFusion destination. It should be only 'remote' and not 'public and remote'.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

Here's an extract

    <method-access-level>remote</method-access-level>

Given the fact that I can hit a CFC marked as public from a remote location, what does that tell me? Have I overlooked something? Does the crossdomain.xml play a role? Here is mine:

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*" secure="false"/>
    </cross-domain-policy>

Regards,
Stefan

On 14 Feb 2008, at 17:09, João_Fernandes wrote:
----- Excess quoted text cut - see Original Post for more -----

I've never tried to have a Flex SWF use a CFC on a different server than that which it was served from, though I know it's possible. What I suspect you have to do is create a local copy of the services-config.xml file and point your Flex app to it in the compiler properties with the -services flag in FB and then compile it.
In this local version you'd hardcode these entries in services-config {server.name}:{server.port}{context.root} with your remote server info.

I do know that this method-access-level has nothing to do with remotely accessing your CFC. From the services-config file we have

    <!-- allow "public and remote" or just "remote" methods to be invoked -->
    <method-access-level>remote</method-access-level>

Assuming the notation there from Adobe is correct, I believe it to be, this tells remoting what access level of methods in your CFCs it can access. Keep in mind that changing a CFC's method access to remote publishes WSDL for it and makes it available via webservices, not so secure by default, hence the need for public access only. This describes how Flash remoting accesses your CFC method NOT how your SWF accesses your CFC. Recall that your SWF does not access any CFC directly, eh? Rather the access to a CFC is via remoting or WSDL. (or a proxy cfm page for REST)

You should also check this setting in services-config

    <!-- Use the ColdFusion mappings to find CFCs, by default only CFC files under your webroot can be found. -->
    <use-mappings>false</use-mappings>

If you are using mappings to access CFCs not under your webroot, this needs to be true.

Some resources on what you are trying to do are:
http://weblogs.macromedia.com/lin/archives/2007/01/how_to_access_c.cfm

DK

On Thu, Feb 14, 2008 at 2:14 PM, Stefan Richter <stefan@flashcomguru.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Stefan, if the access level is set to remote only, you shouldn't be able to invoke public functions at all. Are you sure you are targeting that component and not some other that might have the access="remote" somewhere else?

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

Hello João,

I think you may be mistaken. Remote access *includes* public access according to the docs.

# public: available to a locally executing page or component method.
# remote: available to a locally or remotely executing page or component method, or a remote client through a URL, Flash, or a web service.

Note also that this is specified on a function level and not on a component. All my functions are marked as public, not remote (which is why I am confused, I don't think I should be able to invoke them from a SWF running and served from localhost when the CFC is hosted on another domain on the net).

Cheers
Stefan

On 14 Feb 2008, at 20:03, João_Fernandes wrote:
----- Excess quoted text cut - see Original Post for more -----

Stefan,

I'm still a Flex newbie but if I understand correctly the reason you have access to public methods is because you are using the flash remoting gateway. The gateway is remotely accessible by your flex program but it invokes your ColdFusion components as if the request were coming from another component on the server.

I could be mistaken. It's happened at least once that I can remember.

David Henry
http://ColdFusionPowered.com/

Stefan Richter wrote:
----- Excess quoted text cut - see Original Post for more -----

Ah yes. Now that would make sense.

Cheers
Stefan

On 14 Feb 2008, at 20:49, David Henry wrote:
----- Excess quoted text cut - see Original Post for more -----

Stefan,

this is weird because Adobe always spread the word to use access="remote" to have Flex clients invoking CFCs (through remoting). If accessing public functions was a feature for remoting since it would invoke as local context, why would they put the access level in the first place?

Also, it would be really bad that all public functions from all cfcs could be invoked through remoting.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

yeah I agree but it seems to be that way. Note that you need to enable Remoting in the first place though in CF admin (it may be enabled by default, I am not sure). Basically it can be turned off.
And I think you also need the crossdomain.xml in place which I have wide open right now. It can be limited by domain.

I find it very hard to find information on securing CFCs and Flex apps. The next step in my project will involve securing the CFCs to authorised/logged in users. I know I need to look at session management but I'm still quite clueless as to what I need to do at that front...

Cheers
Stefan

On 14 Feb 2008, at 21:35, João_Fernandes wrote:
----- Excess quoted text cut - see Original Post for more -----

On Thu, Feb 14, 2008 at 4:48 PM, Stefan Richter <stefan@flashcomguru.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

There's a bit of info out there on how folks do this. The key to keep in mind is RemoteObject calls run over HTTP. Since they are made from the browser housing your Flex SWF, these calls are really no different than a call to say myPage.cfm from the browser. These calls pass all cookies back and forth and all. So, your cfsessionid goes along for the ride.

DK

----- Excess quoted text cut - see Original Post for more -----

2008/2/14 João_Fernandes <joaopedromartinsfernandes@gmail.com>:
> Stefan,
>
> this is weird because Adobe always spread the word to use
> access="remote" to have Flex clients invoking CFCs (through remoting).
> If accessing public functions was a feature for remoting since it would
> invoke as local context, why would they put the access level in the
> first place?

See my earlier response, access="remote" != remoting here. For the typical setup of Flex SWF served on same server as CF lives, I never set any of the 100+ CFC methods to access="remote", not one, and it all worked fine via RemoteObject.

>
> Also, it would be really bad that all public functions from all cfcs
> could be invoked through remoting.

why? The CrossDomain policy file is used to restrict access to remoting on your domain.
DK

----- Excess quoted text cut - see Original Post for more -----

Douglas you might be correct but I don't understand why they set the access level in the Destination configuration:

From the remoting-config.xml

    <!-- define the resolution rules and access level of the cfc being invoked -->
    <!-- allow "public and remote" or just "remote" methods to be invoked -->

As I understand it, it should only allow remote methods to be invoked. So why to put that in there if all public methods accessible? And what 'remote' does then?

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

Hello,

João_Fernandes wrote:
> So why to put that in there if all public methods accessible? And what 'remote' does then?
>

There seems to be some confusion about what end is being talked about Flex or ColdFusion. With a ColdFusion CFC the definitions mean:

private: only available to other functions within the same CFC
public: available to any calling CF entity in the same website/domain
remote: available as a web service to any http caller

Flash Remoting gateway is a CF-specific engine to allow Flash to talk directly to a CFC. The CFC thinks it is being called from a local CF template. So if you connect from a Flex application using the default Flash Remoting the CFCs can be seen if they are set to "public". If you connect as a web service then "public" CFCs cannot be seen, they have to be set to "remote".

From a security perspective this means that you have to have appropriate security in your public CFCs as well as your remote CFCs if they can be called from a Flash Remoting Gateway.

Does that make sense?

--
Kym Kovan, Technical Support,
mort bay communications
tech@mbcomms.net.au
+61.2 9559 2629

Kym I understand that but why then there is that parameter (method-access-level) in the ColdFusion Remoting definition if all public methods are available anyway?
---------------------------------------------------------------------------------------------------------
<properties>
    <source>*</source>
    <!-- define the resolution rules and access level of the cfc being invoked -->
    <access>
        <!-- Use the ColdFusion mappings to find CFCs, by default only CFC files under your webroot can be found. -->
        <use-mappings>false</use-mappings>
        <!-- allow "public and remote" or just "remote" methods to be invoked -->
        <method-access-level>remote</method-access-level>
    </access>
---------------------------------------------------------------------------------------------------------

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

I guess

    <method-access-level>remote</method-access-level>

in this case means public *and* remote. I may be wrong but that's how I understand it. Since my CFC is set to public access and my services-config states remote I can access both CFCs marked as remote and public.

Someone please correct me if I am wrong.

Cheers
Stefan

On 14 Feb 2008, at 23:39, João_Fernandes wrote:
----- Excess quoted text cut - see Original Post for more -----

Stefan,

to have both accessible the value should be 'public and remote'.

I had feedback from Adobe staff and this is really a bug, no public method should be accessible through remoting unless you set the method-access-level to 'public and remote'.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

As Kym explained, public works as expected on the cffunction level. A SWF via Remoting appears to execute CFC functions in the public scope so that's fine.

I also don't think you can set the access to 'public and remote', and there's no need for that either if remote indeed includes public. I could be wrong.

Basically if 'remote' does *not* include 'public' then it probably is a bug as I can access public methods fine via Remoting while I set method-access-level to 'remote'.
If 'remote' includes public in the way that cffunction's access property includes it then it works as expected. But that's just my interpretation.

Anyone got a direct line to the CF team at Adobe?

Stefan

On 15 Feb 2008, at 08:55, João_Fernandes wrote:
----- Excess quoted text cut - see Original Post for more -----

Stefan, I did contact the CF Staff and they confirmed that's a bug. When using 'remote' (default value) it will only let flex invoke remote methods through the remoting gateway. Setting it to 'public and remote' you will be able to invoke both public and remote methods.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

Hi João,

thanks for clarifying.

Cheers
Stefan

On 15 Feb 2008, at 09:40, João_Fernandes wrote:
----- Excess quoted text cut - see Original Post for more -----

> See my earlier response, access="remote" != remoting here. For the
> typical setup of Flex SWF served on same server as CF lives, I never set any
> of the 100+ CFC methods to access="remote", not one, and it all worked fine
> via RemoteObject.

Isn't that because your CF server is configured to allow public and remote classes to be exposed. see services-config.xml

    <!-- allow "public and remote" or just "remote" methods to be invoked -->
    <method-access-level>remote</method-access-level>

This is how you restrict flex remoting calls to "remote" methods only.

The thing that bothered *me* about the default setup (above, including the comment) is that it allows any remote methods to be called as a web service. I prefer to use access="remote" so people can't call my CFCs via HTTP calls directly.

--
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind the scenes video at www.myspace.com/brianvanderark

Hi Rick,

I think we may have confirmation that

> <method-access-level>remote</method-access-level>

allows remote AND public methods to be called.
Case in hand, my server lets me call methods marked as public via Remoting while my services file is set to remote only.

Lastly, if you mark your functions as remote I *can* hit them via HTTP. Tell me the URL of your CFC and I'll show you.

In my case (functions marked public and services config marked remote) I cannot hit my CFC remotely. Check this:
https://secure.muchosmedia.com/brainwaveadministrator/cfc/brainwave.cfc?wsdl&method=getusers

So can we confirm that there's a bug somewhere? Or am I still not understanding this correctly?

Regards,
Stefan

On 15 Feb 2008, at 23:50, Rick Root wrote:
----- Excess quoted text cut - see Original Post for more -----

Stefan,

in a general way, functions with <cffunction access="remote" can be accessed by HTTP (wsdl, remoting etc); those with <cffunction access="public" can only be accessed by the server itself (some cfc or cfm).

Now regarding Flash Remoting only where <method-access-level> is the key, when you set the value to 'remote', you should **only** be able to invoke methods with <cffunction access="remote" and when setting this value to 'public and remote' you should be able to invoke **both** function types.

The bug is, right now, even with <method-access-level>remote</method-access-level> you are able to invoke public methods when you shouldn't be able to.

Once again, this only concerns flash remoting.

João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org

Now I get it for sure :-)

Cheers
Stefan

On 16 Feb 2008, at 09:44, João_Fernandes wrote:
----- Excess quoted text cut - see Original Post for more -----

> Hi Rick,
----- Excess quoted text cut - see Original Post for more -----

that *DOES* seem like a bug to me.

> Lastly, if you mark your functions as remote I *can* hit them via
> HTTP. Tell me the URL of your CFC and I'll show you.

I know that. You don't have to prove it to me. The whole purpose of "remote" is really for web-services anyway.
I think the only way to prevent "remote" cfc methods to be called via http is to put them outside your web root...

rick

> I know that. You don't have to prove it to me. The whole purpose of
> "remote" is really for web-services anyway.

I only mentioned it because you stated:
I prefer to use access="remote" so people can't call my CFCs via HTTP calls directly.

Cheers
Stefan

> > I know that. You don't have to prove it to me. The whole purpose of
> > "remote" is really for web-services anyway.
>
> I only mentioned it because you stated:
> I prefer to use access="remote" so people can't call my
> CFCs via HTTP calls directly.

Here's what I said:

> The thing that bothered *me* about the default setup (above, including
> the comment) is that it allows any remote methods to be called as a
> web service. I prefer to use access="remote" so people can't call my
> CFCs via HTTP calls directly.

Clearly my second sentence is in conflict with my first. What I meant is that I'd prefer to use "access=public" to prevent people from being able to call my CFCs via HTTP. But a suitable solution would be to just move them outside the web root. Of course, in order to do that (via mappings) you have to enable that feature in the remoting config

    <!-- Use the ColdFusion mappings to find CFCs, by default only CFC files under your webroot can be found. -->
    <use-mappings>false</use-mappings>

Sorry for confusion in my statement.

Rick

--
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind the scenes video at www.myspace.com/brianvanderark

Stefan,

besides all these CFC issues/topics, the other piece of the puzzle on this thread was just discussed with closure on our local Flex UG list in Atlanta. You can see the posts here
http://www.mail-archive.com/discussion%40affug.com/msg00688.html
It talks of using Fluorine, but the idea is the same.
HTH

DK

On Mon, Feb 18, 2008 at 1:56 PM, Rick Root <rick.root@webworksllc.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Thanks for the info. I got to agree with Syd in that other thread, things seem to have gotten much more complex when it comes to Remoting. It was a lot easier in Flash (and I always used CF for Remoting). And why does the 'old fashioned' way seem to be deprecated? Is it just to support AMF3?

I think this stuff still works:

    var nc:NetConnection = new NetConnection();
    nc.objectEncoding = flash.net.ObjectEncoding.AMF0;
    nc.addEventListener(NetStatusEvent.NET_STATUS, onConnectionStatus);
    nc.addEventListener(IOErrorEvent.IO_ERROR, onConnectionError);
    nc.addEventListener(SecurityErrorEvent.SECURITY_ERROR, netSecurityError);
    nc.connect("http://localhost:8500");
    var responder:Responder = new Responder(ongetNameResult, ongetNameError);
    nc.call("cfc.flex.getname", responder);

To me that's much easier to follow. And no messing with XML and destinations. Heck, I even set up a secure destination and got it to work - but only because someone gave me good advice, I dread to think how long it would have taken otherwise.

I guess my point is this: Adobe needs to make this simpler.

Stefan

On 22 Feb 2008, at 21:49, Douglas Knudsen wrote:
----- Excess quoted text cut - see Original Post for more -----
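
Added example, not part of any post in this thread and not Adobe's code: a small Python audit of the two files the thread quotes, the remoting destination <properties> block and crossdomain.xml. The XML samples are constructed from the extracts above, the finding codes and app.example.com are made up for illustration, and the reading of each setting follows the config comments and replies quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the extracts quoted in the thread.
REMOTING_PROPERTIES = """<properties>
  <source>*</source>
  <access>
    <use-mappings>false</use-mappings>
    <method-access-level>remote</method-access-level>
  </access>
</properties>"""

CROSSDOMAIN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Hypothetical tightened policy; app.example.com is a placeholder host.
CROSSDOMAIN_TIGHT = """<cross-domain-policy>
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>"""


def _text(node, path):
    """Stripped, lower-cased text of a child element, or '' if absent."""
    return (node.findtext(path) or "").strip().lower()


def audit_remoting(xml_text):
    """Return (code, message) findings for a remoting <properties> block."""
    props = ET.fromstring(xml_text)
    findings = []
    if _text(props, "source") == "*":
        findings.append(("SOURCE_WILDCARD",
                         "destination is not pinned to a single CFC"))
    if _text(props, "access/method-access-level") == "public and remote":
        findings.append(("PUBLIC_EXPOSED",
                         'access="public" methods are invocable via remoting'))
    else:
        # The thread reports public methods being reachable even with
        # "remote", so the setting alone is never treated as sufficient.
        findings.append(("VERIFY_REMOTE_ONLY",
                         "test that public methods are rejected; "
                         "authorise the caller inside each method"))
    if _text(props, "access/use-mappings") == "true":
        findings.append(("MAPPINGS_ENABLED",
                         "CFCs outside the webroot resolve through mappings"))
    return findings


def audit_crossdomain(xml_text):
    """Return (code, message) findings for a Flash cross-domain policy."""
    policy = ET.fromstring(xml_text)
    findings = []
    for rule in policy.iter("allow-access-from"):
        if rule.get("domain", "") == "*":
            findings.append(("XDOMAIN_WILDCARD",
                             "SWFs served from any domain may call this host"))
        # secure defaults to true; false admits SWFs loaded over plain HTTP.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("XDOMAIN_INSECURE",
                             "HTTP-loaded SWFs may reach this HTTPS host"))
    return findings


if __name__ == "__main__":
    for name, result in (("remoting", audit_remoting(REMOTING_PROPERTIES)),
                         ("crossdomain", audit_crossdomain(CROSSDOMAIN))):
        for code, message in result:
            print(f"{name}: {code}: {message}")
```

A clean crossdomain.xml result only covers Flash Player clients; the remoting finding stays open until the public CFC methods themselves check the caller's session, which is the point Kym makes above.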