Flash Remoting Security.. with CFMX
I have some questions for anyone who has handled selective access to CFCs. And yes, I have read up on remoting, as well as from the Macromedia site "Securing Access to Cold Fusion from Flash Remoting MX".
This is the process as I understand it:
1. The Flash movie sends a userid and password to the remote host (in this case a ColdFusion server that holds my CFC as well as an application.cfm) as well as the call for whatever function it needs results from.
2. The application.cfm captures the userid and password and performs some authentication process (obviously designed by the developer). At that point, if the login to the db (where we store the userid and password) is successful, the cfloginuser tag executes and gives the user certain rights based upon their profile.
3. The CFC loads, and when the cffunction tag being called attempts to execute, it checks the rights of the user to see if they match the logged-in user's.
4. If the user has been authenticated, the function executes normally; if not, it sends an error to Flash, which can be viewed, which states "Current user was not authorized to invoke this method".
This is what I don't understand:
1. What exactly does ColdFusion see when it gets the header information from Flash (i.e., name and scope of passed params)? I have a feeling that I am not referring correctly to the object in my application.cfm code, which is why it does not authenticate the user.
My code is below.
My flash movie does the following:
gatewayConnnection = NetServices.createGatewayConnection();
TrackIT= gatewayConnnection.getService("devCenter.TrackIT", this);
My application.cfm does the following:
<cfif cflogin.name eq "bob">
<cfloginuser name="#cflogin.userid#" password="#cflogin.password#" roles="admin">
My CFC does the following:
<cffunction name="getLoginList" access="remote" returnType="query" roles="admin">
<cfquery name="get_Employees" datasource="TrackIT">
Select Distinct(Request) from Tasks
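
For reference on the question of what ColdFusion sees: credentials sent by Flash Remoting arrive in the cflogin structure, which is defined only inside a cflogin tag and has the keys name and password. The following Application.cfm is an added example, not the poster's code; the Users table, its columns, the included securityUdfs.cfm and the verifyPassword() UDF are hypothetical, and it assumes the movie calls setCredentials() on the gateway connection before calling the service.

```cfml
<!--- Application.cfm: added example, not the poster's code.
      Datasource "TrackIT" is from the post; the Users table, its columns and
      verifyPassword() (a UDF in the included file) are hypothetical. --->
<cfapplication name="TrackIT" sessionmanagement="yes">
<cfinclude template="securityUdfs.cfm">

<!--- Flash side (assumed): gatewayConnnection.setCredentials(user, pass) is
      called before the service call; otherwise no credentials are sent. --->
<cflogin>
  <!--- The body of cflogin runs only when no user is logged in yet.
        The cflogin structure is defined only if the request carried
        credentials; its keys are name and password. --->
  <cfif isDefined("cflogin") and len(trim(cflogin.name)) and len(cflogin.password)>
    <!--- cfqueryparam binds the client-supplied name instead of
          concatenating it into the SQL text. --->
    <cfquery name="qUser" datasource="TrackIT">
      SELECT userid, password_hash, roles
      FROM Users
      WHERE userid = <cfqueryparam value="#cflogin.name#"
                                   cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <cfif qUser.recordCount eq 1
          and verifyPassword(cflogin.password, qUser.password_hash)>
      <!--- Roles come from the server-side record, never from the client. --->
      <cfloginuser name="#qUser.userid#"
                   password="#cflogin.password#"
                   roles="#qUser.roles#">
    <cfelse>
      <!--- Fail closed: no cfloginuser, so roles="admin" on the
            cffunction rejects the call. Log the failure for review. --->
      <cflog file="TrackIT_auth" type="warning"
             text="Remoting login failed for #left(cflogin.name, 64)# from #cgi.remote_addr#">
    </cfif>
  </cfif>
</cflogin>
```

When no credentials arrive or verification fails, no user is logged in, so a cffunction declared with roles="admin" returns the "Current user was not authorized to invoke this method" error to Flash.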