Question

I have a web-site written in ColdFusion that contains both the usual interactive web pages and some tasks run through the CF scheduler. The dir layout is

/
/app
/scheduledTasks

I'd like the tasks to be able to use all the same settings, etc. created in the application.cfc inside of /app so I'd like to move that entire /scheduledTasks directory into /app. The problem is that that application.cfc uses the cflogin mechanism and my own log in form. The CF scheduler only lets you supply a username and password for HTTP Basic authentication. The scheduled tasks will never get past that. How can I resolve this or is there a better approach to begin with?

I've wondered about looking at some CGI variable in my application.cfc's OnRequestStart such as the user agent, the remote IP, and/or a magic value in the URL params and if all are there, bypass security since I "know" it's CF's scheduler on the other end. This isn't great security but it may be acceptable.

I've also wondered about creating a new application.cfc in my root that the application.cfc in /app inherits from. I'd leave the tasks where they are and put a new application.cfc there as well that inherits common stuff from the root. This increases complexity though and I've had issues when trying to access the CFCs inside of /app/cfcs from /scheduledTasks.

Has anyone had a similar problem and solved it?


Solution

Leave the scheduled tasks in their own folder, like you currently have it, off the root of the site.

Create an application.cfc in the scheduletasks folder that extends the one in the apps directory, like so:

<cfcomponent extends="/.apps/application">

Overload the onRequestStart method and put in your authentication, like so:

<cffunction name="onRequestStart" returntype="void" access="public" output="false">
    <cfargument name="targetPage" type="any" required="true">
    <cfif not structkeyexists(url, "access") or not url.access eq application.ApplicationName>
        <cflocation url="/" addtoken="false">
    </cfif>
</cffunction>

This is VERY basic security but will get the job done. Customize to your liking.

OTHER TIPS

Offhand, I would create a custom role for the scheduled application. Then, in your main application, automatically apply it when the request comes from the local server.

ColdFusion scheduled tasks pass in certain data in the CGI information including:

HTTP_USER_AGENT=CFSCHEDULE

Now HTTP_USER_AGENT is fakeable so the next question is to determine how secure you need access to the folder. Do you only want CF to run these tasks? Or do you want to run them from outside as well? Just your computer? Etc. Once that is determined you can code for it and rip747's solution is a good one so I'm not going to suggest anything else! ;)

I will just check that the request comes from a local IP (if you are running the schedule on the same server...). Another (I believe better) solution is what I normally do to allow web services or monitoring routines to be used externally and without login:

In your application.cfc, in the onApplicationStart method, put something like:

<!--- List of Directories Excluded from Login --->
<cfset application.ExcludedLoginDirs = "/monitoring/registration/wservices/">   

Then in your onSessionStart (or whatever method you use to prevent unauthorized access and redirect to login):

<!--- Find current directory --->
<cfset currentDir = listgetAt("-," & cgi.Script_Name, listLen("-," & cgi.script_Name, "/")-1, "/")>

<!--- Exclude LOGIN if user authenticated or Directory Excluded --->
<!--- In this code, I FORCE login if user is NOT authenticated AND directory is NOT excluded --->
<cfif Val(session.User_ID) EQ 0 AND ListFind(application.ExcludedLoginDirs, currentDir, "/") EQ 0>
      <!--- ............Login.......... --->
</cfif>

etc.......

Some advantages of this method are: 1. If the caller software does not implement cookies and maintain session state, it works. 2. If the caller software DOES maintain session, access is granted to protected pages by passing cfid & cftoken in the call URL. 3. It is very flexible and needs no maintenance other than eventually adding a new directory and DESTROYING THE APPLICATION... (I use

<cfif isDefined("url.destroyApp")>
     <cfset reinit = this.onApplicationStart()>
</cfif> 

on the onRequestStart method and

<cfset StructClear(application)>

as my first line in the onApplicationStart method.)

Hope it helps!
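
An added example, not code from any of the answers above: a /scheduledTasks/Application.cfc whose onRequestStart combines the shared-secret and local-IP ideas discussed on this page and fails closed. The `app.Application` extends path, the `SCHEDULED_TASK_TOKEN` environment variable and the `scheduledTasks` log file name are assumptions; the `access` URL parameter is the one used in the Solution.

```cfml
<!--- Added example: /scheduledTasks/Application.cfc. The extends path, the
      SCHEDULED_TASK_TOKEN variable and the log file name are assumptions. --->
<cfcomponent extends="app.Application" output="false">

    <!--- Replaces the parent's onRequestStart, so the cflogin check there is
          skipped and this gate is the only protection for the task pages. --->
    <cffunction name="onRequestStart" returntype="void" access="public" output="false">
        <cfargument name="targetPage" type="any" required="true">

        <!--- The secret comes from the server environment, not from a
              guessable value such as the application name. --->
        <cfset var expected = createObject("java", "java.lang.System").getenv("SCHEDULED_TASK_TOKEN")>
        <cfset var supplied = structKeyExists(url, "access") ? url.access : "">
        <cfset var allowed = false>

        <!--- The scheduler calls over HTTP from the same machine. If a reverse
              proxy on this host fronts the site, every request looks like
              loopback and this check adds nothing. --->
        <cfset var isLocal = listFind("127.0.0.1,::1,0:0:0:0:0:0:0:1", cgi.remote_addr) GT 0>

        <!--- Fail closed when the secret is unset or empty. --->
        <cfif isLocal AND NOT isNull(expected) AND len(expected) AND len(supplied)>
            <!--- Constant-time comparison of the two tokens. --->
            <cfset allowed = createObject("java", "java.security.MessageDigest").isEqual(
                charsetDecode(supplied, "utf-8"), charsetDecode(expected, "utf-8"))>
        </cfif>

        <cfif NOT allowed>
            <!--- Log the denial (never the supplied token), answer 403 and
                  stop instead of redirecting to the site root. --->
            <cflog file="scheduledTasks" type="warning"
                   text="Denied task request from #cgi.remote_addr# for #arguments.targetPage#">
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>
    </cffunction>

</cfcomponent>
```

Because the token travels in the query string of the scheduled task URL, it also appears in web server access logs, so treat those logs as sensitive and rotate the token if they are shared.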

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow