Monday, February 24, 2003

How to Stop Requiring the RDS Password for CFC Exploring

Would you be interested in enabling folks to browse your CFC documentation without needing to know the RDS or Admin password for your server in order to do so? You can. It just takes one of a couple of undocumented steps.

You may know that you can view the documentation for a CFC by browsing it, but Macromedia designed that feature to require the server's RDS or Administrator password in order to do so. That's unacceptable on some servers, since those passwords grant far more access than just browsing CFCs. But you can change things so that either no password is expected at all (which may not be desirable either), a password of your choosing is required just for browsing CFCs, or some other username/password pair of your choosing is required.

To allow browsing without any password at all, you can simply rename the Application.cfm file in the directory where the CFC Explorer is stored: \CFusionMX\wwwroot\CFIDE\componentutils. (You don't directly execute code in this directory, but when you browse a CFC it is where CF runs the CFCExplorer on your behalf.) By renaming that directory's Application.cfm, for instance to xApplication.cfm, the code in that directory will no longer expect the RDS or Admin password. (Some have asserted that another solution is to simply disable the RDS password entirely, but that's throwing the baby out with the bathwater, since it will expose your server to being used by features in tools like ColdFusion Studio, HomeSite+, and Dreamweaver MX which use RDS to access databases, files, and more on the server.)

But while renaming the Application.cfm means no password at all is required to browse CFCs, some may worry that exposing their CFC documentation to just anyone is an equally unacceptable security risk.

Another alternative is to replace the Application.cfm with one that does some other form of authentication of your own choosing. Many have written their own security processing in Application.cfm, so feel free to roll your own. If you'd like one written just for this purpose, I've provided it here. Feel free to copy and paste it into a new Application.cfm (again, after renaming the current one in the CFIDE\componentutils directory). There are quite a few comments, with only about 30 lines of actual code:

<!--- Application.cfm that can be used to replace that in \CFusionMX\wwwroot\CFIDE\componentutils\ so that the developers don't require the Admin or RDS password in order to explore CFCs. Instead, they will be prompted for a password that you can define in this program. See the line below, which expects the password to be "getcfc" by default:

    <cfif form.password is not "getcfc">

You'll want to change that to some password that you prefer to use for browsing CFCs. You could also switch the code to prompt for both a username and password and then do a lookup in a database instead.

To implement this, rename the Application.cfm that's currently in the \CFusionMX\wwwroot\CFIDE\componentutils\ directory, and save this one there.

Then tell your developers to use whatever password you choose to implement for browsing CFCs. This change will have no other effect on the functioning of features that leverage the RDS password. It only overrides the password needed for browsing CFCs.

Note also that this is set up to allow logins to last for an hour (which you can change with the IDLETIMEOUT on CFLOGIN), and it supports a logout, which you can remove if you'd like by taking out the first 4 and the last 7 lines of code below.
--->


<!--- if they clicked logout button, log them out --->
<cfif isdefined("form.logout")>
    <cflogout>
</cfif>

<cffunction name="dologin">
    Please Login:
    <form method="post">
    Password: <input type="Password" name="password"><br>
    <input type="Submit" value="Login" name="login">
    </form>
</cffunction>

<!--- set login to allow up to an hour of idleness before timing out, and use a unique applicationtoken so as not to conflict with any others --->
<cflogin applicationtoken="cfcexplore" idletimeout="3600">
    <!--- if here, user is not yet logged in. if not responding to username/password prompt, show them login form --->
    <cfif not isdefined("form.Login")>
        <!--- call the dologin function defined above --->
        <cfscript>dologin();</cfscript>
        <cfabort>
    <cfelse>
        <!--- validate username/password here --->

        <cfif form.password is not "getcfc">
            Invalid password. Try again.
            <!--- call the dologin function defined above --->
            <cfscript>dologin();</cfscript>
            <cfabort>
        </cfif>
        <!--- if valid username/password, log them in--->
        <cfloginuser name="cfcexplorer" password="#form.password#" roles="">
    </cfif>
</cflogin>

<!--- if they're logged in, give them a logout button.
      getauthuser() returns the empty string if not logged in --->
<cfif getauthuser() is not "">
    <form method="post">
    <input type="submit" name="logout" value="Logout">
    </form>
</cfif>

The comments explain that it expects a password of "getcfc", and how you can change it, even to use a query to test usernames and passwords instead if desired. Hope you find it helpful.
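Since the post mentions switching the code to prompt for both a username and password and then doing a lookup in a database, here is an added example of that variant of Application.cfm. It is not part of the original post; the datasource name "cfcusers", the table "cfc_browsers" and its columns "username" and "password_hash" are assumptions. The stored value is assumed to be the MD5 hex of the password, because MD5 is the only algorithm hash() offers on ColdFusion MX 6; on a later release you would pass a stronger algorithm to hash(). The point it adds to the post's version is that the submitted username goes through cfqueryparam rather than being spliced into the SQL, and the plaintext password is never stored or compared directly.

```cfml
<!--- Added example (not from the original post): Application.cfm for
      \CFusionMX\wwwroot\CFIDE\componentutils\ that checks a username and
      password against a database instead of a single fixed password.
      Assumed names: datasource "cfcusers", table "cfc_browsers" with
      columns username and password_hash (MD5 hex of the password). --->

<!--- if they clicked the logout button, log them out --->
<cfif isdefined("form.logout")>
    <cflogout>
</cfif>

<cffunction name="dologin">
    Please Login:
    <form method="post">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Login" name="login">
    </form>
</cffunction>

<!--- same one-hour idle timeout and unique applicationtoken as the post's version --->
<cflogin applicationtoken="cfcexplore" idletimeout="3600">
    <cfif not isdefined("form.login") or not isdefined("form.username") or not isdefined("form.password")>
        <!--- not yet logged in and not answering the prompt: show the form --->
        <cfscript>dologin();</cfscript>
        <cfabort>
    <cfelse>
        <!--- parameterized lookup: the typed username is bound as a value,
              never concatenated into the SQL string --->
        <cfquery name="getUser" datasource="cfcusers">
            SELECT username, password_hash
            FROM   cfc_browsers
            WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <!--- exactly one row must match, and the hash of what was typed must
              equal the stored hash. "is not" compares case-insensitively, so
              the case of the stored hex does not matter --->
        <cfif getUser.recordcount neq 1 or getUser.password_hash is not hash(form.password)>
            <!--- same message for unknown user and wrong password, so the
                  response does not reveal which usernames exist --->
            Invalid username or password. Try again.
            <cfscript>dologin();</cfscript>
            <cfabort>
        </cfif>

        <!--- valid: log them in under the name from the database, with a role
              you can check elsewhere with isUserInRole() if you extend this --->
        <cfloginuser name="#getUser.username#" password="#form.password#" roles="cfcbrowser">
    </cfif>
</cflogin>

<!--- if they're logged in, give them a logout button --->
<cfif getauthuser() is not "">
    <form method="post">
    <input type="submit" name="logout" value="Logout">
    </form>
</cfif>
```

As with the post's version, this only changes what is required to browse CFCs; RDS itself and the Administrator password are untouched. Populate cfc_browsers with hash() output rather than plaintext, and keep the datasource limited to SELECT on that table.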
