Is it possible to secure a ColdFusion 11 REST service with HTTP BASIC authentication?

I am creating a simple REST service in ColdFusion 11. The web server is IIS 8.5 on Windows Server 2012R2.

This REST service must be secured to prevent unauthorized users from accessing the data. There will only be one authorized user for now, so I want to keep the authentication / authorization as simple as possible. My initial thought is to use HTTP BASIC Authentication.

Here's the REST service setup:

Source Directory: C:\web\site1\remoteapi\
REST Path: Inventory

To implement this, I configured the source directory of the REST service in IIS to allow only one user, disable anonymous authentication, and enable basic authentication.

When I call the source directory directly in the browser (i.e. http://site1/remoteapi/inventory.cfc?method=read), I am presented with a basic authentication dialog.

However, when I try to request a REST path (http://site1/rest/inventory/) I am not challenged at all.

How can I implement HTTP BASIC authentication on a REST path?

1 answer


So, out of the need to do this without too much delay, I went ahead and used some of the principles from Ben Nadel's site and wrote my own authentication in the onRequestStart() method of the REST service's Application.cfc. Here's the basic code, although it uses hard-coded values in the VARIABLES scope to validate the username and password, and doesn't contain any actual authorization settings:

public boolean function onRequestStart(required string targetPage) {
    LOCAL.Response = SUPER.onRequestStart(ARGUMENTS.targetpage);

    // No Authorization header at all: challenge the client
    if (!StructKeyExists(GetHTTPRequestData().Headers, "Authorization")) {
        cfheader(
            name="WWW-Authenticate",
            value="Basic realm=""REST API Access"""
            );

        LOCAL.RESTResponse = {
            status = 401,
            content = {Message = "Unauthorized"}
            };

        restSetResponse(LOCAL.RESTResponse);
    }
    else {
        LOCAL.IsAuthenticated = true;

        // Second token of "Basic <base64>"
        LOCAL.EncodedCredentials =
            GetToken( GetHTTPRequestData().Headers.Authorization, 2, " " );

        // Credential string is not Base64
        if (!ArrayLen(
                REMatch(
                    "^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$",
                    LOCAL.EncodedCredentials
                    )
                )
            ) {
            LOCAL.IsAuthenticated = false;
        }
        else {
            // Convert Base64 to String ("username:password")
            LOCAL.Credentials =
                ToString(ToBinary( LOCAL.EncodedCredentials ));

            // Note: GetToken treats every ":" as a delimiter, so a password
            // that itself contains ":" is cut off at its first colon
            LOCAL.Username = GetToken( LOCAL.Credentials, 1, ":" );
            LOCAL.Password = GetToken( LOCAL.Credentials, 2, ":" );

            // Compare() is case-sensitive; CFML's != / NEQ on strings are not,
            // so they would accept "SECRET" for the password "secret"
            if (   Compare( LOCAL.Username, VARIABLES.CREDENTIALS.Username ) != 0
                || Compare( LOCAL.Password, VARIABLES.CREDENTIALS.Password ) != 0
                ) {
                LOCAL.IsAuthenticated = false;
            }
        }

        if (!LOCAL.IsAuthenticated) {
            // Separate struct so the boolean LOCAL.Response (the declared
            // return type of this function) is not overwritten
            LOCAL.RESTResponse = {
                status = 403,
                content = {Message = "Forbidden"}
                };

            restSetResponse(LOCAL.RESTResponse);
        }
    }

    return LOCAL.Response;
}

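A hardened version of the same onRequestStart() gate, written here as an added example rather than the answer's own code: it decodes the header with BinaryDecode instead of a regex pre-check, splits the decoded string on the first colon only (so a password may contain ":"), compares both fields byte-wise and case-sensitively, and re-challenges with 401 on bad as well as missing credentials. VARIABLES.CREDENTIALS is assumed to be populated elsewhere (e.g. in onApplicationStart) and secureEquals is a hypothetical helper name; CFML's == and NEQ compare strings case-insensitively, which is why neither is used for the credential check.

```cfml
// Added example (not the answer's code): Basic-auth gate for a CF11 REST Application.cfc.
// Assumes VARIABLES.CREDENTIALS = { Username = "...", Password = "..." } is set elsewhere.
public boolean function onRequestStart(required string targetPage) {
    var headers = GetHTTPRequestData().Headers;
    var authorized = false;

    // Expect exactly "Authorization: Basic <base64>" (scheme name is case-insensitive)
    if (StructKeyExists(headers, "Authorization")
        && ListLen(headers.Authorization, " ") == 2
        && CompareNoCase(ListFirst(headers.Authorization, " "), "Basic") == 0) {

        var credentials = "";
        try {
            // BinaryDecode throws on malformed Base64, so no regex check is needed
            credentials = ToString(BinaryDecode(ListLast(headers.Authorization, " "), "Base64"));
        } catch (any e) {
            credentials = "";   // undecodable input is treated as no credentials
        }

        // Split on the FIRST colon only: the user-id cannot contain ':' but the password can
        var sep = Find(":", credentials);
        if (sep > 1) {
            var username = Left(credentials, sep - 1);
            var password = (sep < Len(credentials))
                ? Mid(credentials, sep + 1, Len(credentials) - sep) : "";
            // Both comparisons always run, so timing does not reveal which field was wrong
            var userOk = secureEquals(username, VARIABLES.CREDENTIALS.Username);
            var passOk = secureEquals(password, VARIABLES.CREDENTIALS.Password);
            authorized = userOk && passOk;
        }
    }

    if (!authorized) {
        // Same generic 401 + challenge for missing, malformed and wrong credentials
        cfheader(name="WWW-Authenticate", value="Basic realm=""REST API Access""");
        restSetResponse({ status = 401, content = { Message = "Unauthorized" } });
        return false;   // stop here; the REST handler is never invoked for this request
    }
    return true;
}

// Byte-wise, case-sensitive comparison that does not stop at the first mismatching byte
// (java.security.MessageDigest.isEqual), unlike CFML's == / NEQ on strings.
private boolean function secureEquals(required string a, required string b) {
    var md = createObject("java", "java.security.MessageDigest");
    return md.isEqual(ARGUMENTS.a.getBytes("UTF-8"), ARGUMENTS.b.getBytes("UTF-8"));
}
```

Because the REST path is served by ColdFusion rather than by the IIS directory the question locks down, this check is what actually protects http://site1/rest/inventory/; the IIS basic-auth setting on the source directory only covers direct .cfc requests.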