Web Services Security

Although several competing standards for handling security within the web services framework are under development, as of this writing there is no accepted standard. That said, there are existing technologies you can use to secure access to your web services. ColdFusion supports web service security in two ways, at the web server level and using ColdFusion’s built-in security framework.

Securing Access Using HTTP Basic Authentication

At the web-server level, you can protect a web service using HTTP Basic Authentication. This is done by restricting access to the directory containing the CFC you want to expose as a web service. For more information on using HTTP Basic Authentication, see Chapter 8, as well as the documentation for your particular web server.

For web services that restrict access based on HTTP Basic Authentication, you can provide a username and password to pass along with the call to the web service in the cfinvoke tag or by registering the web service in the ColdFusion Administrator:

<cfinvoke webservice="http://www.example.com/addressLookup.wsdl"
  <cfinvokeargument name="userID" value="pmoney">

The username and password values are Base64-encoded and passed as username : password in the authorization header to the target server.

Securing Access Using ColdFusion’s Built-in Security Framework

You can control access to your web services at a much more granular level ...

Get Programming ColdFusion MX, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.