Submit Your Article
Home Articles News Tutorials Videos Add An Article
Topics: Design Photoshop Programming PHP CSS Java Database Web Development Javascript Ajax
– Close + Open

Find Out More About DevWebPro!

Sign up for the newsletter


» Terms & Conditions

Welcome to the New DevWebPro!

DevWebPro Includes:
  Hundreds Of Tutorials   Developer News
  Unique Gadget Videos   Tons of Topics to Discuss
  Expert Advice   We Will Publish Your Articles

Restricting CFAJAXProxy To Certain Methods

By: Raymond Camden
Friday, October 19th, 2007
Text: Decrease Font Size Increase Font Size | Print Print Article | Share: Delicious Digg StumbleUpon Post to Twitter Post to Facebook

A user asked this about the cfajaxproxy tag:

Any way around CFAJAXProxy exposing all remote component functions to JavaScript? To elaborate, I have a component with x remote functions. A particular page call requires only one of these remote functions. I’d like CFAJAXproxy to expose only the required functions.

When I first read this – I was a bit confused. Why expose a method as remote if you didn’t want it – well – remote? Turns out he was using one CFC for his public facing site as well as his Admin.

So the short answer is that there is no way to tell cfajaxproxy to just expose certain methods. The long answer is that there are multiple ways around this.

First off – don’t forget that when your browser makes an Ajax-based call, it is just like a “normal” call. This means the Ajax call shares your session. So if your CFC methods had session based security of some type, or roles-based security, then you need not worry.

The other possibly way to handle this is to take all those methods and make them access=”public” instead of remote. Then build a public facing CFC that has access to the CFC methods it needs. Another CFC would then handle accessing the other methods. You still need to secure the methods though. Do not assume that someone won’t guess at the location of the admin CFC.

But at least with the second method – you have one core CFC with the logic – and your “proxy” cfcs simply handle security and handling off the calls to the core CFC.

By the way, the user said he suggested to Adobe that they extend the cfajaxproxy to support this. Here is what he suggested:

<cfajaxproxy cfc="cfc.widgets" jsclassname="widgetFactory" exposeTheseMethods="Widget1,Widget2,Widget3" OmitTheseMethods="SecretWidget">

I’m not so sure I like this. It may give you a false sense of security. If secretwidget was method=”remote”, then you still have a possible security hole if someone can guess at the method name.

And lastly – I still say cfajaxproxy is the coolest tag in ColdFusion since cfdump. Anyone using it in production yet?

Topics: ,

About the Author:
Raymond Camden, ray@camdenfamily.com http://ray.camdenfamily.com Raymond Camden is Vice President of Technology for roundpeg, Inc. A long time ColdFusion user, Raymond has worked on numerous ColdFusion books and is the creator of many of the most popular ColdFusion community web sites. He is an Adobe Community Expert, user group manager, and the proud father of three little bundles of joy.
DevWebPro » WebMasterFree.com CSSJuice.com Code-Sucks.com MySpaceAntics.com FreeMacWare.com FreeMacBlog.com
Small Business
Videos | Top News | Blog Talk
Expert Articles | Directories
E-Business
Videos | Top News | Blog Talk
Expert Articles | Directories | WebProWorld
Information Technology
IT Directory | IT Resources | SecurityProNews
Videos | Advertise | About Us | Newsletter
2549 Richmond Road Second Floor Lexington, KY 40509 | Phone: (859) 514-2720 | Fax: (859) 219-9065
Newsletter Archive | RSS Feeds | Terms & Conditions
DevWebPro is an iEntry Network ® publication - © 1998-2010 All Rights Reserved