ColdFusion: How to secure a webservice CFC used with AJAX

Tags: coldfusion, coldfusion-8, cfml

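I have a CFC file with remote access enabled that I use to perform various admin tasks, such as adding/removing image records from a database. Calls to this CFC are made via AJAX from custom JavaScript on my admin pages. I put the CFC in a directory that I thought was secure, but after running into problems with images disappearing on their own, I found that it is not secure at all.

I want to secure the CFC. I already use a session-based security CFC for the admin pages; its protect method is called every time an admin page is requested, and it redirects the user if authentication fails. Can I use this on my CFC? If so, what is the best way to implement it? If not, how should I implement security on it?

Here is a sample of my CFC: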

<cfcomponent
  name="test"
  displayname="test"
  output="false"
  hint="test"
>

<!--- pseudo constructor --->
<cfscript>
    variables.propertyImageDAO = CreateObject("component","cfcs.dataobjects.property_imageDAO").init(APPLICATION.dsn);
    variables.propertyImageGateway = CreateObject("component","cfcs.dataobjects.property_imageGateway").init(APPLICATION.dsn);
</cfscript>

<!--- constructor --->
<cffunction name="init" access="public" output="false" returntype="any"
        hint="Constructor for this CFC">

    <!--- return this CFC --->
    <cfreturn this />
</cffunction>

<!--- CRUD methods (create, read, update, delete) --->
<!--- CREATE: inserts a new property_image into the database --->
<cffunction name="createRecord" access="remote" output="true" 
        hint="Creates a new property_image record and returns a struct containing a boolean (success) indicating the success or
        failure of the operation, an id (id), and a string (message) containing a message"
        >

    <cfargument name="name" type="any" required="false" default="" />
    <cfargument name="alt" type="any" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        var propertyImageBean = CreateObject("component","cfcs.beans.property_image").init(
            '',
            arguments.name,
            arguments.alt
        );
        results = propertyImageDAO.createRecord(propertyImageBean);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>
<!--- READ: reads a property_image from the database and populates the property_image object --->
<cffunction name="readRecord" access="remote" output="true" returntype="void"
   hint="Reads property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        propertyImageBean = CreateObject("component","cfcs.beans.property_image");
        propertyImageBean.setid(arguments.id);
        propertyImageDAO.readRecord(propertyImageBean);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(propertyImageBean)#</cfoutput>
</cffunction>
<!--- DELETE: deletes a property_image from the database by id --->
<cffunction name="deleteRecord" access="remote" output="true" returntype="void"
   hint="Deletes a property_image record from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB record --->
    <cfscript>
        results = propertyImageDAO.deleteRecordById(arguments.id);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   
<!--- DELETERECORDS: deletes a property_image from the database --->
<cffunction name="deleteRecords" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageIdList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteRecordsByIdList(arguments.imageIdList);
    </cfscript>
    <!--- delete files --->

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   
<!--- DELETERECORDBYID: deletes a single property_image from the database by id --->
<cffunction name="deleteRecordById" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteRecordById(arguments.id);
    </cfscript>
    <!--- delete files --->

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction> 
<!--- DELETERECORDSBYIDLIST: deletes the property_image records whose ids are in the list --->
<cffunction name="deleteRecordsByIdList" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageIdList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteRecordsByIdList(arguments.imageIdList);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   

<cffunction name="deleteImagesByNameList" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageNameList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteImagesByNameList(arguments.imageNameList);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   

<!--- READ: reads a property_image from the database and populates the property_image object --->
<cffunction name="getByIdList" access="remote" output="true" returntype="void"
   hint="Reads property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageIdList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        qGetByIdList = propertyImageGateway.getByIdList(arguments.imageIdList);
    </cfscript>

    <!--- convert into JSON friendly format --->
    <cfif qGetByIdList.recordCount GT 0>
      <cfset images = ArrayNew(1)>
      <cfloop query="qGetByIdList" startRow="1" endRow="#qGetByIdList.recordCount#">
          <cfscript>
              // create image struct and assign values
              image = StructNew();
              image.id = id;
              image.name = name;
              image.alt = alt;
              // append to JSON response
              ArrayAppend(images,image);
          </cfscript>
      </cfloop>
      <cfset results.images = images>
    </cfif>
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>
<!--- UPDATE: updates an existing property_image in the database --->
<cffunction name="updateRecord" access="remote" output="true" returntype="void"
   hint="Updates property_image data in the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />
    <cfargument name="name" type="any" required="true" />
    <cfargument name="alt" type="any" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        propertyImageBean = CreateObject("component","cfcs.beans.property_image").init(
            arguments.id,
            arguments.name,
            arguments.alt
        );
        results = propertyImageDAO.updateRecord(propertyImageBean);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>

</cfcomponent>


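Why not use a session token every time you make an AJAX call?

Put the authentication logic (validating the session) in the remote facade or, if you are using any MVC framework, in the controller layer.

If session validation fails, return an appropriate HTTP status code (e.g. 403) so that the front-end code can react appropriately.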

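To enforce the authentication logic, you should wrap all remote CFC calls with this logic in Application.cfc.

Unfortunately, you are using CF8, so you cannot use Application.cfc's onCFCRequest method to easily wrap all remote requests. But you can do the same thing in onRequestStart by checking whether the target page ends with '.cfc'.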

<cffunction name="onRequestStart">
    <cfargument name="targetPage">
    <cfif right(targetPage, 4) eq '.cfc'>
        <!--- Perform authentication check --->
        <cfif not loggedIn>
            <!--- Return "unauthorized" to the client --->
            <cfheader statuscode="401"> 
            <cfabort>
        </cfif>
    </cfif>
</cffunction>


Then, in your Ajax fail handler, check for the 401 status code and show the user a message indicating that they need to log in.

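The code you posted is irrelevant.

@Henry I included the CFC so that people know what I am trying to secure; why is it irrelevant?

Thanks @imthepitts, this looks like exactly what I need. Where should I put the Application.cfc? In the CFCs folder?

Thanks. Can you tell me more details about how this works?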
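The client side of what the two answers describe, as an added example that is not part of the original thread: it decides on the 401/403 status before touching the body, and treats a non-JSON 200 (what a redirect-style protect method produces once the browser silently follows the redirect to a login page) as a failure rather than data. `CFC_URL`, the `kind` labels and `callCfc` are assumptions; `deleteRecordById` and its `id` argument come from the CFC in the question.

```javascript
// Added example: client-side handling for the 401/403 the answers describe.
// ASSUMPTIONS (not on the page): CFC_URL, the "kind" labels, and callCfc().
const CFC_URL = "/admin/cfcs/propertyImage.cfc"; // hypothetical path

// Build the remote-method URL; ColdFusion dispatches on ?method=<name>.
function buildCfcUrl(method, args) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(method)) {
    throw new Error("invalid method name");
  }
  const qs = new URLSearchParams({ method });
  for (const [k, v] of Object.entries(args || {})) qs.append(k, String(v));
  return CFC_URL + "?" + qs.toString();
}

// Classify a response. Auth failures are decided on the status code alone,
// before the body is parsed, so an empty or HTML body is never treated as data.
function interpretCfcResponse(status, bodyText) {
  if (status === 401 || status === 403) {
    return { kind: "auth", message: "Your session has expired. Please log in again." };
  }
  if (status < 200 || status >= 300) {
    return { kind: "error", message: "Request failed with HTTP " + status };
  }
  try {
    // The CFC writes its JSON with cfoutput, so trim surrounding whitespace.
    return { kind: "ok", data: JSON.parse(String(bodyText).trim()) };
  } catch (e) {
    // e.g. a login page delivered with 200 after a followed redirect
    return { kind: "error", message: "Response was not JSON" };
  }
}

// Send the call with the session cookie so the server-side check can see it.
async function callCfc(method, args, fetchImpl = fetch) {
  const res = await fetchImpl(buildCfcUrl(method, args), {
    method: "POST",
    credentials: "same-origin",
  });
  return interpretCfcResponse(res.status, await res.text());
}
```

The page's calling code would branch on `kind === "auth"` to prompt for login; this only works if the server-side check in `onRequestStart` is in place, since the client check is a usability measure, not an access control.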