0

我有一个启用了远程访问的 CFC 文件,我正在使用它来执行各种管理任务,例如从数据库中添加/删除图像记录。对此 CFC 的调用是通过我的管理页面上的自定义 JavaScript 通过 AJAX 进行的。我将 CFC 放在了我认为是安全的目录中,但是在图像自行消失时遇到了一些问题,我发现它根本不安全。

我想确保 CFC 的安全。我已经为管理页面使用了一个基于会话的安全 CFC,并且每次请求一个管理页面时都会调用其保护方法,如果身份验证失败,它将重定向用户。我可以在我的 CFC 上使用这个东西吗?如果是这样,实现它的最佳方法是什么?如果没有,我应该如何对其实施安全性?

下面是我的示例 CFC:

<cfcomponent
  name="test"
  displayname="test"
  output="false"
  hint="test"
>

<!--- pseudo constructor --->
<cfscript>
    variables.propertyImageDAO = CreateObject("component","cfcs.dataobjects.property_imageDAO").init(APPLICATION.dsn);
    variables.propertyImageGateway = CreateObject("component","cfcs.dataobjects.property_imageGateway").init(APPLICATION.dsn);
</cfscript>

<!--- constructor --->
<cffunction name="init" access="public" output="false" returntype="any"
        hint="Constructor for this CFC">

    <!--- return this CFC --->
    <cfreturn this />
</cffunction>

<!--- CRUD methods (create, read, update, delete) --->
<!--- CREATE: inserts a new property_image into the database --->
<cffunction name="createRecord" access="remote" output="true" 
        hint="Creates a new property_image record and returns a struct containing a boolean (success) indicating the success or
        failure of the operation, an id (id), and a string (message) containing a message"
        >

    <cfargument name="name" type="any" required="false" default="" />
    <cfargument name="alt" type="any" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        var propertyImageBean = CreateObject("component","cfcs.beans.property_image").init(
            '',
            arguments.name,
            arguments.alt
        );
        results = propertyImageDAO.createRecord(propertyImageBean);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>
<!--- READ: reads a property_image from the database and populates the property_image object --->
<cffunction name="readRecord" access="remote" output="true" returntype="void"
   hint="Reads property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        propertyImageBean = CreateObject("component","cfcs.beans.property_image");
        propertyImageBean.setid(arguments.id);
        propertyImageDAO.readRecord(propertyImageBean);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(propertyImageBean)#</cfoutput>
</cffunction>
<!--- DELETE: reads a property_image from the database and populates the property_image object --->
<cffunction name="deleteRecord" access="remote" output="true" returntype="void"
   hint="Reads property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        results = propertyImageDAO.deleteRecordById(arguments.id);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   
<!--- DELETERECORDS: deletes a property_image from the database --->
<cffunction name="deleteRecords" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageIdList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteRecordsByIdList(arguments.imageIdList);
    </cfscript>
    <!--- delete files --->

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   
<!--- DELETERECORDS: reads a property_image from the database and populates the property_image object --->
<cffunction name="deleteRecordById" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteRecordById(arguments.id);
    </cfscript>
    <!--- delete files --->

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction> 
<!--- DELETERECORDSBYIDLIST: reads a property_image from the database and populates the property_image object --->
<cffunction name="deleteRecordsByIdList" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageIdList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteRecordsByIdList(arguments.imageIdList);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   

<cffunction name="deleteImagesByNameList" access="remote" output="true" returntype="void"
   hint="Deletes property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageNameList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- delete DB records --->
    <cfscript>
        results = propertyImageDAO.deleteImagesByNameList(arguments.imageNameList);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>   

<!--- READ: reads a property_image from the database and populates the property_image object --->
<cffunction name="getByIdList" access="remote" output="true" returntype="void"
   hint="Reads property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="imageIdList" type="string" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        qGetByIdList = propertyImageGateway.getByIdList(arguments.imageIdList);
    </cfscript>

    <!--- convert into JSON friendly format --->
    <cfif qGetByIdList.recordCount GT 0>
      <cfset images = ArrayNew(1)>
      <cfloop query="qGetByIdList" startRow="1" endRow="#qGetByIdList.recordCount#">
          <cfscript>
              // create image struct and assign values
              image = StructNew();
              image.id = id;
              image.name = name;
              image.alt = alt;
              // append to JSON response
              ArrayAppend(images,image);
          </cfscript>
      </cfloop>
      <cfset results.images = images>
    </cfif>
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>
<!--- READ: reads a property_image from the database and populates the property_image object --->
<cffunction name="updateRecord" access="remote" output="true" returntype="void"
   hint="Reads property_image data from the database and returns a JSON">

    <!--- take property_image bean as argument --->
    <cfargument name="id" type="numeric" required="true" />
    <cfargument name="name" type="any" required="true" />
    <cfargument name="alt" type="any" required="true" />

    <!--- initialize variables --->
    <cfset var results = StructNew() />

    <!--- create property bean --->
    <cfscript>
        propertyImageBean = CreateObject("component","cfcs.beans.property_image").init(
            arguments.id,
            arguments.name,
            arguments.alt
        );
        results = propertyImageDAO.updateRecord(propertyImageBean);
    </cfscript>

    <!--- return the struct --->
    <cfoutput>#SerializeJSON(results)#</cfoutput>
</cffunction>

4

3 回答 3

1

要强制执行您的身份验证逻辑,您应该使用此逻辑将所有远程 CFC 调用包装在 Application.cfc 中。

不幸的是,您使用的是 CF8,因此您不能使用onCFCRequestApplication.cfc 的方法轻松包装所有远程请求。但是您可以onRequestStart通过检查目标页面是否以'.cfc'.

<cffunction name="onRequestStart">
    <cfargment name="targetPage">
    <cfif right(targetPage, 4) eq '.cfc'>
        <!--- Perform authentication check --->
        <cfif not loggedIn>
            <!--- Return "unauthorized" to the client --->
            <cfheader statuscode="401"> 
            <cfabort>
        </cfif>
    </cfif>
</cffunction>

然后,在您的 Ajaxfail处理程序中,检查 401 状态代码并向用户显示一条消息,指示需要登录。

于 2013-06-13T19:25:53.887 回答
0

将您的身份验证逻辑(验证会话)放入远程外观,或者如果您使用任何 MVC 框架,请将身份验证逻辑放在控制器层。

如果会话验证失败,则返回适当的 HTTP 状态代码(例如 403),以便前端代码可以做出适当的反应。

于 2013-06-13T19:12:03.250 回答
0

为什么每次进行 ajax 调用时不使用会话令牌。

于 2013-06-13T17:05:04.227 回答