WSS4CF: Secure Webservices with ColdFusion

Posted At : June 15, 2010 8:28 AM | Posted By : James Holmes
Related Categories: WSS4CF

The new project WSS4CF aims to provide WS-Security for CF webservices:

WSS4CF on RIAForge

So far both plain and digest username/password tokens are implemented. Hopefully more can be provided in the future.

Comments (3) | Send | del.icio.us | Linking Blogs | 5751 Views
Comments (Comment Moderation is enabled. Your comment will not appear until approved.)
[Add Comment]
Paul's Gravatar Hi James,

Do you have an example of how WSS4CF would work with a <cfhttp> call to a specified endpoint, e.g. with the following (it needs WS authentication with username/password):

<cfhttp
url="https://ws.staging.training.gov.au/Deewr.Tga.WebSe..."
method="post">
<cfhttpparam type="header" name="content-type" value="application/soap+xml" />
<cfhttpparam type="header" name="SOAPAction" value="http://training.gov.au/services/IOrganisationServi..."/>
<cfhttpparam type="header" name="accept-encoding" value="no-compression" />
<cfhttpparam type="xml" value="#trim(sXML)#"/>
   </cfhttp>
# Posted By Paul | 8/6/12 7:34 AM
James Holmes's Gravatar The CFC isn't really designed to be used with CFHTTP, since it leverages the AXIS Java jars under the hood like a standard CF webservice call does. The wiki shows the standard usage:

http://wss4cf.riaforge.org/wiki/

However you might be able to make use of the code to get the security headers you need and attach them to the http call. Alternatively, try adding the info to the underlying axis object; this would require a small modification to the cfc to allow access to that object.
# Posted By James Holmes | 8/10/12 2:29 PM
Paul's Gravatar Yep, I ended up just stuffing the security headers into the XML packet, then cfhttp'd it. Worked well. Thanks.
# Posted By Paul | 8/10/12 6:38 PM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.5.1.