Dan Mackey On ColdFusion Development

ColdFusion, Java, .NET, AJAX, DHTML development and general programming. Daniel is owner and Administrator of CFTagStore.com and works for an Application Development Company in Ireland called Digital Crew. His interests cover all areas of programming in multiple languages with a particular interest in Internet Technologies.

2007-08-02 17:35:00.0

Securing Your RSS Feeds Using Basic HTTP Authentication and ColdFusion

We are working on a project at the moment that requires secure RSS feeds. We need it to be secure in both browsers and feed readers such as FeedDemon, so we decided that Basic HTTP Authentication was the best way forward.

The snippet of code below makes the user agent (browser or feed reader) prompt for a username and password and checks them against our existing users table, without touching IIS permissions or Windows user accounts.

<!--- Assume the request is unauthenticated until the credential check succeeds --->
<cfset REQUEST.userAuthenticated = false>

<!--- Without a matching <cfloginuser> the <cflogin> body runs on every request,
      which is what a stateless feed reader needs: it re-sends the
      Authorization: Basic header each time. --->
<cflogin>
    <!--- CFLOGIN is only defined when the user agent actually sent credentials --->
    <cfif isDefined("CFLOGIN")>
        <!--- The users table is assumed to hold the password in the same form the
              feed reader sends it; if it stores a hash, hash CFLOGIN.password the
              same way before comparing. --->
        <cfquery name="checkUser" datasource="myDatasource">
        SELECT  u.userId
        FROM    users AS u
        WHERE   u.userName = <cfqueryparam value="#CFLOGIN.name#" cfsqltype="cf_sql_varchar">
            AND u.password = <cfqueryparam value="#CFLOGIN.password#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <cfif checkUser.recordcount NEQ 0>
            <cfset REQUEST.userAuthenticated = true>
        </cfif>
    </cfif>
</cflogin>

<cfif NOT REQUEST.userAuthenticated>
    <!--- No credentials, or wrong ones: send the 401 challenge. The realm text
          is what the browser's login dialog displays. --->
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfheader name="WWW-Authenticate" value="Basic realm=""My RSS Feed""">
    <cfabort>
<cfelse>
    <!--- Continue with RSS output --->
    Output your RSS Code Here
</cfif>

One small sticking problem which took some time to figure out:

On my local development server, the above worked perfectly. When I uploaded it to the production server running Windows Server 2003 Web Edition, the authentication popped up but kept popping up no matter what was entered in the username and password fields. The Realm header text was also not the one entered in the code above. After a lot of digging it turned out to be a simple option on IIS that needed to be turned off.

The option to turn off is Directory Security -> Anonymous Access and Authentication Control -> Edit -> Integrated Windows Authentication.

Once you disable Integrated Windows Authentication the whole thing works like a dream!
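The handshake the ColdFusion snippet above relies on, and a check for the IIS symptom just described, as an added example that is not part of the original post and is not ColdFusion: plain Python so the Authorization header parsing, the 401 challenge and the password check can be run offline. The user table, realm, salt and the sample response headers are constructed for the example. Unlike the post's query, which compares the stored password column directly, this version stores a salted PBKDF2 hash and compares in constant time; that is a choice made here, not something the post does. The `foreign_challenges` helper reflects the usual explanation of the IIS behaviour: with Integrated Windows Authentication enabled, IIS appends its own `Negotiate` and `NTLM` challenges to a 401, and user agents prefer those over the application's `Basic` one.

```python
"""Added example (not from the original post): the HTTP Basic auth
handshake in plain Python, plus a diagnostic for a 401 response that
carries challenges the application did not send. All data is constructed."""
import base64
import binascii
import hashlib
import hmac
from typing import List, Optional, Tuple

REALM = "My RSS Feed"  # assumed realm, mirrors the post's <cfheader> value
_SALT = b"constructed-static-salt"  # constructed; use a per-user random salt in practice


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the post's table compares plaintext instead."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user table standing in for the post's "users" table.
USERS = {"dan": _hash_password("feed-secret", _SALT)}


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header, or None.

    The credentials are only base64-encoded, never encrypted, which is why a
    Basic-protected feed has to be served over TLS. Anything malformed counts
    as "no credentials" so the client just receives the 401 challenge again.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # password itself may contain ':'
    return user, password


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash. Unknown users still
    pay for a hash and a compare so timing does not reveal valid usernames."""
    candidate = _hash_password(password, _SALT)
    stored = USERS.get(user)
    if stored is None:
        hmac.compare_digest(candidate, candidate)
        return False
    return hmac.compare_digest(stored, candidate)


def handle_feed_request(request_headers: dict) -> Tuple[int, dict, str]:
    """The gate from the post: 401 + WWW-Authenticate until valid credentials
    arrive, then the feed body. Returns (status, headers, body)."""
    creds = parse_basic_authorization(request_headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""
    return 200, {"Content-Type": "application/rss+xml"}, "<rss>...</rss>"


def basic_header(user: str, password: str) -> str:
    """What a browser or feed reader sends back after seeing the challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()


def foreign_challenges(response_headers: List[Tuple[str, str]]) -> List[str]:
    """Diagnostic for the IIS symptom in the post: every WWW-Authenticate
    value in a 401 that is not the application's own Basic challenge.
    Negotiate/NTLM here means the server is adding its own challenges."""
    return [
        value
        for name, value in response_headers
        if name.lower() == "www-authenticate" and not value.lower().startswith("basic")
    ]


if __name__ == "__main__":
    # Round trip: challenge, then the reader answers with the credentials.
    print(handle_feed_request({}))
    print(handle_feed_request({"Authorization": basic_header("dan", "feed-secret")}))
    # Constructed 401 as IIS sends it with Integrated Windows Authentication on.
    print(foreign_challenges([("WWW-Authenticate", "Negotiate"),
                              ("WWW-Authenticate", "NTLM"),
                              ("WWW-Authenticate", 'Basic realm="My RSS Feed"')]))
```

To check a live server, capture the raw 401 (for example with `curl -v` against the feed URL without credentials) and feed its `WWW-Authenticate` lines to `foreign_challenges`; a non-empty result means something other than the application is answering the challenge.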

Not only is this a good way of securing your RSS feeds, it's also perfect for web services or even securing your whole application. Two things to keep in mind: Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so the feed must be served over HTTPS; and you can't style the login form, because it uses the browser's built-in dialog.

Tags: ColdFusion | IIS | RSS | Security | Tips | WebDev