
Adobe CF8 SSLv3 Webservices

So you have some very sensitive data being made available via a web service which is secured using SSLv3 (Client certificates).  If you’re using ColdFusion 8, you’ll have to say goodbye to your good friend CfInvoke as he doesn’t speak the lingo (SSLv3).  Your old pal CfHttp does, but you’ll have to help him along by washing his mouth out with some SOAP.

In other words, CfInvoke cannot cope with client certificates and neither can his cousin CreateObject.  Strangely enough, CfHttp does support them but of course you have to do all the SOAP stuff yourself in order to communicate with the web service.

Here’s how it’s done

  1. You’ll need to find out where the web service requests should actually be sent.  If you can get hold of the WSDL, open it up and look for something like this:
    <wsdl:service name="BobbyService">
     <wsdl:port binding="impl:bobby.cfcSoapBinding" name="bobby.cfc">
     <wsdlsoap:address location="https://localhost/bobby.cfc"/>
     </wsdl:port>
    </wsdl:service>
    
  2. The location attribute is the one you’ll need; it can sometimes differ from the one you expect or the one you got the WSDL from.
  3. Now you’ll have to do some work yourself, figuring out exactly what the web service is expecting.  You’ll usually have some documentation to help you along, otherwise you’ll have to work through the WSDL and figure it out yourself.
  4. We’ll need to build the SOAP request.  Notice that foobar relates to the method, and the arguments are contained within it:
    <cfsavecontent variable="soap">
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Body>
     <foobar>
     <foo xsi:type="xsd:string">Mister Dai</foo>
     <bar xsi:type="xsd:string">z</bar>
     </foobar>
     </soapenv:Body>
    </soapenv:Envelope>
    </cfsavecontent>
    <cfset soap = Trim(soap) />
    
  5. Now we’ll use CfHttp to make the actual request:
    <cfhttp url="https://localhost/bobby.cfc" method="post"
     clientCert="#ExpandPath('./bob.pfx')#"
     clientPassword="*********">
     <cfhttpparam type="header" name="content-type" value="text/xml" />
     <cfhttpparam type="header" name="content-length" value="#Len(soap)#" />
     <cfhttpparam type="header" name="charset" value="utf-8" />
     <cfhttpparam type="xml" name="message" value="#soap#" />
     <cfhttpparam type="header" name="SOAPAction" value="" />
    </cfhttp>
    
  6. Your result will be available via cfhttp.fileContent:
    <cfdump var="#XmlParse(cfhttp.fileContent)#" />
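
Steps 1, 2 and 6 with the checks the walkthrough leaves implicit, as an added example rather than the post's own code: it reads the endpoint from a WSDL, refuses one that is not HTTPS on the expected host, and separates a SOAP fault or non-XML reply from a usable response before it reaches XmlParse. The function names, both sample documents and the expected host are assumptions.

```cfml
<!--- Added example, not the post's code. readEndpoint, soapFault and both sample
      documents are constructed; "localhost" is the host assumed to be expected. --->
<cffunction name="readEndpoint" returntype="string" output="false">
 <cfargument name="wsdlText" type="string" required="true" />
 <cfargument name="expectedHost" type="string" required="true" />
 <cfset var prefix = "https://" & arguments.expectedHost & "/" />
 <cfset var hits = XmlSearch(XmlParse(arguments.wsdlText),
  "//*[local-name()='service']//*[local-name()='address']") />
 <cfif ArrayLen(hits) EQ 0>
  <cfthrow message="WSDL has no service address" />
 </cfif>
 <!--- Plain HTTP would send the body in clear with no certificate exchange, and
       another host would receive data you meant for this service. --->
 <cfif Left(hits[1].XmlAttributes.location, Len(prefix)) NEQ prefix>
  <cfthrow message="Unexpected endpoint: #hits[1].XmlAttributes.location#" />
 </cfif>
 <cfreturn hits[1].XmlAttributes.location />
</cffunction>

<!--- Returns "" for a usable reply, otherwise the reason it cannot be used. --->
<cffunction name="soapFault" returntype="string" output="false">
 <cfargument name="statusCode" type="string" required="true" />
 <cfargument name="body" type="string" required="true" />
 <cfset var faults = "" />
 <cfif NOT IsXml(arguments.body)>
  <cfreturn "No XML in response (" & arguments.statusCode & ")" />
 </cfif>
 <cfset faults = XmlSearch(XmlParse(arguments.body),
  "//*[local-name()='Fault']/*[local-name()='faultstring']") />
 <cfif ArrayLen(faults) GT 0>
  <cfreturn "SOAP fault: " & faults[1].XmlText />
 </cfif>
 <cfreturn "" />
</cffunction>

<cfsavecontent variable="sampleWsdl"><wsdl:definitions
 xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:impl="urn:example"
 xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
 <wsdl:service name="BobbyService">
  <wsdl:port binding="impl:bobby.cfcSoapBinding" name="bobby.cfc">
   <wsdlsoap:address location="https://localhost/bobby.cfc"/>
  </wsdl:port>
 </wsdl:service>
</wsdl:definitions></cfsavecontent>
<cfset sampleFault = '<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body><e:Fault><faultcode>e:Server</faultcode><faultstring>bad input</faultstring></e:Fault></e:Body></e:Envelope>' />
<cfoutput>#readEndpoint(sampleWsdl, "localhost")# | #soapFault("500 Internal Server Error", sampleFault)#</cfoutput>
```

In the real flow, pass the readEndpoint result as the cfhttp url in step 5 and call soapFault(cfhttp.statusCode, cfhttp.fileContent) before the XmlParse in step 6.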
    

Conclusion

While this is probably a better workaround than having another server-side language act as a go-between, I still think Adobe should push support for client certificates into anything that’s making an HTTP request.  For example cfcache, cfschedule and the admin schedule task all make web requests which would fail if a certificate was required for access.  I also seem to remember that CfDocument makes requests for retrieving images.

Railo comparison

The score is now Railo 1 – Adobe 1 as Railo currently doesn’t support client certificates on its CfHttp tag or the others (CfInvoke, createobject etc…).  I’ve put in a request for it via their new UserVoice site, so please vote for it if you think you’ll ever need it, even if you only use Adobe’s engine, since it’ll pressure them into adding it too ;)
