Ask a Jedi: Preventing direct access to a CFC

Chad asks:

I am using a CFC for an AJAX-based shopping cart and it works great. But along comes a customer who is behind a proxy. The proxy is trying to request the CFC through a GET request (instead of a POST). Of course, when you try to access a CFC directly, it redirects the browser to the ColdFusion Component Browser. I have tried everything I know to keep the proxy from trying to access this page directly, but nothing seems to work. Any suggestions?

For folks who don’t get what Chad is talking about, ColdFusion has a feature where if you access a CFC in your browser, you get a nicely formatted HTML page that describes the CFC and what it can do (if you authenticate first). You only get this if you don’t specify a method. While this is nice and all, it may not be what you desire. You may, for example, want to share the documentation for a CFC and have it be something you wrote yourself. This way folks don’t need your CF Admin password.

So what’s cool about this question is that there is a really simple, very trivial solution. Mark Drew used this for his SnipEx code and it’s just brilliant. I mean it’s obvious - but it never occurred to me! Consider the simple CFC below:

<code>
<cfcomponent output="false">

<cffunction name="sayHi" access="remote" returnType="string" output="false">
    <cfargument name="name" type="string" required="false" default="Nameless">
    <cfreturn "Hello, #arguments.name#">
</cffunction>

</cfcomponent>
</code>

If you view this CFC in your browser and do not pass a method in the query string, you will get prompted to authenticate to your CF Admin and then you will get the nice documentation. But now look at this version:

<code>
<cfcomponent output="false">

<!--- No method in the query string: pick a default so the Component Browser is never reached --->
<cfif not structKeyExists(url, "method")>
    <cfset url.method = "sayHi">
</cfif>

<cffunction name="sayHi" access="remote" returnType="string" output="false">
    <cfargument name="name" type="string" required="false" default="Nameless">
    <cfreturn "Hello, #arguments.name#">
</cffunction>

</cfcomponent>
</code>

All I’ve done here is add code to notice the lack of a method in the query string. If it is missing, a default method is specified. Simple, right? Of course this disables the “auto-documentation”, but it may be exactly what you want to do.
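A stricter variant of the same guard, as an added example (not from the original post or from SnipEx): instead of silently running a default method, it answers a bare request for the .cfc with a 404 and stops. It assumes the method name may arrive in either the query string or the POST body, and that the component may also be created from other CFML pages, so it only acts when the .cfc itself is the requested script.

```cfml
<cfcomponent output="false">

    <!--- Pseudo-constructor code: runs every time this CFC is instantiated,
          before any method is invoked. --->

    <!--- Only act when the .cfc file itself is the requested URL. Without this
          check, a page that creates this component with createObject() would be
          aborted whenever that page's own request had no "method" parameter. --->
    <cfif right(cgi.script_name, 4) eq ".cfc">

        <!--- Assumption: an AJAX client may send "method" in the POST body
              instead of the query string, so both scopes are checked. --->
        <cfif not structKeyExists(url, "method")
              and not structKeyExists(form, "method")>

            <!--- Direct hit with no method named: return 404 and end the
                  request, so neither the Component Browser redirect nor any
                  remote function runs. --->
            <cfheader statuscode="404" statustext="Not Found">
            <cfabort>
        </cfif>
    </cfif>

    <cffunction name="sayHi" access="remote" returnType="string" output="false">
        <cfargument name="name" type="string" required="false" default="Nameless">
        <cfreturn "Hello, #arguments.name#">
    </cffunction>

</cfcomponent>
```

This fits a component like a shopping cart, where the remote functions change state and a stray GET with no method should not trigger any of them.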


About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos.

Lafayette, LA https://www.raymondcamden.com
