DEVELOPMENT LOG FOR JIM PALMER
Posted 02/14/2007 in coldfusion


Since XMLHttpRequest.open() only works on URIs with the same domain:port pair the page was originally loaded from, I had a problem accessing an AJAX handler on a different host.

I solved this with Apache's mod_proxy, which in turn caused another issue with the client authentication functionality in CFAJAX.

First off, to enable authentication of each incoming CFAJAX request, add the following hint declaration to each function you want to be sure is authenticated:
...
<cffunction ... hint="... authenticateClient='yes' ...">
...

It is important to note that this is different from the sessioncheckfunction hint declaration.

The problem is that the decodeClientAuthenticationKey function in the security.cfm file only returns true if CGI.REMOTE_ADDR matches the address that was originally encoded into the key. When a web proxy is used to reach your AJAX handler, CGI.REMOTE_ADDR is the address of the proxy machine rather than the address of the client's machine for which the authentication key was initially Encrypt()ed. The solution is to pass the end-user's IP address through the proxy in the form of a URL variable.

Solution #1
After trying Solution #2 below, I decided there was no way to verify each incoming request from a client's browser beyond enabling the strong asymmetric encryption CFAJAX already supports. This means removing all of CFAJAX's IP verification from the client key authentication: I simply commented out the IPVERIFIED==true cfif in the authenticateClient hint "function" in cfajax.cfm, while keeping the TIMEELAPSED condition.

In our case there is no need to authenticate the client's IP address in order to verify incoming requests (it is impossible anyway because of masquerading). I see the client authentication more as a way to avoid leaving a completely open door to malicious requests. The bulk of the logic, and any dangerous database changes, only happen if a valid session exists, so sessioncheckfunction is the more important check.

Solution #2
WARNING - This will NOT work when the client makes AJAX calls from behind a bridging/masquerading box, i.e. the great majority of end-users on the net.

To pass the end-user's IP through the proxy, I set up a QSA (Query String Append) variable at the end of my proxy RewriteRule as follows:
<VirtualHost *>
...
RewriteEngine On
RewriteRule ^/_api/(.*) balancer://api_cluster/$1?remote_addr=%{REMOTE_ADDR} [P,QSA]
...
</VirtualHost>

This RewriteRule sends all incoming requests for /_api/ to one of the cluster members. The cluster members are defined as:
<Proxy balancer://api_cluster>
        BalancerMember http://10.0.0.100:80
        BalancerMember http://10.0.0.101:80
</Proxy>

The RewriteRule picks a specific cluster member from those listed in the Proxy block. This is part of the Apache 2.2.x mod_proxy_balancer module. The [P] flag hands the request to the mod_proxy module, and the [QSA] flag appends the original query string gracefully. For example, if the original address for the VirtualHost was http://10.0.0.1, here are two test queries and how they would be proxied:
http://10.0.0.1/_api/index.cfm -> 
	http://10.0.0.[100|101]/index.cfm?remote_addr=196%2E128%2E1%2E1
http://10.0.0.1/_api/index.cfm?existingVar=value ->
	http://10.0.0.[100|101]/index.cfm?existingVar=value&remote_addr=196%2E128%2E1%2E1

Now we must modify the CFAJAX decodeClientAuthenticationKey function in security.cfm so that it sets IPVERIFIED to true or false based on this newly passed GET variable instead of CGI.REMOTE_ADDR.

Find the following line of code in the CFAJAX security.cfm:
<cfif trim(StructFind(variables.retData, "IP")) EQ trim(CGI.REMOTE_ADDR)>
and change it to:
<cfif ( IsDefined('URL.REMOTE_ADDR') AND 
	trim(StructFind(variables.retData, "IP")) EQ trim(URL.REMOTE_ADDR) ) OR
	( trim(StructFind(variables.retData, "IP")) EQ trim(CGI.REMOTE_ADDR) )>
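To make the decision above concrete, here is an added example (not CFAJAX's code and not from this post) that models the decodeClientAuthenticationKey check from Solution #2 together with the TIMEELAPSED window kept in Solution #1. The key format, the HMAC tagging, the 300-second window and the trusted-proxy list are assumptions of the example; it also adds one hardening the post does not have, namely that the forwarded remote_addr is only honoured when CGI.REMOTE_ADDR is the proxy itself.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo; not from the post or from CFAJAX.
SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300            # assumed TIMEELAPSED window (Solution #1 keeps it)
TRUSTED_PROXIES = {"10.0.0.1"}   # the Apache proxy's address from the post


def encode_client_key(ip, issued_at):
    """Stand-in for the Encrypt()ed CFAJAX key: {IP, TIME} plus an HMAC tag."""
    payload = json.dumps({"IP": ip, "TIME": issued_at}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload + b"." + tag).decode()


def decode_client_key(key, cgi_remote_addr, now, url_remote_addr=None):
    """Model of decodeClientAuthenticationKey after the security.cfm edit.

    cgi_remote_addr plays CGI.REMOTE_ADDR (the proxy's address when proxied);
    url_remote_addr plays URL.REMOTE_ADDR appended by the RewriteRule [QSA].

    Added hardening beyond the post: the forwarded address is only honoured
    when CGI.REMOTE_ADDR is a known proxy, so a request that reaches a
    backend directly cannot supply its own remote_addr.
    """
    raw = base64.b64decode(key)
    payload, _, tag = raw.rpartition(b".")   # hex tag contains no '.'
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return {"VALID": False, "IPVERIFIED": False, "TIMEELAPSED": None}
    data = json.loads(payload)
    elapsed = now - data["TIME"]
    time_ok = 0 <= elapsed <= MAX_AGE_SECONDS
    forwarded_ok = (url_remote_addr is not None
                    and cgi_remote_addr in TRUSTED_PROXIES
                    and data["IP"] == url_remote_addr.strip())
    ip_ok = forwarded_ok or data["IP"] == cgi_remote_addr.strip()
    return {"VALID": time_ok and ip_ok, "IPVERIFIED": ip_ok,
            "TIMEELAPSED": elapsed}
```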