In ColdFusion 8 you had to jump through a couple of hoops to remove the onRequest method from the Application.cfc in order to allow AJAX and SOAP requests to work correctly with remote access CFCs. In ColdFusion 9 Adobe has added an onCFCrequest method that will run on any remote CFC method call, giving you finer control over who accesses your CFCs and how. So first let's take a look at the workaround we've all been using to actually get past some of the issues with the onRequest method breaking remote CFC calls.
If you open up Application.cfc, in our onRequestStart method we check to see if a CFC has been requested or if this is a SOAP request, and then simply delete the onRequest method from the Application.cfc. Now this works, but it's a hack, and nobody likes to use a hack in order to get critical applications working correctly. So in ColdFusion 9 we can add an onCFCrequest function to our file. So let's go ahead and do that now. We'll do cffunction name = onCFCrequest.
Now any time onCFCrequest is called it's going to pass three arguments. The first one is the name of the component that's actually being called. So this will pass in a string. The second one is going to be the method name that the user wants to invoke, and that will also be a string. The last will be the arguments that are supposed to be passed for this particular method. So we'll call that methodArguments and that's going to be a struct.
So let's go ahead and see how this works. I am just going to dump out the arguments, and in our CFC's directory, I have a remoteArtistService. Now this file has two methods in it. The first is getArtists, which has an access of remote, and it simply runs a query where we can filter by the artist id and it returns that query. I also have one called getArtPieces, which is a public method, but not remote. So we shouldn't be able to call it through our remote web service.
So let's go ahead and try and call our getArtists method. So let's go ahead and switch over to the browser and we'll invoke our remote method. We will do localhost:8500/Chapter2/cfcs/remoteArtistsService.cfc, and we'll call the method getArtists. You'll see nothing has actually been returned from that method. I've never even called this method.
If you look down at our debugging information, you can see there's no call to that method anywhere in here. There's no query that's been run or anything. The entire request has been intercepted by onCFCrequest. So now we need to do a little extra work to actually get this method invoked. So back to CF Builder. We'll go back to Application.cfc and we'll invoke the CFC that's been called. So we will use the cfinvoke tag. We'll call the proper component, we'll call the method, and then we'll pass it all of the arguments.
Now the last thing we need to do is set a return variable. Then we will dump out that return variable. So if we go back to our browser and reload, you'll see it runs my query and dumps out all the values. Now let's take a look at what happens when I pass additional query string arguments. If I do id equals 2 for example, we can see in the Arguments dump it separates out all my URL variables into nicely formatted structures, and here it's passed in the proper id to filter my query. So what uses can you make of this? With onCFCrequest, because you can intercept every single request, you could add security around particular components.
For example, restricting access to a specific component by IP address or by whether a user is logged in or not. You could also standardize how you return all of your results by potentially wrapping every single return in, let's say, a serialized JSON function. Now if I go back here and reload, I get a nice JSON formatted return string. Just to make sure the security hasn't been compromised by having our new onCFCrequest, let's try running the getArtPieces method.
Now we have a problem. Because our onCFCrequest is running these method calls directly from inside the application, it has access to all the public methods available. Only our remote method should be exposed. So what you are going to need to do is make sure that you properly lock down these public methods by adding some additional logic inside onCFCrequest to control who can and cannot call remote methods. So using the new onCFCrequest method in Application.cfc should allow you to have better control over how your CFCs are accessed.
It's pretty simple to wrap security and common formatting options around your objects and methods, but you're going to have to do some additional work to properly protect those remote methods, if you do want to make use of the onCFCrequest.
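One way to add the "additional logic" the transcript calls for, shown as an added example that is not code from the video: before invoking anything, onCFCRequest looks the requested method up in the component's metadata and refuses it unless it is declared access="remote". The metadata check via getComponentMetaData, the 403 response and the JSON wrapping are choices made for this example.

```cfml
<!--- Added example: goes inside Application.cfc. --->
<cffunction name="onCFCRequest" access="public" returntype="void" output="true">
    <cfargument name="cfcName" type="string" required="true">
    <cfargument name="methodName" type="string" required="true">
    <cfargument name="methodArguments" type="struct" required="true">

    <cfset var meta = getComponentMetaData(arguments.cfcName)>
    <cfset var fn = "">
    <cfset var isRemote = false>
    <cfset var result = "">

    <!--- Allow the call only if the method is explicitly access="remote".
          Only the component's own functions are checked; inherited methods
          are rejected, which is the conservative choice for this example. --->
    <cfif structKeyExists(meta, "functions")>
        <cfloop array="#meta.functions#" index="fn">
            <cfif fn.name EQ arguments.methodName
                  AND structKeyExists(fn, "access")
                  AND fn.access EQ "remote">
                <cfset isRemote = true>
                <cfbreak>
            </cfif>
        </cfloop>
    </cfif>

    <!--- Public, package and private methods stop here and never run. --->
    <cfif NOT isRemote>
        <cfheader statuscode="403" statustext="Forbidden">
        <cfreturn>
    </cfif>

    <!--- Any IP or login checks belong here, before the invoke. --->
    <cfinvoke component="#arguments.cfcName#"
              method="#arguments.methodName#"
              argumentcollection="#arguments.methodArguments#"
              returnvariable="result">

    <!--- A method that returns void leaves result undefined. --->
    <cfif structKeyExists(local, "result")>
        <cfcontent type="application/json" reset="true">
        <cfoutput>#serializeJSON(result)#</cfoutput>
    </cfif>
</cffunction>
```

With this in place a request for getArtists still returns its JSON, while a request for the public getArtPieces method gets a 403 and the method is never invoked.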