Participant
January 7, 2022
Answered

cffile upload using credential


Hello ColdFusion community,

I need your suggestion on an upload functionality issue that I have recently been facing. I have a shared network drive where I need to upload the file using cf file. But I can't give permission to the service ac on which ColdFusion is running. Instead, the client gives a user name and password to us when uploading. Is there a way to pass credentials while uploading a file using cf file? What is an alternate way to achieve this?

 

Any help would be highly appreciated.

Thank You!

 

    This topic has been closed for replies.

    5 replies

    BKBK
    Community Expert
    January 18, 2022

    @uday22547276rirg ,

    I interpreted your question as a search for a proof-of-concept. Namely, whether it is possible to implement code in ColdFusion, where:

     

    1.  clients upload files by means of credentials;
    2.  the ultimate location of the uploaded files is a network share (however, with the constraint that the user ColdFusion runs as has insufficient permissions to access the share) .

     

    The answer to your question is yes. I have provided proof, using ColdFusion on Windows.

     

     

    Participant
    January 18, 2022

    Hey Guy, 

    I'm sorry. I did not get a chance to check my mails in a few days.

    @BKBK you really did a good job and I appreciate it. But our expectation was something other than passing the credentials inside the form with each file upload. It is impossible to create millions of usernames and passwords and store them in the db. We can't even allow any batch file to be executed.

    A batch file could be an alternative solution, but my ask was different. The question was: can we upload or perform file operations on a network drive without giving permission to the ColdFusion service account, by providing the username and password of the network drive to cffile or any similar tag or any CF Java based lib? No batch file. 

    My .net colleagues achieved this and I'm going to use their dll file in CF by creating the .net object and using their function, providing the filefield as a parameter.

     

    I hope I'm clear this time.

     

    Thank you @Charlie Arehart . You were correct

     

    Charlie Arehart
    Community Expert
    January 11, 2022

    I don't see any discussion about the security risk of having the user pass in their windows credentials. 

     

    I've been trying to discourage from the beginning the hope that this upload could be done using the user's credentials (obtained somehow implicitly) because cf doesn't support that. 

     

    But as I noticed both BKBK and Mike discussing (in their most recent comments) using an uploaded username and password, I see now that Uday actually proposed that in his original post. I missed that.

     

    I just want to say this seems a bad idea, especially if somehow the info would be saved to "batch" execute the uploads. Where would these user credentials be stored? Even if "just in memory", it seems a potentially grave risk.

     

    Uday mentioned his .Net colleagues having been able to do something similar to what he wants. Uday, was their approach REALLY involving a .net app (code you guys wrote) receiving such uploaded credentials? I suggest you really confirm that, because I'd think others would have balked at that for the same reason, though perhaps they didn't see a problem.

     

    I just want to make sure you're not trying to force cf to support something that could get you into trouble if you're not very careful.

     

    BTW, if someone may point out that cfntauthenticate accepts a user's username and password (presumed to be passed in), note that the sole goal of that is authentication. As a result, you know they ARE authenticated--that those credentials are valid. (This is offered as an alternative to having to create separate login credentials for users.) But again all the tag does is authenticate those credentials. They are not then stored in any way by CF for reuse. If a developer did store them, they'd be in this same situation I'm now describing above.

     

    I'm interested to hear if you guys or anyone reading along thinks I'm overreacting here in this general concern.

    /Charlie (troubleshooter, carehart. org)
    BKBK
    Community Expert
    January 11, 2022

    Charlie, I don't see the security concerns you mention. The implementation could flow as follows:

     

    1.  Specifically for the purpose of upload, each client gets a username/password. These do not have to be the client's Windows credentials.
    2.  During upload, ColdFusion validates the client's upload-username and upload-password. If they are valid, then the file is uploaded to a location L to which the ColdFusion server has access.
    3. A subsequent process - which could still be ColdFusion - copies the uploaded file from the location L to the share, using the username and password that allow access to the share.
    Charlie Arehart
    Community Expert
    January 11, 2022

    Help us out, bkbk. This "the username and password that allow access to the share", are you asserting it's the one uploaded from the user with the file? Or some other?

     

    If the same, my concern stands. If another, how would that solve Uday's need, which was to store the file with that user's credentials?

    /Charlie (troubleshooter, carehart. org)
    Inspiring
    January 11, 2022

    Hi @uday22547276rirg 

     

    There are a few third party Java libraries out there that handle CIFS interactions, some more dated than others. I must stress that I've never tried any of them out, they may or may not be able to handle what you're trying to achieve, but I put them out as something you may wish to explore:

     

    https://www.jcifs.org

     

    This is an old library, and the web site suggests some newer libraries that may be of more use:

     

    https://github.com/AgNO3/jcifs-ng 

    https://github.com/codelibs/jcifs 

    https://github.com/hierynomus/smbj 

     

    If you or anyone else manages to get this functioning, I'd be really interested to hear about it, as we have a similar project on the horizon.

     

    Cheers,

    Mike.

    Charlie Arehart
    Community Expert
    January 11, 2022

    Mike, can you clarify how you envision this would help with Uday's use case?

     

    And is the similar project you have really about having a file uploaded to cf to be stored in a destination that is a network drive, using the end user's (browser user's) authentication? There's simply no provision for that with cffile upload. 

    /Charlie (troubleshooter, carehart. org)
    Inspiring
    January 11, 2022

    Hi Charlie,

     

    I was going on @uday22547276rirg 's request for "What is alternate way to achieve this?"

     

    Utilizing one of these libraries should allow files/directories to be manipulated on CIFS shares based on passed credentials. Obviously the user would have to be logged into the ColdFusion application, and their username/password stored somewhere, probably in the session (assuming the credentials for the CF app are the same as those for the share). These could then be passed through the relevant Java objects to manipulate files/directories on the share.

     

    So I guess the steps would be:

     

    1. Upload the file to the CF server in the standard way, saving it locally
    2. Move the file from the local CF location to the share utilizing the library of choice.

     

    Like I said, I've never used these libraries, but in theory, this could all be possible. I might knock up a quick test at some point, now I've piqued my own interest 😉

     

    To your second question, the aim of the upcoming project is to build some kind of file manager/explorer type system that the user could manage files/directories on a Windows share based on their credentials, rather than the ColdFusion Service user's credentials that are used by CFFILE and CFDIRECTORY. We've identified a third party .NET app that can do just that, and we might end up just embedding that in an iframe within our CF app. But before we do that, we're going to investigate if a home grown solution in CF/Java is actually possible.

     

    Cheers,

    Mike.
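
The two-step flow discussed in this thread (save the upload locally, then copy it to the share under credentials other than the ColdFusion service account's) could look like the following with smbj, one of the libraries linked above. This is an added example, not code from any participant and not tested by them; the class `ShareCopy`, the method `copyToShare` and all parameter names are hypothetical, and it assumes the smbj jar is on the class path and that the caller supplies the share account's password at call time rather than storing it.

```java
import com.hierynomus.msdtyp.AccessMask;
import com.hierynomus.mssmb2.SMB2CreateDisposition;
import com.hierynomus.mssmb2.SMB2ShareAccess;
import com.hierynomus.smbj.SMBClient;
import com.hierynomus.smbj.auth.AuthenticationContext;
import com.hierynomus.smbj.connection.Connection;
import com.hierynomus.smbj.session.Session;
import com.hierynomus.smbj.share.DiskShare;
import com.hierynomus.smbj.share.File;

import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.EnumSet;

// Hypothetical helper (not part of smbj or ColdFusion).
public final class ShareCopy {

    /** Copies a locally saved upload to \\host\shareName\remoteDir\(file name). */
    public static void copyToShare(Path localFile, String host, String shareName, String remoteDir,
                                   String domain, String user, char[] password) throws IOException {
        // Use only the final path component, and reject separators, so a crafted
        // upload name cannot point outside remoteDir on the share.
        String name = localFile.getFileName().toString();
        if (name.contains("\\") || name.contains("/") || name.equals("..") || name.equals(".")) {
            throw new IllegalArgumentException("unsafe file name");
        }
        try (SMBClient client = new SMBClient();
             Connection connection = client.connect(host)) {
            // The SMB session runs as this account, not as the ColdFusion service user.
            Session session = connection.authenticate(new AuthenticationContext(user, password, domain));
            try (DiskShare share = (DiskShare) session.connectShare(shareName);
                 File remote = share.openFile(remoteDir + "\\" + name,
                         EnumSet.of(AccessMask.GENERIC_WRITE), null, SMB2ShareAccess.ALL,
                         SMB2CreateDisposition.FILE_OVERWRITE_IF, null);
                 OutputStream out = remote.getOutputStream()) {
                Files.copy(localFile, out);   // stream the local temp file to the share
            }
        } finally {
            Arrays.fill(password, '\0');      // wipe the caller's copy of the share password
        }
    }
}
```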

    BKBK
    Community Expert
    January 9, 2022

    You could just pass the credentials via the upload form. I have created the following test example, and it works. 🙂

    Notes:

    • Launch the CFM page in the browser.
    • The form posts to itself.

     

     

     

    <!--- uploadWithCredentials.cfm --->
    <!--- Test example: the form posts to this same page. --->
    <cfif isDefined("Form.FileContents")>
        <cfset isValidClient = false>
        <cftry>
            <!--- Validate the upload-only username/password against the users table.
                  cfqueryparam binds the values, so they are never concatenated into the SQL.
                  Note: pwd is compared exactly as stored in the table. --->
            <cfif isDefined("Form.username") and isDefined("Form.password")>
                <cfquery datasource="cf_db" name="validateUploader">
                    select *
                    from users
                    where username=<cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.username#">
                    and pwd=<cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.password#">
                </cfquery>
                <cfset isValidClient = validateUploader.recordcount gt 0>
            </cfif>

            <cfif isValidClient>
                <!--- The move to the destination is done by the account ColdFusion runs as. --->
                <cffile action = "upload"
                    fileField = "FileContents"
                    destination = "c:\uploads"
                    nameConflict = "overwrite">
                <cfif cffile.FileWasSaved>Upload done!</cfif>
            <cfelse>
                Your upload credentials are invalid.
            </cfif>

        <cfcatch type="any">
            <!--- Dumps the full exception to the page; for testing only. --->
            <cfdump var="#cfcatch#">
        </cfcatch>

        </cftry>

    <cfelse>
        <form method="post" action="uploadWithCredentials.cfm" enctype="multipart/form-data">
            <input name="FileContents" type="file">
            <br>
            Username: <input name="username" type="text" required>
            <br>
            <!--- type="password" so the value is masked in the browser --->
            Password: <input name="password" type="password" required>
            <br>
            <input name="submit" type="submit" value="Upload File">
        </form>
    </cfif>


     

     

     


     

    Charlie Arehart
    Community Expert
    January 9, 2022

    Bkbk, I don't read Uday's original post as saying he wanted a cf page to validate the user's credentials (what you just offered). He said he has a "shared network drive where I need to upload the file using cf file. but I can't give permission to service ac on which coldfusion is running".

     

    So as I discussed in my comments, this is about the permissions with which the cffile upload (what is basically a MOVE to that network drive) takes effect. Your code doesn't show you accommodating that, and indeed I'm not aware of a way to cause that. But if you're saying you did, please clarify also how the username entered was tied to an identity that DOES have permission for that user to allow the file write/move/upload. It seems that is what Uday would be needing most, though he can clarify. 

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    Correct answer
    January 8, 2022

    Uday, I don't think that will be possible. I assume you are using the CFFILE ACTION="upload", which takes the file (as saved as a temp file during the upload) and then MOVES it to the path named in the DESTINATION of cffile. That move will be done BY CF, on behalf of the user that CF is running as.

     

    I'm not aware of any way to have it somehow detect and use the end-user's identity and use that. While a web server like IIS may have provision to detect and use that for files accessed by way of the web server, in this case the access is NOT "by way of the web server".

     

    Someone may have a different perspective and better news for you. And I could have this wrong. I will admit I have not seen it done or even discussed, so I'm going on that.

    /Charlie (troubleshooter, carehart. org)
    Participant
    January 8, 2022
    I agree with you; another part of my project, which was developed in .net, achieves this.
    Thanks