
Using the adminAPI

  • November 13, 2012
  • 1 reply
  • 2165 views

I'm new to this, but I wanted to use the CF adminAPI, so I wrote:

<cfset adminObj = new 'cfide.adminapi.administrator'()>
<cfset result = adminObj.login(
    adminUserID = 'admin',
    adminPassword = 'HASHED_ADMIN_PASSWORD',
    isHashed = true
)>
<cfdump var="#result#" abort="1">

And it reports back: false

I don't want to supply the unhashed value in the code itself, and I used the BIF hash() to hash the actual password (which is supplied in the above as 'HASHED_ADMIN_PASSWORD'). Can anyone help point out to me what I'm doing wrong?


    November 13, 2012

    Have you read the docs for Using the Administrator API?  That describes how you use it.

    I'm not completely familiar with it, but I see no reference to passing a hashed pwd (although that'd be a good idea if it was supported); it all seems to demonstrate using a clear-text password. I can find no indication that using a hashed password would work (via Google). What makes you think that you can?  Did you read something somewhere?

    --
    Adam

    November 13, 2012

    I used introspection on the administrator.cfc and it showed an isHashed attribute for the login() method.

    I assumed, since it didn't allow me to specify the algo, I had to use a basic MD5 Hash() on it, and that's what I specified (though I prefer SHA-256).  Whatever solution I employ, I'd feel safer if I didn't pass the password in an unencrypted manner.

    Here is the text it shows:

    remote boolean login ( required adminPassword, adminUserId="[runtime expression]", rdsPasswordAllowed="false", isHashed="false" )


    Authenticate the user for the length of the request. Required before accessing other methods of the Administrator API. Returns true if login successful.


    Output: suppressed

    Parameters:

       adminPassword: any, required, adminPassword - ColdFusion Administrator password.

       adminUserId: any, optional, adminUserId - ColdFusion Administrator User Id

       rdsPasswordAllowed: any, optional, rdsPasswordAllowed - Allow the user to login and access the adminapi with the RDS password.

       isHashed: any, optional, isHashed - Set it to true if the password sent is already hashed once.

    Aegis_Kleais (Author, correct answer)
    November 13, 2012

    *** UPDATE ***

    With some help from a co-worker, it seems the hash that CF expects is for algorithm SHA1. (Not even sure you can custom specify a different algo)

    We did a dump of:

    hash( 'admin_password_here', 'SHA1' )

    and then used that value in the login() call, and it returned TRUE.

    I'm going to look into seeing if there's a way to change CF 10's default algo to SHA256.
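
Added example, not code from the thread or from Adobe: because login() accepts the digest when isHashed is true, the SHA1 value works as a credential on its own, so this version reads it from the environment instead of the source file and rejects a digest of the wrong shape before calling login(). The environment variable name CF_ADMIN_SHA1 is an assumption.

```cfml
<cfscript>
// Added example. Assumption: the SHA1 digest of the admin password was produced
// once with hash( 'admin_password_here', 'SHA1' ) and exported to the server
// process as the environment variable CF_ADMIN_SHA1 (hypothetical name).
adminHash = createObject( "java", "java.lang.System" ).getenv( "CF_ADMIN_SHA1" );

if ( isNull( adminHash ) ) {
    throw( message = "CF_ADMIN_SHA1 is not set" );
}

// A SHA1 hex digest is 40 characters. An MD5 digest (32 characters), the first
// attempt in this thread, stops here with a clear message instead of
// login() quietly returning false.
if ( !reFind( "^[0-9A-Fa-f]{40}$", adminHash ) ) {
    throw( message = "CF_ADMIN_SHA1 is not a 40-character hex SHA1 digest" );
}

adminObj = new cfide.adminapi.administrator();
loggedIn = adminObj.login(
    adminPassword = adminHash,
    adminUserId   = "admin",
    isHashed      = true
);

if ( !loggedIn ) {
    // Never dump or log adminHash: with isHashed = true the digest is
    // accepted in place of the password.
    throw( message = "adminAPI login failed for adminUserId 'admin'" );
}
</cfscript>
```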