November 13, 2012
Answered

Using the adminAPI


I'm new to this, but I wanted to use the CF adminAPI, so I wrote:

<cfset adminObj = new 'cfide.adminapi.administrator'()>
<cfset result = adminObj.login(
    adminUserID = 'admin',
    adminPassword = 'HASHED_ADMIN_PASSWORD',
    isHashed = true
)>
<cfdump var="#result#" abort="1">

And it reports back: false

I don't want to supply the unhashed value in the code itself, and I used the BIF hash() to hash the actual password (which is supplied in the above as 'HASHED_ADMIN_PASSWORD'). Can anyone help point out to me what I'm doing wrong?

    Correct answer Aegis_Kleais

    *** UPDATE ***

    With some help from a co-worker, it seems the hash that CF expects is for algorithm SHA1. (Not even sure you can custom specify a different algo)

    We did a dump of:

    hash( 'admin_password_here', 'SHA1' )

    and then used that value in the login() call, and it returned TRUE.

    I'm going to look into seeing if there's a way to change CF 10's default algo to SHA256.
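    The working call from the update, as an added example that is not code from this thread: it passes the SHA-1 digest that login() turned out to expect, reads that digest from the environment instead of hardcoding it, and wraps the call so code deployed where the Administrator API is unavailable fails closed instead of throwing. The environment variable name CF_ADMIN_PWD_SHA1 and the helper adminApiLogin() are assumptions.

```cfml
<cfscript>
// Added example (not from the thread). Assumes the SHA-1 digest of the
// Administrator password is supplied out of band in the environment
// variable CF_ADMIN_PWD_SHA1 (assumed name), i.e. the value of
// hash("the_real_password", "SHA1") computed once on a trusted machine.
// Because login() accepts the digest directly when isHashed = true, the
// digest is itself a credential: keep it out of source control and logs.
function adminApiLogin(required string hashedPassword, string userId = "admin") {
    var loggedIn = false;
    try {
        var adminObj = createObject("component", "cfide.adminapi.administrator");
        loggedIn = adminObj.login(
            adminPassword = arguments.hashedPassword,
            adminUserId   = arguments.userId,
            isHashed      = true
        );
    } catch (any e) {
        // CFIDE removed, adminapi blocked, or the component otherwise
        // unreachable: report "no Administrator API access" instead of
        // aborting the request.
        loggedIn = false;
    }
    return loggedIn;
}

hashedAdminPwd = createObject("java", "java.lang.System").getenv("CF_ADMIN_PWD_SHA1");

if (isNull(hashedAdminPwd) || !len(hashedAdminPwd)) {
    writeOutput("Administrator API credential not configured.");
} else if (adminApiLogin(hashedAdminPwd)) {
    writeOutput("Administrator API login succeeded.");
} else {
    writeOutput("Administrator API unavailable or login rejected.");
}
</cfscript>
```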


    November 13, 2012

    Have you read the docs for Using the Administrator API? That describes how you use it.

    I'm not completely familiar with it, but I see no reference to passing a hashed pwd (although that'd be a good idea if it was supported); it all seems to demonstrate using a clear-text password. I can find no indication that using a hashed password would work (via Google). What makes you think that you can? Did you read something somewhere?

    --
    Adam

    November 13, 2012

    I used introspection on the administrator.cfc and it showed an isHashed attribute for the login() method.

    I assumed, since it didn't allow me to specify the algo, I had to use a basic MD5 Hash() on it, and that's what I specified (though I prefer SHA-256).  Whatever solution I employ, I'd feel safer if I didn't pass the password in an unencrypted manner.

    Here is the text it shows:

    remote boolean login ( required adminPassword, adminUserId="[runtime expression]", rdsPasswordAllowed="false", isHashed="false" )

    Authenticate the user for the length of the request. Required before accessing other methods of the Administrator API. Returns true if login successful.

    Output: suppressed

    Parameters:

       adminPassword: any, required, adminPassword - ColdFusion Administrator password.

       adminUserId: any, optional, adminUserId - ColdFusion Administrator User Id

       rdsPasswordAllowed: any, optional, rdsPasswordAllowed - Allow the user to login and access the adminapi with the RDS password.

       isHashed: any, optional, isHashed - Set it to true if the password sent is already hashed once.

    November 13, 2012

    Tagging, got it. Will try to make that a habit.

    This all came around due to some old code we were using that was referencing creating a java object to 'coldfusion.server.ServiceFactory'. We wanted to programmatically determine whether we had access to the adminAPI (because this code might be put out into environments where it, for one reason or another, isn't allowed.)

    Good practice on setting up a low-priv user; I'll look into utilizing that practice. I'm eagerly awaiting the CF10 Server Lockdown guide, and previous ones alluded to ensuring that at least a SHA-256 algo was used in all passwords; that was the mindset I had when realizing SHA1 was used instead.


    I'm eagerly awaiting the CF10 Server Lockdown guide, and previous ones alluded to ensuring that at least a SHA-256 algo was used in all passwords; that was the mindset I had when realizing SHA1 was used instead.

    Hehheh... yes, well they should definitely be eating their own dogfood on this one! I'll put it on Shilpi's radar...

    --

    Adam