
Develop Coldfusion Web Service

I need to develop/design a ColdFusion web service which uses a few object calls and functions.

  1. What is a good source of samples to develop in terms of OOP?
  2. What is the best way to secure the web service?
  3. How to authenticate external/internal users, any sample?

FYI, this web service is going to be used by multiple departments.

thanks A


OOP examples are all over the web. I don't have any handy, so I'll skip that part, and go straight to authentication and security.

First, authentication. There are several possible answers depending on what kind of users you are authenticating. For example, if you are authenticating users connecting via a 3rd party tool -- like a desktop or phone app posting to Twitter -- I would say that OAuth is a good solution. There is a good library for both publishing and consuming OAuth integrations at oauth.riaforge.com. If you are looking for something lighter weight, we used a simple token creation scheme for a web service that was only consumed by partner services. Basically, the partner service sends what amounts to a username and password pair, a token is created with a "last used" timestamp, and every time the web service interacts after that, we do a check against the token store.

Security is, similarly, very dependent on your end goals. However, there are a few basic principles I've always tried to follow. First, build your basic CFCs as you normally would for constructing your objects. Entry points should be public, helper functions private, etc. This includes building an object to handle whatever authentication model you choose. On top of that, build your public API. These should all simply be access functions. They are called by outside applications, call the security object, then call the appropriate objects and methods to achieve the goal of the call. This way, you never have to bake the security layer into your base functionality calls, but you also have an easy way to include security. Remember, a single API call does not have to reflect a single base call -- you can build more complex routines if needed.

So, to recap.

Authentication

  • OAuth
  • Temporary Token Generation

Security

  • private/public (not remote) base layer
  • private/public (not remote) authentication layer
  • remote API layer
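The following is an added example (not code from the question or the answer above) of the layering the answer recommends: a non-remote base-layer CFC, a non-remote token-store CFC implementing the "last used" timestamp scheme, and a remote API CFC whose methods validate the token before touching the base layer. All component names (`Reports`, `TokenService`, `Api`), the partner credentials and the 30-minute idle timeout are assumptions made for the example; in a real deployment the credentials would come from a hashed user store and the token store would be shared via the application scope so it survives across requests.

```cfml
// ---- Reports.cfc (hypothetical name): base layer, public/private only, never remote ----
component output="false" {
    // Public entry point used by the API layer; contains no security logic at all.
    public struct function fetch(required numeric reportId) {
        return { "id" = arguments.reportId, "title" = buildTitle(arguments.reportId) };
    }
    // Private helper, not callable from outside the component.
    private string function buildTitle(required numeric reportId) {
        return "Report ##" & arguments.reportId;
    }
}

// ---- TokenService.cfc (hypothetical name): authentication layer, public but not remote ----
component output="false" {
    // Constructed sample partner credentials for the example only.
    variables.partners   = { "deptA" = "s3cret-A", "deptB" = "s3cret-B" };
    variables.tokens     = {};   // token -> { user, lastUsed }
    variables.ttlMinutes = 30;   // assumed idle timeout

    // Partner sends username/password once; on success it gets an opaque token.
    public struct function createToken(required string username, required string password) {
        if ( !structKeyExists(variables.partners, arguments.username)
             || compare(variables.partners[arguments.username], arguments.password) NEQ 0 ) {
            return { "ok" = false };
        }
        // Opaque, unguessable token derived from a UUID plus entropy; stored with a timestamp.
        var token = hash(createUUID() & getTickCount() & arguments.username, "SHA-256");
        variables.tokens[token] = { "user" = arguments.username, "lastUsed" = now() };
        return { "ok" = true, "token" = token };
    }

    // Every later call checks the token store and refreshes the "last used" timestamp.
    public boolean function validateToken(required string token) {
        if ( !structKeyExists(variables.tokens, arguments.token) ) {
            return false;
        }
        var entry = variables.tokens[arguments.token];
        if ( dateDiff("n", entry.lastUsed, now()) GT variables.ttlMinutes ) {
            structDelete(variables.tokens, arguments.token);   // idle token expires
            return false;
        }
        entry.lastUsed = now();   // sliding expiry window
        return true;
    }

    // Explicit logout so partners can invalidate a token early.
    public void function revokeToken(required string token) {
        structDelete(variables.tokens, arguments.token);
    }
}

// ---- Application.cfc excerpt: create one shared instance of each layer ----
// function onApplicationStart() {
//     application.reports = new Reports();
//     application.auth    = new TokenService();
//     return true;
// }

// ---- Api.cfc (hypothetical name): the only remote layer ----
component output="false" {
    // Access function: no security check needed here, it is the login itself.
    remote struct function login(required string username, required string password)
            returnformat="json" {
        return application.auth.createToken(arguments.username, arguments.password);
    }

    // Access function: validates the token, then delegates to the base layer.
    remote struct function getReport(required string token, required numeric reportId)
            returnformat="json" {
        if ( !application.auth.validateToken(arguments.token) ) {
            return { "ok" = false, "error" = "unauthorized" };
        }
        return { "ok" = true, "data" = application.reports.fetch(arguments.reportId) };
    }

    remote struct function logout(required string token) returnformat="json" {
        application.auth.revokeToken(arguments.token);
        return { "ok" = true };
    }
}
```

Because `Reports.cfc` and `TokenService.cfc` expose no `remote` methods, a request straight to `Reports.cfc?method=fetch` is rejected by ColdFusion itself; the only way in is through `Api.cfc`, where each access function performs the token check before calling the base object. Adding a new API call is then a matter of writing one more remote access function that composes whatever base calls it needs, without revisiting the security logic.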
