Tags: apache-flex, flex3, coldfusion, remoting, cfc

How to protect access="remote" functions in CFCs from snoopers?


One of the great features of CFCs is the ability to reuse the code for both a straight .cfm page and for Flex apps.

One such app that I developed uses Flex for its charting capabilities and needs access to a 'getResults()' function in the cfc.

All of this content is behind an authentication mechanism, but since the cfc will open itself up to a wsdl request:

https://myserver.com/c/functions.cfc?wsdl

and will actually return the results to the browser if the URL query is crafted properly:

https://myserver.com/c/functions.cfc?method=getResults&Term=2009&Course=Anatomy

What techniques have people used to protect the cfc from direct access UNLESS the request is coming directly from the CFML processor OR from Flex Remoting?


Solution

  • You could utilize some of the CGI scope variables to check where the request is coming from.

    i.e. CGI.REMOTE_HOST, CGI.REMOTE_ADDR

    So, you'd probably construct a new function with an access="public" property which checks the values of those variables against a list of valid values for your server. If it returns true, you would execute the request and if it returns false, you would throw/return some sort of error.
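The guard described in this answer, written out as an added example (not code from the question or the answer): a public, non-remote `isTrustedCaller()` compares `CGI.REMOTE_ADDR` / `CGI.REMOTE_HOST` against an allowlist, and the remote `getResults()` refuses the request unless it passes. The allowlist values, the component name and the placeholder query are assumptions.

```cfml
<cfcomponent displayname="functions" output="false">

    <!--- Constructed allowlist of addresses/hosts trusted to call this cfc (assumption; replace with your own) --->
    <cfset variables.trustedCallers = "127.0.0.1,::1,10.0.0.5">

    <!--- Guard from the answer: access="public", not "remote", so ?method=isTrustedCaller cannot reach it --->
    <cffunction name="isTrustedCaller" access="public" returntype="boolean" output="false">
        <cfreturn listFindNoCase(variables.trustedCallers, CGI.REMOTE_ADDR) GT 0
                  OR listFindNoCase(variables.trustedCallers, CGI.REMOTE_HOST) GT 0>
    </cffunction>

    <!--- The charting data call that Flex needs; still remote, but guarded --->
    <cffunction name="getResults" access="remote" returntype="query" output="false">
        <cfargument name="Term" type="string" required="true">
        <cfargument name="Course" type="string" required="true">
        <cfset var results = "">

        <!--- Reject a direct ?method=getResults&Term=...&Course=... request from an untrusted host --->
        <cfif NOT isTrustedCaller()>
            <cfthrow type="functions.AccessDenied"
                     message="Access denied"
                     detail="Request from #CGI.REMOTE_ADDR# is not in the trusted caller list">
        </cfif>

        <!--- Placeholder result set (constructed); the real lookup would run here --->
        <cfset results = queryNew("term,course", "varchar,varchar")>
        <cfset queryAddRow(results)>
        <cfset querySetCell(results, "term", arguments.Term)>
        <cfset querySetCell(results, "course", arguments.Course)>
        <cfreturn results>
    </cffunction>

</cfcomponent>
```

A `?wsdl` request still describes `getResults`, so this limits who can successfully invoke it rather than hiding its existence.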