Chapter 16: Securing Applications
Authenticating users
You can use either, or both, of the following forms of authentication to secure your ColdFusion application:
• Web server authentication, where the web server authenticates the user and does not allow access to the website by users without valid login IDs
• Application authentication, where the ColdFusion application authenticates the user and does not allow access to the application by users without valid login IDs
About web server authentication
All major web servers support basic HTTP authentication. Some web servers also support other
authentication methods, including Digest HTTP authentication and Microsoft NTLM
authentication.
Note: Basic HTTP authentication sends the user name and password as a base64-encoded string in the Authorization header of every request. Base64 is an encoding, not encryption, so anyone who can read the traffic can recover the credentials. If you do not use SSL (Secure Sockets Layer) for all page transactions, the user ID and password are not protected from unauthorized access.
Note: Macromedia DreamWeaver MX and Studio MX do not support NTLM security with RDS. Therefore, you cannot use RDS with these applications if the ColdFusion RDS servlet (cf_root/CFIDE/main/ide.cfm) is in a directory that is protected using NTLM security.
In web server authentication, the web server requires the user to log in to access pages in a particular directory, as follows:
1 When the user first requests a page in the secured directory, the web server rejects the request with an HTTP 401 status and a WWW-Authenticate header naming the protection space (realm). The browser then prompts the user for a login ID and password; for basic, Digest, and NTLM authentication this prompt is a browser dialog, not a page served by your application.
2 The user fills in the login prompt and submits it.
3 The web server checks the user's login ID and password, using its own user authentication mechanism.
4 If the user logs in successfully, the browser caches the credentials and sends them in an HTTP Authorization header with every subsequent request for a page in that protection space.
5 The web server processes the requested page, and every later request from the browser whose Authorization header is valid for the requested page.
You can use web server authentication without using any ColdFusion security features. In this
case, you configure and manage all user security through the web server’s interfaces.
You can also use web server authentication together with ColdFusion application authentication, and thus use ColdFusion security for authorization. If the web server uses basic HTTP authentication, the ColdFusion cflogin tag provides access to the user ID and password that the user entered to log in to the web server. If the web server uses Digest or NTLM authentication, the cflogin tag normally gets the user ID but not the password, because those methods send a hash or challenge response rather than the password itself.
As a result, your application can rely on the web server to authenticate the user against its user and password information, and does not have to display a login page. You use the cflogin and cfloginuser tags to log the user into the ColdFusion user security system, and use the IsUserInRole and GetAuthUser functions to enforce user authorization. For more information on this form of security, see “A web server authentication security scenario” on page 355.
Note: If a user has logged in using web server authentication and has not logged in using ColdFusion application authentication, the GetAuthUser function returns the web server user ID. You can use this feature to combine web server authentication with application authorization based on the user's ID.
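The exchange in the numbered steps above, followed by the combination of web server authentication with application-side authorization that this section describes, as an added example. It is written in Python rather than CFML and is not ColdFusion's own code: the functions stand in for what the cflogin, cfloginuser, GetAuthUser and IsUserInRole tags and functions do, so the mechanics are visible. The realm name, the two accounts, their passwords, the salt and the role table are constructed for the example, and the web server's credential store is kept separate from the application's role table, as in the scenario the text describes.

```python
"""Added example (not ColdFusion code): HTTP Basic authentication as the
web server performs it, then role-based authorization keyed on the
web-server-authenticated user ID."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

REALM = "Secured Directory"  # assumed realm name for the protected directory


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash; the web server never stores clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


_SALT = b"demo-salt-only"  # constructed; real stores use a random salt per user
# Constructed web server credential store (what the web server checks in step 3).
WEB_SERVER_USERS: Dict[str, bytes] = {
    "alice": _pbkdf2("correct horse", _SALT),
    "bob": _pbkdf2("hunter2", _SALT),
}
# Constructed application role table (the Roles column cfloginuser would read).
APP_ROLES: Dict[str, set] = {
    "alice": {"Admin", "Employee"},
    "bob": {"Employee"},
}


def challenge() -> Tuple[int, Dict[str, str]]:
    """Step 1: the web server answers 401 and names the protection space."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def build_authorization(user: str, password: str) -> str:
    """Steps 2 and 4: the header the browser sends after the login prompt.
    This is base64, not encryption: anyone on the path can decode it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header, or None if it is
    absent or malformed. Only the first ':' separates the fields, since the
    password itself may contain colons."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def web_server_authenticate(header: Optional[str]) -> Optional[str]:
    """Steps 3 and 5: the web server checks the credentials against its own
    store and returns the user ID, or None (the caller re-issues the 401)."""
    creds = parse_authorization(header)
    if creds is None:
        return None
    user, password = creds
    stored = WEB_SERVER_USERS.get(user)
    # Hash even for unknown users so a missing account is not visible by timing.
    candidate = _pbkdf2(password, _SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return user


def application_authorize(header: Optional[str], required_role: str) -> Tuple[int, str]:
    """The application trusts the web server's authentication and applies its
    own authorization: cflogin exposes the ID, cfloginuser attaches roles from
    the application's table, IsUserInRole decides."""
    user = web_server_authenticate(header)  # the ID cflogin would expose
    if user is None:
        status, _ = challenge()
        return status, "authentication required"
    roles = APP_ROLES.get(user, set())  # roles come from the application, not the web server
    if required_role not in roles:  # IsUserInRole(required_role)
        return 403, f"user {user} lacks role {required_role}"
    return 200, f"welcome {user}"  # GetAuthUser() would return user


if __name__ == "__main__":
    hdr = build_authorization("alice", "correct horse")
    print(parse_authorization(hdr))  # credentials recovered from the header
    print(application_authorize(hdr, "Admin"))
    print(application_authorize(build_authorization("bob", "hunter2"), "Admin"))
    print(application_authorize(None, "Employee"))
```

parse_authorization is the reason for the SSL note above: the same decoding any web server performs is available to anyone who captures the header. Note also that the application never compares passwords itself; like a ColdFusion application fronted by web server authentication, it only needs the authenticated ID to look up roles.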