Security scenarios
The following sections provide two detailed security scenarios. The first scenario uses the web
server to perform the authentication against its user and password database. The second scenario
uses ColdFusion for all authentication and authorization.
A web server authentication security scenario
An application that uses web server authentication might work as follows. The example in “Web-server–based authentication user security example” on page 358 implements this scenario.
1. When the user requests a page from a particular directory on the server for the first time after starting the browser, the web server displays a login page and logs in the user. The web server handles all user authentication.
2. Because the user requested a ColdFusion page, the web server hands the request to ColdFusion.
3. When ColdFusion receives a request for a ColdFusion page, it runs the contents of the Application.cfm page before it runs the requested page. The Application.cfm page contains a cflogin tag. ColdFusion executes the cflogin tag body if the user is not logged into ColdFusion. The user is logged in if the cfloginuser tag has run successfully for this application and the user has not been logged out.
4. Code in the cflogin tag body uses the user ID and password from the browser login, contained in the cflogin.name and cflogin.password variables, as follows. (With Digest or NTLM web server authentication, the cflogin.password variable is the empty string.)
   a. It checks the user’s name against information it maintains about users and roles. In a simple case, the application might have two roles, one for users and one for administrators. The CFML assigns the Admin role to any user logged on with the user ID Admin and assigns the User role to all other users.
   b. It calls the cfloginuser tag with the user’s ID, password, and roles, to identify the user to ColdFusion.
5. The Application.cfm page completes processing, and ColdFusion processes the requested application page.
6. The application pages use the IsUserInRole function to check whether the user belongs to a role before they run protected code that must be available only to users in that role.
7. The application can use the GetAuthUser function to determine the user ID; for example, to display the ID for personalization. It can also use the ID as a database key to get user-specific data.
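The following Application.cfm and application page put steps 1 through 7 together. This is an added illustration, not the manual’s own page 358 example; the application name, file names, and the Admin and User role names are assumptions.

```cfml
<!--- Application.cfm (added example; names are assumed, not from the manual).
      Assumes the web server protects this directory with Basic, Digest,
      or NTLM authentication, so it has already verified the credentials. --->
<cfapplication name="WebServerAuthExample" sessionmanagement="yes">

<!--- ColdFusion runs the cflogin body only when no cfloginuser tag has
      succeeded for this application or the user has been logged out. --->
<cflogin>
    <cfif NOT IsDefined("cflogin")>
        <!--- The web server sent no credentials; refuse the request. --->
        <cfabort showerror="Web server authentication is required.">
    </cfif>

    <!--- Map the authenticated user ID to roles. Compare() is case-sensitive,
          whereas EQ would also accept "admin" or "ADMIN" as the Admin user. --->
    <cfif Compare(cflogin.name, "Admin") EQ 0>
        <cfset roles = "Admin">
    <cfelse>
        <cfset roles = "User">
    </cfif>

    <!--- Identify the user to ColdFusion. The password is passed through
          unverified: with Digest or NTLM it is the empty string anyway. --->
    <cfloginuser name="#cflogin.name#"
                 password="#cflogin.password#"
                 roles="#roles#">
</cflogin>

<!--- adminreport.cfm (example application page in the protected directory) --->
<cfoutput><p>Logged in as #GetAuthUser()#.</p></cfoutput>

<cfif IsUserInRole("Admin")>
    <!--- Protected code: runs only for users in the Admin role. --->
    <cfoutput><p>Administrator report for #GetAuthUser()#.</p></cfoutput>
<cfelse>
    <p>You are not authorized to view the administrator report.</p>
</cfif>
```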
Caution: If you use web-server–based authentication, the browser continues to send the authentication information to your application until the user closes the browser, or in some cases, all open browser windows. This action continues even after you use the cflogout tag to log out the user. As a result, if a user requests another page in your application after logging out, the cflogin tag body will again receive a cflogin structure that contains the logged-out user’s UserID and password. If one user logs out and does not close the browser, another user might access your pages with the first user’s login.