Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 244

DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications
Application security and user identification
All applications must ensure that malicious users cannot make improper use of their resources. Additionally, many
applications require user identification, typically to control the portions of a site that the user accesses, to control the
operations that the user performs, or to provide user-specific content. ColdFusion provides the following forms of
application security to address these issues:
Resource (file and directory-based) security
that application pages, in particular directories, access. Consider the resource security needs of your application when
you design the application directory structure.
User (programmatic) security
mechanism to ensure that users only access and use selected features of the application. User security also incorporates
a user ID, which you use to customize page content. To implement user security, you include security code, such as
the and
cflogin cfloginuser
For more on implementing security, see
Structuring an application
When you design a ColdFusion application, structure its contents into directories and files, also known as mapping
the directory structure. This activity is an important step in designing a ColdFusion application. Before you start
building the application, establish a root directory for the application. You store application pages in subdirectories of
the root directory.
How ColdFusion finds and process application definition pages
ColdFusion uses the following rules to locate and process the Application.cfc, Application.cfm, and
OnRequestEnd.cfm pages that define application-specific elements. The way ColdFusion locates these files helps
determine how you structure an application.
Each time ColdFusion processes a page request it does the following:
1 When ColdFusion starts processing the request, it does the following:
• It searches the page's directory for a file named Application.cfc. If one exists, it creates a new instance of the CFC,
processes the initial events, and stops searching. (ColdFusion creates a new instance of the CFC and processes
its initialization code for each request.)
• If the requested page's directory does not have an Application.cfc file, it checks the directory for an
Application.cfm file. If one exists, ColdFusion logically includes the Application.cfm page at the beginning of
the requested page and stops searching further.
• If the requested page's directory does not have an Application.cfc or Application.cfm file, ColdFusion searches
up the directory tree and checks each directory first for an Application.cfc file and then, if one is not found, for
an Application.cfm page, until it reaches the root directory (such as C:\). When it finds an Application.cfc or
Application.cfm file, it processes the page and stops searching.
ColdFusion processes the requested page's contents.
2
3 When the request ends, ColdFusion does the following:
• If you have an Application.cfc, ColdFusion processes the CFC's
instance.
Limits the ColdFusion resources, such as tags, functions, and data sources
Provides an authentication (login) mechanism and a role-based authorization
tags, in your application.
"Securing Applications" on page 339.
Last updated 1/20/2012
method and releases the CFC
onRequestEnd
239