Chapter 17: Application Security
Overview of User Security
User security authenticates users when they log into a ColdFusion application, and
then assigns privileges based on group membership or other criteria that you
determine. For example, suppose you've used ColdFusion to build and host your
company's intranet. The Human Resources department maintains a page on the
intranet where all employees can access timely information about the company, like
the latest company policies, upcoming events, and job postings. You'd want everyone
to be able to read the information, but you'd only want certain authorized HR
employees to be able to add, update, or delete information. In addition, you might
want to let employees view customized information about their salaries, job levels, and
performance reviews. You certainly wouldn't want one employee to view sensitive
information about another employee, but you'd want managers to be able to see, and
possibly update, information about their direct reports. User security authenticates
and authorizes users each time they try to access or work with sensitive data.
User security is made up of two components:
Security contexts, configured in the ColdFusion Administrator, on the
Advanced Security page. A security context provides the framework against
which to authenticate and authorize users.
Code you write in your application pages that checks against a security context
to see if a user is allowed to access a particular resource and then takes
Before you can implement user security in your applications, you must make sure that
your ColdFusion administrator has installed Advanced security on the server and has
configured the appropriate security framework for your application. After the security
framework is in place, you can code security features into your ColdFusion
applications. For complete information about installing Advanced security and setting
up a security framework, see Administering ColdFusion Server.
Using Advanced Security in Application Pages
Advanced security makes it easier for developers to enforce application security. After
your administrator sets up the appropriate security contexts for your application, you
can start using ColdFusion security tags and functions to authenticate users and see if
they've been authorized for the part of the application they're trying to access.
This section describes how to use security tags and functions to authenticate users and
provide or withhold resources according to the security context's rules.
Include CFAUTHENTICATE on any application page where you want to
authenticate users — that is, to make sure users are who they say they are. (You
can also use CFAUTHENTICATE in your application's Application.cfm file.) Pass
the authentication information to subsequent pages where you want to test for
authentication.
ColdFusion sets a cookie, CFAUTH, to contain authentication information. If
you choose not to use this cookie, you must check authentication for each
request.
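The following Application.cfm shows how the pieces described above fit together on every request: test whether the request is already authenticated, authenticate it with CFAUTHENTICATE if not, and refuse to render anything until that succeeds. It is an illustrative example written for this chapter, not code from the manual. The security context name "HRIntranet", the form field names, the login.cfm template, and the "HRContent"/"Update" user object and action passed to IsAuthorized are all assumed; the IsAuthenticated(), AuthenticatedUser() and IsAuthorized() functions are ColdFusion 4.x Advanced Security functions that this page does not itself mention.

```cfml
<!--- Application.cfm: runs before every page in this directory tree.
      Illustrative example; "HRIntranet" is an assumed security context that
      the administrator must have created on the Advanced Security page. --->
<CFSET contextName = "HRIntranet">

<!--- Step 1: is this request already authenticated? With setcookie="Yes"
      below, a successful login sets the CFAUTH cookie, so later requests
      pass this test and skip the login step. With setcookie="No" this branch
      runs on every request, which is the "check authentication for each
      request" case. --->
<CFIF NOT IsAuthenticated()>

    <!--- Step 2: if the login form was submitted, try to authenticate.
          Form.username and Form.password are assumed field names.
          throwonfailure="No" turns a bad password into a plain "still not
          authenticated" result instead of an exception. --->
    <CFIF IsDefined("Form.username") AND IsDefined("Form.password")>
        <CFAUTHENTICATE securitycontext="#contextName#"
                        username="#Form.username#"
                        password="#Form.password#"
                        setcookie="Yes"
                        throwonfailure="No">
    </CFIF>

    <!--- Step 3: still not authenticated: show the login form and stop.
          CFABORT guarantees that the requested page below never renders
          for an unauthenticated user. login.cfm is an assumed template that
          posts username/password back to the page that was requested. --->
    <CFIF NOT IsAuthenticated()>
        <CFINCLUDE template="login.cfm">
        <CFABORT>
    </CFIF>

</CFIF>

<!--- Step 4: the request is authenticated. Record who the user is and
      whether the security context grants the assumed "Update" action on the
      assumed "HRContent" user object, so pages can show or withhold the
      add/update/delete controls. Authorization is decided by the context
      rules, not by anything hard-coded here. --->
<CFSET Request.currentUser = AuthenticatedUser()>
<CFSET Request.canEditHR   = IsAuthorized("USEROBJECT", "HRContent", "Update")>
```

A page that lets HR staff change content would then wrap its editing controls in `<CFIF Request.canEditHR>` and, before actually performing the update, check IsAuthorized() again rather than trusting a value carried in the form, since the security context, not the page, is the source of truth for what a user may do.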