About User Security - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual

About user security

User security lets your application use security rules to determine what it displays. It has two
elements:
•
Authentication
by the user. ColdFusion (or, in some cases if you use web server authentication, the web server)
maintains the user ID information while the user is logged-in.
•
Authorization
operation. Authorization is typically based on one or more roles (sometimes called groups) to
which the user belongs. For example, in an employee database, all users could be members of
either the employee role or the contractor role. They could also be members of roles that
identify their department, position in the corporate hierarchy, or job description. For example,
someone could be a member of some or all of the following roles:
Employees
Human Resources
Benefits
Managers
Roles enable you to control access in your application resources without requiring the application
to maintain knowledge about individual users. For example, suppose you use ColdFusion for your
company's intranet. The Human Resources department maintains a page on the intranet on
which all employees can access timely information about the company, such as the latest company
policies, upcoming events, and job postings. You want everyone to be able to read the
information, but you want only certain authorized Human Resources employees to be able to
add, update, or delete information.
Your application gets the user's roles from the user information data store when the user logs in,
and then enables access to specific pages or features based on the roles. Typically, you store user
information in a database, LDAP directory, or other secure information store.
You can also use the user ID for authorization. For example, you might want to let employees
view customized information about their salaries, job levels, and performance reviews. You
certainly would not want one employee to view sensitive information about another employee,
but you would want managers to be able to see, and possibly update, information about their
direct reports. By employing both user IDs and roles, you can ensure that only the appropriate
people can access or work with sensitive data.
The following figure shows a typical flow of control for user authentication and authorization.
Following sections expand on this diagram to describe how you implement user security in
ColdFusion.
348 Chapter 16: Securing Applications
Ensures that a valid user is logged-in, based on an ID and password provided
Ensures that the logged-in user is allowed to use a page or perform an