Using ColdFusion to control access
Instead of letting the web server control access to your web services, you can handle the username/password string in your Application.cfm file as part of your own security mechanism. In this case, you use the cflogin tag to retrieve the username/password information from the authorization header, decode the binary string, and extract the username and password, as the following example Application.cfm file shows:
<cfsilent>
  <cflogin>
    <cfset isAuthorized = false>
    <!--- cflogin decodes the Basic Authorization header and defines the
          cflogin structure (cflogin.name, cflogin.password) only when the
          client actually sent credentials. --->
    <cfif isDefined("cflogin")>
      <!--- Verify cflogin.name and cflogin.password using your own
            authentication mechanism here. This example accepts any
            credentials. When verification succeeds, call cfloginuser
            with the user's roles so roles-protected functions can
            check them. --->
      <cfset isAuthorized = true>
    </cfif>
  </cflogin>
  <cfif not isAuthorized>
    <!--- If the user does not pass a username/password, return a 401 error.
          The browser then prompts the user for a username/password. --->
    <cfheader statuscode="401">
    <cfheader name="WWW-Authenticate" value="Basic realm=""Test""">
    <cfabort>
  </cfif>
</cfsilent>
This example does not show how to perform user verification. For more information on verification, see Chapter 16, "Securing Applications," on page 345.
Assigning security roles to functions
ColdFusion components offer role-based security. The following example creates a component
method that deletes files:
<cfcomponent>
  <!--- Only a caller logged in (via cfloginuser) with the admin or manager
        role may invoke this remote method; any other caller is refused. --->
  <cffunction name="deleteFile" access="remote" roles="admin,manager">
    <!--- The path comes straight from the remote caller; this example
          relies on the roles check alone and applies no path restriction. --->
    <cfargument name="filepath" required="yes">
    <cffile action="DELETE" file="#arguments.filepath#">
  </cffunction>
</cfcomponent>
In the example, the cffunction tag includes the roles attribute to specify the user roles allowed to access it. In this example, only users in the role admin and manager can access the function. Notice that multiple roles are delimited by a comma.

Role-based security can be used with any ColdFusion component, not just for web services. For more information on roles, see Chapter 16, "Securing Applications," on page 345.
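As an added illustration, not code from the manual, the following Python sketch mirrors what the cflogin tag and the cffunction roles attribute do behind the two examples above: it decodes a Basic Authorization header, checks the credentials, builds the same 401 challenge, and applies a comma-delimited roles list. The user table, names and helper functions are assumptions made for this example.

```python
import base64
import binascii
import hmac

# Constructed user store (not from the manual): name -> (password, roles).
USERS = {
    "alice": ("s3cret", {"admin"}),
    "bob": ("hunter2", {"manager"}),
    "carol": ("pa:ss", {"user"}),  # password containing a colon
}

def build_basic_header(name, password):
    """Client side: the Authorization header a browser sends after a 401."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def parse_basic_auth(header):
    """Server side (what cflogin does): decode the header into (name, password).
    None if missing, not Basic, bad base64 or no colon; split on the first colon."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    name, sep, password = decoded.partition(":")
    return (name, password) if sep else None

def authenticate(header):
    """Return the caller's role set, or None when the 401 challenge is due."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    name, password = creds
    stored = USERS.get(name, ("", set()))
    # Run the comparison even for unknown names so timing does not reveal them.
    ok = hmac.compare_digest(stored[0].encode(), password.encode())
    if name not in USERS or not ok:
        return None
    return stored[1]

def challenge(realm="Test"):
    """The 401 response the Application.cfm example sends when not authorized."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

def allowed(user_roles, roles_attr):
    """Mirror cffunction's roles attribute: comma-delimited, any one match grants access."""
    required = {r.strip() for r in roles_attr.split(",") if r.strip()}
    return bool(user_roles & required)
```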
Publishing web services 727