Adobe COLDFUSION 9 Manual page 348

Developing applications
DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications
Note: Dreamweaver and Studio MX do not support NTLM security with RDS. Therefore, you cannot use RDS with these applications if the ColdFusion RDS servlet (cf_root/CFIDE/main/ide.cfm) is in a directory that is protected using NTLM security.

In web server authentication, the web server requires the user to log in to access pages in a particular directory, as follows:

1. When the user first requests a page in the secured directory, the web server notifies the browser that the requested page requires credentials (a user ID and password).

Basic HTTP authentication sends the user ID and password in a base64-encoded string with each request. Use SSL (Secure Sockets Layer) for all page transactions, to protect the user ID and password from unauthorized access. For more information on SSL and the keytool utility, see "About LDAP Server Security" on page 475.

2. The browser prompts the user for the credentials.

3. The user supplies the credentials and the browser sends the information back to the web server along with the original request.

4. The web server checks the user ID and password, using its own user authentication mechanism.

5. If the user logs in successfully, the browser caches the authentication information and sends it in an HTTP Authorization header with every subsequent page request from the user.

6. The web server processes the requested page and all future page requests from the browser that contain the HTTP Authorization header, if it is valid for the requested page.

You can use web server authentication without using any ColdFusion security features. In this case, you configure and manage all user security through the web server's interfaces.

You can also use web server authentication with ColdFusion application authentication, and thus use ColdFusion security for authorization. If the web server uses basic HTTP authentication, the ColdFusion cflogin tag provides access to the user ID and password that the user entered to log in to the web server. If the web server uses Digest or NTLM authentication, the cflogin tag normally gets the user ID, but not the password.

As a result, your application relies on the web server to authenticate the user against its user and password information, and does not have to display a login page. You use the cflogin and cfloginuser tags to log the user into the ColdFusion user security system, and use the IsUserInAnyRole and GetAuthUser functions to ensure user authorization. For more information on this form of security, see "A web server authentication security scenario" on page 349.

Note: If a user has logged in using web server authentication and has not logged in using ColdFusion application authentication, the GetAuthUser function returns the web server user ID. You could use this feature to combine web server authentication with application authorization based on the user's ID.

Application authentication

With application authentication, you do not rely on the web server to enforce application security. The application performs all user authentication and authorization. The application displays a login page, checks the user's identity and login against its own authorization store, such as an LDAP directory or database, and logs the user into ColdFusion using the cfloginuser tag. The application then uses the IsUserInAnyRole and GetAuthUser functions to check the user's roles or identity for authorization before running a ColdFusion page or specific code on a page. For an example of application authentication use, see "An application authentication security scenario" on page 350.

Last updated 8/5/2010
343
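The following Application.cfc is an example added here to illustrate both models described on this page (web server authentication combined with ColdFusion authorization, and application authentication with the application's own login page); it is not code from the Adobe manual or from the scenarios it refers to. It assumes a constructed in-memory user/role store (a real application would query LDAP or a database), treats a request carrying the j_username form field as an application login and any other populated cflogin scope as web server authentication, and applies a hypothetical rule that pages under /admin/ require the editor role.

```cfml
<!--- Application.cfc (added example, not from the ColdFusion 9 manual).
      Two ways the cflogin scope gets populated:
        * web server authentication: the web server (Basic auth) has already checked
          the user, and cflogin.name / cflogin.password come from the HTTP
          Authorization header that the browser sends with every request;
        * application authentication: no web server login, so this application shows
          its own login form; cflogin reads the j_username / j_password fields.
      Basic auth only base64-encodes the credentials, so serve these pages over SSL. --->
<cfcomponent output="false">
    <cfset this.name = "authModelsDemo">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">

    <!--- Constructed store for illustration: user ID -> password hash and roles.
          A production store would hold salted hashes in LDAP or a database. --->
    <cfset variables.userStore = structNew()>
    <cfset variables.userStore["alice"] = { passwordHash = hash("alice-pw", "SHA-512"), roles = "editor,user" }>
    <cfset variables.userStore["bob"]   = { passwordHash = hash("bob-pw", "SHA-512"),   roles = "user" }>

    <cffunction name="rolesForUser" returntype="string" output="false">
        <cfargument name="userId" type="string" required="true">
        <cfif structKeyExists(variables.userStore, arguments.userId)>
            <cfreturn variables.userStore[arguments.userId].roles>
        </cfif>
        <cfreturn "">
    </cffunction>

    <cffunction name="passwordValid" returntype="boolean" output="false">
        <cfargument name="userId" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <!--- compare() is case-sensitive and returns 0 when the strings are equal --->
        <cfreturn structKeyExists(variables.userStore, arguments.userId)
            and compare(variables.userStore[arguments.userId].passwordHash,
                        hash(arguments.password, "SHA-512")) eq 0>
    </cffunction>

    <cffunction name="showLoginForm" returntype="void" output="true">
        <!--- The login page for application authentication; cflogin reads these field names --->
        <cfoutput>
        <form method="post" action="#cgi.SCRIPT_NAME#">
            User ID: <input type="text" name="j_username">
            Password: <input type="password" name="j_password">
            <input type="submit" value="Log in">
        </form>
        </cfoutput>
        <cfabort>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var roles = "">
        <cfset var fromLoginForm = structKeyExists(form, "j_username")>

        <cflogin>
            <!--- cflogin structure is present only when credentials arrived --->
            <cfif not isDefined("cflogin")>
                <!--- Neither an Authorization header nor a form post: application
                      authentication, so display the login page --->
                <cfset showLoginForm()>
            </cfif>

            <cfif fromLoginForm>
                <!--- Application authentication: verify against our own store --->
                <cfif passwordValid(cflogin.name, cflogin.password)>
                    <cfset roles = rolesForUser(cflogin.name)>
                <cfelse>
                    <cfset showLoginForm()>
                </cfif>
            <cfelse>
                <!--- Web server authentication: the web server already checked the
                      credentials, so only the roles need looking up. With Digest or
                      NTLM the password is not available, but the user ID is. --->
                <cfset roles = rolesForUser(cflogin.name)>
            </cfif>

            <!--- Log the user into the ColdFusion security system --->
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
        </cflogin>

        <!--- Authorization (hypothetical rule): pages under /admin/ need the editor role --->
        <cfif findNoCase("/admin/", arguments.targetPage) and not isUserInAnyRole("editor")>
            <cfoutput><p>User #getAuthUser()# is not authorized to view this page.</p></cfoutput>
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

With web server authentication enabled on the directory, the browser's Authorization header populates cflogin on every request and the form is never shown; without it, the first request renders the form and the posted j_username/j_password are checked by the application. In both cases GetAuthUser and IsUserInAnyRole work the same way afterwards, which is the point of routing both models through cfloginuser.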