Adobe COLDFUSION 9 Manual page 355

Developing applications

DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications
Last updated 8/5/2010

An application authentication security scenario

An application that does its own authentication works as follows. The example in "Application-based user security example" on page 356 implements this scenario.

1. Whenever ColdFusion receives a request for a ColdFusion page, it instantiates the Application.cfc and runs the onRequestStart method. If you use an Application.cfm page in place of Application.cfc, ColdFusion runs the contents of the Application.cfm page before it runs the requested page. The onRequestStart method or Application.cfm page contains the cflogin tag. ColdFusion executes the cflogin tag body if the user is not logged in. A user is logged in if the cfloginuser tag has run during the current session and the user had not been logged out by a cflogout tag.

2. Code in the cflogin tag body checks to see if it has received a user ID and password, normally from a login form.

3. If there is no user ID or password, the code in the cflogin tag body displays a login form that asks for the user's ID and password.
   The form posts the login information back to the originally requested page, and the cflogin tag in the onRequestStart method or the Application.cfm page runs again. This time, the cflogin tag body code checks the user name and password against a database, LDAP directory, or other policy store, to ensure that the user is valid and get the user's roles.

4. If the user name and password are valid, the cflogin tag body code calls the cfloginuser tag with the user's ID, password, and roles, to identify the user to ColdFusion.

5. When the user is logged in, application pages use the IsUserInAnyRole function to check whether the user belongs to a role before they run protected code that must be available only to users in that role.
   The application can use the GetAuthUser function to determine the user ID; for example, to display the ID for personalization. It can also use the ID as a database key to get user-specific data.

6. Each application page displays a link to a logout form that uses the cflogout tag to log out the user. Typically, the logout link is in a page header that appears in all pages. The logout form can also be in the Application.cfc (for example, in the onRequestStart or onRequestEnd method) or on the Application.cfm page.

Although this scenario shows one method for implementing user security, it is only an example. For example, your application could require users to log in for only some pages, such as pages in a folder that contains administrative functions. When you design your user security implementation, remember the following:

• Code in the cflogin tag body executes only if there is no user logged in.
• With application authentication, you write the code that gets the identification from the user and tests this information against a secure credential store.
• After you have authenticated the user, you use the cfloginuser tag to log the user into ColdFusion.
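
Steps 1 through 5 of the scenario above as a single Application.cfc, added here as an illustration and not taken from the Adobe manual or its example on page 356. The datasource appDSN, the app_users table and its columns, the loginform.cfm template and the /admin/ folder check are assumptions.

```cfml
<!--- Added example, not from the Adobe manual. appDSN, app_users and its columns,
     loginform.cfm and the /admin/ folder are assumed names. --->
<cfcomponent output="false">
  <cfset this.name = "AuthScenarioDemo">
  <cfset this.sessionManagement = true>
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">

    <!--- Steps 1-4: the cflogin body runs only when no user is logged in --->
    <cflogin>
      <cfif not isDefined("cflogin")>
        <!--- Step 3: no credentials yet; the form posts j_username and j_password --->
        <cfinclude template="loginform.cfm">
        <cfabort>
      </cfif>

      <!--- Bind the user ID as a parameter; never build the SQL by concatenation --->
      <cfquery name="acct" datasource="appDSN">
        SELECT user_id, pw_salt, pw_hash, roles
        FROM app_users
        WHERE user_id = <cfqueryparam value="#cflogin.name#"
                          cfsqltype="cf_sql_varchar" maxlength="64">
      </cfquery>

      <!--- Salted single-pass hash shown for brevity; use a slow password hash
           where the platform provides one. compare() is case-sensitive. --->
      <cfif acct.recordCount eq 1 and
            compare(acct.pw_hash, hash(acct.pw_salt & cflogin.password, "SHA-512")) eq 0>
        <!--- Step 4: identify the user and roles to ColdFusion --->
        <cfloginuser name="#acct.user_id#" password="#cflogin.password#"
                     roles="#acct.roles#">
      <cfelse>
        <!--- Same response for unknown ID and wrong password --->
        <cfset request.loginError = "Invalid user ID or password.">
        <cfinclude template="loginform.cfm">
        <cfabort>
      </cfif>
    </cflogin>

    <!--- Step 5: role check before any page under the assumed /admin/ folder runs --->
    <cfif findNoCase("/admin/", arguments.targetPage) eq 1 and not isUserInAnyRole("admin")>
      <cfheader statuscode="403" statustext="Forbidden">
      <cfabort>
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

Because the role check sits after the cflogin tag, it runs on every request, including the one that has just logged the user in.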
