Developing ColdFusion 9 Applications

Web server–based authentication user security example



The following example shows how to implement user security using web-server–based basic authentication and two roles, user and administrator.

This example has two ColdFusion pages:

  1. The Application.cfc page logs the user into the ColdFusion security system and assigns the user to specific roles based on the user’s ID.

    This page also includes the one-button form and logic for logging out a user, which appears at the top of each page.

  2. The securitytest.cfm page is a sample application page. It displays the logged-in user’s roles.

This simple example does not provide a user log-out interface. Test the security behavior by adding your own pages to the same directory as the Application.cfc page.

Example: Application.cfc

The Application.cfc page consists of the following:

<cfcomponent> 
<cfset This.name = "Orders"> 
<cffunction name="OnRequestStart"> 
    <cfargument name = "request" required="true"/> 
    <cflogin> 
        <cfif IsDefined("cflogin")> 
            <cfif cflogin.name eq "admin"> 
                <cfset roles = "user,admin"> 
            <cfelse> 
                <cfset roles = "user"> 
            </cfif> 
            <cfloginuser name = "#cflogin.name#" password = "#cflogin.password#" 
                roles = "#roles#" /> 
        <cfelse> 
            <!--- This should never happen. ---> 
            <h4>Authentication data is missing.</h4> 
            Try to reload the page or contact the site administrator. 
        <cfabort> 
        </cfif> 
    </cflogin> 
</cffunction> 
</cfcomponent>

Reviewing the code

The Application.cfc onRequestStart method executes before the code in each ColdFusion page in an application. For more information on the Application.cfc page and when it is executed, see Designing and Optimizing a ColdFusion Application.

The following table describes the CFML code in Application.cfc and its function:

Code

Description

 
<cfcomponent> 
<cfset This.name = "Orders"> 
<cffunction name="OnRequestStart"> 
    <cfargument name = "request" required="true"/>

Identifies the application and starts the onRequestStart method that runs at the starts of each request. The login information on this page only applies to this application.

 
<cflogin> 
    <cfif IsDefined("cflogin")> 
        <cfif cflogin.name eq "admin"> 
            <cfset roles = "user,admin"> 
        <cfelse> 
            <cfset roles = "user"> 
        </cfif>

Executes if there is no logged-in user.

Makes sure that the user is correctly logged in by the web server. (Otherwise, there would be no cflogin variable.)

Sets a roles variable based on the user’s ID. Assigns users named "admin" to the admin role. Assigns all other users to the users role.

 
<cfloginuser name = "#cflogin.name#" password = "#cflogin.password#" roles = "#roles#" />

Logs the user into the ColdFusion security system and specifies the user’s password, name, and roles. Gets the password and name directly from the cflogin structure.

 
<cfelse> 
    <!--- This should never happen. ---> 
    <h4>Authentication data is missing.</h4> 
    Try to reload the page or contact the site administrator. 
    <cfabort>

This code should never run, but if the user somehow got to this page without logging in to the web server, this message would display and ColdFusion would stop processing the request.

 
</cfif> 
</cflogin> 
</cffunction> 
</cfcomponent>

Ends the if/else block.

Ends the cflogin tag body.

Ends the onRequestStart method.

Ends the Application component.

Example: securitytest.cfm

The securitytest.cfm page shows how any application page uses ColdFusion user authorization features. The web server ensures the existence of an authenticated user, and the Application.cfc page ensures that the user is assigned to roles the page content appears. The securitytest.cfm page uses the IsUserInAnyRole and GetAuthUser functions to control the information that is displayed.

The securitytest.cfm page consists of the following:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 
<html> 
<head> 
    <title>Basic authentication security test page</title> 
</head> 
 
<body> 
<cfoutput> 
    <h2>Welcome #GetAuthUser()#!</h2> 
</cfoutput> 
 
ALL Logged-in Users see this message.<br> 
<br> 
<cfscript> 
    if (IsUserInRole("admin")) 
        WriteOutput("Users in the admin role see this message.<br><br>"); 
    if (IsUserInRole("user")) 
        WriteOutput("Everyone in the user role sees this message.<br><br>"); 
</cfscript> 
 
</body> 
</html>

Reviewing the code

The following table describes the securitytest.cfm page CFML code and its function:

Code

Description

 
<cfoutput> 
    <h2>Welcome #GetAuthUser()#!</h2> 
</cfoutput>

User is already logged in by Application.cfc. Displays a welcome message that includes the user’s login ID.

 
ALL Logged-in Users see this message.<br> 
<br>

Displays this message in all cases. The page does not display until a user is logged in.

 
<cfscript> 
    if (IsUserInRole("admin")) 
        WriteOutput("Users in the admin role see this message.<br><br>"); 
    if (IsUserInRole("user")) 
        WriteOutput("Everyone in the user role sees this message.<br><br>"); 
</cfscript>

Tests whether the user belongs to each of the valid roles. If the user is in a role, displays a message with the role name.

The user sees one message per role to which the user belongs.