Example of User Authentication and Authorization

The following sample pages illustrate how you might implement user security by authenticating users and then allowing users to see or use only the resources that they are authorized to use.

In this example, a user requests a page in an application named Orders, which is part of a security context, also named Orders, that governs pages and resources for an order-tracking application.

User security is generally handled in two steps:

  1. The Application.cfm page checks to see whether the current user is authenticated. If not, the page presents a login form and the user must submit a username and password for authentication.

    If the user passes the authentication test, ColdFusion sets the cfauth cookie (because the example calls cfauthenticate with setCookie="Yes"); that cookie carries the user's authentication state to subsequent application pages governed by this Application.cfm page, so the user is not prompted again on every request.

  2. Only authenticated users can access the requested application page for selecting and updating customer orders in a database. This page checks to see which resources the authenticated user is authorized to see and use.

Authenticating users in Application.cfm

The following example code for an Application.cfm page first calls IsAuthenticated to see whether the current user is already authenticated. If not, it checks whether a login form was submitted with the current request. If the submitted username and password can be authenticated for the current security context, the user passes through and the requested page is served.

If the Application.cfm page does not receive the user's login information from the previous page, it prompts the user to provide a username and password. The user's response is checked against the list of valid users defined for the current security context.

If the user passes the authentication step, the requested page appears. The application uses the CGI variables script_name and query_string to keep track of the originally requested page so that it can display that page after the user is authenticated.

All pages governed by this Application.cfm page - those in the same directory as Application.cfm and in its subtree, unless a subdirectory supplies its own Application.cfm - automatically invoke this authentication test, so no individual page can be reached without passing it.


Note

To use this code in your own Application.cfm page, change the application name and security context name to match your application and security names.


Example: Application.cfm

<cfapplication name="Orders">

<cfif NOT IsAuthenticated()>
  <!--- The user is not authenticated --->
  <cfset showLogin="No">
  <cfif IsDefined("form.username") AND IsDefined("form.password")>
    <!--- The login form was submitted. Try authenticating --->
    <cftry>
      <cfauthenticate securityContext="Orders"
        username="#form.username#"
        password="#form.password#"
        setCookie="Yes">
      <cfcatch type="security">
        <!--- Authentication failed. Show the login form again.
              Keep the message generic: do not reveal whether the
              username or the password was wrong. --->
        <h3>Invalid Login</h3>
        <cfset showLogin="Yes">
      </cfcatch>
    </cftry>
  <cfelse>
    <!--- No login form was submitted. Show the login form --->
    <cfset showLogin="Yes">
  </cfif>

  <!--- Show the login form --->
  <cfif showLogin>
    <!--- Recreate the URL used to call the requested page.
          "url" is the name of a ColdFusion scope, so the variable
          is called returnURL instead. --->
    <cfset returnURL=cgi.script_name>
    <cfif cgi.query_string IS NOT "">
      <cfset returnURL=returnURL & "?" & cgi.query_string>
    </cfif>

    <!--- The login form.
          Submitting the form re-requests the originally requested page
          using the recreated URL. cgi.query_string is supplied by the
          client, so it is HTML-escaped before being placed in the
          action attribute. --->
    <cfoutput>
      <form action="#HTMLEditFormat(returnURL)#" method="Post">
        <table>
          <tr>
            <td>username:</td>
            <td><input type="text" name="username"></td>
          </tr>
          <tr>
            <td>password:</td>
            <td><input type="password" name="password"></td>
          </tr>
        </table>
        <input type="submit" value="Login">
      </form>
    </cfoutput>
    <!--- Stop here so the requested page is not served --->
    <cfabort>
  </cfif>
</cfif>
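The login above has no counterpart for ending the session. The following logout.cfm is an added example, not part of the original sample; it assumes that the cookie written by cfauthenticate with setCookie="Yes" is named CFAUTH, that AuthenticatedUser() returns the current username, and that orders.cfm is the page to return to.

```cfml
<!--- logout.cfm (added example; CFAUTH cookie name, AuthenticatedUser()
      and the orders.cfm target are assumptions, not from the original page) --->

<!--- Only an authenticated user has a session to end --->
<cfif IsAuthenticated()>
  <cfoutput>
    <p>Logging out #HTMLEditFormat(AuthenticatedUser())#.</p>
  </cfoutput>

  <!--- Expire the authentication cookie in the browser. The next
        request arrives without a valid CFAUTH cookie, so
        IsAuthenticated() in Application.cfm returns false and the
        login form is shown again. --->
  <cfcookie name="CFAUTH" value="" expires="NOW">
</cfif>

<!--- Return to the application; addtoken="No" keeps any client
      identifiers out of the URL --->
<cflocation url="orders.cfm" addtoken="No">
```

Note that IsAuthenticated() is evaluated from the cookie that arrived with the current request, so it still reports true for the remainder of this page; the redirect is what makes the logged-out state take effect.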

Checking for authentication and authorization

Inside application pages, you can use the IsAuthorized function to check whether an authenticated user is authorized to access the protected resources, and then display only the authorized resources.

The following sample page appears to users who pass the authentication test in the previous Application.cfm page. It uses the IsAuthorized function to test whether authenticated users are allowed to update or select data from a data source.

Example: orders.cfm

<!--- First, check whether the update form button was submitted --->
<cfif IsDefined("Form.btnUpdate")>
  <!--- Is the user authorized to update the Orders data source? --->
  <cfif IsAuthorized("DataSource", "Orders", "update")>
    <!--- Customer and OrderID come from the submitted form. Bind them
          as query parameters rather than interpolating them into the
          SQL: this blocks SQL injection and enforces the column types. --->
    <cfquery name="AddItem" datasource="Orders">
      INSERT INTO Orders (Customer, OrderID)
      VALUES (<cfqueryparam value="#Form.Customer#" cfsqltype="CF_SQL_VARCHAR">,
              <cfqueryparam value="#Form.OrderID#" cfsqltype="CF_SQL_INTEGER">)
    </cfquery>
    <!--- An INSERT returns no result set, so report the submitted
          values rather than looping over the query --->
    <cfoutput>
      Authorization Succeeded. Order information added:
      #HTMLEditFormat(Form.Customer)# - #Form.OrderID#<br>
    </cfoutput>
  <cfelse>
    <cfabort showerror="You are not allowed to update order information.">
  </cfif>
</cfif>

<!--- Is the user authorized to select from the Orders data source? --->
<cfif IsAuthorized("DataSource", "Orders", "select")>
  <cfquery name="GetList" datasource="Orders">
    SELECT Customer, BalanceDue
    FROM Orders
  </cfquery>
  Authorization Succeeded. Order information follows:
  <cfoutput query="GetList">
    #HTMLEditFormat(Customer)# - #BalanceDue#<br>
  </cfoutput>
<cfelse>
  <cfabort showerror="You cannot view order information.">
</cfif>
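The page above checks one action per branch. The following orderadmin.cfm is an added example, not part of the original sample, that generalizes the same IsAuthorized pattern: it computes once which data source actions the user holds, shows only the controls for those actions, and refuses any operation the client requests that the server did not grant. It assumes the Orders security context and data source used above, that "insert" and "delete" are valid DataSource action names alongside the "select" and "update" the page uses, that AuthenticatedUser() returns the current username, and a form posting OrderID, Customer, BalanceDue and a submit field named op.

```cfml
<!--- orderadmin.cfm (added example). Assumptions: Orders context and
      data source; "insert"/"delete" action names; AuthenticatedUser();
      form fields OrderID, Customer, BalanceDue, op. --->

<!--- Work out once which data source actions this user holds --->
<cfset granted="">
<cfloop list="select,insert,update,delete" index="act">
  <cfif IsAuthorized("DataSource", "Orders", act)>
    <cfset granted=ListAppend(granted, act)>
  </cfif>
</cfloop>

<cfif IsDefined("Form.op")>
  <!--- Deny by default: the client may only request an operation the
        server granted. The error does not echo Form.op back. --->
  <cfif NOT ListFindNoCase(granted, Form.op)>
    <cfabort showerror="You are not allowed to perform that operation.">
  </cfif>

  <!--- Validate input types before the database sees them --->
  <cfif NOT IsDefined("Form.OrderID") OR NOT IsNumeric(Form.OrderID)>
    <cfabort showerror="OrderID must be a whole number.">
  </cfif>
  <cfif ListFindNoCase("insert,update", Form.op)
        AND (NOT IsDefined("Form.BalanceDue") OR NOT IsNumeric(Form.BalanceDue))>
    <cfabort showerror="BalanceDue must be a number.">
  </cfif>

  <!--- Every value reaches SQL through cfqueryparam, never by
        interpolation, so a hostile Customer string cannot alter the query --->
  <cfswitch expression="#Form.op#">
    <cfcase value="insert">
      <cfquery datasource="Orders">
        INSERT INTO Orders (OrderID, Customer, BalanceDue)
        VALUES (<cfqueryparam value="#Form.OrderID#" cfsqltype="CF_SQL_INTEGER">,
                <cfqueryparam value="#Form.Customer#" cfsqltype="CF_SQL_VARCHAR" maxlength="80">,
                <cfqueryparam value="#Form.BalanceDue#" cfsqltype="CF_SQL_DECIMAL">)
      </cfquery>
    </cfcase>
    <cfcase value="update">
      <cfquery datasource="Orders">
        UPDATE Orders
        SET BalanceDue = <cfqueryparam value="#Form.BalanceDue#" cfsqltype="CF_SQL_DECIMAL">
        WHERE OrderID = <cfqueryparam value="#Form.OrderID#" cfsqltype="CF_SQL_INTEGER">
      </cfquery>
    </cfcase>
    <cfcase value="delete">
      <cfquery datasource="Orders">
        DELETE FROM Orders
        WHERE OrderID = <cfqueryparam value="#Form.OrderID#" cfsqltype="CF_SQL_INTEGER">
      </cfquery>
    </cfcase>
  </cfswitch>
  <!--- Form.op was matched against the granted list and OrderID is
        numeric, so both are safe to echo --->
  <cfoutput><p>#Form.op# completed for order #Form.OrderID#.</p></cfoutput>
</cfif>

<!--- Listing and controls: only render what the user may actually do --->
<cfif ListFindNoCase(granted, "select")>
  <cfquery name="GetList" datasource="Orders">
    SELECT OrderID, Customer, BalanceDue
    FROM Orders
  </cfquery>
  <cfoutput>
    <p>Signed in as #HTMLEditFormat(AuthenticatedUser())#;
       granted actions: #HTMLEditFormat(granted)#</p>
    <table>
      <tr><th>Order</th><th>Customer</th><th>Balance due</th></tr>
      <cfloop query="GetList">
        <tr><td>#OrderID#</td><td>#HTMLEditFormat(Customer)#</td><td>#BalanceDue#</td></tr>
      </cfloop>
    </table>
    <form action="orderadmin.cfm" method="Post">
      OrderID: <input type="text" name="OrderID">
      Customer: <input type="text" name="Customer">
      BalanceDue: <input type="text" name="BalanceDue">
      <cfloop list="insert,update,delete" index="act">
        <cfif ListFindNoCase(granted, act)>
          <input type="submit" name="op" value="#act#">
        </cfif>
      </cfloop>
    </form>
  </cfoutput>
<cfelse>
  <cfabort showerror="You cannot view order information.">
</cfif>
```

Hiding a button is a usability measure only; the server-side ListFindNoCase check against the granted list is what enforces authorization, because a client can post any op value it likes.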




