The following sample pages illustrate how you might implement user security by authenticating users and then allowing users to see or use only the resources that they are authorized to use.
In this example, a user requests a page in an application named Orders, which is part of a security context, also named Orders, that governs pages and resources for an order-tracking application.
User security is generally handled in two steps: first the user is authenticated (proves who they are with a username and password), and then each request is authorized (the authenticated user is allowed to see or use only the resources granted to them in the security context).
If the user passes the authentication test, ColdFusion issues the cfauth cookie to carry the user's authentication state to subsequent application pages governed by this Application.cfm page.
The following example code for an Application.cfm page first checks whether the current user is already authenticated. If not, it checks whether a login form was submitted; if the submitted username and password can be authenticated for the current security context, the user passes through and the requested page is served.
If the Application.cfm page does not receive the user's login information from the previous page, or the submitted credentials are rejected, it prompts the user to provide a username and password. The user's response is checked against the list of valid users defined for the current security context.
If the user passes the authentication step, the requested page appears. The application uses the CGI variables script_name and query_string to keep track of the originally requested page so that it can display that page after the user is authenticated.
All pages governed by this Application.cfm page, that is, those in the same directory as Application.cfm and in its subtree, automatically invoke this authentication test.
Note: To use this code in your own Application.cfm page, change the application name and security context name to match your own application and security context names.
<cfapplication name="Orders">
<cfif NOT IsAuthenticated()>
<!--- The user is not authenticated --->
<cfset showlogin="No">
<cfif IsDefined("form.username") AND IsDefined("form.password")>
<!--- The login form was submitted. Try authenticating --->
<cftry>
<cfauthenticate securityContext="Orders"
username="#form.username#"
password="#form.password#"
setCookie="YES">
<cfcatch type="security">
<!--- Security error in login occurred. Show login again --->
<h3>Invalid Login</h3>
<cfset showlogin="Yes">
</cfcatch>
</cftry>
<cfelse>
<!--- The login was not detected. Show login again--->
<cfset showlogin="Yes">
</cfif>
<!--- Show the login form --->
<cfif showlogin>
<!--- Recreate the url used to call the requested page --->
<cfset url="#cgi.script_name#">
<cfif cgi.query_string IS NOT "">
<cfset url=url & "?#cgi.query_string#">
</cfif>
<!--- The login form.
Submitting the form re-requests the originally requested page
using the recreated url. The url contains the client-supplied query string,
so it is HTML-escaped before being placed in the action attribute; otherwise
an attacker-crafted URL could break out of the attribute and inject markup --->
<cfoutput>
<form action="#HTMLEditFormat(url)#" method="Post">
<table>
<tr>
<td>username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>password:</td>
<td><input type="password" name="password"></td>
</tr>
</table>
<input type="submit" value="Login">
</form>
</cfoutput>
<cfabort>
</cfif>
</cfif>
Inside application pages, you can use the IsAuthorized function to check whether an authenticated user is authorized to access the protected resources, and then display only the authorized resources.
The following sample page appears to users who pass the authentication test in the previous Application.cfm page. It uses the IsAuthorized function to test whether the authenticated user is allowed to update or select data from a data source.
<!--- First, check whether a form button was submitted --->
<cfif IsDefined("Form.btnUpdate")>
    <!--- Is the user authorized to update information in the Orders data source? --->
    <cfif IsAuthorized("DataSource", "Orders", "update")>
        <!--- Bind the form values as parameters rather than pasting them into the SQL,
              so a user who is authorized to update cannot inject SQL of their own --->
        <cfquery name="AddItem" datasource="Orders">
            INSERT INTO Orders (Customer, OrderID)
            VALUES (<cfqueryparam value="#form.Customer#" cfsqltype="CF_SQL_VARCHAR">,
                    <cfqueryparam value="#form.OrderID#" cfsqltype="CF_SQL_INTEGER">)
        </cfquery>
        <!--- An INSERT returns no result set, so echo the submitted values instead --->
        <cfoutput>
            Authorization Succeeded. Order information added: #HTMLEditFormat(form.Customer)# - #form.OrderID#<br>
        </cfoutput>
    <cfelse>
        <cfabort showerror="You are not allowed to update order information.">
    </cfif>
</cfif>
<!--- Is the user authorized to select information from the Orders data source? --->
<cfif IsAuthorized("DataSource", "Orders", "select")>
    <cfquery name="GetList" datasource="Orders">
        SELECT * FROM Orders
    </cfquery>
    Authorization Succeeded. Order information follows:
    <cfoutput query="GetList">
        #HTMLEditFormat(Customer)# - #BalanceDue#<br>
    </cfoutput>
<cfelse>
    <cfabort showerror="You cannot view order information.">
</cfif>
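The two sample pages each check a single resource. A page that serves as an entry point usually needs to render only the parts of the interface the current user may actually use, across several resource types. The following menu page is an added example and is not code from the original documentation; it assumes it is governed by the Orders Application.cfm above, asks IsAuthorized about a short list of resources, and renders only the links that were granted, falling back to a deny-by-default message. The resource names (the Orders data source and a hypothetical OrderReports file resource), the action names, and the link targets are assumptions and must match the rules the administrator defined in the Orders security context.

```cfml
<!--- menu.cfm: show only the actions the authenticated user is authorized to perform.
      Added example; assumes this page sits under the Orders Application.cfm, so the
      user has already been authenticated before this page runs. --->
<cfif NOT IsAuthenticated()>
    <!--- Defense in depth: do not rely on Application.cfm alone --->
    <cfabort showerror="You must log in first.">
</cfif>

<!--- Candidate menu entries: resourceType|resourceName|action|label|link, separated by ";".
      Resource, action and link names are assumptions for this example. --->
<cfset menuRules = "DataSource|Orders|select|View orders|orders.cfm;"
                 & "DataSource|Orders|update|Add an order|orders.cfm?mode=add;"
                 & "DataSource|Orders|delete|Cancel an order|cancel.cfm;"
                 & "File|OrderReports|read|Download order reports|reports.cfm">

<!--- Ask the security context about each entry and keep only the granted ones --->
<cfset allowedLinks = ArrayNew(1)>
<cfloop list="#menuRules#" index="rule" delimiters=";">
    <cfset resType = ListGetAt(rule, 1, "|")>
    <cfset resName = ListGetAt(rule, 2, "|")>
    <cfset action  = ListGetAt(rule, 3, "|")>
    <cfset label   = ListGetAt(rule, 4, "|")>
    <cfset link    = ListGetAt(rule, 5, "|")>
    <cfif IsAuthorized(resType, resName, action)>
        <cfset ArrayAppend(allowedLinks, "#label#|#link#")>
    </cfif>
</cfloop>

<cfoutput>
<!--- GetAuthUser returns the username authenticated by cfauthenticate --->
<h3>Welcome, #HTMLEditFormat(GetAuthUser())#</h3>
<cfif ArrayLen(allowedLinks) EQ 0>
    <!--- Deny by default: an authenticated user with no grants sees nothing actionable --->
    <p>You are logged in but have not been granted access to any order resources.</p>
<cfelse>
    <ul>
    <cfloop index="i" from="1" to="#ArrayLen(allowedLinks)#">
        <li><a href="#ListGetAt(allowedLinks[i], 2, '|')#">#HTMLEditFormat(ListGetAt(allowedLinks[i], 1, '|'))#</a></li>
    </cfloop>
    </ul>
</cfif>
</cfoutput>
```

Hiding a link is a usability measure, not access control: each target page (orders.cfm, cancel.cfm, reports.cfm in this example) must repeat the IsAuthorized check for the action it performs, exactly as the sample order page above does, because a user can request any URL directly regardless of what the menu showed.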