wannab0133

Page Authentication

Apr 21, 2012 9:38 AM

I have an application where I am setting user roles using cfloginuser.  I restrict some pages depending on roles.  I am just using an if statement at the top of the page similar to this:

 

<cfif IsUserInRole("admin")>
    PAGE CONTENT
<cfelse>
    <cflocation url="unathorized.cfm" addtoken="no">
</cfif>

 

This is working fine, but I am now wanting to expand the roles.  I want to display or reject each page depending on the roles.  However, I am not wanting to add an if statement to every page.  Can anyone point me to a better method?  I know I am missing something very easy, but I would like an easy non-obtrusive way to do this.  Thanks for the suggestions.

 
Replies
  • Apr 22, 2012 3:44 AM   in reply to wannab0133

    You could shift the logic into the onRequest() interceptor, perhaps?

     

    --

    Adam

     
    |
    Mark as:
  • Currently Being Moderated
    Apr 26, 2012 1:42 AM   in reply to wannab0133

    Just a suggestion; I don't know whether it is applicable to your case or not.

     

    - If we store the user roles in a session variable and store the secured-page information in a cache, and then do the same as Adam suggested, then I think it will improve the execution time.

     
    |
    Mark as:
  • Currently Being Moderated
    Apr 26, 2012 1:47 AM   in reply to wannab0133

    I broke down and put the logic in the onRequest function of Application.cfc.  I went ahead and made a table and added a record for every secured page and the role required to view it.  I just didn't want to have to read a table for every page load, but it works fine.  If anyone has a better suggestion, I'd love to hear it.  Thanks.

     

    Well that stuff is application-wide, yes?  So you could just load it once in onApplicationStart, and put it in an application variable.

     

    --
    Adam

     
    |
    Mark as:
  • Currently Being Moderated
    Apr 26, 2012 8:53 AM   in reply to wannab0133

    wannab0133 wrote:

     

    I have an application where I am setting user roles using cfloginuser.  I restrict some pages depending on roles.  I am just using an if statement at the top of the page similar to this:

     

    <cfif IsUserInRole("admin")>
        PAGE CONTENT
    <cfelse>
        <cflocation url="unathorized.cfm" addtoken="no">
    </cfif>

     

    This is working fine, but I am now wanting to expand the roles.  I want to display or reject each page depending on the roles.  However, I am not wanting to add an if statement to every page.  Can anyone point me to a better method?  I know I am missing something very easy, but I would like an easy non-obtrusive way to do this.  Thanks for the suggestions.

    Did you say non-obtrusive? I find this a tigress of a question masquerading as a homely pussycat!

     

    First of all, there are known restrictions in any implementation of onRequest in Application.cfc. For example, you won't be able to run CFCs for web services, flash remoting or event gateways.

     

    Login, permissions and page flow are determined on a request by request basis. Therefore, the code you need will have to be in a scope that is more fine-grained than session or application. That brings us to request. Since we have ruled out the onRequest event, we have to settle for the only remaining contender, onRequestStart.

     

    Let's say, for simplicity, that user IDs are U1, U2, U3, ... and so on. Similarly we assume role IDs are R1, R2, ... and authorized-page IDs, P1, P2, P3, .... That you can use onRequestStart to do login and assign roles is an established fact.

     

    Such login and permission assignment are essentially a product of the relation between the set of users, U = {U1, U2, U3, ...} and the set of roles, R = {R1, R2, R3, ...}. The functionality you seek is between the set R and the set of pages, P = {P1, P2, P3, ...}. Sounds all nice and easy until we stumble on the fact that the relations U <=> R and R <=> P are many-to-many. You cannot translate a many-to-many relation directly into a relational database model. This means you will likely have to redesign your database model.

     

    One way to solve the problem is to introduce so-called junction tables within the relations U <=> R and R <=> P. Whatever design route you choose to follow, there is one well-known guideline that will ensure you stay on course, Ferraiolo and Kuhn's Role-Based Access Control (RBAC). This is everything but non-obtrusive, I hope you will agree!

     
    |
    Mark as:
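A complete Application.cfc that puts together what the thread converges on: load the page/role table once in onApplicationStart, then enforce it on every request in onRequestStart. This is an added example, not code from the thread or from any poster; the secured_pages table, the myDSN datasource and /unauthorized.cfm are assumed names.

```cfml
<!--- Application.cfc (added example; hypothetical table secured_pages(page_path, role_name)
      and datasource "myDSN" are assumptions, not from the thread) --->
<cfcomponent output="false">
    <cfset this.name = "roleGuardDemo">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">
    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Read the page/role table once and cache it in the application scope --->
        <cfset var q = "">
        <cfset var map = structNew()>
        <cfset var key = "">
        <cfquery name="q" datasource="myDSN">
            SELECT page_path, role_name FROM secured_pages
        </cfquery>
        <cfloop query="q">
            <!--- page_path is web-root relative, e.g. /admin/users.cfm, same form as targetPage --->
            <cfset key = lcase(trim(q.page_path))>
            <cfif NOT structKeyExists(map, key)>
                <cfset map[key] = "">
            </cfif>
            <cfset map[key] = listAppend(map[key], trim(q.role_name))>
        </cfloop>
        <cfset application.securedPages = map>
        <cfreturn true>
    </cffunction>
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var key = lcase(arguments.targetPage)>
        <cfset var role = "">
        <cfset var allowed = false>
        <!--- The application's existing cflogin / cfloginuser code belongs here --->
        <!--- Pages missing from the table are public, matching the poster's design;
              redirect here instead if every page should require a role (fail closed) --->
        <cfif NOT structKeyExists(application.securedPages, key)>
            <cfreturn true>
        </cfif>
        <!--- A page may allow several roles; membership in any one of them is enough --->
        <cfloop list="#application.securedPages[key]#" index="role">
            <cfif IsUserInRole(role)>
                <cfset allowed = true>
                <cfbreak>
            </cfif>
        </cfloop>
        <cfif NOT allowed>
            <cflocation url="/unauthorized.cfm" addtoken="no">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Do not list /unauthorized.cfm itself in the table, or the redirect loops for users without the role. The cached map is only rebuilt when the application restarts, so table edits need an application restart (or an explicit reload) to take effect.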
