5 Replies Latest reply: Apr 26, 2012 8:53 AM by BKBK RSS

    Page Authentication

    wannab0133

      I have an application where I am setting user roles using cfloginuser.  I restrict some pages depending on roles.  I am just using a if statement at the top of the page similar to this:

       

      <cfif IsUserInRole("admin")>
           PAGE CONTENT
      <cfelse>
                <cflocation url="unathorized.cfm" addtoken="no">
      </cfif>
      

       

      This is working fine, but I am now wanting to expand the roles.  I want to display or reject each page depending on the roles.  However, I am not wanting to add an if statement to every page.  Can anyone point me to a better method?  I know I am missing something very easy, but I would like an easy non-obtrusive way to do this.  Thanks for the suggestions.

        • 1. Re: Page Authentication
          Adam Cameron. Community Member

          You could shift the logic into the onRequest() interceptor, perhaps?

           

          --

          Adam

          • 2. Re: Page Authentication
            wannab0133 Community Member

            I broke down and put the logic in the onrequest function of the application.cfc  I went ahead and made a table and added a record for every secured page and the role required to view it.  I just didn't want to have to read a table for every page load, but it works fine.  If anyone has a better suggestion, I'd love to hear it.  Thanks.

            • 3. Re: Page Authentication
              Upen@Roul Community Member

              Just a suggestion don't know whether it is applicable for your case or not.

               

              - If we will store the user roles in session variable and store the secure page information in  cache. Then we will do the the same as Adam suggested then I think it will improve the execution time.

              • 4. Re: Page Authentication
                Adam Cameron. Community Member

                I broke down and put the logic in the onrequest function of the application.cfc  I went ahead and made a table and added a record for every secured page and the role required to view it.  I just didn't want to have to read a table for every page load, but it works fine.  If anyone has a better suggestion, I'd love to hear it.  Thanks.

                 

                Well that stuff is application-wide, yes?  So you could just load it once in onApplicationStart, and put it in an application variable.

                 

                --
                Adam

                • 5. Re: Page Authentication
                  BKBK CommunityMVP

                  wannab0133 wrote:

                   

                  I have an application where I am setting user roles using cfloginuser.  I restrict some pages depending on roles.  I am just using a if statement at the top of the page similar to this:

                   

                  <cfif IsUserInRole("admin")>
                       PAGE CONTENT
                  <cfelse>
                            <cflocation url="unathorized.cfm" addtoken="no">
                  </cfif>

                   

                  This is working fine, but I am now wanting to expand the roles.  I want to display or reject each page depending on the roles.  However, I am not wanting to add an if statement to every page.  Can anyone point me to a better method?  I know I am missing something very easy, but I would like an easy non-obtrusive way to do this.  Thanks for the suggestions.

                  Did you say non-obtrusive? I find this a tigress of a question masquerading as a homely pussycat!

                   

                  First of all, there are known restrictions in any implementation of onRequest in Application.cfc. For example, you won't be able to run CFCs for web services, flash remoting or event gateways.

                   

                  Login, permissions and page flow are determined on a request by request basis. Therefore, the code you need will have to be in a scope that is more fine-grained than session or application. That brings us to request. Since we have ruled out the onRequest event, we have to settle for the only remaining contender, onRequestStart.

                   

                  Let's say, for simplicity, that user IDs are U1, U2, U3, ... an so on. Similarly we assume role IDs are R1, R2, ... and authorized-page IDs, P1, P2, P3, .... That you can use onRequestStart to do login and assign roles is an established fact.

                   

                  Such login and permission assignment are essentially a product of the relation between the set of users, U = {U1, U2, U3, ...} and the set of roles, R = {R1, R2, R3, ...}. The functionality you seek is between the set R and the set of pages, P = {P1, P2, P3, ...}. Sounds all nice and easy till we stumble on the fact the relations U <=> R and R <=> P are many-to-many. You cannot translate a many-to-many relation directly into a relational database model. This means you will likely have to redesign your database model.

                   

                  One way to solve the problem is to introduce so-called junction tables within the relations U <=> R and R <=> P. Whatever design route you choose to follow, there is one well-known guideline that will ensure you stay on course, Ferraiolo and Kuhn's Role-Based Access Control(RBAC). This is everything but non-obtrusive, I hope you will agree!