ColdFusion's default security framework (involving cflogin, cfloginUser, cfNTauthenticate, getAuthUser, isUserInRole, and so on) assumes that you, the developer, decide the policy for storing usernames, passwords and roles. The usual place to store them is the database.
How you assign users access to various parts of your site is a science apart. In my opinion, the technique most relevant to you is Role-Based Access Control (RBAC). Google it for more information.
The simplest implementation of RBAC consists of five database tables, say, user, role, userRole, resource and resourceAccess. The user table has at least the 3 columns userId (primary key), username and password. The role table has at least the 2 columns roleId (primary key) and role. The userRole table has at least the 3 columns, namely, userRoleId (primary key), userId and roleId. The columns userId and roleId are actually foreign keys. So userRoleId is essentially a composite of the two foreign keys.
The resource table contains the resources, for example, the pages, to which you wish to control access. It has at least the 2 columns resourceId (primary key) and resource. The resourceAccess table has at least the 3 columns resourceAccessId (primary key), resourceId and userRoleId. The columns resourceId and userRoleId are actually foreign keys. So resourceAccessId is essentially a composite of the two foreign keys. We have now set up our basic security database.
If you wish to regulate just login to your site, then it is sufficient to implement the user table. Roles are then irrelevant. After verifying that the user's submitted credentials match the values in the user table, you would then log him in using code like
<cfloginuser name = "some_username" password = "some_password">
However, suppose you wished to regulate access to various resources on your site, based on roles. Then you will have to implement all 5 tables.
Suppose then that a user has requested a page which has restricted access. Firstly, you verify that the user's login credentials match the values in the user table. If so, you then query the role table to get the list of roles permitted to the user. You would then log him in using something like
<cfloginuser name = "some_username" password = "some_password" roles = "role1,role2,role3">
You now do a look-up of his userId and roleIds in the userRole table. The result is a list of userRoleIds.
Since the requested page is a restricted resource, we take it for granted that is has an entry is the resource table. Let us say resourceId = 103 for the page. Finally, you query the resourceAccess table to verify whether any of the userRoleIds corresponds to resouceId 103. If so, the user is granted access.
1 Correct answer
7
Replies
AdChoices