2 Replies Latest reply on Jul 25, 2013 5:47 AM by Donald Baert

    Authentication and Authorization control outside of application code

    RLH in MD

      I have an application which has no security code implemented in it.  I would like to control who can access certain URL paths within the application.  In addition, I would like to have single sign on to authenticate the users that have also logged on to the network with their Active Directory userids.


      Environment: ColdFusion 10

      App Server: default (Tomcat)

      WebServer: IIS 7.5

      Server: Windows Server 2008 R2

      Authentication: Active Directory


      In a currently existing environment I was able to do this using SiteMinder to protect certain URL paths. I am putting together a new environment that no longer has SiteMinder. I was also able to do this in a configuration using WebSphere as the application server and modifying ColdFusion's web.xml file to create security roles for the protected URL paths. This was done by adding <security-constraint> and <security-role> clauses to the web.xml. I could then use WebSphere to control what users or groups have access to these URL paths. In addition, I was able to implement Single Sign On for the users using SPNEGO. This was all pretty clean and worked nicely for the users. I would like to run under WebSphere, but unfortunately I have to use Version 8.5 of WebSphere, which is not supported by ColdFusion. So I have to use Tomcat. Is there a way I could provide a similar access control using Tomcat?

      • Authentication using SPNEGO
      • Defining roles in the web.xml


      I am also open to other ideas to obtain the same results.
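
A check for the kind of `<security-constraint>` and `<security-role>` clauses the post describes, as an added example that is not part of the original post. It lists which URL patterns are tied to which roles and flags two common gaps: roles used but never declared, and constraints that name specific HTTP methods and so leave the others unconstrained. The sample web.xml, its paths and its role names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml; the paths and role names are assumptions.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>app-admins</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>report-users</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>app-admins</role-name></security-role>
</web-app>"""

def audit_web_xml(xml_text):
    """Return (rules, findings) for the security clauses in a web.xml."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {r.findtext("role-name") for r in root.findall("security-role")}
    rules, findings = [], []
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for role in roles:
            if role != "*" and role not in declared:
                findings.append(f"role '{role}' has no <security-role> declaration")
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            for pat in wrc.findall("url-pattern"):
                rules.append((pat.text.strip(), roles))
                if methods:  # listing methods leaves all other methods unconstrained
                    findings.append(f"{pat.text.strip()}: only {','.join(methods)} is constrained")
    return rules, findings

if __name__ == "__main__":
    rules, findings = audit_web_xml(SAMPLE_WEB_XML)
    for pattern, roles in rules:
        print(pattern, "->", roles)
    for f in findings:
        print("WARN", f)
```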