Copy link to clipboard
Copied
I have an application which has no security code implemented in it. I would like to control who can access certain URL paths within the application. In addition, I would like to have single sign on to authenticate the users that have also logged on to the network with their Active Directory userids.
Environment: ColdFusion 10
App Server: default (Tomcat)
WebServer: IIS 7.5
Server: Windows Server 2008 R2
Authentication: Active Directory
In a currently existing environment I was able to do this using SiteMinder to protect certain URL paths. I am putting together a new environment that no longer has SiteMinder. I was also able to do this in a configuration using WebSphere as the application server and modifying ColdFusion's web.xml file to create security roles for the protected URL paths. This was done by adding <security-constraint> and <security-role> clauses to the web.xml. I could then use WebSphere to control what users or groups have access to these URL paths. In addition, I was able to implement Single Sign On for the users using SPNEGO. This was all pretty clean and worked nicely for the users. I would like to run under WebSphere, but unfortunately I have to use Version 8.5 of WebSphere which is not supported by ColdFusion. So I have to use Tomcat. Is there a way I could provide a similar access control using Tomcat?
I am also open to other ideas to obtain the same results.
Copy link to clipboard
Copied
Oh, in addition, I tried controlling access using IIS's "Authorization Rules". This works fine for non-ColdFusion elements, but does not seem to apply to the ColdFusion elements.
Copy link to clipboard
Copied
Did you figure out how to get the IIS "Authorization Rules" to work with ColdFusion files? I am having a very similar problem and until I solve it I cannot upgrade my production environment to CF10.