I have an application which has no security code implemented in it. I would like to control who can access certain URL paths within the application. In addition, I would like to have single sign-on to authenticate the users who have also logged on to the network with their Active Directory user IDs.
Environment: ColdFusion 10
App Server: default (Tomcat)
WebServer: IIS 7.5
Server: Windows Server 2008 R2
Authentication: Active Directory
In a currently existing environment, I was able to do this using SiteMinder to protect certain URL paths. I am putting together a new environment that no longer has SiteMinder. I was also able to do this in a configuration using WebSphere as the application server and modifying ColdFusion's web.xml file to create security roles for the protected URL paths. This was done by adding <security-constraint> and <security-role> clauses to the web.xml. I could then use WebSphere to control what users or groups have access to these URL paths. In addition, I was able to implement Single Sign On for the users using SPNEGO. This was all pretty clean and worked nicely for the users. I would like to run under WebSphere, but unfortunately I have to use Version 8.5 of WebSphere, which is not supported by ColdFusion. So I have to use Tomcat. Is there a way I could provide similar access control using Tomcat?
I am also open to other ideas to obtain the same results.
Oh, in addition, I tried controlling access using IIS's "Authorization Rules". This works fine for non-ColdFusion elements, but does not seem to apply to the ColdFusion elements.
Did you figure out how to get the IIS "Authorization Rules" to work with ColdFusion files? I am having a very similar problem and until I solve it I cannot upgrade my production environment to CF10.