
CF login vs. SQL login

Explorer, Mar 02, 2009

I have built a couple dozen pages in CF with a MS SQL back end. Every time I check to see how the pages are working (F12), it asks me to sign in. The login box says it's for the ColdFusion server, but the username and password that work are my Windows username and password (they are tied to the SQL security). I have had four other people try to login to see what they can get to and two of the four don't even see a login box (the other two get the same CF login and they use their Windows information). The girl that handles my server config tells me it has something to do with what user groups we are in, whether they have to login or whether it just automatically pulls their Windows login data.

I don't mind the Windows information being used for now, but when we go live on the web, I'm going to have to manage outside usernames and passwords. I originally had set up a CF login page, but then I had to login to the Application first and then another login for the SQL security. Is there any way to just have one login?

Correct answer: LEGEND, Mar 03, 2009 (the "Replies inline" reply, given in full further down the thread)
LEGEND, Mar 02, 2009

If you are getting the login it sounds to me like you are getting, this
is purely between the web server and your browser and has nothing to do
with ColdFusion.

You are getting this login because the web server has been told to use
some type of authentication. If some Windows users are not getting the
login, then the type of authentication chosen sounds like "Windows
Integrated Security" on an IIS web server. With "Windows Integrated
Security", if one is using a Windows browser on a Windows client to talk
over a Windows network to a Windows server using a Windows web server,
then the login can be done behind the scenes without user interaction.

Otherwise a login dialog box is presented to the user. If you do not
want this to happen, then something about the above configuration would
need to be changed.

Explorer, Mar 03, 2009

That sounds about right, because I think the people who are having to login each time are using Mozilla and those that don't are using IE. When we move the pages to the live server and everyone accesses the site via the web, then I presume everyone will have to sign in to the server authentication. So is there a way to "turn off" the web server authentication so I can set up a ColdFusion login? And when I do, can that ColdFusion login be used to grant permissions to tables/views/stored procedures?

LEGEND, Mar 03, 2009

> So is
> there a way to "turn off" the web server authentication so I can set up a
> ColdFusion login? And when I do, can that ColdFusion login be used to grant
> permissions to tables/views/stored procedures?

It could quite possibly be the case that the account that the web server or
CF is using doesn't have permissions to the files you're requesting, so the
best it can do is to ask for credentials.

Make sure the service that the web server and CF are using has permissions
to the files they're serving.

--
Adam

LEGEND, Mar 03, 2009

Replies inline

Blue Chrome wrote:
> That sounds about right, because I think the people who are having to login
> each time are using Mozilla and those that don't are using IE. When we move
> the pages to the live server and everyone accesses the site via the web, then I
> presume everyone will have to sign in to the server authentication.

They can't 'sign in to the server authentication'. Windows integrated
security uses the Windows Active Directory network domain security. If
you continue to use this security all the users would have to be members
of the domain controller of your network.

> So is
> there a way to "turn off" the web server authentication so I can set up a
> ColdFusion login?

Sure, don't use "Windows integrated Security" in the web server. If you
are planning on using ColdFusion security on a public web site, one
would probably not use security at the web server level. On a corporate
intranet network it is common to use web server security as all the
users are usually on the same network.

> And when I do, can that ColdFusion login be used to grant
> permissions to tables/views/stored procedures?

That is a bit of a weird question. When a ColdFusion application accesses
a database, it is not the client user that is accessing the database.
It is the user defined in the ColdFusion Data Source Name (DSN) that
accesses the database. When you build a web application all the users
are seen by the database as that same DSN user. And that DSN user
should only have the *MINIMUM* permissions required for the application.

Explorer, Mar 03, 2009

My hands are somewhat tied in that I need to maintain the internal security and have CF security for outside users (the powers that be do not want internal users to have to remember an additional username/password). I've been talking to the web guy in our sister department and he says the way they do it is to have two applications. One is set up for internal users and one is set up for external users.

For the internal version, everything would remain the way I have it now (permissions based on Windows login information). For the external version, I would set up a generic SQL user with minimum permissions that anyone connecting from the outside would be logged in as. The specifics of what records they can access/change then would be controlled in the querying code based on their CF login.

I'm just wondering if there is a way I can do it with one application, but manipulate the SQL user depending on the #cgi.auth_user# value. In other words, when the application first opens, it reads the #cgi.auth_user# value and if it is one of our internal users, then it passes that value as the SQL login. Otherwise, it passes the generic SQL login. Does that make sense, or am I farting out of my mouth again?

LEGEND, Mar 04, 2009

A couple of points.

Whether you use IIS Windows Integrated Security or not, the Database
user, and what database permissions it has, is defined by the user
assigned in the DSN (Data Source Name) definition or that is passed in
through the 'username' and 'password' parameters of the CFQUERY tag.
When a ColdFusion application accesses a database, as far as I know, the
database has no clue what client user initialized the request to which
ColdFusion server is responding.

Having an application run both with Windows integrated security and
without could be done. You could probably have two initial access
pages, one that uses Windows integrated security and one that does not,
but has an HTML login form. Each of these pages would then process the
login information into some type of 'USER' state. This state can then
be passed to the rest of the application which would not care how the
user state was initialized. It just knows that if the state exists, it
can do this or that.
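
The shared 'USER' state described in the reply above, together with the single least-privilege DSN account from the earlier reply, as CFML. This is an added example, not code from any poster in the thread; the application name, `login.cfm`, the `portal_min_priv` datasource and the `dbo.orders` table are hypothetical, and it assumes IIS enforces Windows authentication on the internal entry page so that `cgi.auth_user` is populated there.

```cfml
<!--- Application.cfc (added example; all names are hypothetical).
      The query function lives here only to keep the example in one file. --->
<cfcomponent output="false">
  <cfset this.name = "portalExample">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

  <cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var page = listLast(arguments.targetPage, "/")>
    <cfset var u = structNew()>

    <cfif NOT structKeyExists(session, "user")>
      <cfif len(trim(cgi.auth_user))>
        <!--- Entry 1: IIS already authenticated a domain account.
              cgi.auth_user is empty when the request was anonymous. --->
        <cfset u.login = cgi.auth_user>
        <cfset u.source = "windows">
        <cfset session.user = u>
      <cfelseif page NEQ "login.cfm">
        <!--- Entry 2: no web-server identity, so require the HTML form.
              login.cfm (not shown) verifies the password and sets the
              same session.user structure with source = "form". --->
        <cflocation url="login.cfm" addToken="false">
      </cfif>
    </cfif>
    <cfreturn true>
  </cffunction>

  <!--- Every caller reaches SQL Server as the one DSN account. The
        database cannot tell users apart, so the row filter is applied
        here from session.user and bound with cfqueryparam. --->
  <cffunction name="getOrdersForCurrentUser" returnType="query" output="false">
    <cfset var q = "">
    <cfquery name="q" datasource="portal_min_priv">
      SELECT order_id, created_on, status
      FROM   dbo.orders
      WHERE  owner_login = <cfqueryparam value="#session.user.login#"
                                         cfsqltype="cf_sql_varchar" maxlength="128">
    </cfquery>
    <cfreturn q>
  </cffunction>
</cfcomponent>
```

The rest of the application reads only `session.user` and never branches on how it was created, and the DSN account needs no more than `SELECT` on the objects these queries touch.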

Explorer, Jun 17, 2009

We wound up turning Integrated Windows authentication off (found a website showing how to do it http://www.hostmysite.com/support/dedicated/IIS/passwordprotect/).  Thanks for all the help!
