4 Replies Latest reply on Jul 16, 2009 11:16 AM by gliao



      We have 2 user roles (groups): role1 and role2. role1 can access pages under URL1 or directory1; role2 can access pages under URL2 or directory2.


      I know it is easy to configure the mapping between role and resource in J2EE (web.xml), but I don't know how to set it up in ColdFusion. Suppose the user information is in a database, not LDAP.  I appreciate any help.



        • 1. Re: authentication
          ilssac Level 5

          I'm not sure what you are trying to do, but I wanted to point out that modern ColdFusion is Java (J2EE) based and it uses a web.xml file.  If you know how to set up what you want with that file, I suspect that is what would work for ColdFusion.

          1 person found this helpful
          • 2. Re: authentication
            gliao Level 1

            Thanks, Ian.


            You are right. I use JBoss. ColdFusion is an ear file. My ColdFusion code is under the ColdFusion ear file. I want to implement form login to protect the resources based on the roles, just like http://www.jboss.org/community/wiki/SecureAWebApplicationUsingACustomForm but in ColdFusion.  Do you know of any ColdFusion form login example for this?

            • 3. Re: authentication
              ilssac Level 5

              I briefly reviewed that link and it seems to be speaking to web server security with JBOSS being the web server.  ColdFusion is not a web server, at least it is not recommended that it be a web server in a production environment.  The built-in web server inside ColdFusion is recommended only for development environments.


              If you want web-server security you need to look at the features of the web server you are using with ColdFusion, commonly IIS or Apache.  They both have features to provide authentication.


              If you want basic Application security done with ColdFusion, the documentation has an entire chapter complete with code examples: http://livedocs.adobe.com/coldfusion/8/htmldocs/appSecurity_01.html.  The basic idea is that one puts code in the Application.cfm or Application.cfc files that is run at the beginning of every request.  This code checks for a logged-in state; if the state is not logged in, then look for a login form post; if there is a post, try to log in; if the try fails OR there is no login form post, display the login form.
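
The flow described in the reply above, applied to the role1/role2 directory split from the question, as an added example that is not part of the original thread or of Adobe's documentation. The datasource `appDSN`, the table `app_users` with its columns, the salted SHA-256 storage scheme, `loginform.cfm` and the `/directory1/` and `/directory2/` paths are all assumptions.

```cfml
<!--- Application.cfc: added example; datasource, table, columns and paths are assumptions --->
<cfcomponent output="false">
  <cfset this.name = "roleDemo">
  <cfset this.sessionManagement = true>
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returnType="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var qUser = "">
    <cfset var requiredRole = "">

    <!--- The cflogin body runs only when no user is logged in --->
    <cflogin>
      <!--- cflogin.name/.password come from form fields j_username/j_password --->
      <cfif NOT IsDefined("cflogin")>
        <cfinclude template="loginform.cfm">
        <cfabort>
      </cfif>
      <!--- cfqueryparam binds the user-supplied name instead of concatenating it --->
      <cfquery name="qUser" datasource="appDSN">
        SELECT username, password_hash, salt, role
        FROM app_users
        WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
      </cfquery>
      <cfif qUser.recordCount EQ 1 AND
            CompareNoCase(qUser.password_hash, Hash(qUser.salt & cflogin.password, "SHA-256")) EQ 0>
        <cfloginuser name="#qUser.username#" password="#cflogin.password#" roles="#qUser.role#">
      <cfelse>
        <!--- Failed attempt: show the form again, never the requested page --->
        <cfinclude template="loginform.cfm">
        <cfabort>
      </cfif>
    </cflogin>

    <!--- Map the requested directory to the one role allowed to see it --->
    <cfif FindNoCase("/directory1/", arguments.targetPage) EQ 1>
      <cfset requiredRole = "role1">
    <cfelseif FindNoCase("/directory2/", arguments.targetPage) EQ 1>
      <cfset requiredRole = "role2">
    </cfif>
    <cfif Len(requiredRole) AND NOT IsUserInRole(requiredRole)>
      <cfheader statuscode="403" statustext="Forbidden">
      <cfoutput>Access denied.</cfoutput>
      <cfabort>
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

Because the role check sits in `onRequestStart`, it is enforced on every `.cfm` request that ColdFusion handles under this Application.cfc; static files served directly by the web server are not covered by it.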

              • 4. Re: authentication
                gliao Level 1

                Thanks, Ian.