> -----Original Message-----
> From: The Wolf [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 10, 2004 6:30 AM
> To: CF-Talk
> Subject: Re: ColdFusion security framework
>
> Hi,
> that sounds very interesting.
>
> It would be great if you can mail me it or post it to the list.
>
> Thanks a lot.
I've uploaded a zip of the CFCs involved to:

ftp://ftp.depressedpress.com/FTP/cfc_DepressedPress.zip

They should be unpacked into a folder called cfc_DepressedPress and a mapping made to it. The code should be considered as being under the FreeBSD license (open source).

That's the core system - there's no interface or usage information there (I've not documented it yet) but here's some information.

The core concept of the system is that it's decoupled from the application using it. The system doesn't make any assumptions about its host. The host simply passes whatever it's using for session management (some key) into the security system and it returns information. Because of this decoupling the system can be instantiated anyplace - there're no application dependencies. You can instantiate it on the fly (which is resource intensive) or persist it to the application or server scopes (which means you can use the system even without using CF's application framework or having CF sessions enabled).

The system provides three basic abstractions for user information. It allows you to easily extend any or all of them with customized CFCs if the packaged ones don't suit. The three are:

+) Credential: This component contains all of the security-level information about the user. Password, logins, etc.
+) Profile: This component contains all of the personal-level information about the user (name, address, phone, emails, etc).
+) Entitlement: This contains permission-level information about the user. Right now simple groups (nested or not) are supported, but more complex sets of entitlements could be added easily by extending the component.

Each of these abstractions is managed by intelligent "mediator" components. Your admin and editing systems should also use these mediators. Doing this means that all changes are reflected instantly in the security system (banning a user is done instantly, not next log on).
The system also supports "n strikes and you're out" style lockout lists (for example three bad passwords and you're banned for a specified amount of time). Passwords can be forced to a minimum length and can be optionally case-sensitive. Password "salt" can be added to improve the quality of the hash as well. (Speaking of that - passwords aren't stored in the system - only the hash.)

The database code provided is for SQL Server, but the framework provides a simple mechanism to create your own DB implementation (in fact you can have any persistence mechanism you like and the same installed codebase can instantiate multiple instances of the security system using multiple persistence services at once).

To create the system you first create a persistence element using CFC_DepressedPress.Utility.DP_PersistenceInfo_DSN (right now I've only got DSNs defined - I plan to add XML and maybe LDAP as well) like this:

    CreateObject("Component", "CFC_DepressedPress.Utility.DP_PersistenceInfo_DSN").init("SQLServer2000", "DSN_Name", "Table_Prefix", "Username (if any)", "Password (if any)")

You would then call DP_SecurityConfiguration.cfc. This CFC creates and populates the data tables needed for the system and the options you've elected. It only needs to be called once. This is the "installer".

Later pass your Persistence Component into DP_Security.cfc to instantiate the actual system. For example:

    <cfset Application.DPSecurity = CreateObject("Component", "CFC_DepressedPress.Security.DP_Security").init(PersistenceInfo) />

That's that.
You can then protect a resource like this (abbreviated code):

    <cfset EntitlementList = "Member,Administrator">
    <!--- This code will return "not entitled" if the user is logged in and not entitled or simply not logged in at all --->
    <cfif NOT Application.DPSecurity.isEntitled("SessionKey", EntitlementList)>
        <!--- This line checks if the user is actually logged in at all --->
        <cfif Application.DPSecurity.isAuthentication("SessionKey")>
            <cfset AuthError = "AuthNotInGroup">
        <cfelse>
            <cfset AuthError = "AuthNotLoggedIn">
        </cfif>
        <cflocation addtoken="No" url="YourLogInPage?AuthError=#AuthError#" />
    </cfif>

Some other functions of note.

To create a user use:

    DPSecurity.Users.create("UserID", "Handle", "Password", true, true)

To get a new password:

    DPSecurity.generatePassword()

To get information about a user:

    DPSecurity.CredentialMediator.get("UserKey")
    DPSecurity.ProfileMediator.get("UserKey")
    DPSecurity.EntitlementMediator.get("UserKey")

I'm sorry - I know that my organization can seem a little insane, but I assure you - it all makes sense to me. ;^)

The CFCs DP_Users.cfc and DP_Groups.cfc are essentially management CFCs. They're where to look for creating Groups and Users initially. You would then look to DP_Authentications.cfc for current logons (all represented by an instance of DP_Authentication.cfc). Look to CredentialMediator.cfc, ProfileMediator.cfc and EntitlementMediator.cfc to get at (you guessed it!) individual users' Credential.cfc, Profile.cfc and Entitlement.cfc references and information. DP_Security.cfc is the basic system which contains everything else. DP_SecurityConfiguration.cfc is the installer/uninstaller which is only used for those functions.

Sorry - didn't mean to write a book on this, but there it is. This is currently in use on several public sites and I've had no problems. The system is complex enough that I would fear about its use for very large installations, but for average sites I don't have any performance concerns.
Feel free to comment or criticize.

Jim Davis

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:187046

