Phil, Barry and I are using an Intranet environment where we only care if
someones logged in via NT Authentication method.
As stated earlier, if you do decide to head down the path of using just
Active Directory as your application security model, then I really recommend
you leverage CFLOGIN for such an excerise.
Reason being, is that its so easy to lock down not only your presentation
layer, but also you can lock down your CFC's without relying on your
presentation layer.
I say this, as alot of the examples tip you into using Session or
Application variables to handle your overall security in that (ie
session.isLoggedIn returns a true/false) value. This would work and in truth
is fairly a simple outlet for a "Is User Logged In" handshake.
But, if you store a session.variable and you publish information for remote
access (ie webservices) then you rely on the fact that a user has come
through normal webtraffic! But.. What if you make a standalone flash
executable (just using this as an example) that due to it being clientside
driven has no access to application.cfm, and instead only makes remote calls
to components that are within a shared directory on a server!
In order to combat this, like i said earlier, you simply define a global
"role" (ie assign a role "IsLoggedIn") and then in your "presentation"
layer, do a simple function:
<cfscript>
function isUserLoggedIn() {
return isUserInRole('IsLoggedIn');
}
</cfscript>
You could store this in a central UDF library and just make calls to the
method, if the answer is true (continue on) if its false (do login handshake
methods).
Then inside your CFC's, for every function that is deemed "members only" or
"sensitive" assign each of these methods with a must have role "isLoggedIn"
eg.
<cffunction ... Roles="IsLoggedIn,Admin,etc">
This will ensure the user must be logged into the server via CFLOGIN, and
has all the appropriate roles assigned to it, instead of assuming the person
has gone through the standard login routines.
And as stated earlier if you CFLOGOUT their butts, it wipes away their roles
(but still has getAuthUser() returning a domain/useraccount string) thus if
they idle out and hit a CFC it will reject them as quick as i get rejected
when asking a girl out in a nightclub.
Thats all i have to say, back to work and shit.
Scott
"Hickman, Matt" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> Scotty, Taco,
>
> Yep you need IIS "anonymous" turned off. In my case we have NT
> authentication on the directory where our files live, for our
> 6 known domains who browse the site.
>
> If they don't match - **game show wrong answer noise**
> If they match - **money shot groan**
>
> Then I run a "log" query at the top of my "contoller.cfm" page for every
> user who browses the site. Eg:
>
> <cfquery name="insertLog" DATASOURCE="#Application.DSN#">
> INSERT INTO #Application.tablePrefix#TABLELOG (PAGEID, STORYID,
> DATE, IPADDRESS, USERID )
> VALUES ('#URL.page_id#', #URL.story_id#, GETDATE(),
> '#CGI.REMOTE_ADDR#', '#CGI.REMOTE_USER#')
> </cfquery>
>
> Being an INTRANET I'm happy because the directory & NT Authentication is
> doing the dirty work for me so all I care is who's viewing what, when etc.
>
> Is that what you're after??
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: Scott Barnes [mailto:[EMAIL PROTECTED]
> Sent: Monday, 17 March 2003 10:34 AM
> To: CFAussie Mailing List
> Subject: [cfaussie] Re: Intranet Authentication Via Username
>
>
> In truth, i think this relies on IIS anonymous access turned off in order
to
> work? I don't have IIS to double check this, but can anyone else shed some
> light onto this theory of mine :D
>
> Scott
>
>
>
> "Taco Fleur" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> >
> > OK, got to work today, had a go at it with cgi.remote_user but can't
> > find any docos on the correct permissions needed for it to return the
> > required info.
> >
> > Anyone any ides on this?
> >
> > TIA
> > Taco
> >
> > > Taco all you need to do is retrieve the CGI.AUTH_USER variable
> > > (could be
> =
> > > CGI.REMOTE_USER I'll have to double check that), and in a domain =
> > > environment like Active Directory it will always be populated with
> > > the = user's domain user account.....e.g "domain\taco"
> >
> >
>
>
>
> ---
> You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To
> unsubscribe send a blank email to [EMAIL PROTECTED]
>
> MX Downunder AsiaPac DevCon - http://mxdu.com/
>
>
> **********************************************************************"
> This correspondence is for the named person's use only. It may
> contain confidential or legally privileged information or both. "
> No confidentiality or privilege is waived or lost by any "
> mistransmission. If you receive this correspondence in error, please
> immediately delete it from your system and notify the sender. You
> must not disclose, copy or rely on any part of this correspondence
> if you are not the intended recipient.
>
> Any views expressed in this message are those of the individual sender,
> except where the sender expressly, and with authority, states them to
> be the views of Vodafone.
>
> This email has been checked for viruses.
> **********************************************************************
>
>
>
---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
MX Downunder AsiaPac DevCon - http://mxdu.com/