Sounds pretty good, unfortunately some people still have to work with CF
4.5.


-----Original Message-----
From: Scott Barnes [mailto:[EMAIL PROTECTED] 
Sent: Monday, 17 March 2003 10:47 AM
To: CFAussie Mailing List
Subject: [cfaussie] Re: Intranet Authentication Via Username


Phil, Barry and I are using an Intranet environment where we only care
if
someones logged in via NT Authentication method.

As stated earlier, if you do decide to head down the path of using just
Active Directory as your application security model, then I really
recommend
you leverage CFLOGIN for such an excerise.

Reason being, is that its so easy to lock down not only your
presentation
layer, but also you can lock down your CFC's without relying on your
presentation layer.

I say this, as alot of the examples tip you into using Session or
Application variables to handle your overall security in that (ie
session.isLoggedIn returns a true/false) value. This would work and in
truth
is fairly a simple outlet for a "Is User Logged In" handshake.

But, if you store a session.variable and you publish information for
remote
access (ie webservices) then you rely on the fact that a user has come
through normal webtraffic! But.. What if you make a standalone flash
executable (just using this as an example) that due to it being
clientside
driven has no access to application.cfm, and instead only makes remote
calls
to components that are within a shared directory on a server!

In order to combat this, like i said earlier, you simply define a global
"role" (ie assign a role "IsLoggedIn") and then in your "presentation"
layer, do a simple function:

<cfscript>
function isUserLoggedIn() {
    return isUserInRole('IsLoggedIn');
}
</cfscript>

You could store this in a central UDF library and just make calls to the
method, if the answer is true (continue on) if its false (do login
handshake
methods).

Then inside your CFC's, for every function that is deemed "members only"
or
"sensitive" assign each of these methods with a must have role
"isLoggedIn"
eg.
<cffunction ... Roles="IsLoggedIn,Admin,etc">

This will ensure the user must be logged into the server via CFLOGIN,
and
has all the appropriate roles assigned to it, instead of assuming the
person
has gone through the standard login routines.

And as stated earlier if you CFLOGOUT their butts, it wipes away their
roles
(but still has getAuthUser() returning a domain/useraccount string) thus
if
they idle out and hit a CFC it will reject them as quick as i get
rejected
when asking a girl out in a nightclub.

Thats all i have to say, back to work and shit.

Scott





"Hickman, Matt" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> Scotty, Taco,
>
> Yep you need IIS "anonymous" turned off. In my case we have NT
> authentication on the directory where our files live, for our
> 6 known domains who browse the site.
>
> If they don't match - **game show wrong answer noise**
> If they match - **money shot groan**
>
> Then I run a "log" query at the top of my "contoller.cfm" page for
every
> user who browses the site. Eg:
>
> <cfquery name="insertLog" DATASOURCE="#Application.DSN#">
> INSERT INTO #Application.tablePrefix#TABLELOG (PAGEID, STORYID,
> DATE, IPADDRESS, USERID )
> VALUES ('#URL.page_id#', #URL.story_id#, GETDATE(),
> '#CGI.REMOTE_ADDR#', '#CGI.REMOTE_USER#')
> </cfquery>
>
> Being an INTRANET I'm happy because the directory & NT Authentication
is
> doing the dirty work for me so all I care is who's viewing what, when
etc.
>
> Is that what you're after??
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: Scott Barnes [mailto:[EMAIL PROTECTED]
> Sent: Monday, 17 March 2003 10:34 AM
> To: CFAussie Mailing List
> Subject: [cfaussie] Re: Intranet Authentication Via Username
>
>
> In truth, i think this relies on IIS anonymous access turned off in
order
to
> work? I don't have IIS to double check this, but can anyone else shed
some
> light onto this theory of mine :D
>
> Scott
>
>
>
> "Taco Fleur" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> >
> > OK, got to work today, had a go at it with cgi.remote_user but can't
> > find any docos on the correct permissions needed for it to return
the
> > required info.
> >
> > Anyone any ides on this?
> >
> > TIA
> > Taco
> >
> > > Taco all you need to do is retrieve the CGI.AUTH_USER variable
> > > (could be
> =
> > > CGI.REMOTE_USER I'll have to double check that), and in a domain =
> > > environment like Active Directory it will always be populated with
> > > the = user's domain user account.....e.g "domain\taco"
> >
> >
>
>
>
> ---
> You are currently subscribed to cfaussie as:
[EMAIL PROTECTED]
To
> unsubscribe send a blank email to
[EMAIL PROTECTED]
>
> MX Downunder AsiaPac DevCon - http://mxdu.com/
>
>
>
**********************************************************************"
> This correspondence is for the named person's use only. It may
> contain confidential or legally privileged information or both. "
> No confidentiality or privilege is waived or lost by any "
> mistransmission.  If you receive this correspondence in error, please
> immediately delete it from your system and notify the sender.  You
> must not disclose, copy or rely on any part of this correspondence
> if you are not the intended recipient.
>
> Any views expressed in this message are those of the individual
sender,
> except where the sender expressly, and with authority, states them to
> be the views of Vodafone.
>
> This email has been checked for viruses.
> **********************************************************************
>
>
>



---
You are currently subscribed to cfaussie as:
[EMAIL PROTECTED]
To unsubscribe send a blank email to
[EMAIL PROTECTED]

MX Downunder AsiaPac DevCon - http://mxdu.com/

---------------------------------------------------------------------------- 
This email, together with any attachments, is intended for the named 
recipient(s) only and may contain privileged and confidential information. If 
received in error, please inform the sender as quickly as possible and delete 
this email and any copies from your computer system network.

If not an intended recipient of this email, you must not copy, distribute or 
rely upon it and any form of disclosure, modification, distribution and/or 
publication of this email is prohibited.

Unless stated otherwise, this email represents only the views of the sender and 
not the views of the Queensland Government. 
---------------------------------------------------------------------------- 

---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]

MX Downunder AsiaPac DevCon - http://mxdu.com/

Reply via email to