chuckles_da_clown,
You are right on the money.
Note: My application name is farcry03.
I extended the /farcry/farcry_core/packages/security/authentication.cfc
with an application component of the same name within my application
directory. So there is a file in the application directory
/farcry/farcry03/packages/security/authentication.cfc.
I then copied the login function from
/farcry/farcry_core/packages/security/authentication.cfc to
/farcry/farcry03/packages/security/authentication.cfc and removed the
ADSI section of the switch statement. The removal of the ADSI section
is not necessary, but I did not need it.
To test my idea, I changed one line of code and added another line of
code to the function. You will see two lines of code like this in the
included cfc code.
<cfset stUser.userpassword = userPassword />
<cfif true> <!--- trim(stUser.userpassword) IS trim(userPassword)> --->
Just to see if I could fake out the security system, I set the
stUser.userpassword to the password that the user typed in. This would
mean that any password that the user submits will authenticate them.
The if condition tests to check that the password in the dmUsers table
is the same as the password that the user submitted. I hardcoded the
condition to true in order to bypass the test.
I noticed that if stUser.userpassword does not equal the
userPassword (the password supplied by the user), then something else
messes up. There must be something else that retests the user's
password over again. Remove the first line and you will see what I am
talking about.
I hope this will be helpful for others. If it is, send me a note.
Here is the source (forgive the formatting, just click your beautify
button. LOL!):
<cfcomponent extends="farcry.farcry_core.packages.security.authentication"
             displayName="Authentication" hint="Security authentication functions">

  <cffunction name="login" returntype="boolean"
              hint="Logs in the user using userlogin and password, optionally limited to userdirectory.">
    <cfargument name="bAudit" required="false" default="0" hint="Log this login?">
    <cfargument name="userLogin" required="true" hint="The users login name">
    <cfargument name="userPassword" required="true" hint="The users password">
    <cfargument name="userdirectory" required="false">

    <cfset var auditNote = "" />

    <cfscript>
      oAuthorisation = createObject("component","#application.securitypackagepath#.authorisation");
      oAudit = createObject("component","#application.packagepath#.farcry.audit");
      logout(); // Clear out session details
      arguments.userlogin = trim(arguments.userlogin);
      arguments.userpassword = trim(arguments.userpassword);
      // assume user is not logged in
      bHasLoggedIn = 0;
      // grab the user directories (that is, ones with relevant dmSec tables)
      stUD = getUserDirectory(lFilterTypes="ADSI,Daemon");
      // get the policy store
      stPolicyStore = oAuthorisation.getPolicyStore();
    </cfscript>

    <!--- loop through each user directory --->
    <cfloop index="ud" list="#structKeyList(stUD)#">
      <cftrace type="information" var="ud">
      <cfswitch expression="#stUD[ud].type#">
        <cfcase value="default" />
        <cfdefaultcase>
          <!--- search for the user in ud --->
          <cfset stUser = getUser(userlogin=arguments.userlogin,userdirectory=ud)>
          <!--- if we found the user --->
          <cfif not StructIsEmpty(stUser)>
            <!--- check the password is correct --->
            <cfif isdefined("stUser.userStatus")>
              <cfif stUser.userStatus neq 4>
                <!--- login failed due to user status --->
                <cfif arguments.bAudit>
                  <cfscript>
                    oAudit.logActivity(auditType="dmSec.loginfailed",
                      username=arguments.userlogin, location=cgi.remote_host,
                      note="userStatus: #stUser.userstatus#, account disabled");
                    logged=1;
                  </cfscript>
                </cfif>
                <!--- throw error --->
                <cfset bHasLoggedIn = 0>
                <cfbreak>
              </cfif>
            </cfif>
            <!--- check if UD has password encryption --->
            <cfif structKeyExists(stUD[ud],"bEncrypted") and stUD[ud].bEncrypted>
              <cfset userPassword = hash(arguments.userPassword)>
            <cfelse>
              <cfset userPassword = arguments.userPassword>
            </cfif>
            <cfset stUser.userpassword = userPassword />
            <cfif true> <!--- trim(stUser.userpassword) IS trim(userPassword)> --->
              <!--- get the users groups --->
              <cfscript>
                aGroups = GetMultipleGroups(userLogin=arguments.userlogin,userDirectory=ud);
                lGroupNames = arrayKeyToList(array=aGroups,key='groupName');
                lPolicyGroupIds = oAuthorisation.getPolicyGroupMappings(userDirectory=ud,lGroupNames=lGroupNames);
              </cfscript>
              <!--- map the groups to policy groups --->
              <!--- set the session login information --->
              <cflock timeout="45" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
                <cfscript>
                  session.dmSec.authentication = duplicate( stUser );
                  if( structKeyExists( session.dmSec.authentication, "userPassword"))
                    structDelete( session.dmSec.authentication, "userPassword" );
                  session.dmSec.authentication.lPolicyGroupIds=lPolicyGroupIds;
                  session.dmSec.authentication.canonicalName = arguments.userlogin;
                  // Check the audit log to see if this user has logged in before.
                  // If they have not then set the firstLogin flag
                  if(oAudit.getAuditLog(username=arguments.userLogin, auditType="dmSec.login").recordcount neq 0)
                    session.firstLogin = false;
                  else
                    session.firstLogin = true;
                  bHasLoggedIn = 1;
                </cfscript>
              </cflock>
              <!--- login has succeeded so stop searching the user directories --->
              <cfif arguments.bAudit>
                <cfscript>
                  // Make an entry in the Audit Log for this successful login
                  if(session.firstLogin)
                    auditNote = "userDirectory:" & session.dmSec.authentication.userdirectory & " **First Login**";
                  else
                    auditNote = "userDirectory:" & session.dmSec.authentication.userdirectory;
                  oAudit.logActivity(auditType="dmSec.login",
                    username=arguments.userlogin, location=cgi.remote_host, note=auditNote);
                </cfscript>
              </cfif>
              <!--- break cfloop, finish template (perhaps this should be <cfexit>?) 20020908 GB --->
              <cfbreak>
            <cfelse>
              <!--- login failed due to incorrect password --->
              <cfif arguments.bAudit>
                <cfscript>
                  oAudit.logActivity(auditType="dmSec.loginfailed",
                    username=arguments.userlogin, location=cgi.remote_host, note="password incorrect");
                  logged=1;
                </cfscript>
              </cfif>
              <!--- throw error --->
              <cfset bHasLoggedIn = 0>
            </cfif>
          </cfif>
        </cfdefaultcase>
      </cfswitch>
    </cfloop>

    <!---
    <cfdump var="#session#">
    // overrides policy mapping if they are missing.. debugging only GB
    <cfset session.dmsec.authentication.lpolicygroupids="1,2,3,4,5,6,7,8,9">
    <cfabort />
    --->

    <!--- we've been through all our userdirectories here, so if we haven't logged in throw a spaz --->
    <cfif not bHasLoggedIn and not isdefined("logged")>
      <!--- login failed - user unknown --->
      <cfif arguments.bAudit>
        <cfscript>
          oAudit.logActivity(auditType="dmSec.loginfailed",
            username=arguments.userlogin, location=cgi.remote_host, note="user unknown");
        </cfscript>
      </cfif>
    </cfif>

    <cfreturn bHasLoggedIn>
  </cffunction>
</cfcomponent>
Enjoy,
Troy Simpson
OCPDBA, SCSA, MCSE
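Added illustration, not part of Troy's post or of FarCry's own code: a small Python model of the password check inside login(), with the original comparison (including the bEncrypted hash branch and the userStatus gate) beside the post's hardcoded-true version, so the effect of the two edited lines can be exercised on constructed sample data. Assumptions: the dmUsers row and user-directory config are constructed, ColdFusion's hash() is modelled as an uppercase MD5 hex digest, and the comparison uses a constant-time compare instead of the CFML IS operator.

```python
import hashlib
import hmac


def cf_hash(value: str) -> str:
    # Stand-in for ColdFusion's hash(); uppercase MD5 hex is an assumption.
    return hashlib.md5(value.encode("utf-8")).hexdigest().upper()


# Constructed sample data: stUD[ud] config and two dmUsers rows.
USER_DIRECTORY = {"type": "default", "bEncrypted": True}
DM_USERS = {
    "troy": {"userLogin": "troy", "userStatus": 4,
             "userPassword": cf_hash("correct horse")},
    "guest": {"userLogin": "guest", "userStatus": 1,   # disabled (neq 4)
              "userPassword": cf_hash("guest")},
}


def candidate_password(st_ud: dict, user_password: str) -> str:
    """The bEncrypted branch: hash the submitted value if the UD stores hashes."""
    user_password = user_password.strip()
    return cf_hash(user_password) if st_ud.get("bEncrypted") else user_password


def original_check(st_user: dict, st_ud: dict, user_password: str) -> bool:
    """FarCry's comparison before the edit: trim(stUser.userpassword) IS trim(userPassword)."""
    stored = st_user["userPassword"].strip().encode("utf-8")
    candidate = candidate_password(st_ud, user_password).strip().encode("utf-8")
    return hmac.compare_digest(stored, candidate)   # constant-time instead of IS


def bypassed_check(st_user: dict, st_ud: dict, user_password: str) -> bool:
    """The post's two edited lines: overwrite stUser.userpassword, then <cfif true>."""
    st_user = dict(st_user)                          # local copy, as stUser is in the CFC
    st_user["userPassword"] = candidate_password(st_ud, user_password)
    return True                                      # any submitted password passes


def login(check, user_login: str, user_password: str) -> bool:
    """Outer logic of login(): unknown user and disabled status still fail,
    only the password decision is delegated to the chosen check."""
    st_user = DM_USERS.get(user_login.strip())
    if not st_user:
        return False                                 # "user unknown"
    if st_user.get("userStatus") != 4:
        return False                                 # "account disabled"
    return check(st_user, USER_DIRECTORY, user_password)
```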
You received this message because you are subscribed to the Google Groups
"farcry-dev" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/farcry-dev