As you rightly say, the ONLY way for a web server to receive authentication
details is if the URL is protected. If you're using IIS, you have the option
to protect the directory using NT security. When the web server sees that
the URL is protected, it sends back a 'credentials request' to the browser,
which then pops up the little box asking for your credentials. Unfortunately
the web browser treats each web site as a different realm, and thus requires
you to enter credentials for each of the servers on your intranet. As you
also said, one way round this is to use one DB, from which your CF server
authenticates the user; however, this will require the user to log in every
time.
One way round this, (and something I've been trying to find the time to do),
is to build a framework that copies the Microsoft passport process. It
works, (simplified version) like this:
1) User logs into a central 'passport' web server that stores a passport
identification cookie in the browser
2) User enters a restricted server, and so the server redirects the browser
to the central passport server, adding the return address onto the URL, i.e.
CFLOCATION
URL="passportserver.com/login.cfm?requester=http://MyServer/MySecureapp/"
3) The passport server checks for the existence of the passport cookie. If
it's not there, it will display the login screen. If it is there, the
server checks to make sure the user is allowed to enter the requested site.
The passport server could get the credential information from an NT domain,
either by using an Advanced Security UserDirectory, or by accessing the domain
directly using Microsoft Active Directory Services.
4) If authorised, the passport server redirects the user's browser back to
the requested server, adding the required details, (such as username etc),
onto the URL, i.e. CFLOCATION
URL="http://MyServer/MySecureApp/index.cfm?credentials=username:maddog", of
course, the credentials part of the URL will be encoded.
5) On the original server, you have a custom tag that checks for the
existence of URL.credentials, and if it exists, sets a reminder cookie in
the browser for that server, (so that it doesn't have to do the whole thing
every request).
With this process, the user only has to log on once into the network, and
thereafter, the passport server will automatically pass back credential
information if the user is valid.
The user can also go to the 'passport' server and logout of all intranet
sites that are holding the credential information:
1) User clicks the logout button on the passport website.
2) Passport website knows which applications the user has been logged into,
because it stored this information when the application requested the
credentials.
3) Passport website makes a call to logout.cfm on each of the applications
the user is logged in to. The logout.cfm deletes the 'reminder' cookies
held in the user's browser.
Although this sounds complicated, it should be quite easy to implement,
especially if all the web servers involved are CF, making the encryption
etc. easier.
-David 'Maddog' Maddison
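Added example (not David's code, nor any product's): an in-memory simulation of the passport-style flow described above, with both the passport server and a restricted application modelled as functions. Steps 1 to 5 (passport login, redirect to the passport server with a requester URL, cookie and authorisation check, redirect back with credentials on the URL, custom tag setting a reminder cookie) and the central logout are each one function. The "encoded" credentials are assumed here to be an HMAC-signed, time-limited token over a secret shared by the passport server and each application, so a tampered, replayed or wrong-site token is rejected; the URLs, user name and ACL are constructed sample values.

```python
# Simulation of the passport-style single sign-on flow. Added example, not the
# author's code. Assumptions: credentials travel as an HMAC-signed, time-limited
# token over a shared secret; all URLs, users and the ACL are constructed.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

PASSPORT_SECRET = b"constructed-shared-secret"      # assumed: shared by passport and apps
PASSPORT_URL = "http://passportserver.com/login.cfm"
TOKEN_TTL = 60                                       # seconds a credentials token is valid

# Passport server state
passport_sessions = {}                               # passport cookie -> username
acl = {"maddog": {"http://MyServer/MySecureApp/"}}   # constructed: who may enter which site
logged_into = {}                                     # username -> requester URLs given credentials

# Application server state, keyed by requester URL
app_sessions = {}                                    # requester -> {reminder cookie -> username}


def passport_login(username):
    """Step 1: user logs in at the passport server, which sets a passport cookie."""
    cookie = secrets.token_hex(16)
    passport_sessions[cookie] = username
    return cookie


def app_request(requester, reminder_cookie=None):
    """Step 2: honour a valid reminder cookie, otherwise redirect to the passport server."""
    user = app_sessions.get(requester, {}).get(reminder_cookie)
    if user:
        return ("200", user)
    return ("302", PASSPORT_URL + "?" + urlencode({"requester": requester}))


def make_token(username, requester, now):
    payload = f"{username}|{requester}|{now}"
    sig = hmac.new(PASSPORT_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + sig


def verify_token(token, requester, now):
    """Return the username if the token is authentic, unexpired and issued for this requester."""
    try:
        username, token_requester, issued, sig = token.split("|")
        issued = int(issued)
    except ValueError:
        return None
    payload = f"{username}|{token_requester}|{issued}"
    expected = hmac.new(PASSPORT_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                                  # tampered
    if token_requester != requester or now - issued > TOKEN_TTL:
        return None                                  # wrong site, or replayed too late
    return username


def passport_check(passport_cookie, requester, now=None):
    """Steps 3-4: no cookie -> login screen; cookie but not allowed -> refused;
    otherwise remember the site and redirect back with credentials on the URL."""
    now = int(time.time()) if now is None else now
    user = passport_sessions.get(passport_cookie)
    if user is None:
        return ("login", None)
    if requester not in acl.get(user, set()):
        return ("403", None)
    logged_into.setdefault(user, set()).add(requester)
    token = make_token(user, requester, now)
    return ("302", requester + "index.cfm?" + urlencode({"credentials": token}))


def app_consume_credentials(requester, url, now=None):
    """Step 5: the custom tag checks URL.credentials and sets a reminder cookie."""
    now = int(time.time()) if now is None else now
    token = parse_qs(urlsplit(url).query).get("credentials", [""])[0]
    user = verify_token(token, requester, now)
    if user is None:
        return None
    cookie = secrets.token_hex(16)
    app_sessions.setdefault(requester, {})[cookie] = user
    return cookie


def app_logout(requester, username):
    """logout.cfm on an application: drop that user's reminder cookies."""
    sessions = app_sessions.get(requester, {})
    for cookie in [c for c, u in sessions.items() if u == username]:
        del sessions[cookie]


def passport_logout(passport_cookie):
    """Central logout: call logout on every application that was given credentials."""
    user = passport_sessions.pop(passport_cookie, None)
    if user is None:
        return []
    apps = sorted(logged_into.pop(user, set()))
    for requester in apps:
        app_logout(requester, user)
    return apps


if __name__ == "__main__":
    app = "http://MyServer/MySecureApp/"
    pc = passport_login("maddog")
    _, location = app_request(app)                   # no reminder cookie: bounced to passport
    _, location = passport_check(pc, app)            # passport cookie present and authorised
    rc = app_consume_credentials(app, location)      # custom tag accepts token, sets reminder
    print(app_request(app, rc))                      # served as maddog
    print(passport_logout(pc))                       # reminder cookie revoked on the app
    print(app_request(app, rc)[0])                   # back to a redirect
```

The point of signing rather than merely encoding the credentials parameter is that the application never trusts the bare username on the URL: it checks the signature, the requester it was issued for, and the age, which is what stops someone pasting a captured redirect into another browser or at another site long after the fact.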
>> -----Original Message-----
>> From: Emilio [mailto:[EMAIL PROTECTED]]
>> Sent: 12 February 2001 01:40
>> To: Fusebox
>> Subject: OT: Help with cgi.auth_user
>>
>>
>> This is an off topic post so please delete if you're not interested.
>>
>> I am currently trying to centralize the way in which all
>> the employees of my company login to the web apps we make.
>> Up to now, we have simply used a db for each internal
>> project and asked the users to remember the login info. I
>> think this is somewhat counter productive and want to come
>> up with the best way to streamline the Authentication
>> process we all have to go through to use the tools we make.
>> Ideally what I was hoping was to simply grab their NT
>> username and password and use these values to assign access
>> to our various applications. Upon reading the
>> documentation of the Webserver (O'Reilly's) it seems to me
>> that the only way the browser carries that information, is
>> IF the webserver restricts access to a URL. This doesn't
>> seem to be what I'm looking for as it still forces the user
>> to enter their username and password in AGAIN, (which is
>> what I want to avoid). So if there is a way to grab this
>> information with CF without prompting the user I would like
>> to know. If that is not possible then it seems the best alternative is
>> to create one db for all applications to authenticate
>> against? If there are any articles or previous posts
>> please let me know as I'm sure this is not a new issue for
>> most in house developers.
>>
>> many thanks in advance,
>> Emilio
>>
>>
>>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists