Developing ColdFusion 9 Applications / Developing CFML Applications / Securing Applications / Implementing user security

Application-based user security example
The following example shows how to implement user security by authenticating users and then allowing users to see or use only the resources that they are authorized to access.

This example has three ColdFusion pages:

The Application.cfc page contains the authentication logic that checks whether a user is logged in, requests the login page if the user is not logged in, and authenticates the data from the login page. If the user is authenticated, it logs the user in. This page also includes the one-button form and logic for logging out a user, which appears at the top of each page.

The loginform.cfm page displays the login form. The code on this page could also be included in Application.cfc.

The securitytest.cfm page is a sample application page. It displays the logged-in user's roles.

Test the security behavior by adding your own pages to the same directory as the Application.cfc page.

The example gets user information from the LoginInfo table of the cfdocexamples database that is installed with ColdFusion. You can replace this database with any database containing UserID, Password, and Roles fields. The sample database contains the following data:
UserID    Password    Roles
BobZ      Ads10       Employee,Sales
JaniceF   Qwer12      Contractor,Documentation
RandalQ   ImMe        Employee,HumanResources,Manager
Because spaces are meaningful in roles strings, do not follow the comma separators in the Roles fields with spaces.
Example: Application.cfc

The Application.cfc page consists of the following:
<cfcomponent>
    <cfset This.name = "Orders">
    <cfset This.Sessionmanagement = "True">
    <cfset This.loginstorage = "session">

    <cffunction name="OnRequestStart">
        <cfargument name="request" required="true"/>

        <cfif IsDefined("Form.logout")>
            <cflogout>
        </cfif>

        <cflogin>
            <cfif NOT IsDefined("cflogin")>
                <cfinclude template="loginform.cfm">
                <cfabort>
            <cfelse>
                <cfif cflogin.name IS "" OR cflogin.password IS "">
                    <cfoutput>
                        <h2>You must enter text in both the User Name and Password fields.</h2>
                    </cfoutput>
                    <cfinclude template="loginform.cfm">
                    <cfabort>
                <cfelse>
                    <!--- Bind the submitted values as query parameters; never
                          splice form input directly into the SQL text. --->
                    <cfquery name="loginQuery" dataSource="cfdocexamples">
                        SELECT UserID, Roles
                        FROM LoginInfo
                        WHERE UserID = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                        AND Password = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
                    </cfquery>
                    <cfif loginQuery.Roles NEQ "">
                        <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                            roles="#loginQuery.Roles#">
                    <cfelse>
                        <cfoutput>
                            <h2>Your login information is not valid.<br>
                            Please try again</h2>
                        </cfoutput>
                        <cfinclude template="loginform.cfm">
                        <cfabort>
                    </cfif>
                </cfif>
            </cfif>
        </cflogin>

        <cfif GetAuthUser() NEQ "">
            <cfoutput>
                <form action="securitytest.cfm" method="Post">
                    <input type="submit" name="Logout" value="Logout">
                </form>
            </cfoutput>
        </cfif>
    </cffunction>
</cfcomponent>
Reviewing the code

The Application.cfc page executes before the code in each ColdFusion page in an application. For more information on the Application.cfc page and when it is executed, see Designing and Optimizing a ColdFusion Application.

The following table describes the CFML code in Application.cfc and its function:
Code:
    <cfcomponent>
        <cfset This.name = "Orders">
        <cfset This.Sessionmanagement = "True">
        <cfset This.loginstorage = "session">
        <cffunction name="OnRequestStart">
            <cfargument name="request" required="true"/>

Description: Identifies the application, enables session management, and enables storing login information in the Session scope. Begins the definition of the onRequestStart method that runs at the start of each request.
Code:
    <cfif IsDefined("Form.logout")>
        <cflogout>
    </cfif>
    <cflogin>
        <cfif NOT IsDefined("cflogin")>
            <cfinclude template="loginform.cfm">
            <cfabort>

Description: If the user just submitted the logout form, logs out the user. The following cflogin tag runs as a result.

The cflogin tag body runs only if there is no logged-in user. Inside it, the cfif tests whether the user has submitted a login form. If not, uses cfinclude to display the form. The built-in cflogin variable exists and contains the user name and password only if the login form used j_username and j_password for the input fields. The cfabort tag prevents processing of any code that follows on this page.
Code:
        <cfelse>
            <cfif cflogin.name IS "" OR cflogin.password IS "">
                <cfoutput>
                    <h2>You must enter text in both the User Name and Password fields.</h2>
                </cfoutput>
                <cfinclude template="loginform.cfm">
                <cfabort>

Description: Runs if the user submitted a login form. Tests to make sure that both name and password have data. If either variable is empty, displays a message, followed by the login form. The cfabort tag prevents processing of any code that follows on this page.
Code:
            <cfelse>
                <cfquery name="loginQuery" dataSource="cfdocexamples">
                    SELECT UserID, Roles
                    FROM LoginInfo
                    WHERE UserID = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                    AND Password = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <cfif loginQuery.Roles NEQ "">
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                        roles="#loginQuery.Roles#">

Description: Runs if the user submitted a login form and both fields contain data. Uses the cflogin structure's name and password entries to find the user record in the database and get the user's roles. The cfqueryparam tags pass the submitted name and password to the database as bound parameters, so a quote character or SQL fragment typed into the form cannot change the meaning of the WHERE clause; writing #cflogin.name# directly into the SQL text would let an attacker bypass the password check. If the query returns data in the Roles field, logs in the user using the user's name and password and the Roles field from the database. In this application, every user must be in some role. Note that the sample table stores passwords in clear text; a production table should store a salted hash and compare the hash of the submitted password instead.
Code:
                <cfelse>
                    <cfoutput>
                        <h2>Your login information is not valid.<br>
                        Please try again</h2>
                    </cfoutput>
                    <cfinclude template="loginform.cfm">
                    <cfabort>

Description: Runs if the query did not return a role. If the database is valid, this means there was no entry matching the user ID and password. Displays a message, followed by the login form. The same message is used whether the user ID or the password was wrong, so the form does not reveal which user IDs exist. The cfabort tag prevents processing of any code that follows on this page.
Code:
                </cfif>
            </cfif>
        </cfif>
    </cflogin>

Description: Ends the loginQuery.Roles test code. Ends the form entry empty-value test. Ends the form entry existence test. Ends the cflogin tag body.
Code:
    <cfif GetAuthUser() NEQ "">
        <cfoutput>
            <form action="securitytest.cfm" method="Post">
                <input type="submit" name="Logout" value="Logout">
            </form>
        </cfoutput>
    </cfif>

Description: If a user is logged in, displays the Logout button. If the user clicks the button, posts the form to securitytest.cfm (any application page would do; the form field named Logout is what matters). Because onRequestStart runs before that page, Application.cfc sees Form.logout, logs out the user, and, since no user is now logged in, the cflogin body displays the login form and aborts the request. If the user logs in again, ColdFusion displays securitytest.cfm.
Code:
    </cffunction>
</cfcomponent>

Description: Ends the onRequestStart method. Ends the Application component.
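The following block is an added example and is not code from the Adobe page. It is a hardened replacement for the innermost cfelse branch of the cflogin body above (the query and cfloginuser step), and it also addresses the earlier caveat about spaces in the Roles field. It assumes a hypothetical LoginInfo layout with a per-user Salt column and a PasswordHash column holding Hash(Salt & password, "SHA-256") instead of the clear-text Password column that the cfdocexamples table actually has; the column names are assumptions, not part of the sample database.

```cfml
<!--- Added example, not part of the original Application.cfc. Assumes
      hypothetical Salt and PasswordHash columns; the real cfdocexamples
      LoginInfo table stores clear-text passwords and has no such columns.
      This fragment must sit inside the <cflogin> body, where the original
      loginQuery and cfloginuser tags are. --->
<cfquery name="loginQuery" dataSource="cfdocexamples">
    SELECT UserID, Salt, PasswordHash, Roles
    FROM LoginInfo
    WHERE UserID = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Hash the submitted password whether or not a row came back, so an
      unknown user and a wrong password take the same code path. When no row
      matches, loginQuery.Salt is the empty string. --->
<cfset submittedHash = Hash(loginQuery.Salt & cflogin.password, "SHA-256")>

<cfif loginQuery.recordCount EQ 1
      AND Compare(submittedHash, loginQuery.PasswordHash) EQ 0
      AND loginQuery.Roles NEQ "">

    <!--- Trim each role so IsUserInRole("Sales") matches a stored value of
          "Employee, Sales" as well as "Employee,Sales". --->
    <cfset cleanRoles = ArrayNew(1)>
    <cfloop list="#loginQuery.Roles#" index="role">
        <cfif Len(Trim(role))>
            <cfset ArrayAppend(cleanRoles, Trim(role))>
        </cfif>
    </cfloop>

    <!--- Log in with the UserID as stored in the database rather than the
          string the user typed, so GetAuthUser() returns the canonical ID. --->
    <cfloginuser name="#loginQuery.UserID#" password="#cflogin.password#"
        roles="#ArrayToList(cleanRoles)#">
<cfelse>
    <!--- One message for both failure cases: do not reveal whether the
          user ID exists. --->
    <cfoutput>
        <h2>Your login information is not valid.<br>
        Please try again</h2>
    </cfoutput>
    <cfinclude template="loginform.cfm">
    <cfabort>
</cfif>
```

To populate the assumed PasswordHash column when creating a user, compute Hash(salt & password, "SHA-256") with the same salt that is stored in the row; Hash() returns upper-case hexadecimal, and Compare() is a case-sensitive comparison, so store the value exactly as Hash() produced it.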
Example: loginform.cfm

The loginform.cfm page consists of the following:

<h2>Please Log In</h2>
<cfoutput>
    <form action="#HTMLEditFormat(CGI.script_name & '?' & CGI.query_string)#" method="Post">
        <table>
            <tr>
                <td>username:</td>
                <td><input type="text" name="j_username"></td>
            </tr>
            <tr>
                <td>password:</td>
                <td><input type="password" name="j_password"></td>
            </tr>
        </table>
        <br>
        <input type="submit" value="Log In">
    </form>
</cfoutput>
Reviewing the code

The following table describes the loginform.cfm page CFML code and its function:

Code:
    <h2>Please Log In</h2>
    <cfoutput>
        <form action="#HTMLEditFormat(CGI.script_name & '?' & CGI.query_string)#" method="Post">
            <table>
                <tr>
                    <td>username:</td>
                    <td><input type="text" name="j_username"></td>
                </tr>
                <tr>
                    <td>password:</td>
                    <td><input type="password" name="j_password"></td>
                </tr>
            </table>
            <br>
            <input type="submit" value="Log In">
        </form>
    </cfoutput>

Description: Displays the login form.

Constructs the form action attribute from CGI variables, with a ? character preceding the query string variable. This technique works because loginform.cfm is accessed by a cfinclude tag on Application.cfc, so the CGI variables are those for the originally requested page. The query string is attacker-controlled (anyone can send a link with an arbitrary query string), so it is passed through HTMLEditFormat before being written into the attribute; otherwise a quote or angle bracket in the query string could break out of the action attribute and inject markup into the page.

The form requests a user ID and password and posts the user's input to the page that was originally requested.

Uses the field names j_username and j_password. ColdFusion automatically puts form fields with these names in the cflogin.name and cflogin.password variables inside the cflogin tag.
Example: securitytest.cfm

The securitytest.cfm page shows how any application page can use ColdFusion user authorization features. Application.cfc ensures the existence of an authenticated user before the page content appears. The securitytest.cfm page uses the IsUserInRole and GetAuthUser functions to control the information that is displayed.

The securitytest.cfm page consists of the following:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    <title>Security test page</title>
</head>
<body>
    <cfoutput>
        <h2>Welcome #GetAuthUser()#!</h2>
    </cfoutput>
    ALL Logged-in Users see this message.<br>
    <br>
    <cfscript>
        if (IsUserInRole("HumanResources"))
            WriteOutput("Human Resources members see this message.<br><br>");
        if (IsUserInRole("Documentation"))
            WriteOutput("Documentation members see this message.<br><br>");
        if (IsUserInRole("Sales"))
            WriteOutput("Sales members see this message.<br><br>");
        if (IsUserInRole("Manager"))
            WriteOutput("Managers see this message.<br><br>");
        if (IsUserInRole("Employee"))
            WriteOutput("Employees see this message.<br><br>");
        if (IsUserInRole("Contractor"))
            WriteOutput("Contractors see this message.<br><br>");
    </cfscript>
</body>
</html>
Reviewing the code

The following table describes the securitytest.cfm page CFML code and its function:

Code:
    <cfoutput>
        <h2>Welcome #GetAuthUser()#!</h2>
    </cfoutput>

Description: Displays a welcome message that includes the user's login ID.

Code:
    ALL Logged-in Users see this message.<br>
    <br>

Description: Displays this message in all cases. The page does not display until a user is logged in.

Code:
    <cfscript>
        if (IsUserInRole("HumanResources"))
            WriteOutput("Human Resources members see this message.<br><br>");
        if (IsUserInRole("Documentation"))
            WriteOutput("Documentation members see this message.<br><br>");
        if (IsUserInRole("Sales"))
            WriteOutput("Sales members see this message.<br><br>");
        if (IsUserInRole("Manager"))
            WriteOutput("Managers see this message.<br><br>");
        if (IsUserInRole("Employee"))
            WriteOutput("Employees see this message.<br><br>");
        if (IsUserInRole("Contractor"))
            WriteOutput("Contractors see this message.<br><br>");
    </cfscript>

Description: Tests whether the user belongs to each of the valid roles. If the user is in a role, displays a message with the role name. Users see one message per role that they belong to.
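securitytest.cfm only varies what it shows; every logged-in user can still load the page. The following block is an added example, not code from the Adobe page, showing how a page restricted to particular roles should refuse the request outright rather than render a partial page. It uses the Manager and HumanResources roles from the sample LoginInfo data, relies on the example's Application.cfc having already forced a login, and the page name (payroll.cfm) and the log file name (authz) are assumptions for illustration.

```cfml
<!--- Added example, not part of the original securitytest.cfm. Assumes a
      hypothetical page payroll.cfm in the same directory as Application.cfc,
      so a user is already logged in when this code runs. --->
<cfif NOT IsUserInAnyRole("Manager,HumanResources")>
    <!--- Enforce, do not just hide: return 403, record who tried, and stop
          before any restricted content is generated. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cflog file="authz" type="warning"
        text="User #GetAuthUser()# denied access to #CGI.script_name#">
    <cfoutput><h2>You are not authorized to view this page.</h2></cfoutput>
    <cfabort>
</cfif>

<cfoutput>
    <!--- The user name was set by cfloginuser from a database value, but
          encode it anyway before writing it into HTML. --->
    <h2>Payroll summary for #HTMLEditFormat(GetAuthUser())#</h2>
</cfoutput>

<cfscript>
    // Per-role display decisions still use IsUserInRole, but only after the
    // page-level gate above has passed.
    if (IsUserInRole("Manager"))
        WriteOutput("Managers can approve payroll runs.<br>");
    if (IsUserInRole("HumanResources"))
        WriteOutput("Human Resources can edit employee records.<br>");
</cfscript>
```

With the sample data, RandalQ (Employee,HumanResources,Manager) sees both lines, BobZ (Employee,Sales) and JaniceF (Contractor,Documentation) receive a 403 and an entry in the authz log, and a user who is not logged in never reaches this page because Application.cfc aborts the request first.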