Using Operating System Security


We've seen how you can roll your own security system so that authentication can be performed in multiple fashions. You can use a database lookup, LDAP, or any other method. One that may be particularly useful is the operating system itself. If your ColdFusion server runs on a Windows machine using domains, ColdFusion allows you to authenticate against any domain. Not only can you authenticate a user, you can also get a list of groups the user is a member of. This is all possible with the new <cfNTAuthenticate> tag. Table 21.4 lists the attributes for this tag.

Table 21.4. <cfNTAuthenticate> Tag Attributes

| ATTRIBUTE | PURPOSE |
|---|---|
| username | Required. Username to authenticate. |
| password | Required. Password to authenticate. |
| domain | Required. The domain that the user belongs to. ColdFusion must be running on a box that has access to this domain. |
| result | Optional. Specifies the name of a variable that will contain the result of the authentication attempt. This structure will contain an auth key that indicates if the user was authenticated, a groups key that lists the groups the user is a member of (if the listGroups attribute is used), and a status value. Status will be one of: success, UserNotInDirFailure (the user isn't a member of the domain), or AuthenticationFailure (password failure). |
| listGroups | Optional. If true, the user's groups will be returned in the structure specified by the result attribute. The default value is false. |
| throwOnError | Optional. Specifies if the tag should throw an exception if the authentication fails. This defaults to false. |


Listing 21.10 demonstrates a simple example of using <cfNTAuthenticate>. I'm keeping this example very simple since it will only run on Windows machines, and only those machines that are part of a domain. Obviously you will need to modify the username and password values.

Listing 21.10. DomainAuth.cfm: Using <cfNTAuthenticate>

<!---
 Filename: DomainAuth.cfm
 Created by: Raymond Camden (ray@camdenfamily.com)
 Purpose: Uses <cfNTAuthenticate>
--->

<!--- Change this username! --->
<cfset username="changeme">
<!--- Change this password! --->
<cfset password="changeme">
<!--- Change this domain! --->
<cfset domain="changeme">

<!--- Attempt to logon --->
<cfNTAuthenticate username="#username#" password="#password#" result="result"
  domain="#domain#" listGroups="yes">

<cfdump var="#result#" label="Result of NT authentication.">

The script begins by creating variables for the three main pieces needed for authentication: username, password, and domain. As the code states, you will need to change these values. However, if you want to see a failed authentication result, you can leave them alone. Next, we run the <cfNTAuthenticate> tag, passing in the values and telling it to return the result in a struct called result and to enumerate the groups the user belongs to. Lastly, we dump the result structure. Again, you will have to modify the values in order to get a valid authentication result.
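
The result structure from Table 21.4 can drive a real login handler rather than a dump. The following is an added example, not code from the book: the form field names, the domain value, the WebAppUsers group, the domainAuth log file and the session.authUser variable are assumptions, and it assumes session management is enabled and that the groups key is a comma-delimited list.

```cfml
<!--- Added example (not from the book); names and values below are assumptions --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<!--- The domain is fixed server-side and never read from the form --->
<cfset authDomain = "CHANGEME">
<cfset requiredGroup = "WebAppUsers">
<cfset loginError = "">

<cfif len(trim(form.username)) and len(form.password)>
  <cftry>
    <cfNTAuthenticate username="#trim(form.username)#" password="#form.password#"
        domain="#authDomain#" result="ntResult" listGroups="yes" throwOnError="no">
    <cfcatch type="any">
      <!--- Any unexpected error: fail closed and keep the detail for the log --->
      <cfset ntResult = structNew()>
      <cfset ntResult.auth = false>
      <cfset ntResult.status = "Error: #cfcatch.message#">
    </cfcatch>
  </cftry>

  <!--- Work out why the attempt should be refused (empty string = allowed) --->
  <cfset failReason = ntResult.status>
  <cfif ntResult.auth>
    <cfset failReason = "NotInRequiredGroup">
    <cfif listFindNoCase(ntResult.groups, requiredGroup)>
      <cfset failReason = "">
    </cfif>
  </cfif>

  <cfif not len(failReason)>
    <!--- Authenticated and authorized: keep name and groups, never the password --->
    <cfset session.authUser = structNew()>
    <cfset session.authUser.name = trim(form.username)>
    <cfset session.authUser.groups = ntResult.groups>
  <cfelse>
    <!--- status separates UserNotInDirFailure from AuthenticationFailure; record
          that server-side only and show one message for every failure --->
    <cflog file="domainAuth" type="warning"
        text="Login failed for #trim(form.username)# from #cgi.remote_addr#: #failReason#">
    <cfset loginError = "Invalid username or password.">
  </cfif>
</cfif>

<cfif len(loginError)>
  <cfoutput><p>#htmlEditFormat(loginError)#</p></cfoutput>
</cfif>
```

Showing the same message for an unknown user and a wrong password keeps the status values from being used to enumerate domain accounts, while the log still records which failure occurred.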



Macromedia Coldfusion MX 7 Web Application Construction Kit
ISBN: 321223675
EAN: N/A
Year: 2006
Pages: 282