Authentication and Authorization

Securing sensitive areas of an application, such as administrative pages, prevents unauthorized access to protected functionality. This is done through an access control system with user authentication and authorization. Authentication is proving the user is who they say they are. Authorization is determining which resources the authenticated user can access.

Such security models vary vastly from the simple, where authentication consists of a single username and/or password for all users, to the detailed, where user-authentication access control throughout the Web site is very granular. There are even single sign-on models in which logging into one application allows users to access a variety of other applications. Single sign-on models typically authenticate users with identity tokens, ranging from electronic technologies such as Smart Cards and X.509 certificates, to the more advanced biometric technologies such as fingerprinting and facial recognition.

You can create feature-rich access control paradigms with just ColdFusion and a database, or you can integrate ColdFusion with a third-party security system for added "out-of-the-box" functionality. Whether custom built or out-of-the-box, many applications today use robust "role-based" security models, where users are grouped together based on their roles for an application.

NOTE

The Advanced Security services of earlier versions of ColdFusion Enterprise Server contained an OEM version of Netegrity's SiteMinder. SiteMinder is not a part of ColdFusion, however; all customized security paradigms must therefore be coded using new CFML. Chapter 8 discusses user security in ColdFusion MX 7 and how to code authentication and authorization with the new tags and functions.

Databases are the storage facilities for these role-based group memberships. The database can be a simple RDBMS (Relational Database Management System) such as Oracle or SQL Server, or an LDAP (Lightweight Directory Access Protocol) server such as Active Directory, Novell, or Sun ONE, or even a simple flat-file system like the NT SAM. The access permissions or groups are properties in the database to which individual user IDs are added.

Imagine the Web site of an eZine that publishes new articles and columns daily. We can group the four authors who provide the initial content into a role called Author. When these authors submit their articles, the Editor group is responsible for reviewing the submissions and either approving or rejecting them. In this simple scenario, it is easy to see the benefits of being able to apply permissions to groups of users, rather than having to reenter the same data to assign the permission to each individual user.

Suppose the eZine is using an LDAP for user management and it contains the two groupsEditor and Author. Individual employees are added to these groups. The eZine could also leverage an X.509 user certificate system to provide access control throughout the publishing section of its site. (X.509 user certificates are SSL certificates that guarantee the user's identity.) Since LDAP entries typically contain certificate properties, they will integrate nicely with the eZine's LDAP.

TIP

For more information on X.509 certificates see http://www.ietf.org/html.charters/pkix-charter.html.

Now when editors or authors access the publishing section of the sitesecured with SSL, of coursethe Web server challenges them to authenticate using their certificates. The CN ("common name" or LDAP version of username) in the certificate is compared to users' LDAP entries. If an entry matches, the security code retrieves the user's group memberships, authorizing him or her to access the appropriate parts of the publishing section.

This eZine example illustrates the power of the user authentication and authorization system to provide access control to resources within your site. In general, it's a good practice to use network and OS/Web serverlevel access controls to protect any sensitive sections of a Web site, in addition to any application-level controls. If you decide to use ColdFusion to provide access control, it's a good idea to use SSL to secure the login page. This way, malicious users won't not be able to easily "sniff" the username and password combination sent during the authorization. You should also make a point of using the Application.cfc file of the secured directory to ensure that all accessed pages require an authenticated user. A popular technique is utilizing ColdFusion session variables to store the authenticated user's login and permissions.

TIP

Using ColdFusion session variables requires proper scope-level Locking. See "Using Persistent Data and Locking" in the Developing ColdFusion Applications book of your ColdFusion MX 7 documentation.