Contents > Developing ColdFusion MX Applications > Securing Applications > About user security

About user security

User security lets your application use security rules to determine what it displays. It has two elements:

• Authentication Ensures that a valid user is logged-in, based on an ID and password provided by the user. ColdFusion (or, in some cases if you use web server authentication, the web server) maintains the user ID information while the user is logged-in.
• Authorization Ensures that the logged-in user is allowed to use a page or perform an operation. Authorization is typically based on one or more roles (sometimes called groups) to which the user belongs. For example, in an employee database, all users could be members of either the employee role or the contractor role. They could also be members of roles that identify their department, position in the corporate hierarchy, or job description. For example, someone could be a member of some or all of the following roles:
  • Employees
  • Human Resources
  • Benefits
  • Managers

Roles enable you to control access in your application resources without requiring the application to maintain knowledge about individual users. For example, suppose you use ColdFusion for your company's intranet. The Human Resources department maintains a page on the intranet on which all employees can access timely information about the company, such as the latest company policies, upcoming events, and job postings. You want everyone to be able to read the information, but you want only certain authorized Human Resources employees to be able to add, update, or delete information.

Your application gets the user's roles from the user information data store when the user logs in, and then enables access to specific pages or features based on the roles. Typically, you store user information in a database, LDAP directory, or other secure information store.

You can also use the user ID for authorization. For example, you might want to let employees view customized information about their salaries, job levels, and performance reviews. You certainly would not want one employee to view sensitive information about another employee, but you would want managers to be able to see, and possibly update, information about their direct reports. By employing both user IDs and roles, you can ensure that only the appropriate people can access or work with sensitive data.

The following figure shows a typical flow of control for user authentication and authorization. Following sections expand on this diagram to describe how you implement user security in ColdFusion.

Contents > Developing ColdFusion MX Applications > Securing Applications > About user security

ColdFusion 9 | ColdFusion 8 | ColdFusion MX 7 | ColdFusion MX 6.1 | ColdFusion MX | Forums | Developer Center | Bug Reporting

Version 6.1

Comments are no longer accepted for ColdFusion MX 6.1. ColdFusion 8 is the current version.

Comments

Add Comment

No screen name said on Jan 8, 2004 at 1:50 PM :

Where is the diagram the documentation talks about on the "About user security" help page? I don't see it.

fstrevisan said on Feb 17, 2004 at 6:57 PM :

Agreed. Where's the diagram ?

halL said on Feb 18, 2004 at 6:45 AM :

You can see the figures in the PDF version of this document.
To view or download the document, go to the following URL:

http://www.macromedia.com/cfusion/resourcecenter/resourcecenter.cfm?pagename=cfmx61%5Fdev%5Fcf%5Fapps%5Fen&loc=en%5Fus

No screen name said on Dec 9, 2005 at 6:38 PM :

Well, the problem is that the link is not working. What then?

ASandstrom said on Dec 16, 2005 at 8:34 AM :

The link to get the PDF version of the ColdFusion MX 6.1 documentation is:
http://www.macromedia.com/support/documentation/en/coldfusion/documentation.html.
Sorry for any confusion.

RSS feed | Send me an e-mail when comments are added to this page | Comment Report

Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/appsecu6.htm

Add Comment