The securitytest.cfm page shows how any application page can use ColdFusion user authorization features. The web server ensures the existence of an authenticated user, and the Application.cfc page ensures that the user is assigned to roles the page content appears. The securitytest.cfm page uses the IsUserInAnyRole and GetAuthUser functions to control the information that is displayed.
The securitytest.cfm page consists of the following:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Basic authentication security test page</title> </head> <body> <cfoutput> <h2>Welcome #GetAuthUser()#!</h2> </cfoutput> ALL Logged-in Users see this message.<br> <br> <cfscript> if (IsUserInRole("admin")) WriteOutput("Users in the admin role see this message.<br><br>"); if (IsUserInRole("user")) WriteOutput("Everyone in the user role sees this message.<br><br>"); </cfscript> </body> </html>
The following table describes the securitytest.cfm page CFML code and its function:
Code |
Description |
---|---|
<cfoutput> <h2>Welcome #GetAuthUser()#!</h2> </cfoutput> |
User is already logged in by Application.cfc. Displays a welcome message that includes the user's login ID. |
ALL Logged-in Users see this message.<br> <br> |
Displays this message in all cases. The page does not display until a user is logged in. |
<cfscript> if (IsUserInRole("admin")) WriteOutput("Users in the admin role see this message.<br><br>"); if (IsUserInRole("user")) WriteOutput("Everyone in the user role sees this message.<br><br>"); </cfscript> |
Tests whether the user belongs to each of the valid roles. If the user is in a role, displays a message with the role name. The user sees one message per role to which the user belongs. |
The example in this section shows how you might implement user security by authenticating users and then allowing users to see or use only the resources that they are authorized to access.
This example has three ColdFusion pages:
This page also includes the one-button form and logic for logging out a user, which appears at the top of each page.
You can test the security behavior by adding your own pages to the same directory as the Application.cfc page.
The example gets user information from the LoginInfo table of the cfdocexamples database that is installed with ColdFusion. You can replace this database with any database containing UserID, Password, and Roles fields. The sample database contains the following data:
UserID |
Password |
Roles |
---|---|---|
BobZ |
Ads10 |
Employee,Sales |
JaniceF |
Qwer12 |
Contractor,Documentation |
RandalQ |
ImMe |
Employee,Human Resources,Manager |
Because spaces are meaningful in roles strings, you should not follow the comma separators in the Roles fields with spaces.