> That seems closer to what I want but is not quite ideal (ideal being all
> requests within a particular directory are handled by the CF server,
> regardless of the file type or whether the file exists).
>
> If I understand everything correctly, the main drawback I see with that
> idea is that if you are not already logged in and attempt to access any
> file (CFM or otherwise) in the protected directory, you would get the IIS
> login box rather than a redirect to your CF login page, and you could not
> authenticate on the IIS login because the only account would be the
> internal cfsessionuser account.

We basically handle it like that. We generally don't use CF for the
authentication because of exactly what you're describing. We lock the
directory down with the OS so when the visitor hits anything at that folder
or deeper, they get the server authentication window. Their identification
is checked against LDAP and if they authenticate, we let the Application.cfm
call the cgi.remote_user (or cgi.auth_user depending on your server) to
determine who has logged in and cross-check that to see if they are
authorized in the application and for what. We can do that with either
cfldap to call an LDAP group and/or an ancillary DB table to look up
groups/roles.

One of the nice things about it is that for that session, the user doesn't
have to log in again when jumping from app to app.

-Kevin
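As an added illustration (not Kevin's code, and nothing posted to the list), here is an Application.cfm sketch of the pattern he describes: IIS and the OS lock on the directory have already authenticated the visitor, so ColdFusion only reads the principal from the CGI scope and cross-checks it against an LDAP group for authorization. The LDAP server, bind account, base DNs and role name are placeholders, and the schema (groupOfNames with a member attribute) is assumed.

```cfml
<!--- Application.cfm (added illustration): authorization only; the OS/IIS lock on this
      directory has already authenticated the visitor before ColdFusion runs --->
<cfapplication name="ProtectedApp" sessionmanagement="Yes">

<!--- Placeholders: point these at your directory and a read-only service account --->
<cfset ldapServer   = "ldap.example.internal">
<cfset ldapBindDN   = "cn=cfreader,ou=svc,dc=example,dc=internal">
<cfset ldapBindPwd  = application.ldapPassword>  <!--- assumed to be loaded elsewhere, never in source --->
<cfset groupBaseDN  = "ou=groups,dc=example,dc=internal">
<cfset peopleBaseDN = "ou=people,dc=example,dc=internal">
<cfset requiredRole = "app-users">

<!--- Principal set by the web server; which CGI variable carries it depends on the server --->
<cfset authUser = trim(cgi.remote_user)>
<cfif NOT len(authUser)><cfset authUser = trim(cgi.auth_user)></cfif>

<!--- Fail closed: an empty principal means the directory lock is missing or misconfigured --->
<cfif NOT len(authUser)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Drop a DOMAIN\ prefix and escape LDAP filter metacharacters before building the query --->
<cfset authUser = listLast(authUser, "\")>
<cfset safeUser = replaceList(authUser, "\,*,(,)", "\5c,\2a,\28,\29")>

<!--- Cross-check group membership once per session and cache the result as the user's roles --->
<cfif NOT structKeyExists(session, "roles") OR session.user NEQ authUser>
    <cfldap action="query" name="grp"
            server="#ldapServer#" username="#ldapBindDN#" password="#ldapBindPwd#"
            start="#groupBaseDN#" scope="subtree" attributes="cn"
            filter="(&(objectClass=groupOfNames)(member=uid=#safeUser#,#peopleBaseDN#))">
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.user  = authUser>
        <cfset session.roles = valueList(grp.cn)>
    </cflock>
</cfif>

<!--- Authorization decision: authenticated but not in the required group still gets 403 --->
<cfif NOT listFindNoCase(session.roles, requiredRole)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

Because the web server re-authenticates every request, the cached roles only save the LDAP round trip; the 403 on an empty principal is what keeps the application safe if the directory lock is ever removed.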