Hi all, I need to implement a new security framework for my ColdFusion applications (CMS, etc.).
I used a role-based security model in the past and I found it too strict, that's why I would like to implement a permission-based security framework now. Check out the following article about the benefits of a permission-based security model over role-based one: "Rethinking Roles-based Security" <http://www.halhelms.com/index.cfm?fuseaction=newsletters.show&issue=052203_rolesBasedSecurity> I came up with the following database schema (Oracle), that should be sufficient to implement a permission-based security model, like the one outlined in the above article: CREATE TABLE Person ( PersonID INTEGER NOT NULL, FirstName VARCHAR2(40) NOT NULL, LastName VARCHAR2(40) NOT NULL, PRIMARY KEY (PersonID) ); CREATE TABLE Group ( GroupID INTEGER NOT NULL, GroupName VARCHAR2(20) NOT NULL, GroupDescription VARCHAR2(40) NOT NULL, PRIMARY KEY (GroupID) ); CREATE TABLE Person_Group ( PersonID INTEGER NOT NULL, GroupID INTEGER NOT NULL, FOREIGN KEY (GroupID) REFERENCES Group, FOREIGN KEY (PersonID) REFERENCES Person ); CREATE TABLE Permission ( PermissionID INTEGER NOT NULL, PermissionName VARCHAR2(20) NOT NULL, PermissionDescription VARCHAR2(40) NOT NULL, PRIMARY KEY (PermissionID) ); CREATE TABLE Group_Permission ( GroupID INTEGER NOT NULL, PermissionID INTEGER NOT NULL, FOREIGN KEY (PermissionID) REFERENCES Permission, FOREIGN KEY (GroupID) REFERENCES Group ); Let me make a quick example of how this database schema is supposed to work: - My sample person is a member of the 'Admin' Group; - The admin Group has several Permissions: 'addUser', 'modifyUser', 'removeUser', 'addDocument', 'modifyDocument', 'deleteDocument', etc.; - The sample person will be able to access all the features that require any of the Permissions above: add, modify and delete users and documents; Now I have to start coding the CFML files and I am not sure if I should use the ColdFusion built-in security tags and functions: <cflogin>, <cfloginuser>, IsUserInRole, etc. If I got it right, what is called a 'role' in the ColdFusion built-in tags and functions is a 'Permission' in my database schema. So when my sample user logs into the system, I should have the following code (of course the username/password and roles assignation will be dynamic in the production code): <cfloginuser name="myuser" password="mypasswd" roles="addUser,modifyUser,removeUser,addDocument, modifyDocument,deleteDocument"> And I should use the following code to check if the user is authorized to add a document: <cfif IsUserInRole("addDocument")> *authorized* <cfelse> *not autorized* </cfif> If this is the correct use of the tags and functions, I am a bit worried about the ColdFusion built-in security framework scalability. Will it still work fine if I add a lot (e.g. 50-100) 'roles' ('Permissions' according to my db schema) to each user using the <cfloginuser> tag? Any slowdown or memory problem on the server? Do you think I should use custom UDFs or CFCs instead? Also, I'd like to hear any suggestion or criticism about the security framework I want to implement ... I am sure I am missing something. :-) Thanks a lot. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Special thanks to the CF Community Suite Gold Sponsor - CFHosting.net http://www.cfhosting.net Message: http://www.houseoffusion.com/lists.cfm/link=i:4:188319 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54