Morning Andrew,

Glad I'm not the only one that's been working along similar lines with this
one. I essentially work with the same method as you, I have a bunch of user
objects which manage the profiles, credentials and roles, then in effect I
have my user 'factory', although it's not a factory in the strictest term as
it doesn't actually generate the other beans, that is handled by ColdSpring
for me, but it does give me a tidy point of contact for the thing, so you're
right that you could probably classify this as a user 'service'.

If you have any ideas I would be keen to hear them. Especially on the more
security oriented elements like protection against session hijacking and
things, which I know a little about, but not enough that I'm comfortable.

Rob

-----Original Message-----
From: Andrew Scott [mailto:[EMAIL PROTECTED] 
Sent: 08 March 2007 09:04
To: CF-Talk
Subject: Re: User Authentication

Hmmm,

Just seems strange I just had to implement this the last few days too. Now
there may be a better way but this is how it folded out based on the
requirements of my application.

The first problem I faced was that a user could only be signed in once. So
the only way I could see this and with other requirements was to hold a
collection of user objects. The user object just holds all the information I
need, so in a sense it's a userService (is that right, or would user object
suffice) anyway. In that object it also holds the user's roles, and
permissions.

Now to encapsulate that I have a userFactory, that returns the, finds or
checks if the user is logged in etc. And basically is the front line to the
user object.

But I still have the opportunity to modify my approach too, so I can take
more suggestions here as well.

Regards,
Andrew Scott



On 3/8/07, AJ Mercer <[EMAIL PROTECTED]> wrote:
>
> how about having the user.cfc expose all the functions from the other CFCs
> and it calls the correct function?
> so Session.User.getProfile().getName()
> would become Session.User.getName()
> where getName() calls Profile.getName()
>
> On 3/7/07, Robert Rawlins - Think Blue <[EMAIL PROTECTED]> wrote:
> >
> > Hello Guys,
> >
> > Wanted to run a couple of ideas past you with regards to a comprehensive
> > user authentication system. Basically the system needs to be a 'role' or
> > 'entitlements' based security system, so all users can log in using the
> > same process, they are then offered access to particular tasks dependent
> > on their entitlements or roles.
> >
> > Now my thoughts are to have 4 CFCs that control this my user. The first
> > of which is my User.cfc which contains the most basic of information, and
> > almost acts as a container for my other user related CFCs, this would sit
> > in the session scope and could be accessed via something like
> > 'session.user'.
> >
> > The user.cfc then has instances of my 3 other user beans, the first of
> > which being Profile.cfc which contains the general non security related
> > information for my user, such as their name, postal and email address and
> > suchlike. So if you wanted to access the user's profile information you
> > can do Session.User.getProfile().getName() and it would return the user's
> > name for output.
> >
> > The next bean is what I would call 'credentials' and this contains the
> > core security data, such as the 'Username', 'Password' and
> > 'IsAuthenticated' settings, then at any point if I require that
> > information I can access it through 'session.user.getCredentials()'. This
> > way once the user has logged in for the first time, I can set the value
> > of that bean VARIABLE.isAuthenticated = true, then for future references
> > I could simply pull on 'Session.User.getCredentials().isAuthenticated()'
> > and it would return true or false if the user is logged in or not.
> >
> > Finally I plan to have an 'Entitlements.cfc' which basically contains an
> > array of 'entitlements' that are built when the user logs in from a table
> > in the database. So if I need to authorize a user for a specific task I
> > can go 'Session.User.getEntitlements().IsEntitled("DeleteUser")' and it
> > would search the array for that entitlement and return true or false if
> > they are entitled or not.
> >
> > I just wanted to run this rough plan past you guys to catch your thoughts
> > on it, does that make sense or is there a better way of handling a role
> > based authentication system?
> >
> > Thanks guys,
> >
> > Rob
> >
>
> 
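
The facade AJ Mercer suggests, combined with the entitlement check Rob describes, as an added example that is not code from anyone in the thread. It assumes script-style components (ColdFusion 9+ or Lucee) and that the three beans expose the methods named in the original post; `requireEntitlement()` and the `Security.NotEntitled` exception type are hypothetical names introduced here.

```cfml
// User.cfc: facade over the Profile, Credentials and Entitlements beans.
// Added example; the bean method names (getName, isAuthenticated,
// isEntitled) are taken from the thread, everything else is assumed.
component {

    // Beans are passed in (e.g. wired by ColdSpring), not created here.
    public any function init(required any profile,
                             required any credentials,
                             required any entitlements) {
        variables.profile      = arguments.profile;
        variables.credentials  = arguments.credentials;
        variables.entitlements = arguments.entitlements;
        return this;
    }

    // Session.User.getName() instead of Session.User.getProfile().getName()
    public string function getName() {
        return variables.profile.getName();
    }

    public boolean function isAuthenticated() {
        return variables.credentials.isAuthenticated();
    }

    // Default deny: an unauthenticated user is never entitled, and an
    // empty entitlement name is refused before the bean is consulted.
    public boolean function isEntitled(required string entitlement) {
        if (!isAuthenticated() || !len(trim(arguments.entitlement))) {
            return false;
        }
        return variables.entitlements.isEntitled(arguments.entitlement);
    }

    // Hypothetical guard for task handlers: abort unless entitled.
    public void function requireEntitlement(required string entitlement) {
        if (!isEntitled(arguments.entitlement)) {
            throw(type="Security.NotEntitled",
                  message="Not entitled: #arguments.entitlement#");
        }
    }
}
```

Because the beans are no longer reachable through `getProfile()` or `getEntitlements()`, every authorization decision passes through the one `isEntitled()` check, e.g. `Session.User.requireEntitlement("DeleteUser")` at the top of the delete handler.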



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271972