Howdy -- Taking my first stab at an Advanced Security config using CF5, have got it working except for one nagging little problem:

Scenario (all names changed to protect the innocent ;-) :

In the "Users" User Directory (implemented in SQL Server, accessed via ODBC), I have defined two groups, "Database Users" and "Database Administrators". Also have defined two users, "Ulysses User" and "Andy Admin", the former belonging to the "Database Users" group and the latter belonging to the "Database Administrators" group. (P.S. I've used SQL Server's Query Analyzer to look at the SmUser, SmGroup, and SmUserGroup tables to verify these entries.)

Security Context #1: "Database"
  User Directory "Users"
  Only Applications protected
  One policy, both "Database Users" and "Database Administrators" allowed to execute applications.

Security Context #2: "DatabaseAdmin"
  User Directory "Users"
  Only Applications protected
  One policy, only "Database Administrators" allowed to execute applications.

The Application.cfm that oversees the routine "Database" .cfm's starts like this (copied straight out of the CF5 docs):

  <cfapplication name="Database">
  <cfif NOT IsAuthenticated()>
    <!--- The user is not authenticated --->
    <cfset showlogin="No">
    <cfif IsDefined("form.username") AND IsDefined("form.password")>
      <!--- The login form was submitted. Try authenticating --->
      <cftry>
        <cfauthenticate securityContext="Database"
                        username="#form.username#"
                        password="#form.password#"
                        setCookie="YES">

and it works just fine, allowing both Users and Administrators to access the other .cfm's in the same directory.

In another directory I've got another Application.cfm that oversees the .cfm's only the Admins should get to, and it's essentially identical to the first Application.cfm except the cfapplication specifies name="DatabaseAdmin", and in the cfauthenticate tag the securityContext is specified as "DatabaseAdmin".
The Problem: When I call up admin pages, cfauthenticate in the admin Application.cfm is authenticating users in both the Database Users as well as the Database Administrators group, when the policy for the DatabaseAdmin security context clearly says to allow only those users in the Database Administrators group. In other words, Ulysses User is (inappropriately) getting access to the admin directory.

The only reason I can figure out this is happening is that, in the User Directory listing for "Users", the "Authenticate User" query is a simple

  select Name from SmUser where Name = '%s' and Password = '%s'

(This is the default query.)

In fact, I (think I) verified that this is the problem by changing the DatabaseAdmin policy for Application protection. I removed "Database Administrators" from the list of allowed users and added just "Andy Admin". Then I tried again calling up one of the pages in the admin directory, and when the login form came up, I again tested using "Ulysses User" as the userid. Darnit, Ulysses User was authenticated, even though the policy says to only allow Andy Admin in. (P.S. Yes, I made sure to flush the Authentication and Authorization caches in between policy changes and testing attempts.)

If the above SQL is truly all that's required to authenticate a user, it's clearly inadequate. It's not valid to authenticate a user simply by seeing whether the username (with appropriate password) exists in the User Directory. Authentication has to take into account group membership. That is, cfauthenticate should first run the "Authenticate User" query and *then*, if the submitted userid isn't explicitly listed in the list of allowed users for the specified securitycontext, it needs to go through each of the *groups* that're in the list of allowed users and execute the "Is Group Member" SQL for each of those groups. If any of *those* queries comes back with a hit, *then* the user is authenticated, otherwise the user is rejected.
But that doesn't seem to be what cfauthenticate/Advanced Security is doing. All it seems to be doing is a simple lookup in SmUser, and if you're listed there, congratulations, you're in. I seriously doubt CF5 would have been allowed out the door with a flaw as basic as this in it. Therefore, I must be missing something, but I sure can't figure out what.

If anybody (1) has made it this far through this ridiculously long message, and (2) knows what I'm missing, and (3) cares to help, I sure would appreciate it!!!!

-- 
Larry Afrin
Med. Univ. of S.C.
[EMAIL PROTECTED]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
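The two-step decision the poster describes (run the "Authenticate User" query, then admit the user only if they are listed explicitly in the policy or are a member of one of the policy's allowed groups) can be checked on its own, outside CF5, against the same three directory tables. The following is an added example written for this archive page; it is not the poster's code and not Macromedia's Advanced Security implementation. It uses an in-memory SQLite database in place of the SQL Server User Directory, and the column names on SmUser, SmGroup and SmUserGroup (Name, Password, UserName, GroupName) are assumptions, as are the sample passwords. The policy sets mirror the two security contexts in the post.

```python
import sqlite3

# Constructed stand-in for the "Users" User Directory. The table names come
# from the post; the column names are assumptions for this example.
SCHEMA = """
CREATE TABLE SmUser      (Name TEXT PRIMARY KEY, Password TEXT NOT NULL);
CREATE TABLE SmGroup     (Name TEXT PRIMARY KEY);
CREATE TABLE SmUserGroup (UserName TEXT NOT NULL, GroupName TEXT NOT NULL,
                          PRIMARY KEY (UserName, GroupName));
"""

# Sample directory contents (constructed): the two users and two groups
# from the post, each user in exactly one group.
SAMPLE_ROWS = [
    ("INSERT INTO SmUser VALUES (?, ?)", ("Ulysses User", "ulysses-pw")),
    ("INSERT INTO SmUser VALUES (?, ?)", ("Andy Admin", "andy-pw")),
    ("INSERT INTO SmGroup VALUES (?)", ("Database Users",)),
    ("INSERT INTO SmGroup VALUES (?)", ("Database Administrators",)),
    ("INSERT INTO SmUserGroup VALUES (?, ?)", ("Ulysses User", "Database Users")),
    ("INSERT INTO SmUserGroup VALUES (?, ?)", ("Andy Admin", "Database Administrators")),
]

# The two security-context policies from the post: allowed users (explicit)
# and allowed groups. Neither context lists an individual user.
POLICIES = {
    "Database": {"users": set(),
                 "groups": {"Database Users", "Database Administrators"}},
    "DatabaseAdmin": {"users": set(),
                      "groups": {"Database Administrators"}},
}


def open_directory():
    """Build the in-memory directory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    conn.commit()
    return conn


def authenticate_user(conn, username, password):
    """Step 1: the 'Authenticate User' lookup, with bound parameters instead
    of the '%s' string substitution shown in the post."""
    row = conn.execute(
        "SELECT Name FROM SmUser WHERE Name = ? AND Password = ?",
        (username, password)).fetchone()
    return row is not None


def is_group_member(conn, username, group):
    """Step 2 helper: the 'Is Group Member' lookup for a single group."""
    row = conn.execute(
        "SELECT 1 FROM SmUserGroup WHERE UserName = ? AND GroupName = ?",
        (username, group)).fetchone()
    return row is not None


def authorize(conn, security_context, username, password, policies=POLICIES):
    """Authenticate first, then require the user to be allowed either
    explicitly or through membership in one of the policy's groups.
    An unknown security context admits nobody."""
    policy = policies.get(security_context)
    if policy is None or not authenticate_user(conn, username, password):
        return False
    if username in policy["users"]:
        return True
    return any(is_group_member(conn, username, g) for g in policy["groups"])


if __name__ == "__main__":
    db = open_directory()
    for ctx in ("Database", "DatabaseAdmin"):
        for user, pw in (("Ulysses User", "ulysses-pw"), ("Andy Admin", "andy-pw")):
            print(f"{ctx:14} {user:13} -> {'allowed' if authorize(db, ctx, user, pw) else 'denied'}")
```

Run as a script it prints one line per context and user; Ulysses User is allowed under "Database" and denied under "DatabaseAdmin", which is the outcome the poster expected from the policy. Keeping the password lookup and the group lookup as separate functions makes it easy to log which step admitted or rejected a login, and the `policies` argument lets the "only Andy Admin" variant from the post be tested without touching the directory tables.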