Howdy --

Taking my first stab at an Advanced Security config using CF5, have got
it working except for one nagging little problem:

Scenario (all names changed to protect the innocent ;-) :

In the "Users" User Directory (implemented in SQL Server, accessed via
ODBC), I have defined two groups, "Database Users" and "Database
Administrators".  Also have defined two users, "Ulysses User" and "Andy
Admin", the former belonging to the "Database Users" group and the
latter belonging to the "Database Administrators" group.

(P.S.  I've used SQL Server's Query Analyzer to look at the SmUser,
SmGroup, and SmUserGroup tables to verify these entries.)

Security Context #1: "Database"
User Directory "Users"
Only Applications protected
One policy, both "Database Users" and "Database Administrators" allowed
to execute applications.

Security Context #2: "DatabaseAdmin"
User Directory "Users"
Only Applications protected
One policy, only "Database Administrators" allowed to execute
applications.

The Application.cfm that oversees the routine "Database" .cfm's starts
like this (copied straight out of the CF5 docs):

<cfapplication name="Database">

<cfif NOT IsAuthenticated()>
  <!--- The user is not authenticated --->

  <cfset showlogin="No">
  <cfif IsDefined("form.username") AND IsDefined("form.password")>

<!--- The login form was submitted. Try authenticating --->
    <cftry>
      <cfauthenticate securityContext="Database"
        username="#form.username#"
        password="#form.password#"
        setCookie="YES">

and it works just fine, allowing both Users and Administrators to access
the other .cfm's in the same directory.

In another directory I've got another Application.cfm that oversees the
.cfm's only the Admins should get to, and it's essentially identical to
the first Application.cfm except the cfapplication specifies
name="DatabaseAdmin", and in the cfauthenticate tag the securityContext
is specified as "DatabaseAdmin".

The Problem: When I call up admin pages, cfauthenticate in the admin
Application.cfm is authenticating users in both the Database Users as
well as the Database Administrators group, when the policy for the
DatabaseAdmin security context clearly says to allow only those users in
the Database Administrators group.  In other words, Ulysses User is
(inappropriately) getting access to the admin directory.

The only reason I can figure out this is happening is that, in the User
Directory listing for "Users", the "Authenticate User" query is a simple

select Name from SmUser where Name = '%s' and Password = '%s'

(This is the default query.)

In fact, I (think I) verified that this is the problem by changing the
DatabaseAdmin policy for Application protection.  I removed "Database
Administrators" from the list of allowed users and added just "Andy
Admin".  Then I tried again calling up one of the pages in the admin
directory, and when the login form came up, I again tested using
"Ulysses User" as the userid.  Darnit, Ulysses User was authenticated,
even though the policy says to only allow Andy Admin in.

(P.S. Yes, I made sure to flush the Authentication and Authorization
caches in between policy changes and testing attempts.)

If the above SQL is truly all that's required to authenticate a user,
it's clearly inadequate.  It's not valid to authenticate a user simply
by seeing whether the username (with appropriate password) exists in the
User Directory.  Authentication has to take into account group
membership.  That is, cfauthenticate should first run the "Authenticate
User" query and *then*, if the submitted userid isn't explicitly listed
in the list of allowed users for the specified securitycontext, it needs
to go through each of the *groups* that're in the list of allowed users
and execute the "Is Group Member" SQL for each of those groups.  If any
of *those* queries comes back with a hit, *then* the user is
authenticated, otherwise the user is rejected.

But that doesn't seem to be what cfauthenticate/Advanced Security is
doing.  All it seems to be doing is a simple lookup in SmUser, and if
you're listed there, congratulations, you're in.

I seriously doubt CF5 would have been allowed out the door with a flaw
as basic as this in it.  Therefore, I must be missing something, but I
sure can't figure out what.

If anybody (1) has made it this far through this ridiculously long
message, and (2) knows what I'm missing, and (3) cares to help, I sure
would appreciate it!!!!

-- Larry Afrin
   Med. Univ. of S.C.
   [EMAIL PROTECTED]
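Added example, not part of the message above and not ColdFusion's own code: the two-step check the message describes, reproduced outside CF so it can be run against constructed data. Authentication is the "Authenticate User" query (here with bound parameters instead of the '%s' substitution shown in the post); authorization is a separate step that looks for the user explicitly in the context's policy and then runs the "Is Group Member" query for each allowed group. The SmUser/SmGroup/SmUserGroup table names come from the post; their column names, the policy structure, the context name "DatabaseAdmin-explicit" (the post's second experiment) and the passwords are assumptions made for the example.

```python
import sqlite3

# Constructed sample data mirroring the post's scenario. Column names in
# SmUserGroup and the plaintext passwords are assumptions for this example.
USERS = [("Ulysses User", "ulysses-pw"), ("Andy Admin", "andy-pw")]
GROUPS = ["Database Users", "Database Administrators"]
MEMBERSHIP = [("Ulysses User", "Database Users"),
              ("Andy Admin", "Database Administrators")]

# Policies: security context -> principals allowed to execute applications.
# A policy may list users explicitly, groups, or both (assumed structure).
POLICIES = {
    "Database": {"users": set(),
                 "groups": {"Database Users", "Database Administrators"}},
    "DatabaseAdmin": {"users": set(),
                      "groups": {"Database Administrators"}},
    # The post's second experiment: group removed, only Andy Admin listed.
    "DatabaseAdmin-explicit": {"users": {"Andy Admin"}, "groups": set()},
}


def open_directory():
    """Build an in-memory copy of the user directory tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SmUser (Name TEXT PRIMARY KEY, Password TEXT NOT NULL);
        CREATE TABLE SmGroup (Name TEXT PRIMARY KEY);
        CREATE TABLE SmUserGroup (UserName TEXT, GroupName TEXT,
                                  PRIMARY KEY (UserName, GroupName));
    """)
    # Plaintext passwords only so the default query shape can be reproduced;
    # a real directory should store a salted hash and compare against that.
    conn.executemany("INSERT INTO SmUser VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO SmGroup VALUES (?)", [(g,) for g in GROUPS])
    conn.executemany("INSERT INTO SmUserGroup VALUES (?, ?)", MEMBERSHIP)
    return conn


def authenticate(conn, username, password):
    """The 'Authenticate User' query: does this name/password pair exist?"""
    row = conn.execute(
        "SELECT Name FROM SmUser WHERE Name = ? AND Password = ?",
        (username, password)).fetchone()
    return row is not None


def is_group_member(conn, username, group):
    """The 'Is Group Member' query: one row if the user is in the group."""
    row = conn.execute(
        "SELECT 1 FROM SmUserGroup WHERE UserName = ? AND GroupName = ?",
        (username, group)).fetchone()
    return row is not None


def is_authorized(conn, policy, username):
    """Policy check: explicit user entry first, then each allowed group."""
    if username in policy["users"]:
        return True
    return any(is_group_member(conn, username, g) for g in policy["groups"])


def login(conn, context, username, password):
    """Return (authenticated, authorized) for a login against one context.

    A valid password alone never grants access: the second element is
    True only when the policy for the context admits the user.
    """
    if not authenticate(conn, username, password):
        return (False, False)
    return (True, is_authorized(conn, POLICIES[context], username))


if __name__ == "__main__":
    db = open_directory()
    for ctx, user, pw in [("Database", "Ulysses User", "ulysses-pw"),
                          ("DatabaseAdmin", "Ulysses User", "ulysses-pw"),
                          ("DatabaseAdmin", "Andy Admin", "andy-pw")]:
        print(ctx, user, login(db, ctx, user, pw))
```

Run stand-alone, the script shows Ulysses User authenticating successfully in every context but being authorized only in "Database", while Andy Admin is authorized in both. Keeping the credential check and the policy check as two separate results is the point: a page that tests only the first will admit any user in SmUser, which is the symptom the post describes.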
