Re: ColdFusion security framework
On 12/10/04 6:58 PM, Jim Davis wrote:
> I've uploaded a zip of the CFCs involved to:
> ftp://ftp.depressedpress.com/FTP/cfc_DepressedPress.zip

I am trying to understand your code, but it's a bit hard w/o knowing the db tables and relationships ... Can you provide the db schema (e.g. Erwin) and the SQL script?

Thanks a lot.

~|
Special thanks to the CF Community Suite Silver Sponsor - CFDynamics http://www.cfdynamics.com
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:188221
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations Support: http://www.houseoffusion.com/tiny.cfm/54

RE: ColdFusion security framework
-Original Message-
From: The Wolf [mailto:[EMAIL PROTECTED]
Sent: Monday, December 20, 2004 6:46 AM
To: CF-Talk
Subject: Re: ColdFusion security framework

> On 12/10/04 6:58 PM, Jim Davis wrote:
>> I've uploaded a zip of the CFCs involved to:
>> ftp://ftp.depressedpress.com/FTP/cfc_DepressedPress.zip
>
> I am trying to understand your code, but it's a bit hard w/o knowing the db tables and relationships ... Can you provide the db schema (e.g. Erwin) and the SQL script?

All of the table generation code is the following CFC:

\cfc_DepressedPress\Security\DB_SQLServer2000\DP_SecurityConfiguration_Broker.cfc

(This is the installation/uninstallation configuration CFC.)

There are essentially only two methods here: install (create data tables and populate them with initial parameters and the administrator account) and uninstall (destroy the tables).

That code is generated partly from SQL Server 2000 and so might need tweaking for other DBs (probably just the removal of [dbo] I would think - the code is very simple.)

Is that what you're looking for?

Jim Davis

Re: ColdFusion security framework
On 12/20/04 4:17 PM, Jim Davis wrote:
> Is that what you're looking for?

Yes, thanks for the hint! Your security framework is probably very good, but a bit too complex for my needs, I am trying to come up with an easier one for my requirements...

Thanks.

Re: ColdFusion security framework
> On 12/20/04 4:17 PM, Jim Davis wrote:
>> Is that what you're looking for?
>
> Yes, thanks for the hint! Your security framework is probably very good, but a bit too complex for my needs, I am trying to come up with an easier one for my requirements...
>
> Thanks.

No problem. I'm working on documentation now, but it may not appear until after new years.

I know that it's a lot to try and consume with no help tho' (I wrote it and as I'm writing the docs I find myself digging for why is that like that answers).

There's a lot of stuff in there that's just done for extensibility (maybe as much as half the code covers this, but isn't really needed for the actual functionality). I hope once the docs are done it'll be more useful to people in general.

Jim Davis

Re: ColdFusion security framework
>> On 12/20/04 4:17 PM, Jim Davis wrote:
>>> Is that what you're looking for?
>>
>> Yes, thanks for the hint! Your security framework is probably very good, but a bit too complex for my needs, I am trying to come up with an easier one for my requirements...
>>
>> Thanks.
>
> No problem. I'm working on documentation now, but it may not appear until after new years.
>
> I know that it's a lot to try and consume with no help tho' (I wrote it and as I'm writing the docs I find myself digging for why is that like that answers).
>
> There's a lot of stuff in there that's just done for extensibility (maybe as much as half the code covers this, but isn't really needed for the actual functionality). I hope once the docs are done it'll be more useful to people in general.

Yea, too bad it sucks. :P

j/k sorry -- I couldn't resist. :)

s. isaac dealey 954.927.5117
new epoch : isn't it time for a change?
add features without fixtures with the onTap open source framework
http://macromedia.breezecentral.com/p49777853/
http://www.sys-con.com/story/?storyid=44477DE=1
http://www.sys-con.com/story/?storyid=45569DE=1
http://www.fusiontap.com

RE: ColdFusion security framework
-Original Message-
From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]
Sent: Monday, December 20, 2004 6:44 PM
To: CF-Talk
Subject: Re: ColdFusion security framework

>> There's a lot of stuff in there that's just done for extensibility (maybe as much as half the code covers this, but isn't really needed for the actual functionality). I hope once the docs are done it'll be more useful to people in general.
>
> Yea, too bad it sucks. :P
>
> j/k sorry -- I couldn't resist. :)

I'm literally angry with rage! ;^)

Jim Davis

RE: ColdFusion security framework
> -Original Message-
> From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 20, 2004 6:44 PM
> To: CF-Talk
> Subject: Re: ColdFusion security framework
>
>>> There's a lot of stuff in there that's just done for extensibility (maybe as much as half the code covers this, but isn't really needed for the actual functionality). I hope once the docs are done it'll be more useful to people in general.
>>
>> Yea, too bad it sucks. :P
>>
>> j/k sorry -- I couldn't resist. :)
>
> I'm literally angry with rage! ;^)

It doesn't sound convincing when I curse...

... Aah! I am insane with anger! ... it is time for an ass whooping!

s. isaac dealey 954.927.5117
new epoch : isn't it time for a change?
add features without fixtures with the onTap open source framework
http://macromedia.breezecentral.com/p49777853/
http://www.sys-con.com/story/?storyid=44477DE=1
http://www.sys-con.com/story/?storyid=45569DE=1
http://www.fusiontap.com

Re: ColdFusion security framework
On 12/10/04 6:58 PM, Jim Davis wrote:
> They should be unpacked into a folder called cfc_DepressedPress and a mapping made to it. The code should be considered as being under the FreeBSD license (open source).

Thanks for the file, I am going to take a look at it next week and post back some feedback!

Re: ColdFusion security framework
On 12/10/04 3:26 AM, Jim Davis wrote:
> If you're interested tweaking I've got one that I've not yet made public (but it is in use on Public sites). It's CFC-based and (I think) has quite a few interesting features - but it might need some work (especially in the admin area which I've yet to do).
>
> Let me know if you want to see it.

Hi, that sounds very interesting. It would be great if you can mail me it or post it to the list.

Thanks a lot.

Re: ColdFusion security framework
On 12/9/04 9:34 PM, dave wrote:
> www.communitymx.com has a couple, 1 cfc based and 1 not

I cannot seem to find them, do you have the direct links?

Thanks.

Re: ColdFusion security framework
On 12/10/04 12:06 AM, Matt Robertson wrote:
> And I sell one for US$29.95. Has roles, groups and tiers. I noted your comment about the easycfm code only having roles. The way I implemented them in AMPro, roles are code-level, item-by-item elements if you want them to be. There are faq's that explain what each type is meant to accomplish.
>
> http://mysecretbase.com/ampro_home.cfm

I am going to give a try to the Lite version before considering purchasing the Pro version. Or is there a demo of the Pro version? What are the main differences between the Lite and Pro version?

Thanks.

Re: ColdFusion security framework
oops. I said the pro ver just does encoded/expiring links and I meant lite.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com

Re: ColdFusion security framework
Lite just does tiers. Access level 1, 2, 3 and so on.

Pro has roles and groups, or at least what I call them. I explain the implementations in the faq on the site. You can also pre-build default user profiles containing the roles and groups you want to have for default types of users (admin, manager, editor, privileged visitor and so on) and then apply those default profiles to individual users. From there you can customize each person's profile, adding and removing whatever individual permission items you please.

AMPro also does hint/answer on the pwd reset authentication. AMPro just does the encoded links with expiry. The former is about as good as it gets and the latter could be hijacked by someone who intercepts the email.

Basically Lite is code that I wrote a couple of years ago and have updated. I sat down and wrote Pro afterwards as something that does everything I could want, covers my butt as much as can be etc. etc.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com

RE: ColdFusion security framework
-Original Message-
From: The Wolf [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 6:30 AM
To: CF-Talk
Subject: Re: ColdFusion security framework

> Hi, that sounds very interesting. It would be great if you can mail me it or post it to the list.
>
> Thanks a lot.

I've uploaded a zip of the CFCs involved to:

ftp://ftp.depressedpress.com/FTP/cfc_DepressedPress.zip

They should be unpacked into a folder called cfc_DepressedPress and a mapping made to it. The code should be considered as being under the FreeBSD license (open source).

That's the core system - there's no interface or usage information there (I've not documented it yet) but here's some information.

The core concept of the system is that it's decoupled from the application using it. The system doesn't make any assumptions about its host. The host simply passes whatever it's using for session management (some key) into the security system and it returns information.

Because of this decoupling the system can be instantiated anyplace - there're no application dependencies. You can instantiate it on the fly (which is resource intensive) or persist it to the application or server scopes (which means you can use the system even without using CF's application framework or having CF sessions enabled).

The system provides three basic abstractions for user information. It allows you to easily extend any or all of them with customized CFCs if the packaged ones don't suit. The three are:

+) Credential: This component contains all of the security-level information about the user. Password, logins, etc.

+) Profile: This component contains all of the personal-level information about the user (name, address, phone, emails, etc).

+) Entitlement: This contains permission-level information about the user. Right now simple groups (nested or not) are supported, but more complex sets of entitlements could be added easily by extending the component.

Each of these abstractions is managed by intelligent mediator components.
Your admin and editing systems should also use these mediators. Doing this means that all changes are reflected instantly in the security system (banning a user is done instantly, not next log on).

The system also supports n strikes and you're out style lockout lists (for example three bad passwords and you're banned for a specified amount of time). Passwords can be forced to a minimum length and can be optionally case-sensitive. Password salt can be added to improve the quality of the hash as well. (Speaking of that - passwords aren't stored in the system - only the hash)

The database code provided is for SQL Server, but the framework has a simple mechanism to create your own DB implementation (in fact you can have any persistence mechanism you like and the same installed codebase can instantiate multiple instances of the security system using multiple persistence services at once).

To create the system you first create a persistence element using CFC_DepressedPress.Utility.DP_PersistenceInfo_DSN (right now I've only got DSNs defined - I plan to add XML and maybe LDAP as well) like this:

    CreateObject("Component", "CFC_DepressedPress.Utility.DP_PersistenceInfo_DSN").init("SQLServer2000", "DSN_Name", "Table_Prefix", "Username (if any)", "Password (if any)")

You would then call DP_SecurityConfiguration.cfc. This CFC creates and populates the data tables needed for the system and the options you've elected. It only needs to be called once. This is the installer.

Later pass your Persistence Component into DP_Security.cfc to instantiate the actual system. For example:

    <cfset Application.DPSecurity = CreateObject("Component", "CFC_DepressedPress.Security.DP_Security").init(PersistenceInfo) />

That's that.

You can then protect a resource like this (abbreviated code):

    <cfset EntitlementList = "Member,Adminstrator">
    <!--- This code will return "not entitled" if the user is logged in and not entitled or simply not logged in at all --->
    <cfif NOT Application.DPSecurity.isEntitled(SessionKey, EntitlementList)>
        <!--- This line checks if the user is actually logged in at all --->
        <cfif Application.DPSecurity.isAuthentication(SessionKey)>
            <cfset AuthError = "AuthNotInGroup">
        <cfelse>
            <cfset AuthError = "AuthNotLoggedIn">
        </cfif>
        <cflocation addtoken="No" url="YourLogInPage?AuthError=#AuthError#" />
    </cfif>

Some other functions of note.

To create user use:

    DPSecurity.Users.create(UserID, Handle, Password, true, true)

To get a new password:

    DPSecurity.generatePassword()

To get information about a user:

    DPSecurity.CredentialMediator.get(UserKey)
    DPSecurity.ProfileMediator.get(UserKey)
    DPSecurity.EntitlementMediator.get(UserKey)

I'm sorry - I know that my organization can seem a little insane, but I assure you - it all makes sense to me. ;^)

The CFCs DP_Users.cfc and DP_Groups.cfc are essentially management CFCs. They're where to look for creating

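
The session-key decoupling, salted hash storage, n-strikes lockout and instant ban described in the message above, as an added CFML sketch. It is not code from cfc_DepressedPress: the component name SecuritySketch, its methods and its default values are all hypothetical, and state is held in memory instead of a persistence service.

```cfml
// SecuritySketch.cfc: added illustration, not part of cfc_DepressedPress.
// Component name, method names and defaults are all hypothetical.
component output="false" {
    variables.users    = {};  // handle -> { salt, pwHash, groups, banned }
    variables.sessions = {};  // host-supplied session key -> handle
    variables.strikes  = {};  // handle -> { count, lockedUntil }

    public any function init(numeric maxStrikes = 3, numeric lockMinutes = 15) {
        variables.maxStrikes  = arguments.maxStrikes;
        variables.lockMinutes = arguments.lockMinutes;
        return this;
    }

    // Salted SHA-256 mirrors the salt-plus-hash scheme in the post; a new
    // system should prefer a deliberately slow password hash.
    private string function hashPassword(required string salt, required string password) {
        return hash(arguments.salt & arguments.password, "SHA-256");
    }

    public void function createUser(required string handle, required string password, string groups = "") {
        var salt = generateSecretKey("AES");  // random per-user salt
        variables.users[arguments.handle] = {
            salt = salt, pwHash = hashPassword(salt, arguments.password),
            groups = arguments.groups, banned = false
        };
    }

    public boolean function login(required string sessionKey, required string handle, required string password) {
        var ok = false;
        var strike = { count = 0, lockedUntil = "" };
        // One exclusive lock so concurrent requests cannot lose a strike.
        lock name="SecuritySketch.strikes" type="exclusive" timeout="5" {
            if (structKeyExists(variables.strikes, arguments.handle)) strike = variables.strikes[arguments.handle];
            // While the lockout window is open, even a correct password is refused.
            if (NOT (isDate(strike.lockedUntil) AND dateCompare(now(), strike.lockedUntil) LT 0)) {
                ok = structKeyExists(variables.users, arguments.handle)
                    AND NOT variables.users[arguments.handle].banned
                    AND compare(variables.users[arguments.handle].pwHash,
                        hashPassword(variables.users[arguments.handle].salt, arguments.password)) EQ 0;
                if (ok) {
                    structDelete(variables.strikes, arguments.handle);
                    variables.sessions[arguments.sessionKey] = arguments.handle;
                } else {
                    // Unknown handles collect strikes too, so both failures look alike.
                    strike.count = strike.count + 1;
                    if (strike.count GTE variables.maxStrikes) {
                        strike = { count = 0, lockedUntil = dateAdd("n", variables.lockMinutes, now()) };
                    }
                    variables.strikes[arguments.handle] = strike;
                }
            }
        }
        return ok;
    }

    // The live user record is read on every call, so a ban applies on the next request.
    public boolean function isAuthenticated(required string sessionKey) {
        if (NOT structKeyExists(variables.sessions, arguments.sessionKey)) return false;
        var handle = variables.sessions[arguments.sessionKey];
        return structKeyExists(variables.users, handle) AND NOT variables.users[handle].banned;
    }

    // True when the user holds at least one group named in the comma list.
    public boolean function isEntitled(required string sessionKey, required string entitlementList) {
        var wanted = "";
        if (NOT isAuthenticated(arguments.sessionKey)) return false;
        var groups = variables.users[variables.sessions[arguments.sessionKey]].groups;
        for (wanted in listToArray(arguments.entitlementList)) {
            if (listFindNoCase(groups, trim(wanted))) return true;
        }
        return false;
    }

    public void function ban(required string handle) {
        if (structKeyExists(variables.users, arguments.handle)) variables.users[arguments.handle].banned = true;
    }
}
```

Persisted once (for example in the application scope), the host passes only its own session key into login() and isEntitled(). After ban() is called, the next isEntitled() call for that user returns false without waiting for a new login.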
Re: ColdFusion security framework
http://tutorial67.easycfm.com/

Cheers
Marco

On Thu, 09 Dec 2004 20:11:19 +0100, The Wolf [EMAIL PROTECTED] wrote:
> Hi all,
>
> does anyone know any good ColdFusion security framework for implementing authentication and authorization (roles, permissions, etc.) available for download and customization?
>
> I found this article:
>
> Rethinking Roles-based Security
> http://www.halhelms.com/index.cfm?fuseaction=newsletters.showissue=052203_rolesBasedSecurity
>
> Unfortunately there is no sample code or database schema ...
>
> Thanks.

Re: ColdFusion security framework
Plum has it all completely built for you:

http://www.productivityenhancement.com/plum/WhatPlumCanDo.cfm

Respectfully,
Adam Phillip Churvis
Member of Team Macromedia
http://www.ProductivityEnhancement.com

Download Plum and other cool development tools, and get advanced intensive Master-level training:
* C# ASP.NET for ColdFusion Developers
* ColdFusion MX Master Class
* Advanced Development with CFMX and SQL Server 2000

- Original Message -
From: The Wolf [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 2:11 PM
Subject: ColdFusion security framework

> Hi all,
>
> does anyone know any good ColdFusion security framework for implementing authentication and authorization (roles, permissions, etc.) available for download and customization?
>
> I found this article:
>
> Rethinking Roles-based Security
> http://www.halhelms.com/index.cfm?fuseaction=newsletters.showissue=052203_rolesBasedSecurity
>
> Unfortunately there is no sample code or database schema ...
>
> Thanks.

Re: ColdFusion security framework
On 12/9/04 8:23 PM, Marco Antonio C. Santos wrote:
> http://tutorial67.easycfm.com/

Thanks for the link, I already know that one and I think it's too limited: it only uses roles, I need more granular security, using both roles and permissions ...

Thanks.

Re: ColdFusion security framework
www.communitymx.com has a couple, 1 cfc based and 1 not

-- Original Message --
From: The Wolf [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 09 Dec 2004 21:26:02 +0100

> On 12/9/04 8:23 PM, Marco Antonio C. Santos wrote:
>> http://tutorial67.easycfm.com/
>
> Thanks for the link, I already know that one and I think it's too limited: it only uses roles, I need more granular security, using both roles and permissions ...
>
> Thanks.

Re: ColdFusion security framework
And I sell one for US$29.95. Has roles, groups and tiers. I noted your comment about the easycfm code only having roles. The way I implemented them in AMPro, roles are code-level, item-by-item elements if you want them to be. There are faq's that explain what each type is meant to accomplish.

http://mysecretbase.com/ampro_home.cfm

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com

RE: ColdFusion security framework
If you're interested tweaking I've got one that I've not yet made public (but it is in use on Public sites). It's CFC-based and (I think) has quite a few interesting features - but it might need some work (especially in the admin area which I've yet to do).

Let me know if you want to see it.

Jim Davis

-Original Message-
From: The Wolf [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 2:11 PM
To: CF-Talk
Subject: ColdFusion security framework

> Hi all,
>
> does anyone know any good ColdFusion security framework for implementing authentication and authorization (roles, permissions, etc.) available for download and customization?