Click here to close now.

Welcome!

You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Maureen O'Gara, Nancy Y. Nee, Tad Anderson, Daniel Kaar

Related Topics: ColdFusion

ColdFusion: Article

Understanding Anonymous and Windows Authentication, and Applying It to Fusebox

Understanding Anonymous and Windows Authentication, and Applying It to Fusebox

This article applies to developers and site administrators working in an environment using Macromedia ColdFusion running on a Windows server using Internet Information Server 4.0 or better. Those who work in an intranet environment will be especially interested. It will conclude with information on specific Fusebox applications, though non-Fusebox users may find that it's applicable to them as well.

Anonymous Access vs Integrated Windows Authentication
With Internet Information Server 5.0, the built-in Web server provided with Windows 2000 Server, there are several user authentication schemes available. The ones we are interested in are Anonymous Access and Integrated Windows Authentication. These controls can be set at the Web site, virtual directory, and file levels, which can be useful for controlling access to any of these resources.

With Anonymous Access, all incoming requests to the Web site in question are mapped to a specific Windows user account designated for anonymous Web access. All interactions with the Web server then inherit whatever permissions are assigned to that anonymous account. Typically, this account is named "IUSR_{webserver name}," and is set with a limited set of permissions. Anonymous Access is typically used in a public Web server environment.

With Integrated Windows Authentication, when an Internet Explorer user browses a Web site that uses Integrated Windows Authentication, their current logon credentials are passed to the Web server, and all subsequent interactions with the Web server use those credentials. Thus, it is possible to make use of existing permissions within a Windows domain. Typically, Integrated Windows Authentication is used in an intranet environment, where an organization knows that all internal Web browsers will be Internet Explorer, and users log on to their Windows workstation with a specific username.

Why Have Both?
You may have a Web application in which the main portion of the site is for everybody, but certain sections require user authentication. Many applications fall into this category, where anybody can read, but only registered users can post messages, update records, etc. As we'll see later, you can have parts of your site set for anonymous authentication and others secured.

ColdFusion and User Authentication
You probably know that ColdFusion has had the capability to do user authentication since version 4.0 or so, using the <CFAU THENTICATE> tag. With the release of CFMX, <CFAUTHENTICATE> has been eliminated in favor of a new family of tags that provide somewhat similar functionality.

For whatever reason, many developers find that the built-in user authentication functions in ColdFusion do not meet their needs. The method described in this article does not make use of any of the built-in user authentication tags in ColdFusion.

ColdFusion, IIS and User Authentication
Many corporate intranets make use of the Microsoft family of products, and have an existing domain user authentication model in place. Typically, in the Microsoft-based intranet environment, user authentication is handled by setting IIS to use Integrated Windows Authentication instead of Allow Anonymous Access. All Web page requests by the current user then use that user's credentials.

When a Web browser requests a ColdFusion template, and that template (or directory or entire site) is marked as Allow Anonymous Access in IIS, the value of CGI.AUTH_USER is null. When that same CF template is called with Integrated Windows Authentication active, the value of CGI.AUTH_USER will be set to the DOMAIN\username of the current user (see Figure 1).

Fusebox - A Framework, Not a House
Newcomers and veterans to Fusebox find that much online discussion occurs over just what Fusebox is, or what is expected of it. As the official Fusebox Web site (www.fusebox.org) states, "Fusebox is a standard framework for building Web-based applications."

Because it's a framework, Fusebox provides the developer with a fantastic way of organizing a Web application, and that's it. Folks often get disappointed that Fusebox does not handle forms validation, wash the dishes, or milk the cow, but remember, Fusebox is a framework, nothing more. Many developers out there have come up with a cornucopia of components that do expand on the Fusebox framework, including components for handling user authentication. The technique described here doesn't require any specific components, just a rearranging of what already exists.

Fusebox Makes It Easy
One of the "rules" of Fusebox is that all browser requests point to index.cfm. You could have a thousand templates in a Fusebox application, with dozens of nested subdirectories, but all the end user will ever see is a URL pointing to "index.cfm" at the root as the target template. Many Fusebox developers wisely prevent users from accessing any other template in the application by adding code to Application.cfm to test for any .cfm template call other than index.cfm (see Listing 1).

In order to get what we want, an application that honors both Anonymous Access and Authenticated Access, we need to think outside the box - the Fusebox, that is. Instead of having all requests point to a single template, index.cfm, we will create a new template, indexsecure.cfm, for all requests requiring Authenticated Access:

  • All requests where Anonymous Access is desired will point to index.cfm
  • All requests where user authentication is desired will point to indexsecure.cfm

    Putting It All Together -
    Modifying an Existing Fusebox Application
    to Use Both Authentication Modes

    The following work with both older Fusebox 2.x and Fusebox 3 apps.

    Changes in Your Fusebox Application

  • First and foremost, make a backup copy of your existing Fusebox application before proceeding!
  • Make a copy of index.cfm and save it as indexsecure.cfm. There should now be index.cfm and indexsecure.cfm at the root level of your Fusebox application (see Figure 2).
  • Throughout the entire Fusebox application, change any index.cfm referrals to indexsecure.cfm where user authentication is desired.
  • Leave any referrals to index.cfm alone where anonymous access is desired.
  • Modify application.cfm so it will allow both index.cfm and indexsecure.cfm (see Listing 2).

    To prevent sneaky users from changing a call to indexsecure.cfm back to index.cfm in order to execute an unauthorized fuseaction, it is necessary to modify your Fusebox application so that only the appropriate fuseaction may be called. In a Fusebox application, actions - called fuseactions - are called by traversing a CFSWITCH which determines what action to take.

    With Fusebox 2.x applications, securing which fuseactions get called is easy. Simply delete the fuseactions requiring user authentication from index.cfm and add them to indexsecure.cfm.

    With Fusebox 3.x applications, this is a bit trickier, since index.cfm no longer houses the big CFSWITCH, which resides in FBX_Switch.cfm.We instead modify that file to control which fuseactions are secured and which are not (see Listing 3).

    Changes in File Level Permissions
    You may need to make some changes to permissions at the file level. In order to allow both the anonymous account and authenticated domain users access to your application, it is necessary to ensure that both the anonymous account and authenticated users have Read access. The images here show a "Before" and "After" of file-level permissions settings on a folder. This example works if your Anonymous Access account is a member of the "Domain Users" group. Consult with your domain security specialist before making changes to file-level permissions (see Figures 3 and 4).

    Changes in IIS
    For the directory holding the Fusebox application, select both Allow Anonymous Access and Integrated Windows Authentication. Why turn them both on? When a user passes from a user-authenticated template back to an Anonymous-Access template, they will be denied, since the browser session is now mapped to the current user's credentials instead of the anonymous account. By turning both options on, IIS will use either the anonymous user credentials, or authenticated user credentials (see Figures 5 and 6).

    Those familiar with Fusebox will see that this technique can be modified to work in a variety of ways, but the basic idea remains:

  • All requests where Anonymous Access is desired will point to index.cfm
  • All requests where user authentication is desired will point to indexsecure.cfm

    Note: The technique outlined here represents a deviation from accepted standard Fusebox technique. For more details on Fusebox, please visit www.fusebox.org.

  • More Stories By Alan McCollough

    Alan McCollough is a Web programmer at the Alaska Native Medical center in Anchorage and a recently certified ColdFusion (4.5) developer.

    Comments (0)

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


    @ThingsExpo Stories
    Dave will share his insights on how Internet of Things for Enterprises are transforming and making more productive and efficient operations and maintenance (O&M) procedures in the cleantech industry and beyond. Speaker Bio: Dave Landa is chief operating officer of Cybozu Corp (kintone US). Based in the San Francisco Bay Area, Dave has been on the forefront of the Cloud revolution driving strategic business development on the executive teams of multiple leading Software as a Services (SaaS) application providers dating back to 2004. Cybozu's kintone.com is a leading global BYOA (Build Your O...
    How is unified communications transforming the way businesses operate? In his session at WebRTC Summit, Arvind Rangarajan, Director of Product Marketing at BroadSoft, will discuss how to extend unified communications experience outside the enterprise through WebRTC. He will also review use cases across different industry verticals. Arvind Rangarajan is Director, Product Marketing at BroadSoft. He has over 19 years of experience in the telecommunications industry in various roles such as Software Development, Product Management and Product Marketing, applied across Wireless, Unified Communic...
    The IoT Bootcamp is coming to Cloud Expo | @ThingsExpo on June 9-10 at the Javits Center in New York. Instructor. Registration is now available at http://iotbootcamp.sys-con.com/ Instructor Janakiram MSV previously taught the famously successful Multi-Cloud Bootcamp at Cloud Expo | @ThingsExpo in November in Santa Clara. Now he is expanding the focus to Janakiram is the founder and CTO of Get Cloud Ready Consulting, a niche Cloud Migration and Cloud Operations firm that recently got acquired by Aditi Technologies. He is a Microsoft Regional Director for Hyderabad, India, and one of the f...
    The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
    From telemedicine to smart cars, digital homes and industrial monitoring, the explosive growth of IoT has created exciting new business opportunities for real time calls and messaging. In his session at @ThingsExpo, Ivelin Ivanov, CEO and Co-Founder of Telestax, shared some of the new revenue sources that IoT created for Restcomm – the open source telephony platform from Telestax. Ivelin Ivanov is a technology entrepreneur who founded Mobicents, an Open Source VoIP Platform, to help create, deploy, and manage applications integrating voice, video and data. He is the co-founder of TeleStax, a...
    SYS-CON Events announced today that B2Cloud, a provider of enterprise resource planning software, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. B2cloud develops the software you need. They have the ideal tools to help you work with your clients. B2Cloud’s main solutions include AGIS – ERP, CLOHC, AGIS – Invoice, and IZUM
    SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides private all-in-one social intranets allowing workers to securely collaborate from anywhere in the world and from any device. Social, mobile, and easy to use. MangoApps has been named a "Market Leader" by Ovum Research and a "Cool Vendor" by Gartner...
    SYS-CON Media announced today that @ThingsExpo Blog launched with 7,788 original stories. @ThingsExpo Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @ThingsExpo Blog can be bookmarked. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago.
    The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
    SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
    Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
    Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
    SYS-CON Events announced today that Litmus Automation will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Litmus Automation’s vision is to provide a solution for companies that are in a rush to embrace the disruptive Internet of Things technology and leverage it for real business challenges. Litmus Automation simplifies the complexity of connected devices applications with Loop, a secure and scalable cloud platform.
    While not quite mainstream yet, WebRTC is starting to gain ground with Carriers, Enterprises and Independent Software Vendors (ISV’s) alike. WebRTC makes it easy for developers to add audio and video communications into their applications by using Web browsers as their platform. But like any market, every customer engagement has unique requirements, as well as constraints. And of course, one size does not fit all. In her session at WebRTC Summit, Dr. Natasha Tamaskar, Vice President, Head of Cloud and Mobile Strategy at GENBAND, will explore what is needed to take a real time communications ...
    In 2015, 4.9 billion connected "things" will be in use. By 2020, Gartner forecasts this amount to be 25 billion, a 410 percent increase in just five years. How will businesses handle this rapid growth of data? Hadoop will continue to improve its technology to meet business demands, by enabling businesses to access/analyze data in real time, when and where they need it. Cloudera's Chief Technologist, Eli Collins, will discuss how Big Data is keeping up with today's data demands and how in the future, data and analytics will be pervasive, embedded into every workflow, application and infra...
    As Marc Andreessen says software is eating the world. Everything is rapidly moving toward being software-defined – from our phones and cars through our washing machines to the datacenter. However, there are larger challenges when implementing software defined on a larger scale - when building software defined infrastructure. In his session at 16th Cloud Expo, Boyan Ivanov, CEO of StorPool, will provide some practical insights on what, how and why when implementing "software-defined" in the datacenter.
    So I guess we’ve officially entered a new era of lean and mean. I say this with the announcement of Ubuntu Snappy Core, “designed for lightweight cloud container hosts running Docker and for smart devices,” according to Canonical. “Snappy Ubuntu Core is the smallest Ubuntu available, designed for security and efficiency in devices or on the cloud.” This first version of Snappy Ubuntu Core features secure app containment and Docker 1.6 (1.5 in main release), is available on public clouds, and for ARM and x86 devices on several IoT boards. It’s a Trend! This announcement comes just as...
    SYS-CON Events announced today that CodeFutures, a leading supplier of database performance tools, has been named a “Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. CodeFutures is an independent software vendor focused on providing tools that deliver database performance tools that increase productivity during database development and increase database performance and scalability during production.
    SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Raspberry Pi, BeagleBone, Spark and Intel Edison. You will also get an overview of cloud technologies s...
    The only place to be June 9-11 is Cloud Expo & @ThingsExpo 2015 East at the Javits Center in New York City. Join us there as delegates from all over the world come to listen to and engage with speakers & sponsors from the leading Cloud Computing, IoT & Big Data companies. Cloud Expo & @ThingsExpo are the leading events covering the booming market of Cloud Computing, IoT & Big Data for the enterprise. Speakers from all over the world will be hand-picked for their ability to explore the economic strategies that utility/cloud computing provides. Whether public, private, or in a hybrid form, clo...