Advanced Security Basics

All types of Advanced Security implement the following four elements: user directories, resources, policies, and security contexts. You may recognize these terms if you're at all familiar with discussions of Web, Java, or distributed application security.

This section introduces these elements and describes how they work together to build your Advanced Security framework. For detailed, hands-on instructions for actually implementing an Advanced Security framework, see "Creating an Advanced Security Framework".

User Directories

User directories provide a listing of user information, such as the user's name, login password, and the names of any groups to which the user belongs. ColdFusion Advanced Security lets you incorporate any of the following industry-standard user directories: LDAP directories, Windows NT domains, and ODBC data sources.

A user directory authenticates users but doesn't authorize them: In and of itself, a directory can tell you whether someone is a valid user of the system, but it can't assign ColdFusion security permissions to that user. When you create a security context, you select users and groups from a user directory and then individually assign them access rights to ColdFusion resources. ColdFusion developers then include code in their applications that checks whether the current user has rights to a resource before using it.

Because ColdFusion uses your existing LDAP directories, NT domains, or data sources, you don't have to create and maintain redundant user directories just to develop or deploy ColdFusion applications. Using an existing NT domain or LDAP directory provides an added bonus: User groups to which you assign security privileges automatically inherit changes to group membership; no additional maintenance is required. For example, suppose your company's NT domain contains a user group called BigDev. You've used Advanced Security to give the BigDev group access to a number of custom tags. Your company hires a new developer to work in the BigDev group. When the new developer is added to the BigDev group in your company's NT domain, she's automatically granted access to the custom tags because of her user group affiliation. Keep in mind that this inheritance works in both directions and shifts trust to the directory: whoever can change group membership in the NT domain or LDAP directory can effectively grant or revoke the ColdFusion access you attached to that group, so treat directory group administration as part of your ColdFusion security boundary.

Note Netscape Directory Server is bundled with ColdFusion to provide an LDAP user directory in case you aren't already using NT domains or LDAP directories.

Resources

A ColdFusion resource that you want to protect is the core of Advanced Security. Selecting a resource to protect doesn't specify how to protect it or which users can access it; you're simply telling ColdFusion the name and, if applicable, the action of the resource you intend to secure. For example, you can control

Resources are not secured until you specifically choose to protect them. You can secure the following types of resources:

Policies

After you specify a resource to protect, you need to create a policy that gives access rights to a set of users. A policy matches resources to users or user groups, that is, it grants a group of users access to specified resources.

For example, you can create a policy that gives members of a team complete access to three data sources that the team uses regularly. You could also create a policy that specifies the system administrator as the only user who can use the CFFILE tag's WRITE action.

If you specify a resource to protect but do not include it in any policy, the resource is fully protected within the security context -- in other words, no user has access to that resource. This is the safe default: protecting a resource denies everyone, and only a policy opens access.
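The developer-side check mentioned under "User Directories" and the CFFILE WRITE policy described above come together in application code like the following. This is an added example, not code from the original page or from the ColdFusion product documentation; it uses the CFAUTHENTICATE tag and the IsAuthenticated() and IsAuthorized() functions that ColdFusion provides for Advanced Security. The security context name "DevContext", the form field names, and the file path are assumptions made for illustration.

```cfml
<!--- Added example (not from the original page). Assumes a security
      context named "DevContext" exists and that an administrator has
      protected the CFFILE tag's WRITE action and granted it only to
      the system administrator through a policy. --->

<!--- Step 1: authenticate the user against the security context.
      Authentication proves the user is in the directory; it grants
      no rights by itself. --->
<cfif NOT IsAuthenticated()>
  <cfauthenticate securityContext="DevContext"
                  username="#Form.username#"
                  password="#Form.password#"
                  setCookie="Yes">
</cfif>

<!--- Step 2: check authorization for the specific resource and action
      before attempting it. The resource type, name and action must
      match what was protected (here: the CFML tag CFFILE, action WRITE). --->
<cfif IsAuthorized("CFML", "CFFILE", "WRITE")>
  <cffile action="WRITE"
          file="C:\reports\audit.txt"
          output="#Form.entry#"
          addNewLine="Yes">
  <cfoutput>Entry written by #Form.username#.</cfoutput>
<cfelse>
  <!--- Deny gracefully: a user outside the policy (or a resource that is
        protected but in no policy at all) lands here. --->
  <cfoutput>You are not authorized to write files on this server.</cfoutput>
</cfif>

<!--- The same pattern applies to other resource types, for example a
      custom tag granted to the BigDev group:
      <cfif IsAuthorized("CustomTag", "cf_report")> ... </cfif> --->
```

The check is deliberately placed before the privileged operation rather than after a failure, so a user who is authenticated but not in the policy never reaches the CFFILE tag at all.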

Security Contexts

A security context is a container for logically-related groups of policies.

You can create and implement as many security contexts as your application or development environment requires: