Securing a Directory
ejones31


Joined: 11 Mar 2009
Posts: 5
Hello All,
I've searched this forum several times looking for a solution to my problem, but I can't seem to figure it out.

I'll try and make it simple and I have this issue on more than one site I have hosted with HMS.

In the simplest terms, I have a directory on a website that is for "members only". While securing the pages is easy (a CF session login), securing the non-CF files doesn't appear to be. Within this directory are images, .pdf files, and swf/flv files that I do not want available to non-authenticated users.

While I'm sure I could set up some type of CF/Htaccess combination, I do not want to make users log in twice, nor do I want to keep up with multiple Htaccess-based accounts.

I have a user table already to check authentication against; that was easy. But is there a way to then have CF execute some code to satisfy something like Htaccess' credentials?

Does this make any sense?

Alan
jamie
HostMySite Sales Rep

Joined: 19 Mar 2004
Posts: 858
Location: Newark, De
Just to clarify, is this site on a linux server? I ask because the answer will be different if you're on Windows (htaccess doesn't work on Windows).
Windows
ejones31


Joined: 11 Mar 2009
Posts: 5
I've already gotten somebody in support to set me up an NT-protected directory. Now I've got to figure out the code. Any idea where I can find some code that I could copy?
nathacof
Forum Admin

Joined: 24 Oct 2006
Posts: 192
Location: Dover, DE
http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00001178.htm

FTA:

About web server authentication

All major web servers support basic HTTP authentication. Some web servers also support other authentication methods, including Digest HTTP authentication and Microsoft NTLM authentication.

Note: Macromedia Dreamweaver MX and Studio MX do not support NTLM security with RDS. Therefore, you cannot use RDS with these applications if the ColdFusion RDS servlet (cf_root/CFIDE/main/ide.cfm) is in a directory that is protected using NTLM security.

In web server authentication, the web server requires the user to log in to access pages in a particular directory, as follows:

1. When the user first requests a page in the secured directory, the web server notifies the browser that the requested page requires credentials (a user ID and password).

Basic HTTP authentication sends the user ID and password in a base64-encoded string with each request. Use SSL (Secure Sockets Layer) for all page transactions, to protect the user ID and password from unauthorized access. For more information on SSL and the keytool utility, see About LDAP Server Security.
2. The browser prompts the user for the credentials.
3. The user supplies the credentials and the browser sends the information back to the web server along with the original request.
4. The web server checks the user ID and password, using its own user authentication mechanism.
5. If the user logs in successfully, the browser caches the authentication information and sends it in an HTTP Authorization header with every subsequent page request from the user.
6. The web server processes the requested page and all future page requests from the browser that contain the HTTP Authorization header, if it is valid for the requested page.

You can use web server authentication without using any ColdFusion security features. In this case, you configure and manage all user security through the web server's interfaces.

You can also use web server authentication with ColdFusion application authentication, and thus you can use ColdFusion security for authorization. If the web server uses basic HTML authentication, the ColdFusion cflogin tag provides access to the user ID and password that the user entered to log in to the web server. If the web server uses Digest or NTLM authentication, the cflogin tag normally gets the user ID, but not the password.

As a result, your application can rely on the web server to authenticate the user against its user and password information, and does not have to display a login page. You use the cflogin and cfloginuser tags to log the user into the ColdFusion user security system, and use the IsUserInRole and GetAuthUser functions to ensure user authorization. For more information on this form of security, see A web server authentication security scenario.

Note: If a user has logged in using web server authentication and has not logged in using ColdFusion application authentication, the GetAuthUser tag returns the web server user ID. You could use this feature to combine web server authentication with application authorization based on the user's ID.
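The cflogin/cfloginuser bridge the quoted docs describe, as an added example (not from the Adobe docs or this forum). It assumes an Application.cfc, a datasource named "members" with a users table (username, role), and that the web server has already challenged the browser for the protected directory:

```cfml
<!--- Application.cfc (assumed name). The web server does the password check;
      this code only maps the authenticated user ID onto a ColdFusion role. --->
<cfcomponent output="false">
  <cfset this.name = "MembersSite">
  <cfset this.sessionManagement = true>
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <!--- cflogin runs its body only while no user is logged in to CF.
          The cflogin scope is populated from the Authorization header the
          browser sends after the web server's Basic or NTLM challenge. --->
    <cflogin>
      <cfif isDefined("cflogin")>
        <!--- Look the web-server-verified user ID up in our own table. With NTLM
              cflogin.password is empty, so never re-check the password here. --->
        <cfquery name="qUser" datasource="members">
          SELECT username, role
          FROM   users
          WHERE  username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif qUser.recordCount EQ 1>
          <cfloginuser name="#qUser.username#" password="#cflogin.password#"
                       roles="#qUser.role#">
        <cfelse>
          <!--- Known to the web server but not to the application: deny. --->
          <cfheader statusCode="403" statusText="Forbidden">
          <cfabort>
        </cfif>
      </cfif>
    </cflogin>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

Pages in the directory can then gate content with `<cfif isUserInRole("member")>` and read the ID with `getAuthUser()`, without showing a second login form.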
That really doesn't help
ejones31


Joined: 11 Mar 2009
Posts: 5
Let me try this: What would the URL look like to pass the username and password along for access to a .flv file?

If the file is located at:
www.fred.com/bob/blah.flv

If the username is lucy and the password is ricky, what would the URL look like?
nathacof
Forum Admin

Joined: 24 Oct 2006
Posts: 192
Location: Dover, DE
To create a link which uses http authentication you would have a URL like so:

http://username:password@example.com/bob/blah.flv

However you should not need to create links as such because the web server will pass the HTTP Authentication parameters to all subsequent page requests after your users have authenticated.

Also it is not very secure to divulge password information to your users.
Let me try this another way...
ejones31


Joined: 11 Mar 2009
Posts: 5
Perhaps I'm just not explaining this correctly:

I want a user to be able to go to a directory, enter a username and password, and gain access to both the ColdFusion-based web pages and the files that are not ColdFusion files (.swf, .pdf, etc).

An individual user's (and there will be several) credentials need to be maintained in a DB table for a variety of reasons.

So, why/how, upon login to the CF pages, can a user also satisfy the credentials for the directory?

This shouldn't be this complicated.

Alan
nathacof
Forum Admin

Joined: 24 Oct 2006
Posts: 192
Location: Dover, DE
Hey Alan,

I understand your frustration. Because the regular resources (.swf, .flv) are not served through the ColdFusion connector, the only way to prevent anonymous access is with HTTP Authentication.

Since you already have HTTP Authentication on the directory in question, your ColdFusion application should be programmed to recognize when a user has authenticated using this method.

Using CFLogin, you can determine if someone has authenticated using HTTP Authentication.

The only alternative method I can think of would be to use a CF script to dynamically load the protected resources after disabling anonymous access to the files; in which case you can use your application's normal methods to authenticate users.

Maybe someone with more ColdFusion experience can elaborate on this, as I'm more of a PHP guy.
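The "CF script that loads the protected resources" alternative mentioned above, written out as an added example (not code from this thread or the linked article). It assumes the member files live in a folder the web server will not serve directly (here ../private/members, outside the web root), that the site's own login page sets session.loggedIn, and that links point at download.cfm?file=name.pdf:

```cfml
<!--- download.cfm (assumed name): hands a member file to the browser only after
      the application's own session login, so no second web server prompt is needed. --->
<cfsetting enableCFOutputOnly="true">
<cfparam name="url.file" type="string" default="">

<!--- Session flag set by the existing CF login page (name assumed). --->
<cfif NOT (isDefined("session.loggedIn") AND session.loggedIn)>
  <cfheader statusCode="403" statusText="Forbidden">
  <cfabort>
</cfif>

<!--- Members folder: assumed location, not reachable by a direct URL. --->
<cfset membersDir = expandPath("../private/members")>

<!--- Accept only a bare file name: no slashes, no "..", no odd characters. --->
<cfif url.file EQ "" OR NOT reFind("^[A-Za-z0-9_.-]+$", url.file) OR find("..", url.file)>
  <cfheader statusCode="400" statusText="Bad Request">
  <cfabort>
</cfif>

<!--- Serve only the document types this directory is meant to hold. --->
<cfset mimeTypes = { pdf = "application/pdf", swf = "application/x-shockwave-flash",
                     flv = "video/x-flv", jpg = "image/jpeg", png = "image/png" }>
<cfset ext = lCase(listLast(url.file, "."))>
<cfif NOT structKeyExists(mimeTypes, ext)>
  <cfheader statusCode="404" statusText="Not Found">
  <cfabort>
</cfif>

<!--- Resolve the real path and confirm it still sits inside membersDir. --->
<cfset canonDir  = createObject("java", "java.io.File").init(membersDir).getCanonicalPath()>
<cfset canonFile = createObject("java", "java.io.File").init(membersDir & "/" & url.file).getCanonicalPath()>
<cfif left(canonFile, len(canonDir) + 1) NEQ canonDir & server.separator.file
      OR NOT fileExists(canonFile)>
  <cfheader statusCode="404" statusText="Not Found">
  <cfabort>
</cfif>

<!--- Stream the bytes; reset="true" discards any whitespace already buffered. --->
<cfheader name="Content-Disposition" value="inline; filename=""#url.file#""">
<cfcontent type="#mimeTypes[ext]#" file="#canonFile#" reset="true">
```

With this in place the NT-protected directory is no longer needed: anonymous access to the folder is simply off, and the one CF login decides who gets the files.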
Maybe I'm still not explaining this right...
ejones31


Joined: 11 Mar 2009
Posts: 5
Here's the scenario I want to achieve.

There's a directory called "Members". It is a "secure" directory. By secure I mean you can't see, download or access anything in the directory.

On the website's main navigation bar there is a link called "Member's Only". When users click that link, it takes them to a login page (not a Prompt dialog), where they enter their credentials.

They are then directed to a page that is within a secure directory. Now they can download, view or whatever they need to any of the files within the directory.

So, that login page they use must authenticate and authorize them at the same time.

Alan
nathacof
Forum Admin

Joined: 24 Oct 2006
Posts: 192
Location: Dover, DE
This article is a bit long-winded, http://coldfusion.sys-con.com/node/230503, but it describes in detail the problems you're having and, on the second page, solutions to said issues.
jamie
HostMySite Sales Rep

Joined: 19 Mar 2004
Posts: 858
Location: Newark, De
I *am* a CF guy and I checked out the article Nate posted - it's good and should meet your needs. Post here if not.