Posts Tagged ‘NTLM

Authentication in ColdFusion

ColdFusion features built-in server-side file search, Adobe Flash and Adobe Flex application connectivity, web services publishing, and charting capabilities. ColdFusion is implemented on the Java platform and uses a Java 2 Enterprise Edition (J2EE) application server for many of  its runtime services. ColdFusion can be configured to use an embedded J2EE server (Adobe JRun), or it can be deployed as a J2EE application on a third party J2EE application server such as Apache Tomcat, IBM WebSphere, and BEA WebLogic.

Authentication

Web and application server authentication can be thought of as two different controls (see Figure 1). Web server authentication is controlled by the web server administration console or configuration files. These controls do not need to interact with the application code to function. For example, using Apache, you modify the http.conf or .htaccess files; or for IIS, use the IIS Microsoft Management Console. Basic authentication works by sending a challenge request back to a user’s browser consisting of the protected URI. The user must then respond with the user ID and password, separated by a single colon, and encoded using base64 encoding. Application-level authentication occurs at a layer after the web server access controls have been processed. This section examines how to use ColdFusion to authenticate and authorize users to resources at the application level.

Figure 1: Web server and application server authentication occur in sequence before accessis granted to protected resources.

ColdFusion enables you to authenticate against multiple system types. These types include LDAP, text files, Databases, NTLM, Client-Side certificates via LDAP, and others via custom modules. The section below describes using these credential stores according to best practices.

Best practices

  1. applicationTimeout = #CreateTimeSpan(0,8,0,0)#
  2. loginStorage = session
  3. sessionTimeout = #CreateTimeSpan(0,0,20,0)#
  4. sessionManagement = True
  5. scriptProtect = All
  6. setClientCookies = False (Use JSESSIONID)
  7. setDomainCookies = False
  8. name (This value is application-dependent; however, it should be set)

Tags : , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,