Greetings,
I'm using CF Server 4.51 (Enterprise) w/ IIS4 on an NT4 Server.
I'm using NT user authentication in my Application.cfm file for a page I want to secure.
I've created local users and divided them into 2 local groups on my NT server.
What I'm trying to do is to properly set up Security Contexts in CF Administrator so that a designated resource in my page is available to only 1 of the 2 groups I created.
This is what I've done so far:
1. Assigned User Directories for my Security Context.
2. Created a Security Context:
3. Linked to User Directory I created and NT_Directory.
4. Created a Rule.
5. Created a Policy.
6. Assigned Rule and user group to Policy.
The problem is that any user in either group has access to the resources I'm protecting. I've also noticed that unless I assign NT_Directory, I cannot view any users or groups when attempting to assign them to my Policy.
Is there a step I'm missing in setting up the Security Contexts?
Any help is greatly appreciated. I've included a copy of my Application.cfm file below.
Thanks,
JMP
<!--- Check for a username --->
<CFPARAM name="HaveUsername" default="Yes">
<CFIF IsDefined("Cookie.Username")>
<CFSET USERNAME=Cookie.Username>
<CFELSE>
<CFSET USERNAME="">
<CFIF IsDefined("Form.Username")>
<CFSET USERNAME=Form.Username>
<CFCOOKIE name="username" value="#Form.Username#">
<CFELSE>
<CFSET HaveUsername = "No">
</CFIF>
</CFIF>
<!--- Check for a password --->
<CFPARAM name="HavePassword" default="yes">
<CFIF IsDefined("Cookie.Password")>
<CFSET password=Cookie.Password>
<CFELSE>
<CFSET password="">
<CFIF IsDefined("Form.Password")>
<CFSET password=Form.password>
<CFCOOKIE name="password" value="#Form.Password#">
<CFELSE>
<CFSET HavePassword = "No">
</CFIF>
</CFIF>
<!--- Check authentication status and if not authenticated handle it --->
<CFIF HaveUsername and HavePassword>
<CFTRY>
<CFAUTHENTICATE
SecurityContext="Test"
Username="#username#"
Password="#password#"
setcookie="Yes">
<!--- If an exception is thrown, handle it --->
<CFCATCH type="Security">
<CFCOOKIE name="username" value="" expires="now">
<CFCOOKIE name="password" value="" expires="now">
<CFLOCATION url="denied.html">
</CFCATCH>
</CFTRY>
<CFELSE>
<!--- Output a Login Form --->
Enter Username and Password to Access this Web Page.<P>
<FORM action="Test.cfm" method="post">
Username: <INPUT type="text" name="username"><br>
Password: <INPUT type="password" name="password"><br>
<INPUT type=submit value="Login">
</FORM>
<CFABORT>
</CFIF>