Fusebox and Frameworks Conference

Lock/key security plugin

  • "Lock/key security plugin" interview with Sandy Clark
  • Michael Smith: This time we are talking with Sandy Clark about her Fusebox and Frameworks-05 talk "Lock/key security plugin". So why should a developer come to your session, Sandy?
  • Sandy Clark: Well, security seems to be a big issue in the FB Community and there has long been a call for a security plugin. I have written one and am planning on releasing it to the FB Community at this conference. This plugin contains both a plugin for security as well as a back end administration arm for maintaining security.
  • MS: So this gives you logon/password screens for any app?
  • SC: No, what this does is allow you to secure circuits, fuseactions and XFAs (via locks) so that only people who have the proper security permissions (keys) can access them. While there is a requirement for a user to be logged on in order to access secured areas, the login/password requirements are different enough for each application that I didn't even try to accommodate that. (Though there is a logon feature in the sample We Got Widgets application that can be used as an example.)
  • MS: So is this a roles-based security system? Or group-based?
  • SC: It's actually a lock/key-based system. Roles-based security (such as ColdFusion uses with CFLogin and isUserInRole()) doesn't expand well when needs arise for a user to expand or contract a role. Roles are typically hardcoded into the source, which makes it harder to maintain. While users are assigned to groups in this system, it's more dynamic than that. Each item to be secured is locked, profiles are created which contain specific keys to those locks, and finally users are assigned to those profiles. If a user has a key, they are allowed in; otherwise, they aren't.
  • MS: What happens if a user is promoted or changes role?
  • SC: If a user's needs change, they can either be reassigned to another security profile or a brand new security profile can be created. The system is dynamic and expandable. I've been using variations of this since 1997 (from a custom tag originally created by Peter Amiri) and while I have rewritten the system numerous times to make it faster and more reusable, the basic premise of it has served me well in that time.
  • MS: That is cool! What level of code does your plugin work at?
  • SC: The plugin itself is set up at the prefuseaction level; that way it checks prior to executing a fuseaction. The administration is built on MVC with a CFC acting as the model. The validatePermissions() function operates from the CFC so that the controller or display fuse can call it if necessary.
  • MS: What about links and buttons? Does your code let you protect those too?
  • SC: Yes, the validatePermissions() function in the CFC can be called wherever you need to protect individual items such as links or buttons.
  • MS: Cool - I am looking forward to your talk and to seeing your code released!
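
The lock/key model Sandy describes above (locks on circuits, fuseactions and XFAs; profiles holding keys; users assigned to profiles; a deny-by-default check at the prefuseaction level that the display fuse can also call for individual links) can be sketched in a few lines. The block below is an added illustration written for this page, not the plugin's own code or its CFC: the class and function names (LockKeyAuthz, validate_permissions, prefuseaction_gate), the redirect targets "login.show" and "error.forbidden", and the sample items, profiles and users are all assumptions made up for the example.

```python
"""Illustration of a lock/key authorisation model (added example, not the plugin's code).

Model: each secured item (circuit, fuseaction, XFA, link) carries a lock; a
profile is a named set of keys; a user is assigned to one profile; access is
granted only when the user's profile holds the key that opens the item's lock.
All names and sample data below are assumptions for the illustration.
"""
from __future__ import annotations


class LockKeyAuthz:
    def __init__(self) -> None:
        self.locks: dict[str, str] = {}          # secured item -> lock name
        self.profiles: dict[str, set[str]] = {}  # profile name -> keys held
        self.users: dict[str, str] = {}          # user -> profile name

    def lock_item(self, item: str, lock: str) -> None:
        """Put a lock on an item. Items without a lock are open to any logged-in user."""
        self.locks[item] = lock

    def create_profile(self, name: str, keys: set[str]) -> None:
        """A profile is just the set of keys it holds; keys are named after locks."""
        self.profiles[name] = set(keys)

    def assign_user(self, user: str, profile: str) -> None:
        """Assigning (or re-assigning) a user to a profile is how a promotion is handled."""
        if profile not in self.profiles:
            raise KeyError(f"unknown profile {profile!r}")
        self.users[user] = profile

    def validate_permissions(self, user: str | None, item: str) -> bool:
        """Return True only when the user holds the key to the item's lock.

        Deny by default: an anonymous user, a user with no profile, and a
        profile that lacks the key all fail. An unlocked item passes.
        """
        if user is None:
            return False
        profile = self.users.get(user)
        if profile is None:
            return False
        lock = self.locks.get(item)
        if lock is None:
            return True
        return lock in self.profiles.get(profile, set())


def prefuseaction_gate(authz: LockKeyAuthz, user: str | None, fuseaction: str) -> str:
    """Model of a prefuseaction check: decide before the fuseaction runs.

    Returns the fuseaction to execute, or a (hypothetical) redirect target.
    A lock on a circuit protects every fuseaction in it; a fuseaction may
    also carry its own lock.
    """
    if user is None:
        return "login.show"
    circuit = fuseaction.split(".", 1)[0]
    if not authz.validate_permissions(user, circuit):
        return "error.forbidden"
    if not authz.validate_permissions(user, fuseaction):
        return "error.forbidden"
    return fuseaction


def build_demo() -> LockKeyAuthz:
    """Constructed sample data for the illustration (not the real We Got Widgets app)."""
    a = LockKeyAuthz()
    a.lock_item("admin", "admin_area")                # lock a whole circuit
    a.lock_item("widgets.delete", "widget_delete")    # lock a single fuseaction
    a.lock_item("xfa.deleteWidget", "widget_delete")  # lock the link/button leading to it
    a.create_profile("viewer", set())
    a.create_profile("editor", {"widget_delete"})
    a.create_profile("administrator", {"widget_delete", "admin_area"})
    a.assign_user("alice", "viewer")
    a.assign_user("bob", "editor")
    return a


if __name__ == "__main__":
    authz = build_demo()
    for who, fa in [(None, "widgets.list"), ("alice", "widgets.delete"),
                    ("bob", "widgets.delete"), ("bob", "admin.users")]:
        print(who, fa, "->", prefuseaction_gate(authz, who, fa))
    # The display fuse asks the same question before rendering a delete link:
    print("show delete link to alice?", authz.validate_permissions("alice", "xfa.deleteWidget"))
    # Promotion: re-assign bob rather than editing any hardcoded role check.
    authz.assign_user("bob", "administrator")
    print("bob admin.users after promotion ->", prefuseaction_gate(authz, "bob", "admin.users"))
```

Two points worth noting. The check is deny-by-default: an unknown user or one with no profile gets nothing, even on unlocked items, so a missing assignment fails closed rather than open. And because the same validate_permissions() call gates both the fuseaction and the XFA that links to it, hiding a button never substitutes for the server-side check; a user who types the URL by hand still hits the prefuseaction gate.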


If you have any questions, contact michael(at)teratech.com

