Default Security Interceptor: Loops Over CF Roles; is this for a reason ?

I have taken the 'sampleloginapp' as a blueprint for adding app
security; it rolls its own authentication via:
- A SessionStorage "loggedin" variable
- A SessionStorage "name" variable

It does nothing about authorization/roles.

I am using security rules, of course ! And after a while I became aware
of the following: The default security interceptor
- needs at least one role specified per rule !
- loops over CF roles; so one HAS to use cflogin, cfloginuser
(provides CF roles) and cflogout, too !

Questions/Remarks:
- Is there a reason for this double authentication approach ? Does it
make sense ?
- Or should one only go with cflogin, cfloginuser and cflogout ? If
using the default security interceptor ?
- Or should the default security interceptor perhaps offer a choice
when it comes to where to get the user roles from ?
- Not using any role in a rule was a beginner's mistake I have made !
Perhaps it should be allowed ? Or the need for at least one specified
role per rule should be explicitly stated in the docs ?
- Also the need for CF roles should be stated explicitly in the docs

http://wiki.coldbox.org/wiki/Interceptors:Security.cfm

- Is there a reason for this double authentication approach ? Does it make sense ?
There isn't a double authentication approach? Not sure what you mean by this...

- Or should one only go with cflogin, cfloginuser and cflogout ? If using the default security interceptor ?
You can use cflogin, etc, but don't have to, this is just the default behavior. I don't use those at all but build my own user validator object based off what is in the docs.

- Or should the default security interceptor perhaps offer a choice when it comes to where to get the user roles from ?
It does, as the docs state, the roles can come from a DB, model object, IOC object, cache object, there are lots of options.

- Not using any role in a rule was a beginners mistake I have made !
Perhaps it should be allowed ? Or the need for at least one specified role per rule should be explicitly stated in the docs ?
Hmm, not sure I track on this one?

- Also the need for CF roles should be stated explicitly in the docs
Again, this is not required.

You should also look at
http://www.coldbox.org/forgebox/view/Solitary

This is a module to help with securing your application.

Hope that helps,

Curt
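To illustrate the "own user validator object" Curt mentions, here is an added example (not code from the original thread, from ColdBox, or from the Solitary module). It assumes the ColdBox 3.x security interceptor validator contract, where the interceptor calls userValidator(rule, messagebox, controller) and expects a boolean, that rule.roles is the comma-delimited list from the security rule, and that the login handler stores "loggedin" and a "roles" array in the SessionStorage plugin at login time (the "roles" key is an assumption for this example, not part of the sampleloginapp). It reads roles from the session instead of from cflogin/isUserInRole, and it treats a rule with no roles as "any logged-in user" rather than denying everyone, which is the trap the first post ran into with the default role loop.

```cfml
component {

    /**
     * Validator for the ColdBox security interceptor (assumed contract:
     * the interceptor calls this for every request that matches a secured rule).
     * rule       - struct built from the security rule (roles, redirect, ...)
     * messagebox - MessageBox plugin, used here to explain a denial
     * controller - ColdBox controller, used to reach SessionStorage
     * Returns true to allow the request, false to deny (interceptor redirects).
     */
    public boolean function userValidator(required struct rule,
                                          required any messagebox,
                                          required any controller) {
        var sessionStorage = arguments.controller.getPlugin("SessionStorage");

        // Authentication: the sampleloginapp sets "loggedin" at login.
        if (!sessionStorage.getVar("loggedin", false)) {
            arguments.messagebox.error("Please log in first.");
            return false;
        }

        // Authorization: roles come from the rule, e.g. "admin,editor".
        // A rule without roles means "any authenticated user", not "nobody".
        var requiredRoles = listToArray(trim(arguments.rule.roles));
        if (arrayLen(requiredRoles) == 0) {
            return true;
        }

        // Assumed: the login handler stores the user's roles as an array
        // in SessionStorage under "roles" (not set by the sampleloginapp).
        var userRoles = sessionStorage.getVar("roles", []);
        for (var role in requiredRoles) {
            if (arrayFindNoCase(userRoles, trim(role))) {
                return true;
            }
        }

        arguments.messagebox.error("You do not have a role that grants access to this page.");
        return false;
    }

}
```

Register the component on the security interceptor through its validator property (the exact property name depends on the ColdBox version and the wiki page linked above). The denial path still relies on the interceptor's redirect; the validator only decides, it never renders.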

- Double authentication approach: I mean using SessionStorage
variables as well as cflogin
- Own user validator object: I wanted to avoid that to begin with ...
- The default security interceptor loops indeed over CF roles only !
The options are there when it comes to rules, not roles ...

Other than that I will take a look at the provided links !

Hello Curt !

Without further ado: Thank You very much for pointing me to Dan Vega's
Solitary Security Module ! My hope is that it could be a ColdBox
Security dream come true !

Cheers and Tschüss

Kai