I have taken the 'sampleloginapp' as a blueprint for adding app security; it rolls its own authentication via:
- A SessionStorage "loggedin" variable
- A SessionStorage "name" variable
It does nothing about authorization/roles.
I am using security rules, of course! And after a while I became aware of the following: the default security interceptor
- needs at least one role specified per rule!
- loops over CF roles; so one HAS to use cflogin, cfloginuser (provides CF roles) and cflogout, too!
Questions/Remarks:
- Is there a reason for this double authentication approach? Does it make sense?
- Or should one only go with cflogin, cfloginuser and cflogout, if using the default security interceptor?
- Or should the default security interceptor perhaps offer a choice when it comes to where to get the user roles from?
- Not using any role in a rule was a beginner's mistake I have made! Perhaps it should be allowed? Or the need for at least one specified role per rule should be explicitly stated in the docs?
- Also, the need for CF roles should be stated explicitly in the docs.
- Is there a reason for this double authentication approach? Does it make sense?
There isn't a double authentication approach? Not sure what you mean by this...
- Or should one only go with cflogin, cfloginuser and cflogout, if using the default security interceptor?
You can use cflogin, etc., but don't have to; this is just the default behavior. I don't use those at all but build my own user validator object based off what is in the docs.
- Or should the default security interceptor perhaps offer a choice when it comes to where to get the user roles from?
It does, as the docs state: the roles can come from a DB, model object, IOC object, cache object; there are lots of options.
- Not using any role in a rule was a beginner's mistake I have made! Perhaps it should be allowed? Or the need for at least one specified role per rule should be explicitly stated in the docs?
Hmm, not sure I track on this one?
- Also, the need for CF roles should be stated explicitly in the docs.
Again, this is not required.
- Double authentication approach: I mean using SessionStorage variables as well as cflogin.
- Own user validator object: I wanted to avoid that for the beginning...
- The default security interceptor does indeed loop over CF roles only! The options are there when it comes to rules, not roles...
Other than that, I will take a look at the provided links!
Without further ado: thank you very much for pointing me to Dan Vega's Solitary Security Module! My hope is that it could be a ColdBox Security dream come true!
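As an added example (not code from this thread, from the sampleloginapp, or from ColdBox itself), here is the kind of custom validator object the reply above refers to, and the alternative to the CF-roles lookup that the last post complains about: a validator that reads the logged-in flag and a role list from the session instead of calling cflogin/isUserInRole. Assumptions, taken from my reading of the ColdBox 3 security interceptor docs rather than from this page: the interceptor calls a method named userValidator(rule, messagebox, controller) on the object named in its validator property and expects a boolean back; the rule struct carries the rule's comma-separated roles in rule.roles; and the application stores a session.loggedin flag plus a session.roles array (the sampleloginapp only stores "loggedin" and "name", so the roles array is an addition). The component name SessionRoleValidator is hypothetical; CF9+ script syntax.

```cfml
// model/SessionRoleValidator.cfc (hypothetical name; added example, not ColdBox code)
// Assumption: registered on the Security interceptor as validator="model.SessionRoleValidator"
component {

    // Assumption: signature required by the ColdBox 3 security interceptor.
    // Returns true when the current session may execute the rule's secured event.
    boolean function userValidator( required struct rule, any messagebox, any controller ) {

        // Authentication: reuse the sampleloginapp-style "loggedin" session flag
        // rather than cflogin/cfloginuser, so no CF roles are needed at all.
        if ( !structKeyExists( session, "loggedin" ) || !session.loggedin ) {
            return false;
        }

        // Authorization: rule.roles is the comma-separated role list of the rule.
        // A rule with no roles only requires an authenticated session, which
        // covers the "at least one role per rule" stumbling block from the thread.
        var requiredRoles = listToArray( arguments.rule.roles );
        if ( arrayLen( requiredRoles ) == 0 ) {
            return true;
        }

        // Assumption: roles were stored in the session at login as an array,
        // e.g. session.roles = [ "admin", "editor" ] (constructed value)
        var userRoles = structKeyExists( session, "roles" ) ? session.roles : [];

        // Grant access when the user holds any one of the rule's roles.
        for ( var i = 1; i <= arrayLen( requiredRoles ); i++ ) {
            if ( arrayFindNoCase( userRoles, trim( requiredRoles[ i ] ) ) ) {
                return true;
            }
        }

        // No matching role: the interceptor will act on the rule's redirect setting.
        return false;
    }
}
```

The login handler that sets session.loggedin must also populate session.roles (from the DB, a model object, or whatever source the application uses), and the logout handler must clear both; otherwise the validator keeps granting the old roles for the rest of the session. The default-deny shape (return false unless something explicitly matches) is deliberate: a missing session key, an empty role list on the user, or a typo in a rule's role name all fall through to "denied" rather than to "allowed".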