Multiple Security Rules and _securedURL

Hi all,

I have got multiple rules in my app (using the security interceptor)

2 of these rules (the first 2) do not redirect the user to the login page but only to a page that says "You do not have permission to access this page". These rules just make sure that the user has proper permissions to access certain parts of the app.
The third rule (and last rule) makes sure that the whole app is secure (the first page is a login page in this app)

So here is what happens :-

1) User goes to /admin/whatever (user needs to be logged in and have admin roles)
2) First rule works - sends the user to /unauthorised page (because the user is not an admin)
3) Since user is not logged in at this point - the /unauthorised page also requires the user to be logged in and redirects the user to /login page
4) At the /login page - everything works fine except that at this point - the _securedURL points to /index.cfm/unauthorised instead of the actual URL the user was trying to go to in the first place (/admin/whatever)

I cannot change the order of the rules because of the way it's set up. So is there a way to get hold of the original _securedURL here?

Thanks in advance.

Anuj Gakhar

Hi Anuj,

I find it strange that the page showing unauthorised access is protected. What I’d suggest is to add a login form in the “unauthorised” page, where you can include the value of the _securedURL parameter.

The only thing a little odd with this setup is that when a user is logged in and tries to access a protected page where she is not allowed, the unauthorised page shows the login form to an already logged in user.

Another option is to allow all to the “unauthorised access” page and add a link in this page to the login including the _securedURL parameter.

HTH,

Pedro.

Hi Pedro,

I know it’s a bit strange to have an “unauthorised” page behind a login form. But let me explain the situation :-

A user can go to site.com - the whole site is password protected - so the first screen is a login screen. However, there are certain URLs that only admins can access, e.g. site.com/admin/users. If a normal user without admin privileges tries to go to site.com/admin/users, he will be redirected to the “unauthorised” page if he is logged in already. If he is not logged in, he will be redirected to the login screen, because the “unauthorised” page can only be seen by users who are logged in but without admin privileges.

I can see how this is a little confusing, because the Security Interceptor is primarily used for redirecting to the login screen, whereas in this case I am redirecting to an “information only” page. The whole setup works fine if the URL being accessed is not an admin-only page, because then the double redirection does not happen. It is only when the double redirection happens that I lose the original _securedURL.

So, let's say I am an admin and I am not logged in, and I go to site.com/admin/users. What will happen is: the first redirection will take me to the unauthorised page, the 2nd redirection will take me to the login screen. And when I log in as an admin, I will end up on the “unauthorised” page - which for an admin does not make sense at all.

I can see that I will have to change this setup to accommodate this scenario - and I welcome any suggestions on the best way to achieve this.

Regards,
Anuj Gakhar

I understand the issue with the double redirection: you are redirected to the unauthorised page after login because that’s the URL stored in the _securedURL.

The easiest way to solve this, IMHO is:

  • add the “unauthorised” page to your public views.
  • add a login form to that page that only appears when the user is not logged in. If the user is logged in, he only reads the “Unauthorised” message.
    Basically avoid the second redirect.

The other option I can think of is to modify the default Security interceptor. I have already done it to disallow by default: if no rule matches your request, no access is allowed. The default interceptor redirects when it finds the first “access denied” rule, and I needed the interceptor to check all the rules before redirecting… Anyway, the interceptor, like the rest of the framework, is quite easy to understand… but someone might have better suggestions :stuck_out_tongue:

HTH,

Pedro.
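To make the double redirect concrete, here is a small Python model of an ordered, first-denial-wins security interceptor. This is an added example, not ColdBox code or anything posted in the thread; the rule prefixes, the role names and the /login and /unauthorised paths are assumptions. With its defaults it reproduces the overwritten _securedURL from Anuj's first post, and the options show the two suggestions above: adding the unauthorised page to the public views (so the second hop never happens), and changing the interceptor so it does not act on the first denial (modelled two ways here: carrying an existing _securedURL forward unchanged, and evaluating every matching rule so that the login rule wins for an anonymous user).

```python
"""Model of an ordered, first-denial-wins security interceptor, like the one the
thread describes, to show how a redirect to a page that is itself protected
overwrites _securedURL, and two ways to keep the original URL.

Rule prefixes, role names and the /login and /unauthorised paths are
assumptions for this example, not the project's configuration."""
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit, parse_qs


@dataclass(frozen=True)
class Rule:
    prefix: str          # request paths this rule covers
    roles: frozenset     # roles required; empty means "any logged-in user"
    redirect: str        # where a denied request is sent


@dataclass(frozen=True)
class User:
    logged_in: bool
    roles: frozenset = frozenset()


# Constructed rule set mirroring the post: two role checks that send the user to
# /unauthorised, then a catch-all that puts the whole site behind /login.
RULES = [
    Rule("/admin", frozenset({"admin"}), "/unauthorised"),
    Rule("/reports", frozenset({"manager"}), "/unauthorised"),
    Rule("/", frozenset(), "/login"),
]
ANON = User(False)
MEMBER = User(True, frozenset({"member"}))
ADMIN = User(True, frozenset({"admin"}))


def denies(rule, user):
    """A rule denies anonymous users outright, and logged-in users lacking a role."""
    if not user.logged_in:
        return True
    return bool(rule.roles) and not (rule.roles & user.roles)


def intercept(url, user, rules=RULES, public=("/login",),
              keep_original=False, check_all=False):
    """Return None if the request may proceed, else the redirect URL.

    Defaults reproduce the thread's behaviour: the first denying rule wins and
    _securedURL is set to the path being requested right now.
    keep_original: if the request already carries _securedURL, pass it on
                   unchanged instead of overwriting it on the second hop.
    check_all:     look at every matching rule before redirecting; for an
                   anonymous user the login rule wins over a role rule."""
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query)
    if path in public:
        return None
    matches = [r for r in rules if path.startswith(r.prefix) and denies(r, user)]
    if not matches:
        return None
    chosen = matches[0]
    if check_all and not user.logged_in:
        chosen = next((r for r in matches if not r.roles), chosen)
    original = path
    if keep_original and "_securedURL" in query:
        original = query["_securedURL"][0]
    return f"{chosen.redirect}?{urlencode({'_securedURL': original})}"


def follow(url, user, max_hops=5, **options):
    """Follow redirects until a page is served; return (page, _securedURL)."""
    for _ in range(max_hops):
        nxt = intercept(url, user, **options)
        if nxt is None:
            parts = urlsplit(url)
            return parts.path, parse_qs(parts.query).get("_securedURL", [None])[0]
        url = nxt
    raise RuntimeError("redirect loop")


if __name__ == "__main__":
    print("as described :", follow("/admin/users", ANON))
    print("public page  :", follow("/admin/users", ANON, public=("/login", "/unauthorised")))
    print("keep original:", follow("/admin/users", ANON, keep_original=True))
    print("check all    :", follow("/admin/users", ANON, check_all=True))
    print("member       :", follow("/admin/users", MEMBER))
    print("admin        :", follow("/admin/users", ADMIN))
```

Running it, the default case ends on /login with _securedURL=/unauthorised, which is exactly the lost URL in the first post. Making /unauthorised public stops at that page with _securedURL=/admin/users still intact, so a login form on it can carry the value through; either interceptor change lands on /login with the original URL. A logged-in non-admin still reaches /unauthorised and an admin is never redirected, so neither fix changes the behaviour for the cases that already worked.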

Hi Pedro,

Thanks for the suggestions. I will give it a shot. I think adding the login form on the unauthorised page if the user is not logged in makes sense.

Thanks once again.