Roles and Permissions without Transfer

I'm working on setting up roles and permissions in my application.

I do not use Transfer, and as most examples rely on the 'ORM'
functionality to attach roles and permissions to a user identity, I'm
wondering if there are any examples out there of other ways to do it?


I’m not sure what examples you’re referring to, but the basic premise is the same whether you use an ORM or not.

  1. You have a User object that represents the requesting user

  2. You have a Security Interceptor that fires and checks to see if the event should be restricted based upon security rules

  3. If ‘yes’ to #2, you have a Security Service (or some such object) that checks the requesting User’s credentials against the database and the security rule(s) in place. If the User is authorized the request proceeds as normal. If not, the request is redirected to your login event or error event or whatever event you have established in the configs.


Thanks for replying Matt.

I'm using a security interceptor and have authentication working fine.
My question is around authorization and NOT going back and forth to
the database to do those checks.

I perhaps didn't explain my question well enough. I'm interested in
seeing examples of how others are storing the roles and permissions
for an authenticated user and THEN subsequently checking them.

For example in most Transfer based applications, the user object has
the roles and permissions attached.

Hi Bill Tindal,

Coldbox has a sample security application built with Transfer.

Check the coldbox samples, "securitysample".


Correct. And that was the point in my reply: whether or not you use an ORM, the process is essentially identical. An ORM simply has those methods already built into the object for you.
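The three pieces Matt lists (a User object, a Security Interceptor, and a Security Service checking rules), arranged so that the authenticated user's roles and permissions are resolved once at login and every later check is an in-memory lookup, as Bill asks. This is an added illustration, not code from the thread or from ColdBox, written in Python rather than CFML so it runs stand-alone; the role and user tables are constructed stand-ins for database rows, and names such as load_user, SecurityService, the rule prefixes and the "security.login" / "security.denied" events are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the database tables (assumption: a real app
# queries these once at login, not on every request).
ROLE_PERMISSIONS = {
    "admin":  {"user.view", "user.edit", "user.delete", "report.view"},
    "editor": {"user.view", "user.edit", "report.view"},
    "viewer": {"user.view"},
}
USER_ROLES = {
    "alice": {"admin"},
    "bob":   {"editor"},
    "carol": {"viewer"},
}


@dataclass(frozen=True)
class User:
    """The requesting user. Roles and the flattened permission set are
    resolved once at authentication and carried on the object, so later
    checks are set lookups with no database round trip."""
    username: str
    roles: frozenset
    permissions: frozenset

    def has_role(self, role: str) -> bool:
        return role in self.roles

    def has_permission(self, permission: str) -> bool:
        return permission in self.permissions


def load_user(username: str) -> Optional[User]:
    """Hypothetical helper called once after the password check succeeds."""
    roles = USER_ROLES.get(username)
    if roles is None:
        return None
    permissions = set()
    for role in roles:
        permissions |= ROLE_PERMISSIONS.get(role, set())
    return User(username, frozenset(roles), frozenset(permissions))


@dataclass(frozen=True)
class Rule:
    """Events starting with `prefix` require any one of `permissions`.
    An empty permission set means 'any logged-in user'."""
    prefix: str
    permissions: frozenset


class SecurityService:
    """Matches the event against the rules and decides allow / redirect."""

    LOGIN_EVENT = "security.login"     # assumed event names
    DENIED_EVENT = "security.denied"

    def __init__(self, rules):
        # Most specific prefix first, so "admin.users.delete" beats "admin.".
        self.rules = sorted(rules, key=lambda r: len(r.prefix), reverse=True)

    def rule_for(self, event: str) -> Optional[Rule]:
        for rule in self.rules:
            if event.startswith(rule.prefix):
                return rule
        return None

    def authorize(self, user: Optional[User], event: str):
        """Return (allowed, redirect_event)."""
        rule = self.rule_for(event)
        if rule is None:
            return True, None                    # unrestricted event
        if user is None:
            return False, self.LOGIN_EVENT       # not authenticated
        if not rule.permissions or user.permissions & rule.permissions:
            return True, None
        return False, self.DENIED_EVENT          # logged in, lacks permission


class SecurityInterceptor:
    """Fires before every event; reads the cached User from the session."""

    def __init__(self, service: SecurityService, session: dict):
        self.service = service
        self.session = session

    def pre_process(self, event: str) -> str:
        """Return the event to run: the requested one, or the redirect."""
        user = self.session.get("user")          # no database call here
        allowed, redirect = self.service.authorize(user, event)
        return event if allowed else redirect


RULES = [
    Rule("admin.", frozenset({"user.view"})),
    Rule("admin.users.delete", frozenset({"user.delete"})),
    Rule("account.", frozenset()),               # any logged-in user
]
SERVICE = SecurityService(RULES)


def run_request(session: dict, event: str) -> str:
    """Dispatch one request through the interceptor (demo/test helper)."""
    return SecurityInterceptor(SERVICE, session).pre_process(event)


if __name__ == "__main__":
    session = {"user": load_user("bob")}         # stored once at login
    for ev in ("main.home", "admin.users.list", "admin.users.delete", "account.profile"):
        print(f"{ev:20} -> {run_request(session, ev)}")
    print("anonymous admin.users.list ->", run_request({}, "admin.users.list"))
```

With an ORM the has_role / has_permission methods and the role-to-permission join would live on the generated user object; without one, load_user does that join explicitly and the result is cached on the User in the session, which is what removes the per-request database trips.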