Tally List : mailing list management, archiving, and analysis
 
Archive of:
Spectra-Talk
Cold Fusion Spectra - Technical
 
Subject: Any ideas on rolling in Apache style authentication mechanisms?
Peter Ivanick (12p/+0r)     Posted: Friday 30 Mar 2001

Hello all -

We've got an Apache module here on campus that provides us centralized security (called Websec) that I'd like to roll into Spectra. I did this before in 1.01 & need to revise for 1.5, so I thought I'd see if anyone has any better ideas than what I came up with.

Websec gets fired off by an .htaccess file, and I can additionally provide parameters so certain IPs and ranges & also only certain people can get through. When the user has authenticated successfully, I get a websec_token cookie and also their remote_user name is available to me as a cgi variable. I keep the valid usernames in a separate security context with all the same passwords; if they've passed websec authentication, I know they're who they say they are, and I've removed the ability to change logins once you're past the websec wall o'security (so you can't gain access above your level).

The problem is primarily that since Websec security is directory based, I had to get around the fact that I obviously wanted anyone to be able to see, for example, faculty CV pages, and only fire off Websec when attempting to edit the pages. And I couldn't just set the .htaccess file inside the Websec directory since several pages need to make calls there & wouldn't function. What I ended up doing was making an entirely separate /secure/ directory with an include file inside of it, and any call I needed to secure I added a cflocation to a file there. That fires off Websec, people authenticate (or not), and the file has stored what page they came from & if authentication was successful, sends them back to it. So once they've hopped the wall of authentication, they can get back to what they intended to do. I have to do it this way, incidentally, as Websec for some reason drops any URL parameters when it passes you back from authentication.

In any case, while this works well enough it's a bit kludgey and I was wondering if anyone else had come up with a smoother mechanism for rolling in Apache style directory based authentication mechanisms. I do also have a command line utility which I have rolled into a custom tag for other purposes which, once there's a websec_token available, can query the security database & return limited identification information, but I haven't figured out how to use this to my advantage in rolling into the Spectra security model.

Many thanks for any ideas or suggestions.

--
Peter Ivanick
Web Developer
School of Veterinary Medicine, University of Pennsylvania
Email: ivanick@vet.upenn.edu
Phone: 215.573.2306
Fax: 215.573.8777
http://www.vet.upenn.edu/

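The bounce page described in the post above, sketched as an added example that is not part of the original message or of Spectra: a file inside the Websec-protected /secure/ directory that sends the user back to the page they came from, and only accepts a site-relative return target so the redirect cannot be pointed off-site. The file name, the `session.returnTo` and `session.websecUser` variables, and session management being enabled in Application.cfm are assumptions.

```cfml
<!--- /secure/bounce.cfm (hypothetical file name; added example).
      Apache runs Websec for this directory via .htaccess before ColdFusion
      sees the request, so this code only executes after authentication. --->

<!--- The public page stored its own path in session.returnTo (hypothetical
      variable) before its cflocation here, because Websec drops URL
      parameters when it passes the user back. --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfparam name="session.returnTo" default="/">
    <cfset returnTo = session.returnTo>
    <cfset StructDelete(session, "returnTo")>
</cflock>

<!--- Accept only a site-relative path: a single leading slash and a
      conservative character set. A scheme (":"), a protocol-relative "//",
      a backslash or a CR/LF all fail the check and fall back to "/". --->
<cfif (NOT REFind("^/[A-Za-z0-9_./?&=%-]*$", returnTo)) OR Find("//", returnTo)>
    <cfset returnTo = "/">
</cfif>

<!--- Require both signals the post mentions: the remote_user CGI variable
      and the websec_token cookie. If either is missing, the .htaccess
      protection is not in effect for this request, so refuse. --->
<cfif Len(Trim(cgi.remote_user)) AND IsDefined("cookie.websec_token")>
    <cflock scope="session" type="exclusive" timeout="10">
        <!--- Record the identity the web server vouched for; the
              application's own login step can key off this value. --->
        <cfset session.websecUser = cgi.remote_user>
    </cflock>
    <cflocation url="#returnTo#" addtoken="no">
<cfelse>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

Because `cgi.remote_user` is only trustworthy when Apache itself set it, pages outside /secure/ should read the identity from the session value written here rather than from the CGI variable.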



 

TallyList : copyright Ububik - 2000