Application Portal | Tech Docs
Contents
Application Details
Developer: Joe Gautreau | Programmer / Web Application Developer | jgautreau@judsonisd.org | (210) 945-5558
Development Platform: ColdFusion MX 7, SQL Server, Model-Glue Framework, CSS Layout
Development Server: Testweb
Development Database: ERCSQL
Production Server: Web1
Production Database: ERCSQL2K5
Launch Date: August 21, 2007
Application Overview
The Application Portal was designed to be the intermediary between users and in-house developed web applications. Its goal is to authenticate users against Active Directory. If authentication succeeds, every group the user is a member of (resolved recursively through nested groups) is returned, along with the employeeID, employee name, and employee email. These attributes are placed into session variables for the duration of the user's session. We then go to our "userRole" table in Application Security and look for any groups that match the list of user groups returned from Active Directory, and follow that with a lookup by employeeID to override any permissions set by group membership. Application permissions are then set from the data set returned and stored in session via a User Key Chain.
The user is then taken to a landing page that displays all of the applications they have permission to access, from which they choose where to go next.
To sum it all up, the Application Portal handles user authentication and the assignment of permissions, and acts as a gateway to any in-house applications.
Roles
There are no "Roles" for this application. It simply performs user authentication and permissioning.
Database Schema
Below you will find the Application Portal database schema along with a short description for each table.

Application Table: This table stores data about in-house applications: the application name, URL, description, developer, owner, active flag, and manageable flag. If you want to create a new in-house application, this is the first place you would start; the AppID is created here and used everywhere else.
AppRole Table: This table stores the different types of roles that an application may have. For instance, "Application A" may have User, Manager and Admin roles, so this table holds three entries for those role types. Once a role is defined, a roleID is created for use in the UserRole table.
UserRole Table: This table stores all user permissions. The user's employeeID is stored with the applicationID and roleID they have access to. A user can have multiple entries in this table because access to multiple applications is common.
FailedLoginLog Table: This table stands on its own and simply stores all failed logins to the Application Portal. It exists for tracking purposes only.
Flow
Application Portal Data Flow Document - Click to download the PDF.

CFC's & Functions
MyAuthenticator.cfc
init:
- Purpose: When called this function returns an instance of the entire object / cfc with all methods available.
- Arguments: None
- Return Type: CFC
getAllGroups:
- Purpose: This is a recursive function. It first loops over the group list passed in from AD and looks for further groups nested inside those groups, repeating the process until all groups have been found. Duplicate groups are removed and the final group list is returned as a string.
- Arguments: groupList (comma-separated list of groups to recurse through)
- Return Type: String
authenticateUser:
- Purpose: This function authenticates the user. First, all arguments are validated for length; then, depending on the login type, authentication is performed. The user is authenticated against Active Directory with cfAuthenticate, and cfLDAP is used to retrieve the user's attributes. The outcome is placed into the result structure: if authenticated, the user's attributes are added to the struct; if not, the failed attempt is logged in the failedLoginLog table and a failure message is set in the struct. The result structure is then returned.
- Arguments: username (string), password (string), loginType (string)
- Return Type: Struct (structure)
setUserKeyChain:
- Purpose: A few things happen here. This is the function where the user's permissions are determined and set. First we get all applications available to the user by way of their group permissions. Next we get all applications available to the user by way of their employeeID (userID). We then loop over the group permissions and insert them into our keyChain structure (appID, appName, appURL, roleLevel, roleName, and appDescription), and then do the same for the individual user application permissions, overwriting any prior group permissions with the user-specific permissions for that application. This keyChain structure is then returned and set in session by the controller.
- Arguments: userID (numeric), groups (comma-separated list of groups)
- Return Type: Struct (structure)
Security.cfc
init:
- Purpose: When called this function returns an instance of the entire object / cfc with all methods available.
- Arguments: None
- Return Type: CFC
checkSecurityLevel:
- Purpose: This function checks the user's security level against the required security level of the Model-Glue event. Each event that requires some type of role is assigned a required securityKey. Each time that event is requested by the application, this function is passed the user's keyChain and the securityKey and checks them against each other to make sure the user has the proper permissions to access that event.
- Arguments: userKeyChain (structure), securityKey (numeric), throwURL (string), appADName (string)
- Return Type: Void - There is no return value; if the user does not have the proper permissions, the user is "thrown" (redirected) to throwURL.
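The three pieces of logic described above (the recursive group expansion of getAllGroups, the group-then-employeeID merge of setUserKeyChain, and the key chain check of checkSecurityLevel) as an added, self-contained Python illustration; this is not the Portal's ColdFusion code. The nested-group map and the role lookups are constructed stand-ins for the AD and UserRole data, and keying the check by appID with a "roleLevel >= securityKey" rule is an assumption about how the comparison works.

```python
from typing import Dict, Set

# Constructed stand-in for AD group nesting (group -> groups it contains).
# Note the cycle: nested groups in AD can loop back on themselves.
AD_NESTED_GROUPS = {
    "Staff": ["Teachers", "Clerks"],
    "Teachers": ["GradebookUsers"],
    "GradebookUsers": ["Staff"],
    "Clerks": [],
}

# Constructed stand-ins for the UserRole lookups (by group, by employeeID).
GROUP_ROLES = {
    "GradebookUsers": [{"appID": 1, "appName": "Gradebook", "roleLevel": 1, "roleName": "User"}],
    "Clerks": [{"appID": 2, "appName": "Payroll", "roleLevel": 1, "roleName": "User"}],
}
USER_ROLES = {
    1001: [{"appID": 1, "appName": "Gradebook", "roleLevel": 3, "roleName": "Admin"}],
}


def get_all_groups(group_list: str, nested=AD_NESTED_GROUPS) -> str:
    """Expand a comma-separated group list through nested groups, without duplicates.
    The 'seen' set both de-duplicates and stops infinite recursion on cyclic nesting."""
    seen: Set[str] = set()

    def walk(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        for child in nested.get(name, []):
            walk(child)

    for name in (g.strip() for g in group_list.split(",") if g.strip()):
        walk(name)
    return ",".join(sorted(seen))


def set_user_key_chain(user_id: int, groups: str) -> Dict[int, dict]:
    """Group-derived permissions first; employeeID entries then override per appID."""
    key_chain: Dict[int, dict] = {}
    for group in groups.split(","):
        for role in GROUP_ROLES.get(group, []):
            key_chain[role["appID"]] = dict(role)
    for role in USER_ROLES.get(user_id, []):
        key_chain[role["appID"]] = dict(role)  # user-specific entry wins
    return key_chain


def check_security_level(key_chain: Dict[int, dict], app_id: int, security_key: int) -> bool:
    """Deny by default: an app absent from the key chain never passes the check."""
    entry = key_chain.get(app_id)
    return entry is not None and entry["roleLevel"] >= security_key
```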
Notes
Future revisions to this application would tie it together with the Application Manager tool and fix error handling. We probably need to re-think our application security methodology now that the "Portal" is in place.