This TechNote describes how to use Flash Remoting with ColdFusion's built-in authentication mechanism and ColdFusion components. It shows how to use the ActionScriptsetCredentials method on the Flash side to pass credential information to the cflogin tag on the ColdFusion side. This TechNote assumes that you are already familiar with using Flash Remoting to pass data between Flash applications and ColdFusion components. It also assumes that you are familiar with application security in ColdFusion MX.

Step 1:

Create a function within your Flash application which will use thesetCredentials method to pass a user name and password from Flash to a ColdFusion component (cfc). ThesetCredentials method is a method of the NetConnection object. The use of setCredentials in a Flash application is analogous to using an HTML form with j_username and j_password form fields to pass login information to ColdFusion in a non-Flash application.

For example, if you have an ActionScript function called CallSecureCFC, the following code would pass a user ID and password from Flash text boxes to a ColdFusion cfc function called mySecureFunction:

function CallSecureCFC() {   CFCResponse_txt.text = "";   CFCError_txt.text = "";   gatewayConnection.setCredentials      (userid_txt.text, pwd_txt.text);   myCFCService.mySecureFunction();   } function mySecureFunction_Result(result) {   CFCResponse_txt.text = result;   } function mySecureFunction_Status(error) {   CFCError_txt.text = error.description;   }

This code assumes that you have previously established a gatewayConnection from Flash to ColdFusion using theNetServices.createGatewayConnection() method. It also assumes that you have created a service object called myCFCService which is bound to your CFC. In this example, I have also created two Flash text boxes, CFCResponse_txt and CFCError_txt, to capture the results of calling the ColdFusion function.

Step 2:

Use the cflogin and cfloginuser tags to authenticate the user name and password passed with thesetCredentials method and assign one or more roles to the user. For example, the following code, typically included in the Application.cfm, would validate a user name and password against security information stored in a database table:

<CFAPPLICATION NAME="FlashCredentials"><CFLOGIN><CFIF isDefined("cflogin")><CFQUERY NAME="qSecurity"        DATASOURCE="UserRolesDb">        SELECT Roles FROM SecurityRoles        WHERE username=''        and password='#cflogin.password#'</CFQUERY><CFIF qSecurity.recordcount gt 0><CFLOGINUSER NAME = ""           PASSWORD = "#cflogin.password#"           ROLES = "#trim(qSecurity.Roles)#" ></CFIF></CFIF></CFLOGIN>

Step 3:

Create a ColdFusion component with a function that uses the "Roles" attribute to limit access to that specific function. Specify a comma-delimited list of roles that have access to your function.

<CFCOMPONENT><CFFUNCTION NAME="mySecureFunction"     ACCESS="remote"     RETURNTYPE="string"     ROLES="Dude"><CFRETURN "Hi #getAuthUser()# - Welcome aboard!" ></CFFUNCTION></CFCOMPONENT>

While testing this functionality, it is important to note that the body of the cflogin tag only executes if there is no logged-in user. Therefore, if you try to test intentionally passing a bad password, or changing users, after you have already been successfully authenticated, the cflogin tag will not execute again and ColdFusion will continue to recognize you as the user you logged in as previously. In this scenario, you will have to close the Flash development environment to remove your authentication cookie from memory. If you have already published your Flash movie to a .swf file, you will have to close your browser or flash player to remove the authentication cookie. An alternative to this would be to code a logout function in your cfc which could be called from Flash. This will remove the authentication cookie from memory without having to close Flash or your browser. For example:

<CFFUNCTION NAME="LogMeOut" ACCESS="remote"  RETURNTYPE="string"><CFSET AuthUser = getAuthUser()><CFLOGOUT><CFRETURN "User #AuthUser# logged out" ></CFFUNCTION>

It is also important to use conditional logic to run cfloginuser only if a valid user has logged in. This example accomplishes this task with <CFIF qSecurity.recordcount gt 0>. This test works because the query returns a result only if the user supplied a valid name-password pair, and all users have at least one role. If this check were not included, the code would log in an invalid user (who would be assigned an empty role list (Roles = "" )). Without this check, if a user accidentally had a typo in the password, they would not have a valid role and not be able to try to log in again until they logged out. Again, this is because the cflogin tag would not execute because a user was logged in (even though the list of roles is empty).

Additional information

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy