Login Extension

It is very common to need to authenticate users to parts of your CFML application. One of the areas security auditors often look at is who touches the username/password combination as it flows through the various applications. In the web world it is common for the web server to handle this, prompting the user with a browser login panel. However, this has gone out of vogue as it offers the designer no styling opportunity or enhanced user experience.

The problem with putting a login panel on a page, however, is that the developer has the opportunity to capture the username/password as it flows through their application. This problem does not exist if you utilise web server authentication techniques, as by the time the request gets to the application, it is unaware of any sensitive data.

The OpenBD Login Extension solves this problem by taking the security call away from the developer and delegating it to the underlying OpenBD engine, without the developer ever getting access to the sensitive data. This is achieved by the engine looking for a combination of a couple of FORM fields; once detected, it will attempt to authenticate the user and zero/blank out the password field. So by the time the request reaches the CFML page, all the sensitive data has been removed and you are left with a token detailing success or failure.

You can utilize this extension to authenticate users against remote LDAP servers or Microsoft Active Directory servers.

Configuration

To enable this extension, you must edit your OpenBD bluedragon.xml file and add this block of XML inside the <server> ... </server> tags. This determines how the CFML application will interact with the login extension. Four elements are required.

  • returnfield
    This is the name of the FORM field that will be created to contain the result of the login attempt. If it starts with "[exception]" or "[failed]" then the login has failed and this field will contain the error message from the LDAP server. Otherwise it will contain the user token from the LDAP server, indicating that this user has been authenticated.
  • userfield
    This is the name of the FORM field that will contain the username. The extension will automatically listen to all POST requests for this variable.
  • passwordfield
    This is the name of the FORM field that will contain the password. The extension will automatically listen to all POST requests for this variable. If it sees this field along with the 'userfield' then it will be read by the extension and subsequently blanked out with ****** so the CFML developer does not see the password.
  • ini
    The full path name of the configuration connector file for this extension. Any changes in this file will require a restart of the engine.

Sample bluedragon.xml snippet

<plugin>
  <login>
    <returnfield>_loggedin</returnfield>
    <passwordfield>_password</passwordfield>
    <ini>/opt/login/ldap.ini</ini>
    <userfield>_username</userfield>
  </login>
</plugin>

This example would look for the FORM fields _username and _password in any FORM submission, placing the result in the _loggedin form field. If you were to do a <cfdump var="#form#"> you would see these fields, with _password starred out.
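As an added example (not part of the OpenBD documentation), a login.cfm page that posts to itself and consumes the result field from the bluedragon.xml sample above. It assumes session management is enabled and that a home.cfm landing page exists; the form field names are the ones from the sample:

```cfml
<!--- login.cfm: added example, not from the OpenBD docs. Field names match the
      bluedragon.xml sample above; the form posts back to this page. --->
<cfapplication name="loginDemo" sessionmanagement="true">

<cfif structKeyExists(form, "_loggedin")>
    <!--- The engine has already consumed _username/_password; by now
          form._password is "******" and must never be stored or logged. --->
    <cfset result = form._loggedin>
    <cfif left(result, 11) eq "[exception]" or left(result, 8) eq "[failed]">
        <!--- Keep the LDAP error server-side; show the user a generic message. --->
        <cflog file="login" type="warning"
               text="Login failed for #form._username#: #result#">
        <cfset session.authenticated = false>
        <cfset loginError = "Invalid username or password.">
    <cfelse>
        <!--- Anything else is the user token returned by the LDAP server. --->
        <cfset session.authenticated = true>
        <cfset session.username = form._username>
        <cfset session.loginToken = result>
        <cflocation url="home.cfm" addtoken="false">
    </cfif>
</cfif>

<cfoutput>
<cfif isDefined("loginError")><p>#loginError#</p></cfif>
<form method="post" action="login.cfm">
    <label>Username <input type="text" name="_username"></label>
    <label>Password <input type="password" name="_password"></label>
    <input type="submit" value="Log in">
</form>
</cfoutput>
```

The page never reads form._password; the only value it trusts is the prefix test on the return field, and the LDAP error text stays in the log rather than being echoed to the browser.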

The following is a sample login.ini file that will authenticate against an LDAP server (Microsoft Active Directory).

[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = {0}@MYDOMAIN.COM
ldapRealm.contextFactory.url = ldap://10.0.0.1:389

This extension logs all login attempts to the main bluedragon.log file. No sensitive data is logged there. Common problems include:

  • Make sure the server can connect to the remote server. Use ping or telnet to the given port to check this.
  • The DN template can be specific to your LDAP/Windows server. Try various combinations if the default one shown does not work, for example:
    ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
  • Make sure you are consistent in how you ask your users to log in. Is the username "lewis" or "lewis@mydomain.com"? This will depend on your LDAP server and DN template.

More information

This extension utilises the security library from the Apache Shiro project. For more information on configuration options please refer to http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/ldap/JndiLdapRealm.html