So this weekend, Bruce Phillips pointed out on my last Flex Homework post that he only needed to run the CFLOGIN tag once in his Flex application. My code was running it for every hit in the onRequestStart method.
So this really bugged me because it was my understanding that ColdFusion had to run the CFLOGIN tag during a request to "enable" Roles Based Security. I knew that ColdFusion would skip the stuff inside - but from what I had remembered, CF had to actually encounter the tag to use Roles Based Security for the test.
But when I tested what Bruce had done in his Flex app, it worked as he had said. I was truly perplexed. Then I did a test:
<cfapplication name="goobercflogin" sessionManagement="true">
<cflogin>
<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>
<cfoutput>#getAuthUser()#</cfoutput>
<cfif isUserInRole("admin")>
<p>
yes, admin role
</p>
</cfif>
I ran this - and then ran it again with the cflogin block commented out - and it worked just fine. Bruce was definitely right. But then I tried this:
<cfapplication name="goobercflogin2" sessionManagement="true" loginStorage="session">
<cflogin>
<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>
<cfoutput>#getAuthUser()#</cfoutput>
<cfif isUserInRole("admin")>
<p>
yes, admin role
</p>
</cfif>
Notice the loginStorage? That tells ColdFusion to use the session scope for the authentication. Now in theory, this should ONLY change the storage method for the authentication information. But when you comment out CFLOGIN, you no longer get a value for getAuthUser and the roles check failed.
I'll wrap with one final word: Ugh.