How to have user access control?


Thanks to the kind help of the Tech Advisory Group, I have got CommandBox up and running! I am impressed by its ease of use.

Now I need help with the road ahead.

My project is an online English language learning tool.

At the moment, the site is working. The client side was done by me, using html5+js+CSS3; I used apache as the webserver, but I could not get the “user access control” function using apache alone. A friend of mine implemented that function using Nodejs without apache.

I personally don’t like Node.js’s omnipresence of lambda functions. I still remember the good old days in the early 2000s of using the awesome ColdFusion. After some exploration, I’ve decided to switch to Lucee, CommandBox with Lucee engine in particular.

Right now, the workflow of my project is like this:

  1. a student accesses a login.html page, and logins in with his username and password.

  2. the login.html page sends a request to the server which checks a sqlite db to see if the account exists. If yes, return the course the student has enrolled in; return the dir structure including the names of the subdirs and of the files to the client in the form of json. No other directory structures should be returned. - This is what I mean by “user access control”. Currently, this control is done by Node.js, to be replaced by Lucee, I hope.

  3. the client side has a tree view js plugin to display the server-returned file structure, similar to Windows Explorer.

  4. When the student clicks a file in the file tree, the client sends a request to the server, and the server returns the requested file and the client displays it.

I would like the server side to be as simple as possible. If I can use CommandBox alone without having to bother a separate installation of Lucee or Tomcat, nor apache /nginx, that would be great.

I wonder if CommandBox alone can satisfy my needs. Do I need to install ajax for CommandBox Lucee? Are there any instructions or tutorials for that? I can see the ajax extension for Lucee, but I don’t know how to get it to work with CommandBox. I also don’t know where CommandBox installs Lucee.

Is there any ready-made module or library for user access control that can work with CommanBox or Lucee? If so, that would be even greater.

My environment is CentOS7 + JRE SE1.8. I have sys admin access to the CentOS.

Any help or pointers to some documentation or tutorials are greatly appreciated.
best regards

Don’t forget to tell us about your stack!

OS: CentOS7
Java Version: SE1.8
Tomcat Version: ???
Lucee Version: ???

‘Access control’ is a very broad term that typically refers to the following:

Authentication - ensuring the user has an account and can log in

Session Management - ensuring the user remains logged in (state is maintained) and is automatically logged out after a period of inactivity

Access Control - ensuring the user has access rights to specific resources after they have authenticated.

There are a myriad number of ways to handle these three things. Most web servers have basic auth built in - this requires a user to enter their username and password to access resources directly from the web server. The drawback to basic auth is the information is sent in plain text, on each request to the web server. This obviously has serious security implications and is why basic auth has been avoided for over a decade. From what you described, it sounds like you were attempting to implement basic auth with Apache.

From a purely CFML perspective, there are a number of ways to meet these three requirements. If you’re looking for a canned solution might I suggest investigating ColdBox and the cbsecurity module as potential ways to implement authentication, session management and access controls.

If you want to understand the soup to nuts workings of authentication and session management, might I suggest reading the authentication and session management sections of cfdocs ( - these will provide an alternative (not tied to ColdBox) method of implementing authentication and session management. It doesn’t sound like you’ll have specific roles for users from your description, so actual access control might not be needed once authentication and session management are in place, however there are also a number of ways to implement access control once those are in place - including simply ensuring the user has the right role(s) to access whatever part of the application you are trying to protect.


– Denny

Thank you very much Denny for your help.

What I need is to:

  1. Check against an sqlite db whether a user has an account.
  2. If yes, what course he has enrolled in. The same sqlite db has a usre-resource mapping.
  3. Give him access to the directories corresponding his course.

Basic auth is not what I want. I would explore ColdBox as you have kindly suggested.
Thank you again for giving me the pointers.

best regards

I think the more critical part is to create access of your users to the “none cfm” files. Because these are not cfm files, you will have to figure out how to block access to these. You can easily create a login and access to cfm pages, but not block access to a plain JPG, a plain PDF file or a plain word file. This is basically only possible by giving access through the webserver. BUT (!!!) fortunately there are ways around it by using CFCONTENT. But of course, it depends on the type of files you are giving access to (size, streaming media, etc). I know you don’t want to use basic authentication, but I would also think that over as a possible solution if CFCONTENT is not what you want, or at least if you are having problems with certain files: For example you could create a temporary folder for that user. This temporary folder is named with a unique identifier, and the folder contains a .htaccess file (created dynamically by cfml with an additional username and password) and you can point the links to these files with a basic authentication string passed in the URL ( e.g. ). Doing that you would let the webserver do all the rest of the job, without routing/streaming/buffering it to tomcat/lucee. But of course, it depends on how many users you have (each one would hold a copy of the files and that will need storage) and it depends on how you want to put it all together. If the access is over, delete the folder. There are many ways to do it. Wish you good luck.

Thank you very much andreas for your kind help.
My files are mp3, pdf, Word, txt and html files, maybe image and video files in the future.
I will explore cfcontent as you have suggested and see if it works for me. My current Nodejs solution has done away with a separate web server like apache, or nginx, so I thought Lucee (CommandBox) could do the same.
I also stumbled upon ContentBox. Will it satisfy my needs - serve files and have access control to directories and files according to user account?
Thank you again. Any pointers, or advice is appreciated.
best regards

Oh, I should make it clear that I want to have user access to folders, and the files in that folder. I mean, if a user has enrolled in a TOEFL-entry-level course, he will only see the TOEFL-entry-level folder, and not TOEFL-Medium, nor the TOEFL-advanced folders. And all the folders and files are in a CentOS server. I don’t know if this bit of info makes the solution easier for CF. Do-able?

best regards