Mach-II + Reactor - A powerful combination
ColdFusion

Working for a financial software company, we obviously have to be very concerned with web app security, both traditional username/password management and industry standards/federal regulations.
One of the newest of these challenges came from rulings mandating multi-factor authentication on secure areas of the site.
Luckily for me, we are developing this new application with the dynamic duo Mach-II+Reactor. Utilizing this powerful combination has resulted in, in my opinion, a great sub-application to levy N layers of security upon the unsuspecting user :).
Without digging too far into the specifics of my app, I eventually ended up with a Reactor Iterator that contained the event names of my multi-factor authentication processes (its parent is another session-scoped object). Reactor creates an Iterator for you when you define a hasMany relationship on the parent object.
A stripped down example of the Iterator array:

| Id | Ordinal | EventName |
|---|---|---|
| 1 | 1 | checkSomething |
| 2 | 2 | checkSomethingElse |
The next very powerful tool in the collection is the Mach-II filter. Simply stated, a filter is a great solution for locking down events.
Sample event with filter in place:

```xml
<event-handler event="quickApp" access="public">
    <filter name="MultifactorAuthenticationFilter" />
    <!-- the event's remaining commands (notify, view-page, etc.) follow here -->
</event-handler>
```

What my `<filter name="MultifactorAuthenticationFilter" />` is doing is checking whether the user has passed through the mandated multi-factor steps, and if he/she has, letting them proceed.
But what we really care about is when the user HASN'T passed through those necessary steps!
NOTE: What you are about to read is very simplified for brevity; hopefully it still gets the point across.
Stepping through the filter logic:

| Check | Answer | Filter action | Outcome for the user |
|---|---|---|---|
| Does my Iterator `hasMore()`? | YES | `getNext()` from the iterator of authentication events | user must pass through the 'next' event as determined in the Iterator |
| | NO | PROCEED | user gets to see what he/she wanted to... The End |
| If the iterator had more: does the user pass that announced event's checkpoints? | YES | `getNext()` from the iterator of authentication events | user must pass through the 'next' event as determined in the Iterator |
| | NO | Iterator is not incremented and user can either be kicked out or locked down to that event until successfully passing. | sorry user, you can't escape this! |
| Et cetera | ETC. | Et cetera | we can do this all day long. |
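The decision table above, written out as a Mach-II filter CFC. This is an added example, not the author's code: it assumes the standard Mach-II `Filter` base class and the `EventContext` methods `clearEventQueue()` and `announceEvent()`; a session-scoped Reactor parent (placeholder name `session.mfaProfile`) whose hasMany iterator exposes the `hasMore()` / `getNext()` calls from the table and whose records expose `getEventName()` for the EventName column; and that each MFA step's listener records success in `session.mfaProgress.passed` only after its own check passes. The "locked down to that event" branch is the one implemented: a step that has been announced but not passed is re-announced on every request, and the iterator is never advanced past it.

```cfml
<!---
  MultifactorAuthenticationFilter.cfc  (added example, not the author's code)
  Assumed: MachII.framework.Filter / EventContext API as in the Mach-II docs;
  session.mfaProfile.getMfaEventIterator() is a placeholder for the Reactor
  hasMany iterator the post describes.
--->
<cfcomponent extends="MachII.framework.Filter" output="false">

	<cffunction name="configure" access="public" returntype="void" output="false">
		<!--- Nothing framework-level to configure for this filter. --->
	</cffunction>

	<cffunction name="filterEvent" access="public" returntype="boolean" output="false">
		<cfargument name="event" type="MachII.framework.Event" required="true" />
		<cfargument name="eventContext" type="MachII.framework.EventContext" required="true" />
		<cfargument name="paramArgs" type="struct" required="false" default="#StructNew()#" />

		<cfset var progress = getProgress() />

		<!--- Row "NO, iterator is not incremented": a step was announced on an
		      earlier request and its checkpoint has not been passed yet, so the
		      user is sent back to that same step without touching the iterator. --->
		<cfif Len(progress.current) AND NOT StructKeyExists(progress.passed, progress.current)>
			<cfreturn lockToStep(arguments.eventContext, progress.current) />
		</cfif>

		<!--- Row "hasMore()? YES": nothing pending, so pull the next required
		      event from the iterator and make the user go through it. --->
		<cfif progress.steps.hasMore()>
			<cfset progress.current = progress.steps.getNext().getEventName() />
			<cfreturn lockToStep(arguments.eventContext, progress.current) />
		</cfif>

		<!--- Row "hasMore()? NO": every step in the iterator has been passed,
		      so the originally requested event is allowed to proceed. --->
		<cfreturn true />
	</cffunction>

	<cffunction name="lockToStep" access="private" returntype="boolean" output="false">
		<cfargument name="eventContext" type="MachII.framework.EventContext" required="true" />
		<cfargument name="eventName" type="string" required="true" />
		<!--- Throw away the requested event and announce the MFA step instead.
		      Returning false tells Mach-II to stop processing the original
		      event-handler, so none of its commands run for an unverified user. --->
		<cfset arguments.eventContext.clearEventQueue() />
		<cfset arguments.eventContext.announceEvent(arguments.eventName) />
		<cfreturn false />
	</cffunction>

	<cffunction name="getProgress" access="private" returntype="struct" output="false">
		<!--- Per-session MFA progress: the cached iterator (so its position
		      survives across requests), the step currently being enforced, and
		      the set of step event names whose listeners reported success. --->
		<cfif NOT StructKeyExists(session, "mfaProgress")>
			<cfset session.mfaProgress = StructNew() />
			<cfset session.mfaProgress.steps = session.mfaProfile.getMfaEventIterator() />
			<cfset session.mfaProgress.current = "" />
			<cfset session.mfaProgress.passed = StructNew() />
		</cfif>
		<cfreturn session.mfaProgress />
	</cffunction>

</cfcomponent>
```

The listener behind `checkSomething` is the only place that should write `session.mfaProgress.passed["checkSomething"] = true`, and only after its verification succeeds; because the filter re-announces the pending step on every request until that key exists, a user cannot skip ahead by requesting `quickApp` or `checkSomethingElse` directly. The "kicked out" branch from the table is the same `lockToStep` call with a logout event name in place of the pending step. With the session being the only record of progress, the struct must be discarded on logout and on any re-authentication so that a new login starts the iterator from Ordinal 1 again.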
Obviously you can just keep adding methods to your Multi-factor Auth. family of methods, and let the filter+iterator tag-team do its thing.