User Guide

Note
The ColdFusion Server does not check user authorization unless you specifically
request it with the IsAuthorized function. It is up to you to decide what action to
take based on the results of the IsAuthorized call.
Catching Security Exceptions
You can use the cftry and cfcatch tags to catch security exceptions. Setting the
type attribute in cfcatch to "Security" enables you to catch failures in the
cfauthenticate tag. You can also catch failures from the IsAuthorized or
IsAuthenticated functions.
Set the cfauthenticate throwOnFailure attribute to Yes and enclose the tag in a
cftry/cfcatch block if you want to handle possible exceptions programmatically.
For information on exception-handling strategies in ColdFusion, see Exception
handling strategies on page 208.
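The following added example (not part of the original guide) shows an explicit IsAuthorized check wrapped in cftry/cfcatch so that a failure in the security functions results in a denial. The data source name EmpDSN, the Employees table and the "select" action are assumptions for illustration.

```cfml
<!--- Added example: guard a query with explicit authentication and
      authorization checks. The data source "EmpDSN", the Employees
      table, and the "select" action are assumed names; the resource
      must be defined in the security context that is in use. --->
<cfset allowed = false>
<cftry>
    <!--- Authorization is never checked implicitly, so request it. --->
    <cfif IsAuthenticated() and IsAuthorized("DataSource", "EmpDSN", "select")>
        <cfset allowed = true>
    </cfif>
    <cfcatch type="Security">
        <!--- A failure inside the security functions leaves allowed
              set to false (fail closed). Show the reason, HTML-escaped. --->
        <cfoutput>
            <p>Security check failed: #HTMLEditFormat(cfcatch.Message)#</p>
        </cfoutput>
    </cfcatch>
</cftry>

<cfif allowed>
    <cfquery name="GetEmployees" datasource="EmpDSN">
        SELECT FirstName, LastName FROM Employees
    </cfquery>
    <cfoutput query="GetEmployees">
        #HTMLEditFormat(FirstName)# #HTMLEditFormat(LastName)#<br>
    </cfoutput>
<cfelse>
    <!--- Deny by default and stop processing the rest of the page. --->
    <p>You are not authorized to view this data.</p>
    <cfabort>
</cfif>
```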
Example
This example shows the use of exception handling with cfauthenticate in an
Application.cfm file. The cfauthenticate tag authenticates a user and sets the
security context for an application.
If the user is not already defined in the system, you can either reject the page, request
that the user respecify the username and password, or define a new user. The
following example just rejects the page request and displays a message:
<html>
<head>
<title>cfauthenticate Example</title>
</head>
<body>
<h3>cfauthenticate Example</h3>
<!--- This code is from an Application.cfm file --->
<cftry>
    <cfauthenticate securityContext="MyApplicationSC"
        username="#user#"
        password="#pwd#">
    <cfcatch type="Security">
        <!--- The message to display --->
        <h3>Authentication error</h3>
        <!--- display a message. Alternatively, you might place code
        here to define the user to the security context. --->
        <cfoutput>
            <p>#cfcatch.Message#</p>
        </cfoutput>
        <!--- Stop processing so that the requested page is not run --->
        <cfabort>
    </cfcatch>
</cftry>
</body>
</html>