Here is an Application.cfc which implements HTTP Basic Authentication:
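<cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument type="String" name="targetPage" required="true" />
    <!--- getHeader() returns a Java null when the client sent no Authorization header --->
    <cfset var authHeader = GetPageContext().getRequest().getHeader("Authorization") />
    <cfset var authString = "" />
    <cfsetting showDebugOutput="false" />
    <cfif IsDefined("authHeader")>
        <!--- The header value is "Basic " followed by Base64 of "username:password" --->
        <cfset authString = ToString(BinaryDecode(ListLast(authHeader, " "),"Base64")) />
        <!--- Compare() is case-sensitive; eq would also accept "PASSWORD" --->
        <cfif GetToken(authString,1,":") eq "username" AND Compare(GetToken(authString,2,":"), "password") eq 0>
            <cfreturn true />
        </cfif>
    </cfif>
    <!--- Missing or wrong credentials: challenge the client --->
    <cfheader statusCode="401" statusText="UNAUTHORIZED" />
    <cfheader name="WWW-Authenticate" value="Basic realm=""MXUnit""" />
    <cfreturn false />
</cffunction>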
The above example has the username and password hard coded as "username" and "password", but it can easily be modified to look up credentials wherever you may have them stored. One thing to note is that I'm using GetPageContext() to get the Authorization header. In my first attempt I was using GetHttpRequestData() which worked fine for normal HTTP requests, but was causing SOAP requests to bomb out. I'm not sure what the issue was because, reading the ColdFusion docs, it seems you should be able to use GetHttpRequestData with SOAP requests:
Makes HTTP request headers and body available to CFML pages. Useful for capturing SOAP request data, which can be delivered in an HTTP header.
So, why might you want to use this? Well, I'm using it to secure an mxunit RemoteFacade.cfc on a shared server that I don't administer. (The RemoteFacade.cfc is used by the mxunit Eclipse plugin, which supports basic authentication.)
One thing to keep in mind about Basic Authentication: it is only secure if you use it over SSL, as the username and password are sent over the wire in clear text (Base64 is an encoding, not encryption). So if you do use this approach, you may want to put an additional check in your Application.cfc to force secure connections.
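One way to add that check, as an added example that is not code from the original post: the request is refused before any credential handling unless it arrived over SSL, and the header parsing also copes with a missing header, malformed Base64 and passwords that contain colons. The helper names isSecureRequest and checkBasicAuth are hypothetical, and the example assumes SSL terminates at the web server in front of ColdFusion so that CGI.SERVER_PORT_SECURE or CGI.HTTPS is populated.

```cfml
<!--- Added example. isSecureRequest and checkBasicAuth are hypothetical helper names. --->
<cffunction name="isSecureRequest" access="private" returnType="boolean" output="false">
    <!--- Assumption: SSL terminates at the web server, so these CGI variables are set --->
    <cfreturn Val(CGI.SERVER_PORT_SECURE) neq 0 OR CGI.HTTPS eq "on" />
</cffunction>

<cffunction name="checkBasicAuth" access="private" returnType="boolean" output="false">
    <cfset var authHeader = GetPageContext().getRequest().getHeader("Authorization") />
    <cfset var authString = "" />
    <cfset var sep = 0 />
    <!--- No header at all, or a scheme other than Basic --->
    <cfif NOT IsDefined("authHeader") OR ListLen(authHeader, " ") neq 2
          OR ListFirst(authHeader, " ") neq "Basic">
        <cfreturn false />
    </cfif>
    <cftry>
        <cfset authString = ToString(BinaryDecode(ListLast(authHeader, " "), "Base64")) />
        <cfcatch type="any">
            <!--- Malformed Base64 is treated as failed authentication, not a server error --->
            <cfreturn false />
        </cfcatch>
    </cftry>
    <!--- Split on the first colon only: the password may itself contain colons --->
    <cfset sep = Find(":", authString) />
    <cfif sep lt 2>
        <cfreturn false />
    </cfif>
    <!--- Compare() is case-sensitive, unlike eq. Placeholder credentials as in the post. --->
    <cfreturn Compare(Left(authString, sep - 1), "username") eq 0
          AND Compare(RemoveChars(authString, 1, sep), "password") eq 0 />
</cffunction>

<cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument type="String" name="targetPage" required="true" />
    <cfsetting showDebugOutput="false" />
    <cfif NOT isSecureRequest()>
        <!--- Refuse without a challenge, so the client is never prompted over plain HTTP --->
        <cfheader statusCode="403" statusText="SSL Required" />
        <cfreturn false />
    </cfif>
    <cfif checkBasicAuth()>
        <cfreturn true />
    </cfif>
    <cfheader statusCode="401" statusText="UNAUTHORIZED" />
    <cfheader name="WWW-Authenticate" value="Basic realm=""MXUnit""" />
    <cfreturn false />
</cffunction>
```

A client that has the credentials preconfigured will still have sent them on the first plain-HTTP request before the 403 arrives, so the endpoint URL given to clients should itself be an https:// one.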