Installation

Leverage CommandBox to install into your ColdBox app:
1
# Latest version
2
install cbsecurity
3
​
4
# Bleeding Edge
5
install [email protected]
Copied!
System Requirements
Lucee 5.x+
ColdFusion 2016+
Module Settings
The module can be configured by adding a cbsecurity key in the moduleSettings structure within the config/Coldbox.cfc
config/Coldbox.cfc
1
// Module Settings
2
moduleSettings = {
3
    // CB Security
4
    cbSecurity : {
5
        // The global invalid authentication event or URI or URL to go if an invalid authentication occurs
6
        "invalidAuthenticationEvent"    : "",
7
        // Default Authentication Action: override or redirect when a user has not logged in
8
        "defaultAuthenticationAction"    : "redirect",
9
        // The global invalid authorization event or URI or URL to go if an invalid authorization occurs
10
        "invalidAuthorizationEvent"        : "",
11
        // Default Authorization Action: override or redirect when a user does not have enough permissions to access something
12
        "defaultAuthorizationAction"    : "redirect",
13
        // You can define your security rules here or externally via a source
14
        "rules"                            : [],
15
        // The validator is an object that will validate rules and annotations and provide feedback on either authentication or authorization issues.
16
        "validator"                        : "[email protected]",
17
        // The WireBox ID of the authentication service to use in cbSecurity which must adhere to the cbsecurity.interfaces.IAuthService interface.
18
        "authenticationService"          : "[email protected]",
19
        // WireBox ID of the user service to use
20
        "userService"                     : "",
21
        // The name of the variable to use to store an authenticated user in prc scope if using a validator that supports it.
22
        "prcUserVariable"                 : "oCurrentUser",
23
        // If source is model, the wirebox Id to use for retrieving the rules
24
        "rulesModel"                    : "",
25
        // If source is model, then the name of the method to get the rules, we default to `getSecurityRules`
26
        "rulesModelMethod"                : "getSecurityRules",
27
        // If source is db then the datasource name to use
28
        "rulesDSN"                        : "",
29
        // If source is db then the table to get the rules from
30
        "rulesTable"                    : "",
31
        // If source is db then the ordering of the select
32
        "rulesOrderBy"                    : "",
33
        // If source is db then you can have your custom select SQL
34
        "rulesSql"                         : "",
35
        // Use regular expression matching on the rule match types
36
        "useRegex"                         : true,
37
        // Force SSL for all relocations
38
        "useSSL"                        : false,
39
        // Auto load the global security firewall
40
        "autoLoadFirewall"                : true,
41
        // Activate handler/action based annotation security
42
        "handlerAnnotationSecurity"        : true,
43
        // Activate security rule visualizer, defaults to false by default
44
        "enableSecurityVisualizer"        : false,
45
        // JWT Settings
46
 			  "jwt"                         : {
47
     				// The issuer authority for the tokens, placed in the `iss` claim
48
     				"issuer"                     : "",
49
     				// The jwt secret encoding key to use. This key is only effective within the `config/Coldbox.cfc`. Specifying within a module does nothing.
50
     				"secretKey"                  : getSystemSetting( "JWT_SECRET", "" ),
51
     				// by default it uses the authorization bearer header, but you can also pass a custom one as well or as an rc variable.
52
     				"customAuthHeader"           : "x-auth-token",
53
     				// The expiration in minutes for the jwt tokens
54
     				"expiration"                 : 60,
55
     				// If true, enables refresh tokens, token creation methods will return a struct instead
56
     				// of just the access token. e.g. { access_token: "", refresh_token : "" }
57
     				"enableRefreshTokens"        : false,
58
     				// The default expiration for refresh tokens, defaults to 30 days
59
     				"refreshExpiration"          : 10080,
60
     				// The Custom header to inspect for refresh tokens
61
     				"customRefreshHeader"        : "x-refresh-token",
62
     				// If enabled, the JWT validator will inspect the request for refresh tokens and expired access tokens
63
     				// It will then automatically refresh them for you and return them back as
64
     				// response headers in the same request according to the customRefreshHeader and customAuthHeader
65
     				"enableAutoRefreshValidator" : false,
66
     				// Enable the POST > /cbsecurity/refreshtoken API endpoint
67
     				"enableRefreshEndpoint"      : true,
68
     				// encryption algorithm to use, valid algorithms are: HS256, HS384, and HS512
69
     				"algorithm"                  : "HS512",
70
     				// Which claims neds to be present on the jwt token or `TokenInvalidException` upon verification and decoding
71
     				"requiredClaims"             : [],
72
     				// The token storage settings
73
     				"tokenStorage"               : {
74
         					// enable or not, default is true
75
         					"enabled"    : true,
76
         					// A cache key prefix to use when storing the tokens
77
         					"keyPrefix"  : "cbjwt_",
78
         					// The driver to use: db, cachebox or a WireBox ID
79
         					"driver"     : "cachebox",
80
         					// Driver specific properties
81
         					"properties" : { "cacheName" : "default" }
82
     				}
83
 			}
84
    }
85
};
Copied!
If you are using cbauth as your authenticationService (the default), you also need to configure cbauth.​
Intro - Previous
Author
Next - Getting Started
Overview
Last modified 21d ago
Copy link
Edit on GitHub
Contents
System Requirements
Module Settings