cbsecurity is no different, so it provides a:
CBSecurity service model to secure any code context anywhere.
preProcess interception point (the first execution of a ColdBox request) and will try to validate whether the request has been authenticated and authorized to execute. This is done via security rules and/or annotations on the requested handler actions through a CBSecurity
Validator. The job of the validator is to make sure user requests have been authenticated and authorized:
cflogin, cflogout). It provides authentication and role-based security.
validator setting) with the interceptor that implements two validation functions:
annotationValidator() that will allow the module to know if the user is logged in and has the right authorizations to continue with the execution.
Authentication is when a user is NOT logged in.
Authorization is when a user does not have the right permissions to access an event/handler or action.
_securedURL so it can be used in relocations
cbSecurity_onInvalidAuthentication interception will be announced
cbSecurity_onInvalidAuthorization interception will be announced
authentication, the default action (defaultAuthenticationAction) for that type will be executed: an override or a relocation will occur against the setting invalidAuthenticationEvent, which can be an event or a destination URL.
authorization, the default action (defaultAuthorizationAction) for that type will be executed: an override or a relocation will occur against the setting invalidAuthorizationEvent, which can be an event or a destination URL.
config/ColdBox.cfc in plain CFML or in any module's ModuleConfig.cfc, or they can come from the following global sources:
getSecurityRules() method from it
config/ColdBox.cfc, or they can also be placed in any custom module in your application:
secured annotation. This annotation can be added to the entire handler, to an action, or both. The default value of the secured annotation is a Boolean true, which means a user must be authenticated in order to access it.
validator setting and will point to the WireBox ID that implements the following methods: ruleValidator() and annotationValidator().
struct with the following keys:
allow (boolean): A Boolean indicator of whether the request may proceed; false when authentication or authorization was violated.
type (string, authentication|authorization): A string that indicates the type of violation: authentication or authorization.
messages (string): Info or debugging messages.
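A custom validator honouring this contract, added here as an example (it is not the module's own code): the method argument names (rule, securedValue, controller) and the rule.roles key are assumptions about what the interceptor passes in; the returned struct carries the documented allow, type and messages keys, and the role check rides on the same cflogin/cfloginuser session the CFSecurity validator uses.

```cfml
/**
 * Custom cbsecurity validator (added example, not the module's own code).
 * Point the module's `validator` setting at this component's WireBox ID.
 * Argument names (rule, securedValue, controller) and the rule.roles key are
 * assumptions; the return struct follows the documented allow/type/messages contract.
 */
component singleton {

    // Rule-driven request: the matched security rule is handed to us
    struct function ruleValidator( required struct rule, required any controller ){
        var roles = structKeyExists( arguments.rule, "roles" ) ? arguments.rule.roles : "";
        return validate( roles );
    }

    // Annotation-driven request: securedValue is the value of the `secured` annotation.
    // A plain boolean true means "any authenticated user"; a string is a role list.
    struct function annotationValidator( required any securedValue, required any controller ){
        var roles = isBoolean( arguments.securedValue ) ? "" : arguments.securedValue;
        return validate( roles );
    }

    // Shared logic that produces the struct the module expects
    private struct function validate( required string roles ){
        var results = { "allow" : false, "type" : "authentication", "messages" : "" };

        // Authentication: the user must have a cflogin/cfloginuser session
        if ( !isUserLoggedIn() ){
            results.messages = "User is not authenticated";
            return results;
        }

        // Authorization: when roles are required, the user needs at least one of them
        results.type = "authorization";
        if ( len( trim( arguments.roles ) ) ){
            var authorized = false;
            for ( var role in listToArray( arguments.roles ) ){
                if ( isUserInRole( trim( role ) ) ){ authorized = true; break; }
            }
            if ( !authorized ){
                results.messages = "User #getAuthUser()# lacks one of the roles: #arguments.roles#";
                return results;
            }
        }

        results.allow    = true;
        results.messages = "Access granted";
        return results;
    }
}
```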
CFSecurity, which has the following WireBox ID: CFValidator@cbsecurity and can be found at
cfloginuser to log in a user and set their appropriate roles in the system. The module can then match these roles via the security rules you have created.
ip: The offending IP address
rule: The security rule intercepted, or empty if annotation driven
settings: The firewall settings
validatorResults: The validator results
annotationType: The annotation type intercepted (handler or action), or empty if rule driven
processActions: A Boolean indicator that defaults to true. If you change this to false, the interceptor won't fire the invalid actions; this usually means you will handle them manually.
CBSecurity model was introduced in version 2.3.0 and it provides you with a way to add authorization checks and contexts anywhere you like: handlers, layouts, views, interceptors and even models.
cbSecure() mixin (handlers/layouts/views/interceptors) or injecting it via WireBox:
secure( permissions, [message] )
secureAll( permissions, [message] )
secureNone( permissions, [message] )
secureWhen( context, [message] )
fail closure is defined, execute that instead.
when( permissions, success, fail )
whenAll( permissions, success, fail )
whenNone( permissions, success, fail )
has( permissions ):boolean
all( permissions ):boolean
none( permissions ):boolean
sameUser( user ):boolean
secureView( permissions, successView, failView )
enableSecurityVisualizer setting to your config and mark it as true. Once enabled you can navigate to /cbsecurity and you will be presented with the visualizer.