`cbsecurity` is no different, so it provides a `CBSecurity` service model to secure any code context anywhere.

The module listens to the `preProcess` interception point (the first execution of a ColdBox request) and tries to validate whether the request has been authenticated and authorized to execute. This is done via security rules and/or annotations on the requested handler actions, through a CBSecurity Validator. The job of the validator is to make sure user requests have been authenticated and authorized.

The module ships with a validator built on the ColdFusion security functions (`cflogin`, `cflogout`). It provides authentication and roles based security.

Which validator is used is chosen with the `validator` setting: it points the interceptor at a component that implements two validation functions, `ruleValidator()` and `annotationValidator()`, which let the module know if the user is logged in and has the right authorizations to continue with the execution. Custom validators implement the `cbsecurity.interfaces.ISecurityValidator` interface. The `annotationValidator()` function looks at the security annotations in your handler and handler actions.

- `Authentication` is when a user is NOT logged in.
- `Authorization` is when a user does not have the right permissions to access an event/handler or action.

When the interceptor blocks a request:

- The secured incoming URL is made available as `_securedURL` so it can be used in relocations.
- The matched rule is stored in `prc` as `cbsecurity_matchedRule`.
- The validator results are stored in `prc` as `cbsecurity_validatorResults`.
- If the violation type is `authentication`, the `cbSecurity_onInvalidAuthentication` interception will be announced.
- If the violation type is `authorization`, the `cbSecurity_onInvalidAuthorization` interception will be announced.
- If the violation type is `authentication`, the default action (`defaultAuthenticationAction`) for that type will be executed (an override or a relocation) against the setting `invalidAuthenticationEvent`, which can be an event or a destination URL.
- If the violation type is `authorization`, the default action (`defaultAuthorizationAction`) for that type will be executed (an override or a relocation) against the setting `invalidAuthorizationEvent`, which can be an event or a destination URL.

Security rules can be declared in your `config/ColdBox.cfc` in plain CFML or in any module's `ModuleConfig.cfc`, or they can come from global sources such as a model object, from which the module reads the rules by calling its `getSecurityRules()` method. Each rule names the events it protects in its `secureList`. Rules can also be placed in any custom module in your application.

Handlers can also be secured with the `secured` annotation. This annotation can be added to the entire handler, to an action, or to both. The default value of the `secured` annotation is a Boolean `true`, which means we need a user to be authenticated in order to access it.

The validator is chosen with the `validator` setting, which points to the WireBox ID of the component that implements the following methods: `ruleValidator()` and `annotationValidator()`. Each method must return a `struct` with the following keys:

- `allow:boolean` : A Boolean indicator of whether authentication or authorization was violated
- `type:stringOf(authentication|authorization)` : A string that indicates the type of violation: authentication or authorization
- `messages:string` : Info or debugging messages
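The following is an added example of a custom validator (not code from the cbsecurity module): it implements both validator methods and returns the `allow`/`type`/`messages` struct described above. It assumes the application's login code stores the user in `session.user` with a `permissions` array, that rules carry a `permissions` list, and that the component is registered by pointing the `validator` setting at its WireBox ID; the component name `SessionValidator` is hypothetical.

```cfml
// models/SessionValidator.cfc (hypothetical name); register it by pointing the
// `validator` setting at its WireBox ID, e.g. "SessionValidator"
component implements="cbsecurity.interfaces.ISecurityValidator" singleton {

    // Called when the incoming event matched a security rule.
    // Assumes the rule carries a comma-delimited `permissions` list.
    struct function ruleValidator( required rule, required controller ){
        return validate( arguments.rule.permissions ?: "" );
    }

    // Called when the handler or action carries a `secured` annotation.
    // `securedValue` is `true` (authentication only) or a permission list.
    struct function annotationValidator( required securedValue, required controller ){
        var needed = isBoolean( arguments.securedValue ) ? "" : arguments.securedValue;
        return validate( needed );
    }

    // Shared check producing the struct CBSecurity expects: allow, type, messages.
    // Assumes the login code stores the user in session.user with an array of
    // permission names in session.user.permissions (constructed convention).
    private struct function validate( required string permissions ){
        var results = { "allow" : false, "type" : "authentication", "messages" : "" };

        // Not logged in at all: an authentication violation
        if ( !structKeyExists( session, "user" ) ){
            results.messages = "No authenticated user in session";
            return results;
        }

        // Logged in, so any remaining failure is an authorization violation
        results.type = "authorization";
        var userPerms = session.user.permissions;
        var missing   = listToArray( arguments.permissions ).filter( function( p ){
            return !arrayContainsNoCase( userPerms, p );
        } );
        if ( missing.len() ){
            results.messages = "Missing permissions: " & missing.toList();
            return results;
        }

        results.allow = true;
        return results;
    }
}
```

Because `type` is set before the permission check, an authenticated user lacking a permission triggers `cbSecurity_onInvalidAuthorization` rather than the authentication action.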
`CBAuthValidator@cbsecurity` is the default validator in the `validator` configuration setting. If you use it, you also have to configure the `cbauth` module.

`CFSecurity` has the WireBox ID `CFValidator@cbsecurity` and can be found at `cbsecurity.models.CFSecurity`. It relies on `cfloginuser` to log in a user and set their appropriate roles in the system. The module can then match these roles via the security rules you have created.

The related settings are:

- `invalidAuthenticationEvent`
- `defaultAuthenticationAction`
- `invalidAuthorizationEvent`
- `defaultAuthorizationAction`

The interception points are:

- `cbSecurity_onInvalidAuthentication`
- `cbSecurity_onInvalidAuthorization`

Both receive an `interceptData` struct with the following keys:

- `ip` : The offending IP address
- `rule` : The security rule intercepted, or empty if annotation driven
- `settings` : The firewall settings
- `validatorResults` : The validator results
- `annotationType` : The annotation type intercepted, `handler` or `action`, or empty if rule driven
- `processActions` : A Boolean indicator that defaults to true. If you change this to false, the interceptor won't fire the invalid actions; usually this means you will perform them manually.

The `CBSecurity` model was introduced in version 2.3.0 and it provides you with a way to perform authorization checks and contexts anywhere you like: handlers, layouts, views, interceptors and even models. Use it through the `cbSecure()` mixin (handlers/layouts/views/interceptors) or by injecting it via WireBox.

The following methods throw a `NotAuthorized` exception when the check fails:

- `secure( permissions, [message] )`
- `secureAll( permissions, [message] )`
- `secureNone( permissions, [message] )`
- `secureWhen( context, [message] )`

The following methods run the `success` closure when the check passes; if a `fail` closure is defined, execute that instead:

- `when( permissions, success, fail )`
- `whenAll( permissions, success, fail )`
- `whenNone( permissions, success, fail )`

The verification methods return a Boolean:

- `has( permissions ):boolean`
- `all( permissions ):boolean`
- `none( permissions ):boolean`
- `sameUser( user ):boolean`

View rendering:

- `secureView( permissions, successView, failView )`

To enable the security visualizer, add the `enableSecurityVisualizer` setting to your config and mark it as `true`. Once enabled you can navigate to `/cbsecurity` and you will be presented with the visualizer.