What's New With 3.0.0
- Dropped Adobe ColdFusion 2016
JwtAuthValidatorinstead of mixing concerns with the
JwtService. You will have to update your configuration to use this
validatorinstead of the
- All settings have changed. They are not single-level anymore. They are now grouped by functionality. Please see the Configuration area for the new approach.
- New ability for the firewall to log all action events to a database table.
- If enabled, a new visualizer can visualize all settings and firewall events via the log table.
- New Basic Auth validator and basic auth user credentials storage system. This will allow you to secure apps where no database interaction is needed or required.
- New global and rule action:
blockand the firewall will block the request with a 401 Unauthorized page.
- New event
cbSecurity_onFirewallBlockannounced whenever the firewall blocks a request into the system with a 403.
DBTokenStoragenow rotates using the async scheduler and not direct usage anymore.
- Ability to set the
cbcsrfmodule settings into the
- We now default the user service class and the auth token rotation events according to the user authentication service (cbauth, etc.); no need to duplicate work.
- New rule-based IP security. You can add a
allowedIPskey into any rule and add which IP Addresses are allowed into the match. By default, it matches all IPs.
- New rule-based HTTP method security. You can add a
httpMethodskey into any rule and add which HTTP methods are allowed into the match. By default, it matches all HTTP Verbs.
securityHeadersconfiguration to allow a developer to protect their apps from common exploits: XSS, HSTS, Content Type Options, host header validation, IP validation, clickjacking, non-SSL redirection, and much more.
- The security firewall now stores the authenticated user according to the
prcUserVariableon authenticated calls via
preProcess()no matter the validator used
- Dynamic Custom Claims: You can pass a function/closure as the value for a custom claim, and it will be evaluated at runtime, passing in the current claims before being encoded
- Allow passing in custom refresh token claims to
- Disable lastAccessTimeouts for JWT CacheTokenStorage BOX-128
- Fix spelling of property
queryExecutethat was causing a read issue.