1 of 15

v1.x

Introduction

WELCOME TO THE COLDBOX SECURITY MODULE

This module will provide your application with a security rule engine.

LICENSE Apache License, Version 2.0.

IMPORTANT LINKS

SYSTEM REQUIREMENTS

Lucee 4.5+
ColdFusion 9+

INSTRUCTIONS

Just drop into your modules folder or use CommandBox to install

box install cbsecurity

You will then need to configure the interceptor via the cbsecurity settings in your main ColdBox.cfc or you can also declare the interceptor manually by leveraging the class: cbsecurity.interceptors.Security. If you define the cbsecurity settings, then the module will load the interceptor automatically for you with those settings.

You can find all the documentation here:

Security Rules

Security rules can come from xml, json, query, memory or custom locations. You will find some examples in this module's config folder.

Settings

Below are the security settings you can use for this module. Remember you must create the cbsecurity struct in your ColdBox.cfc:

Manual Interceptor Declaration

Here is a sample declaration you can use in your ColdBox.cfc:

Overview

The topic of security is always an interesting and essential one. However, most MVC frameworks offer very loose security when it comes down to an event-oriented architecture. ColdBox Interceptors change this behavior as we have the ability to intercept requests in any point in time during our application executions. With this feature we introduce our Security Module that implements what we call ColdBox Security. With the ColdBox security module you will be able to secure all your public and private ColdBox events from execution and incoming URL patterns. However, as we all know, every application has different requirements and since we are keen on extensibility, the module can be configured to work with whatever security authentications and permissions you might have.

The module wraps itself around the preProcess execution of your request and also (if configured) on any `runEvent()`` methods that get executed internally. The module is based on a custom rules engine that will validate a request against a set of rules that you define and then if a rule is matched, it will try to see if the user is authenticated and in a specific criteria (as specified by you). The two available authentication algorithms are the following:

(default) By using cflogin, cfloginuser, cflogout
Security Validation Object that you create and implement.

The default security is based on what ColdFusion gives you for basic security using their security tags. You basically use cfloginuser to log in a user and set their appropriate roles in the system. The module can then match to these roles via the security rules you have created.

The second method of authentication is based on your custom security logic. You will be able to register a validation object with the module. Once a rule is matched, the module will call your validation object, send in the rule and ask if the user can access it or not. It will be up to your logic to determine if the rule is satisfied or not.

Features

Secures incoming events and URIs
If enabled, secure internal event executions via preEvent() interceptions
Security rules can exist in:

Resources

cflogin -
cfloginuser -
cflogout

How It Works

The basics of the security validation is that you define a set of rules, much like how you define a firewall. Each rule is composed of several elements: securelist, whitelist, roles, permissions, match, and redirect. However, each rule can be expanded by the developer as needed with custom elements, etc. Each rule will be evaluated in the order that it is declared and the follow validation via our flow diagram below.

An incoming request or internal event reaches the first rule and the type of matching is determined: event or URI matching
The incoming event or URI is matched against the whitelist element
1. If matched, then the event is whitelisted so it continues to the next rule
2. Else, continue
The incoming event or URI is matched against the securelist element
1. If not matched, then continue to next rule
2. Else, continue validation
Do we have a custom validator or not?
1. Yes, validate against the custom validator
2. No, validate against ColdFusion's logged in user roles or logged in credentials
If validation fails, redirect the user via the redirect element

Declaring the Interceptor

In order to enable ColdBox security you must register the Security interceptor in your parent or other module configuration's interceptors section:

interceptors = [
    { 
        class       = "cbSecurity.interceptors.Security", 
        name        = "ApplicationSecurity", 
        properties  = {
            // Security properties go here.
        }
    }
];

IMPORTANT If you are using SES or URL mappings in your ColdBox 4 application, make sure that you declare the security interceptor after the SES interceptor. Interceptors require order, so security needs for the URL to be translated first. In coldbox 5 SES is handled by the Routing service, so you don't need this SES interceptor.

Global Properties

XML Properties

The following are properties used when the source of the rules is xml

Property

Type

Required

Default

Description

rulesfile

JSON Properties

The following are properties used when the source of the rules is json

Property

Type

Required

Default

Description

rulesfile

DB Properties

The following are properties used when the source of the rules is db or coming from the database.

IOC Properties

The following are properties used when the source of the rules is ioc or coming from an IoC module

Property

Type

Required

Default

Description

rulesBean

OCM Properties

The following are properties used when the source of the rules is ocm or coming from the CacheBox

Property

Type

Required

Default

Description

Security Rules

Now that we have seen all the properties of this module, how to configure it and declare it, let's look at how the rules work. All the security rules follows the following format, however, you can append as many columns as you like for your own custom validations and the interceptor will register all the columns you pass to it:

Sample JSON Rules

[
    {
        "whitelist": "user\\.login,user\\.logout,^main.*",
        "securelist": "^user\\.*, ^admin",
        "match": "event",
        "roles": "admin",
        "permissions": "",
        "redirect": "user.login",
        "useSSL": false
    },
    {
        "whitelist": "",
        "securelist": "^shopping",
        "match": "url",
        "roles": "",
        "permissions": "shop,checkout",
        "redirect": "user.login",
        "useSSL": true
    }
]

Sample XML Rules

IMPORTANT Please remember to white list your main events (implicit), login and logout events if you will be securing the entire application.

First Rule Analysis

As you can see from the sample, the first rule has the following elements

So it will match the incoming event.

_securedURL key

When the security module is about to relocate redirect element, it will save the incoming URL that was requested in a flash RAM variable called: _securedURL. This key will be persisted in the flash memory of the framework and when the user get's relocated to the redirect element, this key will exist in the request collection. You can then use this to store where they came from and do proper redirections. So always remember to use this key if you want to provide a seamless login experience to your users. You can easily place it in the login form:

Default Security

This module will try to use ColdFusion's cflogin + cfloginuserauthentication by default. However, if you are using your own authentication mechanisms you can still use this module by implementing a Security Validator Object (See next section). Below we can see a sample on how to use the cflogin tag:

Example:

<cflogin>
    
    Your login logic here
    
    <---  Log in the user with appropriate credentials --->
    <cfloginuser name="name" password="password" roles="ROLES HERE">
</cflogin>

<---  Some Real sample --->
<cflogin>
    <cfif getUserService().authenticate(rc.username,rc.password)>
        <cfloginuser name="#rc.username#" password="#rc.password#" roles="#getUserService().getRoles(rc.username)#" />
    </cfif>
</cflogin>

For more information about cflogin, cfloginuser and cflogout, please visit the docs http://cfdocs.org/security-functions

Custom Security Validator Object

A security validator object is a simple CFC that implements the following function:

This function must return a boolean variable and it must validate a user according to the rule that just ran by testing the fields that get sent in as a rule. Where this method exists is up to you. It will also receive a reference to the current ColdBox controller. You can use the controller to call other plugins, persist keys, or anything you like (please see the controller API). The important note here is that the rule structure contains all the elements/columns you defined in your xml or query. Below is a real life example:

Or, in cfscript:

Overview

(default) By using cflogin, cfloginuser, cflogout
Security Validation Object that you create and implement.

Features

Secures incoming events and URIs
If enabled, secure internal event executions via preEvent() interceptions
Security rules can exist in:

Resources

cflogin -
cfloginuser -
cflogout

v1.x

Introduction

hashtagWELCOME TO THE COLDBOX SECURITY MODULE

hashtagLICENSE Apache License, Version 2.0.

hashtagIMPORTANT LINKS

hashtagSYSTEM REQUIREMENTS

hashtagINSTRUCTIONS

hashtagSecurity Rules

hashtagSettings

hashtagManual Interceptor Declaration

Overview

hashtagFeatures

hashtagResources

How It Works

Declaring the Interceptor

hashtagGlobal Properties

XML Properties

JSON Properties

DB Properties

IOC Properties

OCM Properties

Security Rules

Sample JSON Rules

Sample XML Rules

hashtagFirst Rule Analysis

_securedURL key

Default Security

Custom Security Validator Object

Overview

hashtagFeatures

hashtagResources

Introduction

hashtagWELCOME TO THE COLDBOX SECURITY MODULE

hashtagLICENSE Apache License, Version 2.0.

hashtagIMPORTANT LINKS

hashtagSYSTEM REQUIREMENTS

hashtagINSTRUCTIONS

hashtagSecurity Rules

hashtagSettings

hashtagManual Interceptor Declaration

How It Works

Default Security

Declaring the Interceptor

hashtagGlobal Properties

XML Properties

OCM Properties

JSON Properties

DB Properties

Sample JSON Rules

IOC Properties

Security Rules

Sample XML Rules

hashtagFirst Rule Analysis

hashtagSecond Rule Analysis

hashtagThird Rule Analysis

Custom Security Validator Object

_securedURL key

WELCOME TO THE COLDBOX SECURITY MODULE

LICENSE Apache License, Version 2.0.

IMPORTANT LINKS

SYSTEM REQUIREMENTS

INSTRUCTIONS

Security Rules

Settings

Manual Interceptor Declaration

Features

Resources

Global Properties

First Rule Analysis

Features

Resources

WELCOME TO THE COLDBOX SECURITY MODULE

LICENSE Apache License, Version 2.0.

IMPORTANT LINKS

SYSTEM REQUIREMENTS

INSTRUCTIONS

Security Rules

Settings

Manual Interceptor Declaration

Global Properties

First Rule Analysis

Second Rule Analysis

Third Rule Analysis