What's New With 3.0.0
January 2023
Compatibility

- Dropped Adobe ColdFusion 2016
- New `JwtAuthValidator` instead of mixing concerns with the `JwtService`. You will have to update your configuration to use this validator instead of the `JwtService`.
- All settings have changed. They are not single-level anymore. They are now grouped by functionality. Please see the Configuration area for the new approach.
Added

- New ability for the firewall to log all action events to a database table.
- If enabled, a new visualizer can visualize all settings and firewall events via the log table.
- New Basic Auth validator and basic auth user credentials storage system. This will allow you to secure apps where no database interaction is needed or required.
- New global and rule action: `block`. The firewall will block the request with a 401 Unauthorized page.
- New event `cbSecurity_onFirewallBlock`, announced whenever the firewall blocks a request into the system with a 403.
- `DBTokenStorage` now rotates using the async scheduler and not direct usage anymore.
- Ability to set the `cbcsrf` module settings into the `cbsecurity` settings as `csrf`.
- We now default the user service class and the auth token rotation events according to the user authentication service (cbauth, etc.); no need to duplicate work.
- New rule-based IP security. You can add an `allowedIPs` key into any rule and list which IP addresses are allowed into the match. By default, it matches all IPs.
- New rule-based HTTP method security. You can add an `httpMethods` key into any rule and list which HTTP methods are allowed into the match. By default, it matches all HTTP verbs.
- New `securityHeaders` configuration to allow a developer to protect their apps from common exploits: XSS, HSTS, Content Type Options, host header validation, IP validation, clickjacking, non-SSL redirection, and much more.
- The security firewall now stores the authenticated user according to the `prcUserVariable` on authenticated calls via `preProcess()`, no matter the validator used.
- Dynamic Custom Claims: You can pass a function/closure as the value for a custom claim, and it will be evaluated at runtime, passing in the current claims before being encoded.
- Allow passing in custom refresh token claims to `attempt()`, `fromUser()` and `refreshToken()`: `refreshCustomClaims`.
- Added `TokenInvalidException` and `TokenExpiredException` to the `refreshToken` endpoint.
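The grouped 3.0.0 settings with the new rule keys, shown together as an added example (not the module's own defaults). Identifiers named in this changelog (`JwtAuthValidator`, `block`, `allowedIPs`, `httpMethods`, `csrf`, `securityHeaders`, `prcUserVariable`) are used as-is; the surrounding structure (`firewall`, `rules.inline`, `secureList`, `logs`, `enableAutoVerifier`) and the sample IPs are assumptions to verify against the Configuration area.

```cfml
// config/ColdBox.cfc: illustrative cbsecurity 3.0.0 settings block (added example).
// Structure keys not named in the changelog are assumptions; check the Configuration area.
cbsecurity = {
    authentication : {
        // the firewall stores the authenticated user in prc under this key on authenticated calls
        prcUserVariable : "oCurrentUser"
    },
    firewall : {
        // 3.0.0: the dedicated JwtAuthValidator replaces using the JwtService as a validator
        validator : "JwtAuthValidator@cbsecurity",
        rules : {
            inline : [
                {
                    // restrict this rule's match to these verbs and source IPs
                    // (defaults: all verbs, all IPs); on failure the new "block" action
                    // answers with the 401 Unauthorized page instead of a redirect
                    secureList  : "^api\.admin",            // assumed rule-pattern key
                    httpMethods : "GET,POST,DELETE",
                    allowedIPs  : "10.0.0.5,10.0.0.6",       // constructed sample addresses
                    action      : "block"
                }
            ]
        },
        // log every firewall action event to a table; the visualizer reads from it
        logs : { enabled : true, table : "cbsecurity_logs" }
    },
    // cbcsrf module settings now live under the csrf key (setting name assumed from cbcsrf)
    csrf : { enableAutoVerifier : true },
    // new securityHeaders group: HSTS, content type options, clickjacking, host/IP validation, ...
    securityHeaders : { enabled : true }
};
```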
Fixed

- Disable lastAccessTimeouts for JWT CacheTokenStorage (BOX-128).
- Fix spelling of property `datasource` on `queryExecute` that was causing a read issue.