ColdBox Security Module
Search…
v2.x
Introduction
Intro
Release History
About This Book
Author
Getting Started
Installation
Overview
Configuration
Usage
Authentication Services
Security Rules
Security Annotations
Secured URL
Interceptions
cbSecurity Model
Cross Site Request Forgery
Security Validators
CBAuth Validator
CFML Security Validator
Custom Validator
JWT
JWT Services
JWT Validator
Refresh Tokens
Token Storage
JWT Interceptions
External links
Source code
Issue Tracker
cbauth
cbcsrf
JWT CFML
Powered By GitBook
Custom Validator

Registration

In order to register your own custom security validator just open the config/Coldbox.cfc and add the validator key with the value being a WireBox ID that points to your object that will provide the validation.
config/Coldbox.cfc
moduleSettings = {
cbSecurity = {
validator = "SecurityService"
}
}

Validator Interface

A security validator object is a simple CFC that implements the following functions
cbsecurity/interfaces/IUserValidator.cfc
/**
* Copyright since 2016 by Ortus Solutions, Corp
* www.ortussolutions.com
* ---
* All security validators must implement the following methods
*/
interface{
​
/**
* This function is called once an incoming event matches a security rule.
* You will receive the security rule that matched and an instance of the ColdBox controller.
*
* You must return a struct with two keys:
* - allow:boolean True, user can continue access, false, invalid access actions will ensue
* - type:string(authentication|authorization) The type of block that ocurred. Either an authentication or an authorization issue.
*
* @return { allow:boolean, type:string(authentication|authorization) }
*/
struct function ruleValidator( required rule, required controller );
​
/**
* This function is called once access to a handler/action is detected.
* You will receive the secured annotation value and an instance of the ColdBox Controller
*
* You must return a struct with two keys:
* - allow:boolean True, user can continue access, false, invalid access actions will ensue
* - type:string(authentication|authorization) The type of block that ocurred. Either an authentication or an authorization issue.
*
* @return { allow:boolean, type:string(authentication|authorization) }
*/
struct function annotationValidator( required securedValue, required controller );
​
}
Each validator must return a struct with the following keys:
  • allow:boolean A Boolean indicator if authentication or authorization was violated
  • type:stringOf(authentication|authorization) A string that indicates the type of violation: authentication or authorization.

Example

Here is a sample validator using permission based security in both rules and annotation context
models/SecurityService.cfc
struct function ruleValidator( required rule, required controller ){
return permissionValidator( rule.permissions, controller, rule );
}
​
struct function annotationValidator( required securedValue, required controller ){
return permissionValidator( securedValue, controller );
}
​
private function permissionValidator( permissions, controller, rule ){
var results = { "allow" : false, "type" : "authentication", "messages" : "" };
var user = security.getCurrentUser();
​
// First check if user has been authenticated.
if( user.isLoaded() AND user.isLoggedIn() ){
// Do we have the right permissions
if( len( arguments.permissions ) ){
results.allow = user.checkPermission( arguments.permission );
results.type = "authorization";
} else {
results.allow = true;
}
}
​
return results;
}
That's it! Go validate!
Security Validators - Previous
CFML Security Validator
Next - JWT
JWT Services
Last modified 2yr ago
Copy link
Edit on GitHub
Outline
Registration
Validator Interface
Example