cbSecurity
CommunitySlackSupport
v3.x
v3.x
  • 🔏Introduction
    • Release History
      • What's New With 3.4.0
      • What's New With 3.3.0
      • What's New With 3.2.0
      • What's New With 3.1.0
      • What's New With 3.0.0
    • Upgrade to 3.0.0
    • About This Book
      • Author
  • Getting Started
    • Installation
    • Overview
    • Configuration
      • 🔏Authentication
      • 🥸Basic Auth
      • 🙈CSRF
      • 🌐JWT
      • 🧱Firewall
        • DB Rules
        • JSON Rules
        • Model Rules
        • XML Rules
      • ☢️Security Headers
      • 🔬Visualizer
  • Usage
    • Authentication Services
    • Basic Authentication
    • Security Rules
    • Security Annotations
    • cbSecurity Model
      • Authentication Methods
      • Authorization Contexts
      • Blocking Methods
      • Securing Views
      • Utility Methods
      • Verification Methods
    • Secured URL
    • Interceptions
    • Cross Site Request Forgery
    • Delegates
    • Auth User
  • Security Validators
    • Auth Validator
    • BasicAuth Validator
    • CFML Security Validator
    • Custom Validator
  • JWT
    • JWT Services
    • JWT Validator
    • Refresh Tokens
    • Token Storage
    • JWT Interceptions
  • External links
    • Issue Tracker
    • Source code
    • Sponsor Us
Powered by GitBook
On this page
  • ColdFusion Security Functions
  • Example:

Was this helpful?

Edit on GitHub
Export as PDF
  1. Security Validators

CFML Security Validator

The CFML Security validator leverages the ColdFusion security functions for authentication and role based authorization.

PreviousBasicAuth ValidatorNextCustom Validator

Last updated 2 years ago

Was this helpful?

ColdBox security has had this security validator since version 1, in which it will talk to the ColdFusion engine's security methods to authenticate and authorize users using roles.

All you need to do is use the WireBox ID of CFValidator@cbsecurity in your validator setting:

cbsecurity = {

    firewall : {
        validator = "CFValidator@cbsecurity"
    }

}

ColdFusion Security Functions

A container for user authentication and login code. The body of the tag runs only if the user is not logged in. When using application-based security, you place code in the body of the cflogin tag to check the user-provided ID and password against a data source, LDAP directory, or other repository of login identification. The body of the tag includes a cfloginuser tag (or a ColdFusion page that contains a cfloginuser tag) to establish the authenticated user's identity in ColdFusion.

Identifies (logs in) a user to ColdFusion. Specifies the user's ID, password, and roles. This tag is typically used inside a cflogin tag. The cfloginuser tag requires three attributes, name, password, and roles, and does not have a body. The roles attribute is a comma-delimited list of role identifiers to which the logged-in user belongs. All spaces in the list are treated as part of the role names, so you should not follow commas with spaces.While the user is logged-in to ColdFusion, security functions access the user ID and role information.

Authenticates a user name and password against the NT domain on which ColdFusion server is running, and optionally retrieves the user's groups.

If you include a roles attribute, the function executes only when there is a logged-in user who belongs to one of the specified roles.

Returns True if the current user is a member of the specified role.

Returns the ID of the currently logged-in user.This tag first checks for a login made with cfloginuser tag. If none exists, it checks for a web server login (cgi.remote_user.

Example:

handlers/security.cfc
component{

	function login( event, rc, prc ){
		event.setView( "security/login" );
	}
	
	function doLogin( event, rc, prc ){
		cflogin(
			idletimeout=getSetting( "LoginTimeout" ), 
			applicationtoken=getSetting( "AppName" ), 
			cookiedomain='myapp.com'
		){
			cfoauth(
				type        = "Google",
				clientid    = "YOUR_CLIENT_ID",
				secretkey   = "YOUR_GOOGLE_CLIENTSECRET",
				redirecturi = "YOUR_CALLBACK_URI",
				result      = "res",
				scope       = "YOUR_SCOPES",
				state       = "cftoken=#cftoken#"
			);

			cfloginuser(
				name     = "#res.other.email#", 
				password = "#res.access_token#", 
				roles    = "user"
			);
		}
	}
	 
	function doLogout( event, rc, prc ){
	   
	    cflogout();
	 	relocate( "security.login" );
	}

}

The configured authentication service must adhere to our IAuthService interface and the User object must adhere to the IAuthUser interface.

Remember that a validator can exist globally and on a per ColdBox Module level.

Logs out the current user. Removes knowledge of the user ID and roles from the server. If you do not use this tag, the user is automatically logged out as described in Logging out users in .The cflogout tag does not take any attributes, and does not have a body.

For more information about cflogin, cfloginuser and cflogout, please visit the docs

http://cfdocs.org/security-functions
cflogin
cfloginuser
cflogout
Using ColdFusion security tags and functions
cfNTauthenticate
cffunction
IsUserInAnyRole
GetAuthUser
Using ColdFusion security tags and functions
Logo