CFML Security Validator

The CFML Security validator leverages the ColdFusion security functions for authentication and role based authorization.

ColdBox security has had this security validator since version 1, in which it will talk to the ColdFusion engine's security methods to authenticate and authorize users using roles.

All you need to do is use the WireBox ID of CFValidator@cbsecurity in your validator setting:

cbsecurity = {

    firewall : {
        validator = "CFValidator@cbsecurity"


ColdFusion Security Functions

A container for user authentication and login code. The body of the tag runs only if the user is not logged in. When using application-based security, you place code in the body of the cflogin tag to check the user-provided ID and password against a data source, LDAP directory, or other repository of login identification. The body of the tag includes a cfloginuser tag (or a ColdFusion page that contains a cfloginuser tag) to establish the authenticated user's identity in ColdFusion.

Identifies (logs in) a user to ColdFusion. Specifies the user's ID, password, and roles. This tag is typically used inside a cflogin tag. The cfloginuser tag requires three attributes, name, password, and roles, and does not have a body. The roles attribute is a comma-delimited list of role identifiers to which the logged-in user belongs. All spaces in the list are treated as part of the role names, so you should not follow commas with spaces.While the user is logged-in to ColdFusion, security functions access the user ID and role information.

Logs out the current user. Removes knowledge of the user ID and roles from the server. If you do not use this tag, the user is automatically logged out as described in Logging out users in Using ColdFusion security tags and functions.The cflogout tag does not take any attributes, and does not have a body.

Authenticates a user name and password against the NT domain on which ColdFusion server is running, and optionally retrieves the user's groups.

If you include a roles attribute, the function executes only when there is a logged-in user who belongs to one of the specified roles.

Returns True if the current user is a member of the specified role.

Returns the ID of the currently logged-in user.This tag first checks for a login made with cfloginuser tag. If none exists, it checks for a web server login (cgi.remote_user.



	function login( event, rc, prc ){
		event.setView( "security/login" );
	function doLogin( event, rc, prc ){
			idletimeout=getSetting( "LoginTimeout" ), 
			applicationtoken=getSetting( "AppName" ), 
				type        = "Google",
				clientid    = "YOUR_CLIENT_ID",
				secretkey   = "YOUR_GOOGLE_CLIENTSECRET",
				redirecturi = "YOUR_CALLBACK_URI",
				result      = "res",
				scope       = "YOUR_SCOPES",
				state       = "cftoken=#cftoken#"

				name     = "", 
				password = "#res.access_token#", 
				roles    = "user"
	function doLogout( event, rc, prc ){
	 	relocate( "security.login" );


For more information about cflogin, cfloginuser and cflogout, please visit the docs

The configured authentication service must adhere to our IAuthService interface and the User object must adhere to the IAuthUser interface.

Remember that a validator can exist globally and on a per ColdBox Module level.

Last updated