Basic Authentication

Basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request.

Last updated 2 years ago

CBSecurity supports HTTP basic authentication in your ColdBox applications. Please note that this is a quick and easy way to provide security, but not the safest by any means. You have been warned!

What is Basic Authentication?

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a username and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials is the Base64 encoding of the user ID and password joined by a single colon (:).

HTTP Basic authentication (BA) implementation is the most straightforward technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; instead, HTTP Basic authentication uses standard fields in the HTTP header.
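As an added example (not cbSecurity's own code), here is how the header format described above is parsed and checked in Python: the scheme is matched case-insensitively, the credentials are Base64-decoded, and the decoded string is split on the first colon only, because the user ID may not contain a colon but the password may. The user store is a constructed dictionary shaped like the basicAuth users block shown later on this page.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed user store mirroring the shape of cbSecurity's basicAuth config:
# username -> { password, roles, permissions }. Sample values only.
USERS = {
    "lmajano": {"password": "test", "roles": "admin", "permissions": ""},
}


def parse_basic_credentials(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization: Basic <credentials>' header value.

    <credentials> is base64(user-id ":" password). Split on the FIRST colon so a
    password containing colons survives intact. Returns (username, password),
    or None when the header is absent, uses another scheme, or is malformed.
    """
    if not header_value:
        return None
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def authenticate(header_value: Optional[str]) -> Optional[dict]:
    """Return the matching user record, or None if the credentials do not check out."""
    creds = parse_basic_credentials(header_value)
    if creds is None:
        return None
    username, password = creds
    user = USERS.get(username)
    if user is None:
        return None
    # Constant-time comparison avoids leaking how many leading bytes matched
    if not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    return {"username": username, "roles": user["roles"], "permissions": user["permissions"]}
```

A real deployment would store password hashes rather than plaintext; the comparison here mirrors the plaintext users block on this page only to keep the header-parsing logic visible.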

Configuration

The first step is configuring your application to use basic authentication as the validator of choice. We will configure two things:

  • Validator: BasicAuthValidator@cbsecurity

  • Basic auth settings: Where you configure users, passwords, roles, permissions, and encryption

CBSecurity allows you to use basic authentication with ANY authentication service.

cbsecurity : {

    basicAuth : {
        users : {
            "lmajano" : { password : 'test', permissions : "", roles : "admin" }
        }
    },

    firewall : {
        // Global relocation event when an invalid authentication is detected, instead of each rule declaring one.
        "invalidAuthenticationEvent"  : "main.index",
        // Default invalid authentication action: override or redirect; the default is to redirect
        "defaultAuthenticationAction" : "redirect",
        // Global override event when an invalid authorization is detected, instead of each rule declaring one.
        "invalidAuthorizationEvent"   : "main.index",
        // Default invalid authorization action: override or redirect; the default is to redirect
        "defaultAuthorizationAction"  : "redirect",
        // Firewall Validator
        "validator"                   : "BasicAuthValidator@cbsecurity"
    }

}

This is the most basic configuration: we register a single user and tell the firewall to use the basic auth validator. Since the default authentication service is cbauth, I don't have to register it. Finally, since CBSecurity detects the BasicAuthValidator and no registered user class, it will register the BasicAuthUserService for you as well.

You can explicitly set the UserServiceClass to BasicAuthUserService@cbsecurity if you want to.

All I have to do now is create security rules or annotations, and CBSecurity will trigger the browser's Basic Authentication prompt when those resources are accessed. Once you enter your credentials, it will verify them against the registered users in the basicAuth configuration dictionary.

Logout

Since Basic Authentication ONLY focuses on login, logout is left out of the equation. In CBSecurity, we have created a special event so you can securely log out users from basic authentication, which you can hit with ANY HTTP verb.

/cbsecurity/basicauth/logout

This will call the logout method of the authentication service and set the following HTTP headers for you so your session can be rotated:

event
    .setHTTPHeader( name = "WWW-Authenticate", value = "basic realm='Please enter your credentials'" )
    .setHTTPHeader( name = "Cache-Control", value = "no-cache, must-revalidate, max-age=0" )
    .renderData( data = "<h1>Logout Successful!</h1>", statusCode = 401 );

Alternatively, closing the browser also discards the credentials it has cached for the realm.

ColdBox Request Context

ColdBox itself has supported retrieving basic authentication credentials since its early version 2 days. ColdBox can detect and parse the header and give you a struct with username and password keys via the request context's getHTTPBasicCredentials() method.

function preHandler( event, action, eventArguments ){
    var authDetails = event.getHTTPBasicCredentials();
    if( !securityService.authenticate( authDetails.username, authDetails.password ) ) {
        event.renderData( type="JSON", data={ message = 'Please check your credentials' }, statusCode=401, statusMessage="You're not authorized to do that");
    }
}
