ColdBox Security Module
Search…
v2.x
Introduction
Intro
Release History
About This Book
Author
Getting Started
Installation
Overview
Configuration
Usage
Authentication Services
Security Rules
Security Annotations
Secured URL
Interceptions
cbSecurity Model
Cross Site Request Forgery
Security Validators
CBAuth Validator
CFML Security Validator
Custom Validator
JWT
JWT Services
JWT Validator
Refresh Tokens
Token Storage
JWT Interceptions
External links
Source code
Issue Tracker
cbauth
cbcsrf
JWT CFML
Powered By GitBook
Interceptions
The security firewall will announce some interception events when invalid access or authorizations occur within the system:
  • cbSecurity_onInvalidAuthentication
  • cbSecurity_onInvalidAuthorization
You will receive the following data in the interceptData struct in each interception call:
  • ip : The offending IP address
  • rule : The security rule intercepted or empty if annotations
  • settings : The firewall settings
  • validatorResults : The validator results
  • annotationType : The annotation type intercepted, handler or action or empty if rule driven
  • processActions : A Boolean indicator that defaults to true. If you change this to false, then the interceptor won't fire the invalid actions. Usually this means, you manually will do them.
With these interceptions you can build a nice auditing system, login tracking and much more.
interceptors/SecurityAudit.cfc
1
component extends="coldbox.system.Interceptor"{
2
​
3
function cbSecurity_onInvalidAuthentication( event, interceptData ){
4
// do what you like here
5
}
6
7
function cbSecurity_onInvalidAuthorization( event, interceptData ){
8
// do what you like here
9
}
10
​
11
}
Copied!

Stop Processing Actions

The intercept data has a key called processActions which defaults to true. This Boolean indicator tells the firewall to process the invalid authentication/authorization procedures. If you change this value to false, then the firewall will do NOTHING because it is expecting for YOU to have done the actions.

JWT Interception

If you are using our JWT facilities, then we will announce the following interceptions during JWT usage:
  • cbSecurity_onJWTCreation
  • cbSecurity_onJWTInvalidation
  • cbSecurity_onJWTValidAuthentication
  • cbSecurity_onJWTInvalidUser
  • cbSecurity_onJWTInvalidClaims
  • cbSecurity_onJWTExpiration
  • cbSecurity_onJWTStorageRejection
  • cbSecurity_onJWTValidParsing
  • cbSecurity_onJWTInvalidateAllTokens
Check them all out in our JWT Interceptions Page.

CBAuth Interceptions

You can always find the latest interception points here:
Interception points
cbAuth
cbauth announces several custom interception points. You can use these interception points to change request data or add additional values to session or request scopes. The preAuthentication and postAuthentication events fire during the standard authenticate() method call with a username and password. The preLogin and postLogin events fire during the login() method call. The preLogout and postLogout events fire during the logout() method call.
The preLogin and postLogin interception points will be called during the course of authenticate(). The order of the calls then are preAuthentication -> preLogin -> postLogin -> postAuthentication.
Usage - Previous
Secured URL
Next - Usage
cbSecurity Model
Last modified 22d ago
Copy link
Edit on GitHub
Contents
Stop Processing Actions
JWT Interception
CBAuth Interceptions