
Interceptions

CBSecurity has many events that you can listen to for an event-driven experience.

Login Interceptions

The security firewall will announce some interception events when invalid access or authorizations occur within the system:

  • cbSecurity_onInvalidAuthentication

  • cbSecurity_onInvalidAuthorization

You will receive the following data in the interceptData struct in each interception call:

  • ip : The offending IP address

  • rule : The security rule intercepted, or empty if the block came from annotations

  • settings : The firewall settings

  • validatorResults : The validator results

  • annotationType : The annotation type intercepted (handler or action), or empty if rule driven

  • processActions : A Boolean indicator that defaults to true. If you change this to false, the interceptor won't fire the invalid actions. Usually this means you will perform them manually.

With these interceptions you can build a nice auditing system, login tracking and much more.

interceptors/SecurityAudit.cfc
component extends="coldbox.system.Interceptor"{

    function cbSecurity_onInvalidAuthentication( event, interceptData ){
        // do what you like here
    }
    
    function cbSecurity_onInvalidAuthorization( event, interceptData ){
        // do what you like here
    }

}

Stop Processing Actions

The received event data has a Boolean key called processActions, which defaults to true. This indicator tells the firewall to process the invalid authentication/authorization procedures. If you change this value to false, the firewall will do NOTHING because it expects YOU to have performed the actions.
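The audit interceptor and the processActions switch described above, combined in one added example (not cbSecurity's own code). It assumes that rules are structs with a secureList key, that this application wants Ajax callers to receive JSON instead of the firewall's configured invalid action, and that renderData() followed by noExecution() is how the application chooses to stop the request.

```cfml
// interceptors/SecurityAudit.cfc (added example, not part of cbSecurity)
component extends="coldbox.system.Interceptor" {

    function cbSecurity_onInvalidAuthentication( event, interceptData ){
        audit( "authentication", event, interceptData );
        rejectApiRequest( event, interceptData, 401, "Authentication required" );
    }

    function cbSecurity_onInvalidAuthorization( event, interceptData ){
        audit( "authorization", event, interceptData );
        rejectApiRequest( event, interceptData, 403, "Not authorized" );
    }

    // Write one structured line per blocked request, using only the documented keys
    private function audit( required string type, required event, required struct interceptData ){
        var rule  = interceptData.rule;
        var entry = {
            "type"       : arguments.type,
            "ip"         : interceptData.ip,
            "event"      : event.getCurrentEvent(),
            // annotationType is empty when a rule (not an annotation) blocked the request
            "source"     : len( interceptData.annotationType ) ? "annotation:" & interceptData.annotationType : "rule",
            // Assumption: rules are structs that carry a secureList key
            "secureList" : ( isStruct( rule ) && rule.keyExists( "secureList" ) ) ? rule.secureList : ""
        };
        // Keep credentials, tokens and the request collection out of the audit trail
        log.warn( "cbSecurity invalid access: " & serializeJSON( entry ) );
    }

    // Assumption: Ajax calls are API calls that expect JSON rather than a redirect
    private function rejectApiRequest( required event, required struct interceptData, required numeric status, required string message ){
        if ( !event.isAjax() ) {
            return; // processActions stays true: the firewall runs its configured action
        }
        // Taking over: the firewall now does nothing, so the request must be stopped here
        interceptData.processActions = false;
        event
            .renderData( type = "json", data = { "error" : true, "messages" : arguments.message }, statusCode = arguments.status )
            .noExecution();
    }

}
```

Setting processActions to false without also halting the request leaves the secured event free to run, so every code path that flips the flag has to end in a block, relocation or rendered response.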

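JWT Interceptions

If you are using our JWT facilities, then we will announce the following interceptions during JWT usage: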

  • cbSecurity_onJWTCreation

  • cbSecurity_onJWTInvalidation

  • cbSecurity_onJWTValidAuthentication

  • cbSecurity_onJWTInvalidUser

  • cbSecurity_onJWTInvalidClaims

  • cbSecurity_onJWTExpiration

  • cbSecurity_onJWTStorageRejection

  • cbSecurity_onJWTValidParsing

  • cbSecurity_onJWTInvalidateAllTokens

Check them all out in our JWT Interceptions Page.

CBAuth Interceptions

cbauth announces several custom interception points.

  • preAuthentication

  • postAuthentication

  • preLogin

  • postLogin

  • preLogout

  • postLogout

You can use these interception points to change request data or add additional values to session or request scopes. The preAuthentication and postAuthentication events fire during the standard authenticate() method call with a username and password. The preLogin and postLogin events fire during the login() method call. The preLogout and postLogout events fire during the logout() method call.

You can always find the latest interception points in the cbAuth documentation, under Interception points.

The preLogin and postLogin interception points will be called during the course of authenticate(). The order of the calls is then preAuthentication -> preLogin -> postLogin -> postAuthentication.


Last updated 2 years ago
