ColdBox Security Module
Search…
v2.x
Introduction
Intro
Release History
About This Book
Author
Getting Started
Installation
Overview
Configuration
Usage
Authentication Services
Security Rules
Security Annotations
Secured URL
Interceptions
cbSecurity Model
Cross Site Request Forgery
Security Validators
CBAuth Validator
CFML Security Validator
Custom Validator
JWT
JWT Services
JWT Validator
Refresh Tokens
Token Storage
JWT Interceptions
External links
Source code
Issue Tracker
cbauth
cbcsrf
JWT CFML
Powered By GitBook
Security Annotations
The security module also allows you to secure your events via annotations instead of using security rules. The setting that controls this security feature is the handlerAnnotationSecurity which can see in the configuration section.​
The security module has a tiered approach to annotation security as it will check the handler component first and then the requested action method second. You can apply different security contexts to each level as you see fit.
Please note that the security rules will be inspected first, annotations second.
See the diagram below for inspecting security based on annotations:
Annotation based security

Secure Annotation

The firewall will inspect handlers for a secured annotation. This annotation can be added to the entire handler or to an action method or both. The default value of the secured annotation is a Boolean true. Which means, we need a user to be authenticated in order to access it.
1
// Secure the entire handler
2
component secured{
3
​
4
function index(event,rc,prc){}
5
function list(event,rc,prc){}
6
​
7
}
8
// Same as this
9
component secured=true{
10
}
11
​
12
// Do NOT secure the handler
13
component secured=false{
14
}
15
// Same as this, no annotation!
16
component{
17
​
18
function index(event,rc,prc) secured{
19
}
20
​
21
function list(event,rc,prc) secured="list"{
22
​
23
}
24
25
}
Copied!

Authorization Context

You can also give the annotation a value, which can be anything you like: A list of roles, a role, a list of permissions, metadata, JSON, etc. Whatever it is, this is called the authorization context and the user validator must be able to not only authenticate but authorize the context or an invalid authorization will occur.
1
// Secure this handler
2
component secured="admin,users"{
3
​
4
function index(event,rc,prc) secured="list"{
5
​
6
}
7
8
function save(event,rc,prc) secured="write"{
9
​
10
}
11
​
12
}
Copied!
The secured value will be passed to the validator's for authorization.

Cascading Security

By having the ability to annotate the handler and also the action you create a cascading security model where they need to be able to access the handler first and only then will the action be evaluated for access as well.
​
​
​
​
Usage - Previous
Security Rules
Next - Usage
Secured URL
Last modified 1yr ago
Copy link
Edit on GitHub
Contents
Secure Annotation
Authorization Context
Cascading Security