Setting up Security Roles in ColdBox
Fake Jake is back. He wants to secure some of his events based on 'roles' within ColdBox. ColdBox has security baked in with its core security interceptor, so this should be easy.
ColdBox 3 (I am using the M6 version) gives us a .cfc-based config file, and this is where I will declare the security interceptor.
interceptors = [
    //security
    {class="coldbox.system.interceptors.security",
     properties={rulesSource="xml",
                 rulesFile="/config/securityRules.xml.cfm",
                 debugMode="false",
                 preEventSecurity="true"}}
];
From the above you can see I have told the interceptor where to find my security rules. In this example I have placed the rules in an XML file called 'securityRules.xml.cfm', but they could also be pulled from a database, a model, ORM, etc.
Now let's have a look at the rules in this file.
<!--Security rule
ex: All events in the user handler
    user\..*
ex: All events
    .*
ex: All events that start with admin
    ^admin
If you are not using regular expression,
just write the text
that can be found in an event.-->

<rules>
    <rule>
        <whitelist>
            general\..*,
            login\..*
        </whitelist>
        <securelist>
            dashboard\..*
        </securelist>
        <roles>user,admin</roles>
        <permissions>read,write</permissions>
        <redirect>login.index</redirect>
    </rule>
</rules>
As you can see, we have a 'whitelist' of events that will not be verified by the security interceptor. We also have a 'securelist'. In my example this means that any event starting with 'dashboard' will be secured, and a request that fails the check will be redirected to the event named in the 'redirect' element, in this case login.index.
Roles in my case mean that only users assigned the role 'user' or 'admin' will be allowed to visit the events in the secure list.
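To make the whitelist/securelist/roles semantics concrete, here is an added model of the rule evaluation written for this post; it is not the ColdBox interceptor's own code. It parses a constructed copy of the rules file above and decides, for an event name and the roles a user holds, whether the request is allowed or redirected. It assumes that patterns are regular expressions matched case-insensitively anywhere in the event name (as the comment in the rules file describes) and that the first rule covering an event decides.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the post's securityRules.xml.cfm (leading comment omitted).
RULES_XML = r"""<rules>
  <rule>
    <whitelist>
      general\..*,
      login\..*
    </whitelist>
    <securelist>
      dashboard\..*
    </securelist>
    <roles>user,admin</roles>
    <redirect>login.index</redirect>
  </rule>
</rules>"""

def split_list(text):
    """Split a comma-separated rule list, ignoring newlines and blank entries."""
    return [p.strip() for p in (text or "").split(",") if p.strip()]

def load_rules(xml_text):
    """Parse <rules> into dicts holding the fields this post relies on."""
    rules = []
    for node in ET.fromstring(xml_text).findall("rule"):
        rules.append({
            "whitelist": split_list(node.findtext("whitelist")),
            "securelist": split_list(node.findtext("securelist")),
            "roles": {r.lower() for r in split_list(node.findtext("roles"))},
            "redirect": (node.findtext("redirect") or "").strip(),
        })
    return rules

def matches_any(patterns, event):
    # Assumption: patterns are regexes matched case-insensitively anywhere in the event name.
    return any(re.search(p, event, re.IGNORECASE) for p in patterns)

def check_event(rules, event, user_roles):
    """Return ("allow", None) or ("redirect", target) for one incoming event."""
    for rule in rules:
        if matches_any(rule["whitelist"], event):
            continue  # whitelisted events are never verified by this rule
        if not matches_any(rule["securelist"], event):
            continue  # rule does not cover this event
        if rule["roles"] & {r.strip().lower() for r in user_roles}:
            return ("allow", None)
        return ("redirect", rule["redirect"])
    return ("allow", None)  # no rule claimed the event
```

Note that the redirect target login.index is itself whitelisted, so an unauthenticated user is never bounced in a loop.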
That's it! We have set up our role-based security in ColdBox. Now let's look at a simple login event. This event fires after the user has clicked login, and it is where I validate their login credentials.
function validateCredentials(event){
    var rc = event.getCollection();
    var userBean = "";
    var userCount = 0;
    userBean = userService.new();//new object
    populateModel(userBean);//populate object from the request scope
    userCount = userService.countWhere(entityName="user",
                                       user_name="#userBean.getuser_name()#",
                                       user_password="#userBean.getuser_password()#");

    if (userCount eq 1){//correct login
        userBean = userService.findUser();
        userService.save(userBean);//update user login details
        loginUser(username=userBean.getuser_name(),
                  password=userBean.getuser_password(),
                  role=userBean.getuser_role());
        return true;
    }
    else {
        return false;
    }
}
Because I am using CFScript for my components, you can see that I have to call another function called 'loginUser'. loginUser lives inside a tag-based (non-script) CFC that I make available by extending it from this component. For example:
<cffunction name="loginUser" access="public" returntype="void" output="false">
    <cfargument name="username" required="true">
    <cfargument name="password" required="true">
    <cfargument name="role" required="true">
    <!--- log the user in; the argument values must be evaluated, not passed as literal strings --->
    <cflogin idletimeout="1800">
        <cfloginuser
            name="#arguments.username#"
            password="#arguments.password#"
            roles="#arguments.role#">
    </cflogin>
</cffunction>
The reason for this is that CF9 does not have a script version of the cflogin tags.
That's really it; I have now secured my events based on user roles. For more reading, visit the ColdBox docs.
Oct06