3. Inspiration
Applying security concerns to our web
applications is paramount.
Every application will need it.
Many forms of application security and many
levels.
6. What is needed for security?
✴ Validates user credentials
✴ Logs them in and out
✴ Tracks their security in session,
custom storage, or none.
✴ Validates Permissions
✴ Validates Roles
✴ Validates nothing 😜
7. What is needed for security?
✴ Use ANY auth service: IAuthenticationService
✴ Includes cbauth
✴ Login/Logout
✴ Session Tracking in session/request/cache
✴ You Provide a user service: IUserService
✴ You Provide a user object: IAuthUser
✴ Permission and Role Based
✴ Interfaces:
✴ IAuthUser - Roles and Permissions
✴ IJwtSubject - Jwt Scopes, etc.
8. Security Firewall
1. What do we secure?
1. Events
2. URIs
2. How do we secure?
1. Security Rules
2. Handler + Action Annotations
3. JWT Headers
4. cbSecurity explicit methods
3. Who validates?
10. Validators
✴ Configured globally or per-module
✴ Determine the type of authentication/authorization services to use
✴ The firewall calls the validator for a 👍 or 👎
✴ Core Validators
✴ Auth : role/permission-based security via IAuthService and IAuthUser
interfaces
✴ CFML : Leverages CFML cflogin/cflogout features
✴ Basic Auth : Prompts users for credentials using HTTP Basic Auth
✴ JWT Validator : Checks headers for a JWT token and refresh token
✴ Custom Validators: ISecurityValidator
12. Security Rules
✴ Rules
✴ are evaluated from top to bottom (Order is important)
✴ secure incoming events/urls via regex patterns
✴ can have white-listed patterns
✴ can have roles and permissions
✴ can have ip, host header restrictions
✴ can be global or per-module
✴ can come from:
✴ Config Inline
✴ Database
✴ XML, JSON
✴ Object Calls
14. Security Rule Actions
✴ Each rule determines what action to occur if the request is not valid:
✴ Redirect to another event/URL
✴ Override the incoming event to another event
✴ Block the request with a 401 Not Authorized
✴ If there is no action in the rule, what happens?
✴ Cascades to module settings ➡ global settings
✴ defaultAuthenticationAction
✴ invalidAuthenticationEvent
✴ defaultAuthorizationAction
✴ invalidAuthorizationEvent
38. Base Claims
✴ Issuer (iss) - The issuer of the token (defaults to the application's base URL)
✴ Issued At (iat) - When the token was issued (unix timestamp)
✴ Subject (sub) - This holds the identifier for the token (defaults to user id)
✴ Expiration time (exp) - The token expiry date (unix timestamp)
✴ Unique ID (jti) - A unique identifier for the token (md5 of the sub and iat claims)
✴ Scopes (scope) - A space-delimited string of scopes attached to the token
✴ Refresh Token (cbsecurity_refresh) - If you use refresh tokens, this custom
claim will be added to the payload.
50. GET AN
EXTRA 10%
OFF
I N T O T H E B O X
Offer ends Monday March 20th at 12:00 am
Code: Early10
WWW.INTOTHEBOX.ORG
Limited offer: 2 Days Only
Early bird tickets