Welcome to the ColdBox Security, the best way to secure your ColdBox apps.

1. Secure All Things
By Luis Majano
www.intothebox.org

2. @lmajano
@ortussolutions
Luis Majano
• Salvadorean Born!
• Imported to the USA
• Computer Engineering
• CEO of Ortus Solutions

3. Inspiration
Applying security concerns to our web
applications is paramount.
Every application will need it.
Many forms of application security and many
levels.

4. What is cbSecurity?
https://coldbox-

5. Module Composition

6. What is needed for security?
✴ Validates user credentials
✴ Logs them in and out
✴ Tracks their security in session,
custom storage, or none.
✴ Validates Permissions
✴ Validates Roles
✴ Validates nothing 😜

7. What is needed for security?
✴ Use ANY auth service: IAuthenticationService
✴ Includes cbauth
✴ Login/Logout
✴ Session Tracking in session/request/cache
✴ You Provide a user service: IUserService
✴ You Provide a user object: IAuthUser
✴ Permission and Role Based
✴ Interfaces:
✴ IAuthUser - Roles and Permissions
✴ IJwtSubject - Jwt Scopes, etc.

8. Security Firewall
1. What do we secure?
1. Events
2. URIs
2. How do we secure?
1. Security Rules
2. Handler + Action Annotations
3. JWT Headers
4. cbSecurity explicit methods
3. Who validates?

9. Who Validates? ➡ Validators
V

10. Validators
✴ Configured globally or per-module
✴ Determine the type of authentication/authorization services to use
✴ The firewall calls the validator for a 👍 or 👎
✴ Core Validators
✴ Auth : role/permission-based security via IAuthService and IAuthUser
interfaces
✴ CFML : Leverages CFML cflogin/cflogout features
✴ Basic Auth : Prompts users for credentials using HTTP Basic Auth
✴ JWT Validator : Checks headers for a JWT token and refresh token
✴ Custom Validators: ISecurityValidator

11. `
Security Rules

12. Security Rules
✴ Rules
✴ are evaluated from top to bottom (Order is important)
✴ secure incoming events/urls via regex patterns
✴ can have white-listed patterns
✴ can have roles and permissions
✴ can have ip, host header restrictions
✴ can be global or per-module
✴ can come from:
✴ Config Inline
✴ Database
✴ XML, JSON
✴ Object Calls

13. Security Rules

14. Security Rule Actions
✴ Each rule determines what action to occur if the request is not valid:
✴ Redirect to another event/URL
✴ Override the incoming event to another event
✴ Block the request with a 401 Not Authorized
✴ If there is no action in the rule, what happens?
✴ Cascades to module settings ➡ global settings
✴ defaultAuthenticationAction
✴ invalidAuthenticationEvent
✴ defaultAuthorizationAction
✴ invalidAuthorizationEvent

15. Security Rule

16. Handler Annotation Security
✴ Cascading Security
✴ Component
✴ Access to all actions
✴ Actions
✴ Specific action security
✴ Secure Annotation Value
✴ Nothing - Authenticated
✴ List - Authorizations

17. Security Rule

18. Secured URL
✴ cbSecurity stores & flashes the incoming URL
✴ rc._securedURL
✴ Better login experiences

19. cbSecurity Model
✴ Security Helper Object
✴ Fluent constructs
✴ cbsecure() mixin (handlers/layouts/views/interceptors)
✴ Injection @cbsecurity (models)
✴ Different Types of Methods:
✴ Authentication: Verify if logged in, logout, authenticate
✴ Authorization Contexts: Fluent secure block
✴ Blocking: Throw a NotAuthorized exception
✴ Secure Views: Secure rendering of views
✴ Utility: Generating passwords, checking ip, hostnames, etc
✴ Verification: Verify permissions, etc

20. cbSecurity - Authentication Methods
getAuthService()
getUserService()
authenticate( username, password )
getUser()
isLoggedIn()
logout()

21. cbSecurity - Authorization Context Methods
when( permissions, success, fail )
whenAll( permissions, success, fail )
whenNone( permissions, success, fail )

22. cbSecurity - Blocking Methods
secure( permissions, [message] )
secureAll( permissions, [message] )
secureNone( permissions, [message] )
secureSameUser( user, [message])
secureWhen( context, [errorMessage] )
If context = true, then throw a NotAuthorized exception

23. cbSecurity - Secure Views Methods
secureView( permissions, successView, failView )

24. cbSecurity - Utility Methods
createPassword( length:32, letters:true, numbers:true, symbols:true )
getRealIP( trustUpstream:true )
getRealHost( trustUpstream:true )

25. cbSecurity - Verification Methods
has( permissions ):boolean
all( permissions ):boolean
none( permissions ):boolean
sameUser( user ):boolean

26. Security Visualizer

27. Security Visualizer
✴ Visualize all configuration settings
✴ Firewall activity
✴ Firewall rules simulator
✴ Security Headers
✴ Can also be secured

28. Firewall Logs
✴ Activate firewall logging
✴ Firewall > logs

29. ✴ Collection of security best
practices
✴ Highly configurable
✴ Several on by default
Security Headers

30. CSRF
Cross-Site Request Forgery

31. CSRF
Cross-Site Request Forgery

32. csrfToken()
csrfVerify()
csrf()
csrfField()
csrfRotate()
CSRF
Cross-Site Request Forgery
✴ Leverages the cbcsrf module
✴ Generate & validate tokens
✴ Highly configurable

33. JWT Security

34. JWT Security
https://jwt.io/introduction/

36. Jwt-cfml
✴ https://forgebox.io/view/jwt-cfml
✴ Encode/Decode JSON Web Tokens
✴ HS256
✴ HS384
✴ HS512
✴ RS256
✴ RS384
✴ RS512
✴ ES256
✴ ES384
✴ ES512

37. Settings
Database
CacheBox
WireBox ID
IJwtStorage

38. Base Claims
✴ Issuer (iss) - The issuer of the token (defaults to the application's base URL)
✴ Issued At (iat) - When the token was issued (unix timestamp)
✴ Subject (sub) - This holds the identifier for the token (defaults to user id)
✴ Expiration time (exp) - The token expiry date (unix timestamp)
✴ Unique ID (jti) - A unique identifier for the token (md5 of the sub and iat claims)
✴ Scopes (scope) - A space-delimited string of scopes attached to the token
✴ Refresh Token (cbsecurity_refresh) - If you use refresh tokens, this custom
claim will be added to the payload.

39. Base Claims

40. JWT SERVICE
✴ JWTService
✴ Helper: jwtAuth()
✴ Injection: JWTService@cbSecurity
✴ Rest and rest-hmvc templates give a full working example

41. JWT SERVICE

42. JWT SERVICE

43. JWT SERVICE

44. JWT SERVICE

45. JWT SERVICE

46. JWT SERVICE

47. JWT Routes

48. JWT
Controller

49. Security Events
cbSecurity_onInvalidAuthentication
cbSecurity_onInvalidAuthorization
Login Interceptions
preAuthentication
postAuthentication
preLogin
postLogin
preLogout
postLogout
cbauth Interceptions
Jwt Interceptions
cbSecurity_onJWTCreation
cbSecurity_onJWTInvalidation
cbSecurity_onJWTValidAuthentication
cbSecurity_onJWTInvalidUser
cbSecurity_onJWTInvalidClaims
cbSecurity_onJWTExpiration
cbSecurity_onJWTStorageRejection
cbSecurity_onJWTValidParsing
cbSecurity_onJWTInvalidateAllTokens

50. GET AN
EXTRA 10%
OFF
I N T O T H E B O X
Offer ends Monday March 20th at 12:00 am
Code: Early10
WWW.INTOTHEBOX.ORG
Limited offer: 2 Days Only
Early bird tickets