The ColdBox cbsecurity module is a collection of modules to help secure your ColdBox applications. In this session, we will explore all the features behind CBSecurity 3. We will build an application using the module to showcase authentication, authorization, and JWT authentication.
https://coldbox-security.ortusbooks.com/
https://intothebox.org
https://cfcasts.com/
3. Inspiration
Applying security concerns to our web applications is paramount.
Every application will need it.
There are many forms of application security, at many levels.
7. What is needed for security?
• Validates user credentials
• Logs them in and out
• Tracks their security in session, custom storage, or none
• Validates permissions
• Validates roles
• Validates nothing 😜
8. What is needed for security?
• Use ANY auth service: IAuthenticationService
  • Includes cbauth
  • Login/logout
  • Session tracking in session/request/cache
• You provide a user service: IUserService
• You provide a user object: IAuthUser
• Permission and role based
• Interfaces:
  • IAuthUser - roles and permissions
  • IJwtSubject - JWT scopes, etc.
9.
1. What do we secure?
   1. Events
   2. URIs
2. How do we secure?
   1. Security rules
   2. Handler + action annotations
   3. JWT headers
   4. cbSecurity explicit methods
3. Who validates?
   The Security Firewall
11. Validators
• Configured globally or per-module
• Determine the type of authentication/authorization services to use
• The firewall calls the validator for a 👍 or 👎
• Core validators:
  • Auth: role/permission-based security via the IAuthService and IAuthUser interfaces
  • CFML: leverages the CFML cflogin/cflogout features
  • Basic Auth: prompts users for credentials using HTTP Basic Auth
  • JWT Validator: checks headers for a JWT token and refresh token
• Custom validators: ISecurityValidator
13. Security Rules
• Rules
  • are evaluated from top to bottom (order is important)
  • secure incoming events/URLs via regex patterns
  • can have white-listed patterns
  • can have roles and permissions
  • can have IP and host header restrictions
  • can be global or per-module
  • can come from:
    • Config inline
    • Database
    • XML, JSON
    • Object calls
15. Security Rule Actions
• Each rule determines what action occurs if the request is not valid:
  • Redirect to another event/URL
  • Override the incoming event to another event
  • Block the request with a 401 Not Authorized
• If there is no action in the rule, what happens?
  • Cascades to module settings ➡ global settings:
    • defaultAuthenticationAction
    • invalidAuthenticationEvent
    • defaultAuthorizationAction
    • invalidAuthorizationEvent
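As an added illustration (not cbSecurity's own code; the rule keys, settings objects and sample rules are constructed for this example), the Python below models the rule semantics from the Security Rules and Security Rule Actions slides: top-to-bottom evaluation where the first matching rule decides, whitelist patterns, role/permission and IP restrictions, and the cascade from the rule's own action to module and then global settings when the rule carries none.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed rule set (illustrative; not cbSecurity's own engine or config keys).
RULES = [
    {"securelist": r"^admin", "whitelist": r"^admin/login", "roles": {"admin"},
     "action": "redirect", "redirect": "admin/login"},
    {"securelist": r"^api", "permissions": {"API_READ"},
     "allowedIPs": ["10.0.0.0/8"], "action": "block"},
    {"securelist": r"^account"},  # no action or target: cascades to the defaults
]
# Hypothetical module and global settings, named as on the slide.
MODULE_SETTINGS = {}  # the module defines nothing, so lookups fall through to global
GLOBAL_SETTINGS = {
    "defaultAuthenticationAction": "redirect", "invalidAuthenticationEvent": "login",
    "defaultAuthorizationAction": "override", "invalidAuthorizationEvent": "denied",
}

def _matches(pattern, event):
    return bool(pattern) and re.search(pattern, event, re.IGNORECASE) is not None

def _cascade(key):
    """Module setting first, then global setting."""
    return MODULE_SETTINGS.get(key) or GLOBAL_SETTINGS.get(key)

def evaluate(event, user, client_ip, rules=RULES):
    """user is None (anonymous) or {'roles': set(), 'permissions': set()}.
    Returns (decision, target): decision is allow | redirect | override | block."""
    for rule in rules:  # top to bottom: the first rule that secures the event decides
        if not _matches(rule.get("securelist"), event) or _matches(rule.get("whitelist"), event):
            continue
        if user is None:
            failure = "Authentication"
        elif rule.get("allowedIPs") and not any(
                ip_address(client_ip) in ip_network(n) for n in rule["allowedIPs"]):
            failure = "Authorization"
        elif rule.get("roles") and rule["roles"].isdisjoint(user["roles"]):
            failure = "Authorization"
        elif rule.get("permissions") and rule["permissions"].isdisjoint(user["permissions"]):
            failure = "Authorization"
        else:
            return ("allow", event)
        action = rule.get("action") or _cascade(f"default{failure}Action")
        target = rule.get("redirect") or rule.get("overrideEvent") or _cascade(f"invalid{failure}Event")
        return (action, target)
    return ("allow", event)  # no rule secured the event
```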
17. Handler Annotation Security
• Cascading security
  • Component: secures all actions
  • Actions: secures a specific action
• Secure annotation value
  • Nothing: requires authentication only
  • List: the required authorizations (roles/permissions)
28. Security Visualizer
• Visualize all configuration settings
• Firewall activity
• Firewall rules simulator
• Security headers
• Can also be secured
39. Base Claims
• Issuer (iss) - the issuer of the token (defaults to the application's base URL)
• Issued At (iat) - when the token was issued (unix timestamp)
• Subject (sub) - the identifier for the token (defaults to the user id)
• Expiration time (exp) - the token expiry date (unix timestamp)
• Unique ID (jti) - a unique identifier for the token (md5 of the sub and iat claims)
• Scopes (scope) - a space-delimited string of scopes attached to the token
• Refresh Token (cbsecurity_refresh) - if you use refresh tokens, this custom claim will be added to the payload