We are happy to announce our first minor release for CBSecurity v3.1.0, with some nice updates and a new password generator.
CBSecurity 3.x Released
We are incredibly excited to release CBSecurity 3. This is a significant release with over six months of work invested in it. We have completely revamped our security module to make ColdBox applications secure, flexible, and ready for the upcoming ColdBox 7 release. The first major announcement for this release is that we have a brand-new logo!
CommandBox 5.6.0 Released!
We are pleased to announce the release of CommandBox 5.6.0, a minor release of the CFML CLI and package manager. This release contains 25 completed tickets including bug fixes, some big new features, and library updates! Please enjoy the new release, and as always, let us know if you have any issues or questions!
cbSecurity 2.13 Released with Refresh Tokens Support
We are incredibly excited to release cbSecurity version 2.13.0 today. This release packs a big punch in terms of features for our JWT support for RESTFul APIs. We are excited to announce full refresh token support and much more.
```shell
# Install
install cbsecurity
# Update
update cbsecurity
```
ColdBox Security supports the concept ...
How to override a single server rule in CommandBox's new Server Profiles
CommandBox 5.2.0 added a new feature called Server Profiles, which allows you to dial in a bevy of development or production lockdown rules in a single setting. Each profile can be tweaked with individual settings to customize it.
CommandBox 5.2.0 Released
Today we are pleased to announce the final release of CommandBox 5.2.0. This release has been 5 months in the making and covers nearly 50 tickets. We've already covered the full list of new features and enhancements in our release candidate announcement which you can read here:
After a month of RC testing, we've made several additional improvements and are ready to release.
Using CFConfig to apply Government STIGs to ColdFusion servers
I wanted to highlight a recent project I helped a client out with, where we used CFConfig to help automate the process of applying government STIGs to ColdFusion servers. A STIG, or Security Technical Implementation Guide, is meant to standardize the process of setting up and auditing secure servers. If you manage servers in a government or corporate setting, you may be familiar with this. If not, you should still be automating your lockdowns anyway, so keep reading.
CommandBox Web Server Lockdown Example
More and more people are using CommandBox or our Ortus Docker containers (powered by CommandBox) for production deployments. CommandBox uses JBoss Undertow, which is very lightweight and fast, and capable of serving traffic just as fast as IIS or Apache. A lot of people ask me about running CommandBox in production and I always say it's fine so long as you follow the same basic lockdown procedures you'd take on any web server. If you have IIS or Apache sitting in front of CommandBox, most of this configuration can happen there, but for people who want drop-dead simple prod servers, here are some quick tips on locking down your CommandBox server.
ColdBox Security v2.0.0 Released!
We are so excited to release the ColdBox Security Module version 2.0.0. It has been quite a few years since we did a major version of our security module, but it is worth the wait. It is just easier to say we completely rewrote it in modern CFML and introduced modern security practices, HMVC security for modules, annotation-driven security and JWT token services. Never again write API security; we've got you covered! We also completely rewrote the documentation and now we have yet another awesome security book: https://coldbox-security.ortusbooks.com/
```shell
# Install
install cbsecurity
# Update
update cbsecurity
```
There are just too many things to talk about in this release, so we will just list out the major features and you can visit our docs for the complete rundown of ColdBox Security 2.0.0.
The ColdBox cbsecurity module will enhance your ColdBox applications by providing out of the box security in the form of:
- A security rule engine for incoming requests
- Annotation driven security for handlers and actions
- JWT (JSON Web Tokens) generator, decoder and authentication services
- Ability to have global security rules
- Ability for modules to add their own security rules and action overrides
- Ability to distinguish between authentication and authorization issues
- Annotation driven cascading security for handlers and actions
- Security rules can exist in:
  - XML file
  - JSON file
- The rules can be configured to use regular expressions or simple snippets
- Can use ColdFusion authentication security
- Can leverage any custom authentication provider
- Plug any Authentication service or can leverage cbauth by default
- Capability to distinguish between invalid authentication and invalid authorization and determine the outcome of the process
- Ability to load/unload security rules from contributing modules
- Ability for each module to define its own validator