We are so excited to release The ColdBox Security Module version 2.0.0. It has been quite a few years since we did a major version of our security module, but it is worth the wait. It is just easier to say we completely rewrote it in modern CFML and introduced modern Security practices, HMVC security to modules, annotation driven security and JWT token services. Never again write API security, we got you covered! We also completelty rewrote the documentation and now we have yet another awesome security book: https://coldbox-security.ortusbooks.com/

install cbsecurity
update cbsecurity

There are just too many things to talk about in this release, so we will just list out the major features and you can visit our docs for the complete rundown of ColdBox Security 2.0.0.

Introduction

The ColdBox cbsecurity module will enhance your ColdBox applications by providing out of the box security in the form of:

  • A security rule engine for incoming requests
  • Annotation driven security for handlers and actions
  • JWT (Json Web Tokens) generator, decoder and authentication services

Features

  • Ability to have global security rules
  • Ability for modules to add their own security rules and action overrides
  • Ability to distinguish between authentication and authorization issues
  • Annotation driven cascading security for handlers and actions
  • Security rules can exist in:
    • XML File
    • JSON File
    • Database
    • Models
  • The rules can be configured to use regular expressions or simple snippets
  • Can use ColdFusion authentication security
  • Can leverage any custom authentication provider
  • Plug any Authentication service or can leverage cbauth by default
  • Capability to distinguish between invalid authentication and invalid authorization and determine an outcome of the process.
  • Ability to load/unload security rules from contributing modules.
  • Ability for each module to define it's own validator

What's New With 2.0.0

New Features

  • Adobe 2016,2018 Support
  • Settings transferred to ColdBox 4/5 moduleSettings approach instead of root approach (See compat section)
  • The rulesModelMethod now defaults to getSecurityRules()
  • ColdFusion security validator has an identity now CFValidator@cbsecurity instead of always being inline.
  • You can now add an overrideEvent element to a rule. If that is set, then we will override the incoming event via event.overrideEvent() instead of doing a relocation using the redirect rule element.
  • You can now declare your rules inline in the configuration settings using the rules key. This will allow you to build the rules in your config instead of a rule source.
  • We now can distinguish between invalid auth and invalid authorizations
  • New interception block points cbSecurity_onInvalidAuthentication, cbSecurity_onInvalidAuhtorization
  • You now have a defaultAuthorizationAction setting which defaults to redirect
  • You now have a invalidAuthenticationEvent setting that can be used
  • You now have a defaultAuthenticationAction setting which defaults to redirect
  • You now have a invalidAuthorizationEvent setting that can be used
  • If a rule is matched, we will store it in the prc as cbSecurity_matchedRule so you can see which security rule was used for processing invalid access actions.
  • If a rule is matched we will store the validator results in prc as cbSecurity_validatorResults
  • Ability for modules to register cbSecurity rules and setting overrides by registering a settings.cbSecurity key.
  • New security rule visualizer for graphically seeing you rules and configuration. Can be locked down via the enableSecurityVisualizer setting. Disabled by default.
  • Annotation based security for handlers and actions using the secured annotation. Which can be boolean or a list of permissions, roles or whatever you like.
  • You can disable annotation based security by using the handlerAnnotationSecurity boolean setting.
  • JWT Token Security Support

Improvements

  • SSL Enforcement now cascades according to the following lookup: Global, rule, request
  • Interfaces documented for easier extension interfaces.*
  • Migration to script and code modernization
  • New Module Layout
  • Secured rules are now logged as warn() with the offending Ip address.
  • New setting to turn on/off the loading of the security firewall: autoLoadFirewall. The interceptor will auto load and be registered as cbsecurity@global in WireBox.