Luis Majano

September 27, 2019

Spread the word

Share your thoughts

We are so excited to release The ColdBox Security Module version 2.0.0. It has been quite a few years since we did a major version of our security module, but it is worth the wait. It is just easier to say we completely rewrote it in modern CFML and introduced modern Security practices, HMVC security to modules, annotation driven security and JWT token services. Never again write API security, we got you covered! We also completelty rewrote the documentation and now we have yet another awesome security book:

install cbsecurity
update cbsecurity

There are just too many things to talk about in this release, so we will just list out the major features and you can visit our docs for the complete rundown of ColdBox Security 2.0.0.


The ColdBox cbsecurity module will enhance your ColdBox applications by providing out of the box security in the form of:

  • A security rule engine for incoming requests
  • Annotation driven security for handlers and actions
  • JWT (Json Web Tokens) generator, decoder and authentication services


  • Ability to have global security rules
  • Ability for modules to add their own security rules and action overrides
  • Ability to distinguish between authentication and authorization issues
  • Annotation driven cascading security for handlers and actions
  • Security rules can exist in:
    • XML File
    • JSON File
    • Database
    • Models
  • The rules can be configured to use regular expressions or simple snippets
  • Can use ColdFusion authentication security
  • Can leverage any custom authentication provider
  • Plug any Authentication service or can leverage cbauth by default
  • Capability to distinguish between invalid authentication and invalid authorization and determine an outcome of the process.
  • Ability to load/unload security rules from contributing modules.
  • Ability for each module to define it's own validator

What's New With 2.0.0

New Features

  • Adobe 2016,2018 Support
  • Settings transferred to ColdBox 4/5 moduleSettings approach instead of root approach (See compat section)
  • The rulesModelMethod now defaults to getSecurityRules()
  • ColdFusion security validator has an identity now CFValidator@cbsecurity instead of always being inline.
  • You can now add an overrideEvent element to a rule. If that is set, then we will override the incoming event via event.overrideEvent() instead of doing a relocation using the redirect rule element.
  • You can now declare your rules inline in the configuration settings using the rules key. This will allow you to build the rules in your config instead of a rule source.
  • We now can distinguish between invalid auth and invalid authorizations
  • New interception block points cbSecurity_onInvalidAuthentication, cbSecurity_onInvalidAuhtorization
  • You now have a defaultAuthorizationAction setting which defaults to redirect
  • You now have a invalidAuthenticationEvent setting that can be used
  • You now have a defaultAuthenticationAction setting which defaults to redirect
  • You now have a invalidAuthorizationEvent setting that can be used
  • If a rule is matched, we will store it in the prc as cbSecurity_matchedRule so you can see which security rule was used for processing invalid access actions.
  • If a rule is matched we will store the validator results in prc as cbSecurity_validatorResults
  • Ability for modules to register cbSecurity rules and setting overrides by registering a settings.cbSecurity key.
  • New security rule visualizer for graphically seeing you rules and configuration. Can be locked down via the enableSecurityVisualizer setting. Disabled by default.
  • Annotation based security for handlers and actions using the secured annotation. Which can be boolean or a list of permissions, roles or whatever you like.
  • You can disable annotation based security by using the handlerAnnotationSecurity boolean setting.
  • JWT Token Security Support


  • SSL Enforcement now cascades according to the following lookup: Global, rule, request
  • Interfaces documented for easier extension interfaces.*
  • Migration to script and code modernization
  • New Module Layout
  • Secured rules are now logged as warn() with the offending Ip address.
  • New setting to turn on/off the loading of the security firewall: autoLoadFirewall. The interceptor will auto load and be registered as cbsecurity@global in WireBox.

Add Your Comment

Recent Entries

Secure your Agency Against Cyberattacks

Secure your Agency Against Cyberattacks

Recent incidents, such as the compromise of federal agencies through Adobe ColdFusion vulnerabilities, underscore the pressing need for comprehensive cybersecurity measures. In this blog post, we delve into the urgency of fortifying your agency's defenses and present "10 Reasons Why It's Time to Secure Your Agency Against Cyberattacks.”

Maria Jose Herrera
Maria Jose Herrera
December 07, 2023
Into the Box Latam 2023 | Rueda de Prensa

Into the Box Latam 2023 | Rueda de Prensa

En este artículo, exploraremos las reseñas, notas y publicaciones en redes sociales, revistas digitales y blogs de noticias que han surgido a raíz de este emocionante evento que tuvo lugar el jueves 30 de noviembre.

Maria Jose Herrera
Maria Jose Herrera
December 07, 2023
ColdBox 7.2.0 Released

ColdBox 7.2.0 Released

ColdBox, a widely used development platform for ColdFusion (CFML), has unveiled version 7.2. Packed with compelling new features, bug fixes, and enhancements, this release is designed to empower developers by boosting productivity, refining scheduled task capabilities, and enhancing the overall reliability and efficiency of application development. This article will delve into the key highlights of ColdBox 7.2 and elucidate how these advancements can positively impact developers in their daily coding endeavors.

Luis Majano
Luis Majano
November 20, 2023