CBSecurity 3 - Secure Your ColdBox Applications
Download as PPTX, PDF0 likes133 views
cbSecurity is a security module that provides authentication, authorization, and security services for ColdBox applications. It allows developers to validate user credentials, log users in and out, track security in sessions or custom storage, validate permissions and roles, and more. cbSecurity includes features like security firewalls, rules, handler annotations, and utilities to help secure events, URLs, and views based on roles and permissions. It also supports integrating with various authentication services and provides methods for authentication, authorization contexts, blocking access, securing views, and more.
![cbSecurity - Blocking Methods
secure( permissions, [message] )
secureAll( permissions, [message] )
secureNone( permissions, [message] )
secureSameUser( user, [message])
secureWhen( context, [errorMessage] )
If context = true, then throw a NotAuthorized exception](https://image.slidesharecdn.com/cbsecurity-230317190428-3fe430cf/85/CBSecurity-3-Secure-Your-ColdBox-Applications-22-320.jpg)
CBSecurity 3 - Secure Your ColdBox Applications
- 1. Secure All Things By Luis Majano www.intothebox.org
- 2. @lmajano @ortussolutions Luis Majano • Salvadorean Born! • Imported to the USA • Computer Engineering • CEO of Ortus Solutions
- 3. Inspiration Applying security concerns to our web applications is paramount. Every application will need it. Many forms of application security and many levels.
- 6. What is needed for security? ✴ Validates user credentials ✴ Logs them in and out ✴ Tracks their security in session, custom storage, or none. ✴ Validates Permissions ✴ Validates Roles ✴ Validates nothing 😜
- 7. What is needed for security? ✴ Use ANY auth service: IAuthenticationService ✴ Includes cbauth ✴ Login/Logout ✴ Session Tracking in session/request/cache ✴ You Provide a user service: IUserService ✴ You Provide a user object: IAuthUser ✴ Permission and Role Based ✴ Interfaces: ✴ IAuthUser - Roles and Permissions ✴ IJwtSubject - Jwt Scopes, etc.
- 8. Security Firewall 1. What do we secure? 1. Events 2. URIs 2. How do we secure? 1. Security Rules 2. Handler + Action Annotations 3. JWT Headers 4. cbSecurity explicit methods 3. Who validates?
- 9. Who Validates? ➡ Validators V
- 10. Validators ✴ Configured globally or per-module ✴ Determine the type of authentication/authorization services to use ✴ The firewall calls the validator for a 👍 or 👎 ✴ Core Validators ✴ Auth : role/permission-based security via IAuthService and IAuthUser interfaces ✴ CFML : Leverages CFML cflogin/cflogout features ✴ Basic Auth : Prompts users for credentials using HTTP Basic Auth ✴ JWT Validator : Checks headers for a JWT token and refresh token ✴ Custom Validators: ISecurityValidator
- 11. ` Security Rules
- 12. Security Rules ✴ Rules ✴ are evaluated from top to bottom (Order is important) ✴ secure incoming events/urls via regex patterns ✴ can have white-listed patterns ✴ can have roles and permissions ✴ can have ip, host header restrictions ✴ can be global or per-module ✴ can come from: ✴ Config Inline ✴ Database ✴ XML, JSON ✴ Object Calls
- 13. Security Rules
- 14. Security Rule Actions ✴ Each rule determines what action to occur if the request is not valid: ✴ Redirect to another event/URL ✴ Override the incoming event to another event ✴ Block the request with a 401 Not Authorized ✴ If there is no action in the rule, what happens? ✴ Cascades to module settings ➡ global settings ✴ defaultAuthenticationAction ✴ invalidAuthenticationEvent ✴ defaultAuthorizationAction ✴ invalidAuthorizationEvent
- 15. Security Rule
- 16. Handler Annotation Security ✴ Cascading Security ✴ Component ✴ Access to all actions ✴ Actions ✴ Specific action security ✴ Secure Annotation Value ✴ Nothing - Authenticated ✴ List - Authorizations
- 17. Security Rule
- 18. Secured URL ✴ cbSecurity stores & flashes the incoming URL ✴ rc._securedURL ✴ Better login experiences
- 19. cbSecurity Model ✴ Security Helper Object ✴ Fluent constructs ✴ cbsecure() mixin (handlers/layouts/views/interceptors) ✴ Injection @cbsecurity (models) ✴ Different Types of Methods: ✴ Authentication: Verify if logged in, logout, authenticate ✴ Authorization Contexts: Fluent secure block ✴ Blocking: Throw a NotAuthorized exception ✴ Secure Views: Secure rendering of views ✴ Utility: Generating passwords, checking ip, hostnames, etc ✴ Verification: Verify permissions, etc
- 20. cbSecurity - Authentication Methods getAuthService() getUserService() authenticate( username, password ) getUser() isLoggedIn() logout()
- 21. cbSecurity - Authorization Context Methods when( permissions, success, fail ) whenAll( permissions, success, fail ) whenNone( permissions, success, fail )
- 22. cbSecurity - Blocking Methods secure( permissions, [message] ) secureAll( permissions, [message] ) secureNone( permissions, [message] ) secureSameUser( user, [message]) secureWhen( context, [errorMessage] ) If context = true, then throw a NotAuthorized exception
- 23. cbSecurity - Secure Views Methods secureView( permissions, successView, failView )
- 24. cbSecurity - Utility Methods createPassword( length:32, letters:true, numbers:true, symbols:true ) getRealIP( trustUpstream:true ) getRealHost( trustUpstream:true )
- 25. cbSecurity - Verification Methods has( permissions ):boolean all( permissions ):boolean none( permissions ):boolean sameUser( user ):boolean
- 27. Security Visualizer ✴ Visualize all configuration settings ✴ Firewall activity ✴ Firewall rules simulator ✴ Security Headers ✴ Can also be secured
- 28. Firewall Logs ✴ Activate firewall logging ✴ Firewall > logs
- 29. ✴ Collection of security best practices ✴ Highly configurable ✴ Several on by default Security Headers
- 32. csrfToken() csrfVerify() csrf() csrfField() csrfRotate() CSRF Cross-Site Request Forgery ✴ Leverages the cbcsrf module ✴ Generate & validate tokens ✴ Highly configurable
- 33. JWT Security
- 36. Jwt-cfml ✴ https://forgebox.io/view/jwt-cfml ✴ Encode/Decode JSON Web Tokens ✴ HS256 ✴ HS384 ✴ HS512 ✴ RS256 ✴ RS384 ✴ RS512 ✴ ES256 ✴ ES384 ✴ ES512
- 38. Base Claims ✴ Issuer (iss) - The issuer of the token (defaults to the application's base URL) ✴ Issued At (iat) - When the token was issued (unix timestamp) ✴ Subject (sub) - This holds the identifier for the token (defaults to user id) ✴ Expiration time (exp) - The token expiry date (unix timestamp) ✴ Unique ID (jti) - A unique identifier for the token (md5 of the sub and iat claims) ✴ Scopes (scope) - A space-delimited string of scopes attached to the token ✴ Refresh Token (cbsecurity_refresh) - If you use refresh tokens, this custom claim will be added to the payload.
- 39. Base Claims
- 40. JWT SERVICE ✴ JWTService ✴ Helper: jwtAuth() ✴ Injection: JWTService@cbSecurity ✴ Rest and rest-hmvc templates give a full working example
- 41. JWT SERVICE
- 42. JWT SERVICE
- 43. JWT SERVICE
- 44. JWT SERVICE
- 45. JWT SERVICE
- 46. JWT SERVICE
- 47. JWT Routes
- 48. JWT Controller
- 49. Security Events cbSecurity_onInvalidAuthentication cbSecurity_onInvalidAuthorization Login Interceptions preAuthentication postAuthentication preLogin postLogin preLogout postLogout cbauth Interceptions Jwt Interceptions cbSecurity_onJWTCreation cbSecurity_onJWTInvalidation cbSecurity_onJWTValidAuthentication cbSecurity_onJWTInvalidUser cbSecurity_onJWTInvalidClaims cbSecurity_onJWTExpiration cbSecurity_onJWTStorageRejection cbSecurity_onJWTValidParsing cbSecurity_onJWTInvalidateAllTokens
- 50. GET AN EXTRA 10% OFF I N T O T H E B O X Offer ends Monday March 20th at 12:00 am Code: Early10 WWW.INTOTHEBOX.ORG Limited offer: 2 Days Only Early bird tickets