
cbguard's Issues

CBGuard errors if you have no handler / implicit handler

Instead of just skipping the handler that doesn't exist, this errors.
This could be an issue with implicit handlers.

This function will fail if `handlerBean.getHandler()` is empty.

```
var handler = handlerService.getHandler(
    handlerBean,
    event
);
```

Stack trace (innermost frame first):

| Template | Lines |
| -- | -- |
| C:\www\revagency\revagency-ap6-lucee\coldbox\system\core\util\Util.cfc | `288: <cfset md = getMetaData( component )>`<br>`289: <cfelse>`<br>`290: <cfset md = getComponentMetaData( component )>`<br>`291: </cfif>`<br>`292: </cfif>` |
| C:\www\revagency\revagency-ap6-lucee\coldbox\system\ioc\config\Mapping.cfc | `602: }`<br>`603: else{`<br>`604: var produceMetadataUDF = function() { return injector.getUtil().getInheritedMetaData(instance.path, binder.getStopRecursions()); };`<br>`605:`<br>`606: // Are we caching metadata?` |
| C:\www\revagency\revagency-ap6-lucee\coldbox\system\ioc\config\Mapping.cfc | `612: );`<br>`613: } else {`<br>`614: md = produceMetadataUDF();`<br>`615: }`<br>`616: }` |
| C:\www\revagency\revagency-ap6-lucee\coldbox\system\ioc\Injector.cfc | `346: try {`<br>`347: // process inspection of instance`<br>`348: mapping.process( binder=variables.binder, injector=this );`<br>`349: } catch( any e ) {`<br>`350: // Remove bad mapping` |
| C:\www\revagency\revagency-ap6-lucee\coldbox\system\web\services\HandlerService.cfc | `110:`<br>`111: // retrieve, build and wire from wirebox`<br>`112: return wirebox.getInstance( arguments.invocationPath );`<br>`113: }`<br>`114:` |
| C:\www\revagency\revagency-ap6-lucee\coldbox\system\web\services\HandlerService.cfc | `126:`<br>`127: // Create Runnable Object via WireBox`<br>`128: var oEventHandler = newHandler( arguments.ehBean.getRunnable() );`<br>`129:`<br>`130: /* ::::::::::::::::::::::::::::::::::::::::: EVENT METHOD TESTING :::::::::::::::::::::::::::::::::::::::::::: */` |
| C:\www\revagency\revagency-ap6-lucee\modules\cbguard\interceptors\SecuredEventInterceptor.cfc | `30: handlerBean,`<br>`31: event`<br>`32: );`<br>`33:`<br>`34: var handlerMetadata = getMetadata( handler );` |
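The failure mode described in this issue, as an added example that is not cbguard's own code: a small wrapper around the metadata lookup quoted above that checks the handler name before asking the handler service to build the object. `handlerBean`, `handlerService`, `event`, `getHandler()` and `getMetadata()` are the names used in the issue; `resolveHandlerMetadata` and the caller sketch are hypothetical.

```cfml
/**
 * Added example (not cbguard's code): return the handler's metadata, or an
 * empty struct when the request resolves to no concrete handler (an implicit
 * or non-existent handler). Caller names are from the issue; this helper is
 * hypothetical.
 */
function resolveHandlerMetadata(
    required any handlerBean,
    required any handlerService,
    required any event
){
    // An implicit or missing handler leaves the bean without a handler name.
    // Building it via WireBox is what throws in the stack trace above, so
    // short-circuit here and let ColdBox's own invalid-event handling run.
    if ( !len( trim( arguments.handlerBean.getHandler() ) ) ) {
        return {};
    }

    var handler = arguments.handlerService.getHandler(
        arguments.handlerBean,
        arguments.event
    );
    return getMetadata( handler );
}

// Hypothetical caller, as it would sit in an interceptor method:
// var handlerMetadata = resolveHandlerMetadata( handlerBean, handlerService, event );
// if ( structIsEmpty( handlerMetadata ) ) {
//     // nothing to guard: no handler will execute for this event
//     return;
// }
```

Returning early here is only safe because no handler executes for an event ColdBox cannot resolve; the guard is skipped for a request that will end in ColdBox's invalid-event path, not for a real handler, so the check does not open a bypass.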

Add ability to customize guard responses by module

If a module implements cbguard, the module should have the ability to customize the responses for authorization failures when within the module's routing namespace.

Allow for nested cbguard settings within each module's settings.

Example:

```
settings = {
    "cbguard" : {
        "authenticationService"           = "SecurityService@myModule",
        "authenticationOverrideEvent"     = "myModule:Main.onAuthenticationFailure",
        "authenticationAjaxOverrideEvent" = "myModule:api.v1.BaseAPIHandler.onAuthenticationFailure",
        "authorizationOverrideEvent"      = "myModule:Main.onAuthorizationFailure",
        "authorizationAjaxOverrideEvent"  = "myModule:api.v1.BaseAPIHandler.onAuthorizationFailure"
    }
}
```

If a customized module setting is not detected, then the top-level module settings would apply.
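The fallback rule proposed in this issue, as an added example (not cbguard's code): pick the override event for a failure by looking at the current module's nested `cbguard` block first and the top-level settings second. The setting keys are the ones in the issue's example; `resolveOverrideEvent`, `globalSettings`, `moduleSettings` and the sample structs are hypothetical and constructed here. The caller is assumed to pass the settings of the module whose routing namespace the request is in, which is how the "within the module's routing namespace" scoping is represented.

```cfml
/**
 * Added example (not cbguard's code): resolve which event handles an
 * authentication or authorization failure for the current request.
 *
 * failureType    : "authentication" or "authorization"
 * isAjax         : whether the AJAX variant of the override should be used
 * globalSettings : the top-level cbguard settings struct (hypothetical name)
 * moduleSettings : the settings struct of the module the request routed into;
 *                  pass an empty struct for non-module requests (hypothetical)
 */
function resolveOverrideEvent(
    required string failureType,
    required boolean isAjax,
    required struct globalSettings,
    struct moduleSettings = {}
){
    if ( !listFindNoCase( "authentication,authorization", arguments.failureType ) ) {
        throw( type = "InvalidFailureType", message = "Unknown failure type: #arguments.failureType#" );
    }

    // Keys follow the issue's naming: <type>OverrideEvent / <type>AjaxOverrideEvent
    var key = arguments.failureType & ( arguments.isAjax ? "AjaxOverrideEvent" : "OverrideEvent" );

    // 1. A module-level override applies only when the module declares a
    //    nested "cbguard" block that actually sets this key.
    if (
        structKeyExists( arguments.moduleSettings, "cbguard" )
        && structKeyExists( arguments.moduleSettings.cbguard, key )
        && len( trim( arguments.moduleSettings.cbguard[ key ] ) )
    ) {
        return arguments.moduleSettings.cbguard[ key ];
    }

    // 2. Otherwise the top-level setting applies.
    if ( structKeyExists( arguments.globalSettings, key ) ) {
        return arguments.globalSettings[ key ];
    }

    // 3. Nothing configured: return an empty string so the caller can fall
    //    back to cbguard's default failure response.
    return "";
}

// Constructed sample settings (not from any real application)
globalSettings = {
    "authenticationOverrideEvent"     = "Main.onAuthenticationFailure",
    "authorizationOverrideEvent"      = "Main.onAuthorizationFailure",
    "authorizationAjaxOverrideEvent"  = "api.v1.BaseAPIHandler.onAuthorizationFailure"
};
myModuleSettings = {
    "cbguard" : {
        // only the AJAX authorization response is customized by this module
        "authorizationAjaxOverrideEvent" = "myModule:api.v1.BaseAPIHandler.onAuthorizationFailure"
    }
};

// Module override wins for the key it defines...
writeOutput( resolveOverrideEvent( "authorization", true, globalSettings, myModuleSettings ) & "<br>" );
// ...the top-level setting applies for keys the module leaves out...
writeOutput( resolveOverrideEvent( "authorization", false, globalSettings, myModuleSettings ) & "<br>" );
// ...and a request outside any module uses the top-level setting directly.
writeOutput( resolveOverrideEvent( "authentication", false, globalSettings ) & "<br>" );
```

Resolving per key rather than per block means a module can override a single response without having to restate every top-level setting, which keeps the default failure handling in force for anything the module did not explicitly change.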

Introducing Cbguard Breaks Coldbox invalidEventHandler Setting

The Coldbox invalidEventHandler setting allows us to create friendly 404 pages in our apps. However, if you install cbguard in an app that uses invalidEventHandler, it will break the functionality and users will see the following exception error: "The invalidEventHandler setting is also invalid: error.onInvalidEvent. Please check your settings"

For reference (and screenshots) I brought this issue up on Google Groups a while back.

I've done my best to try and solve this problem on my own by closely following a request with an invalid event both with and without cbguard installed. Even though I was not able to figure out how to fix the issue, I did learn a few things that might help.

First of all, I took a look at Coldbox's own handler service in coldbox\system\web\services\HandlerService.cfc and noticed that this error gets triggered when a global request variable, request._lastInvalidEvent matches the currently called event. This was set up to initially prevent infinite loops.

What I figured out is that when cbguard is installed, the invalidEvent() method gets executed twice causing request._lastInvalidEvent to be set two times which makes the function think the invalidEventHandler is invalid. I cannot figure out why cbguard triggers the HandlerService method twice.

Steps to Reproduce:

1. If you want to create a simple test setup to demonstrate the problem, create a blank coldbox app, and utilize the invalidEventHandler in your config.
2. Then, confirm that you can show a friendly 404 error when an invalid event gets called.
3. Next, install cbsecurity and reinit your app. You should see the problem occur.
