I've been a long-time user of cbsecurity v1.x, a security rule engine for validating incoming requests. I think most people have written code for authenticating users and validating their requests in some way, and probably many of you have written and modified this code over and over again. Cbsecurity v1 has been around for a long time, but some people complained it was hard to understand and/or too complex. In the meantime other security modules such as cbauth and cbguard were released, which were more limited but easier to use. In February Ortus released cbsecurity version 2, and in subsequent months more and more features were added, resulting in a product that covers a lot of your security needs.

In my opinion the usability of cbsecurity has increased a lot, but there are many options to choose from. In a series of blog posts I will try to show you the different ways you can use cbsecurity to your advantage.

What’s new

So there is a lot of new stuff in cbsecurity 2.x. Let me summarize the most important changes.

  • v1 only had one set of security rules; in the new version each module can have its own rules.
  • Now you have a choice: rule-based or annotation-driven security. Instead of specifying rules with regular expressions for handlers or URLs, you can mark a handler or action as secured, with syntax for specifying the roles or permissions required for that handler or action. Annotation-based security is often easier to manage, but the best thing is that you can also use both, depending on your use case.
  • Multiple ways of authenticating: use cbauth, ColdFusion's cflogin security, or roll your own.
  • The ability to distinguish between invalid authentication (not logged in) and invalid authorization (logged in, but without the required role or permission). This was a lot harder in v1; now you can define different actions for authentication errors and authorization errors.
  • A cbsecurity model, so you can add authorization checks in interceptors, models, layouts and views, not only at the handler/action level.
  • JSON Web Tokens (JWT). In v2 you can use JWT-based authentication and authorization, which is very handy for all kinds of API requests. Although I managed to use JWT in v1, this is a LOT easier!
  • Cross-Site Request Forgery: since v2.4 the cbcsrf module is included to protect your application.

Choices, choices

As stated, there are many, many choices to make in cbsecurity, which can make it a bit intimidating. But in most cases it boils down to only two or three choices:

  1. Which authentication mechanism do you want to use?
    cbauth is a wrapper around authentication that provides a standard API for logging in and out and for retrieving the logged-in user and user ID. If you always want to provide the same authentication mechanism in your apps, cbauth is your ticket to standardization. It is the default in cbsecurity, but it could use some more explanation (I will deal with that in my next blog post).
    The CFML security validator is for people who like the cflogin facilities of ColdFusion. I am not going to explain this, because I would never use it. But you can find the documentation here.
    A custom validator makes sense if you already have some code in place or need maximum flexibility, although I doubt it provides more flexibility than cbauth. In a later installment of this series I will provide a working example of custom validation.
  2. Do you want to secure your events with annotations, or do you want to provide a list of rules? Annotations are easy: just mark your handler or action with the keyword secured, or with secured = "permission1,anotherpermission", and you are done. In this case you are limited to securing your events. When you want to use the more powerful rule validation, you can secure events or URLs, and it is easier to add dynamic permissions. If you are migrating from v1 to v2 you probably have a ruleset already. For maximum flexibility you can use both mechanisms.
  3. If you want to build a secure API you probably want to use the JWT services for JSON Web Tokens. The built-in JWT services will help you with many aspects of JWT. I will provide a working example of this in this series.
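To make choices 1 and 2 (and the authentication-versus-authorization split from the "What's new" list) concrete, here is an added example that is not part of the original post and not cbsecurity's own code. It assumes cbauth as the validator, a hypothetical `UserService` model that cbauth can call, and invented event names (`security.login`, `security.forbidden`), handler names and permission names (`ADMIN`, `INVOICE_DELETE`, `INVOICE_APPROVE`); adjust them to your application. It shows one rule and one annotated handler side by side, a different action for "not logged in" (redirect to login) than for "logged in but not allowed" (render a 403 page in place, which avoids redirect loops), and the cbsecurity model used inside a model and a view.

```cfml
// config/ColdBox.cfc (fragment of configure()) -- added example, not from the post
moduleSettings = {
    cbauth = {
        // Hypothetical WireBox ID of your own user service; cbauth calls it to
        // look up users and check credentials
        userServiceClass : "UserService"
    },
    cbsecurity = {
        // cbauth is the default validator in v2; listed here for clarity
        validator                   : "CBAuthValidator@cbsecurity",
        // Authentication failure (no user logged in): send to the login form
        invalidAuthenticationEvent  : "security.login",
        defaultAuthenticationAction : "redirect",
        // Authorization failure (logged in, lacking the permission): render a
        // 403 page in place instead of redirecting again
        invalidAuthorizationEvent   : "security.forbidden",
        defaultAuthorizationAction  : "override",
        // Honour `secured` annotations on handlers and actions
        handlerAnnotationSecurity   : true,
        // Rules and annotations can be combined; this rule guards every event
        // whose name starts with "admin" (regex match on the event name)
        rules : [
            {
                secureList  : "^admin",
                whiteList   : "",
                match       : "event",
                permissions : "ADMIN",
                action      : "redirect"
            }
        ]
    }
};

// handlers/invoices.cfc -- the handler-level annotation requires a logged-in
// user for every action; the action-level one additionally requires one of the
// listed permissions for delete()
component secured {

    function index( event, rc, prc ) {
        prc.invoices = getInstance( "InvoiceService" ).list(); // hypothetical model
        event.setView( "invoices/index" );
    }

    function delete( event, rc, prc ) secured="INVOICE_DELETE,ADMIN" {
        getInstance( "InvoiceService" ).delete( rc.id );
        relocate( "invoices.index" );
    }
}

// models/InvoiceService.cfc -- authorization checked inside a model via the
// cbsecurity model, so the rule holds no matter which handler or job calls it
component singleton {
    property name="cbSecurity" inject="@cbsecurity";

    function approve( required numeric invoiceId ) {
        // Throws an exception when the logged-in user lacks the permission;
        // handle it in your handler or application exception handler
        cbSecurity.secure( "INVOICE_APPROVE", "You cannot approve invoices" );
        // ... approval logic goes here (omitted) ...
    }
}
```

In the view you can use the `cbSecure()` helper to hide a link, e.g. `<cfif cbSecure().has( "INVOICE_DELETE,ADMIN" )>...delete link...</cfif>`; note that this is only cosmetic, and the `secured` annotation on `delete()` (or an equivalent rule) is what actually stops a crafted request to `invoices.delete`.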

So where do we start? In my next post I will explain cbauth and set up cbsecurity for use with cbauth and annotation-based validation.