Adding all of the ContentBox modules to a whitelist

Hi Guys, I have a site with ContentBox and I am doing some other security outside of ContentBox. I am using the coldbox.system.interceptor simple security interceptor.

What is the correct syntax for adding all of the ContentBox modules to a whitelist so they will be whitelisted by this interceptor?

whitelist = "";

According to the docs, whitelist is a comma delimited list of events or patterns.

http://wiki.coldbox.org/wiki/Security.cfm#Security_Rules

What values have you tried and what was the result?

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

Brad,

I tried contentbox, contentbox-admin and none of those worked. I removed the modules, fwreinited, and that is when I got the error about moduleServices@cb missing dependencies.

George,

Here is what I do.

[
    {
        "securelist": "^cronus-facebook:.*",
        "roles": "",
        "permissions": "",
        "whitelist": "^cronus-facebook:security\.",
        "redirect": "facebook/security/login",
        "order": "1",
        "match": "event",
        "useSSL": true
    }
]

Now there is also a caveat that you need to be aware of: usually you will not do this often, but if you do, then your security will go out the window. Any time you reset the rules they are wiped and recreated, so you will also need to create an interceptor to re-add these rules again.

In my module Config you will also need to do this. This will set up the module security when the module is activated and registered, but not when you reset the security rules from the dashboard, so just be aware of that.

{
    class = "coldbox.system.interceptors.Security",
    name = "security@facebook",
    properties = {
        rulesSource = "json",
        rulesFile = "#moduleMapping#/data/rules.json",
        validatorModel = "securityService@cronusFacebook"
    }
}

I don’t have the name of the interceptor at hand, but it’s not hard to find out.

I think the whitelist needs to be a full event. The module name would just be a partial event. That means you probably need to use regex. Also, make sure you don’t have extra whitespace in the comma-delimited list.

http://wiki.coldbox.org/wiki/Security.cfm#Sample_JSON_Rules

Thanks!

~Brad

Hi Guys,

I am going to try this pattern for the whitelist="^contentbox:.*,^contentbox-admin:.*,^contentbox-filebrowser:.*,^contentbox-security:.*,^contentbox-ui:.*";

Thoughts?

Hi Guys, I was able to get this to work: contentbox-ui:blog.index. However, what I really need is a regex that can cover that entire module: ^contentbox:.\.\.

I can’t seem to get the correct syntax for that.

Tried all of the suggested ones and from the sample JSON list.

Thanks

Module names are defined like this

moduleName:

The caret in front is to tell ColdFusion to start its regex search from the beginning of the string.

Hi, this was suggested as a way to pick up that entire module and add it to the whitelist interceptor. I am using Railo 4.2.1.003 on Windows 2012 server.

^contentbox-ui:.* If I do the entire event it works (contentbox-ui:page.index) but there are so many events in ContentBox I will never get them all.

What am I missing here?

Hey George,

To begin…

"securelist": "^cronus-facebook:.*"

This secures the entire module; notice the .* here. Then we have

"whitelist": "^cronus-facebook:security\."

Which then adds the handler in that module to the whitelist. If you need to do this on an event within the handler, then you will need to adjust the whitelist to allow it.

Could you break it down to what you’re trying to achieve here?

Hi Andrew, what I am trying to achieve is to add all of the ContentBox modules to the whitelist. I have ContentBox inside another ColdBox application, running security for another module. The list of ContentBox modules I want to add to the whitelist is contentbox, contentbox-admin, contentbox-filebrowser, and contentbox-security.

Can I not whitelist the entire module without listing each handler?

Would the whitelist be something like this?

whitelist = "^contentbox-ui:page\.,^contentbox-admin:allhandles\."

Incomplete of course.

Yes, as it is all ContentBox then use regex to do that.

Not sure of the expression off the top of my head, but it would be something like this.

"securelist": "^contentbox*"

But why would you add contentbox-admin to the whitelist? That will give it no security for the admin.

Hi Andrew, ContentBox is doing its own security. The interceptor does not override ContentBox security. It just allows ContentBox to pass through and then ContentBox enforces its security.

Then I am confused. Do you have security that is stopping the whitelist to ContentBox then? That would be the only reason for your original question.
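
A way to see which events a candidate whitelist actually lets past the interceptor, as an added example that is not part of the thread and not ColdBox code. It models the whitelist as the docs describe it (a comma-delimited list of patterns) and assumes each entry is applied as written, as a case-insensitive, unanchored regex search. Event names other than the contentbox-ui ones are constructed.

```python
import re

# Constructed event inventory; only the contentbox-ui events appear in the thread.
EVENTS = [
    "contentbox-ui:blog.index",
    "contentbox-ui:page.index",
    "contentbox-admin:dashboard.index",
    "contentbox-filebrowser:home.index",
    "contentbox-security:security.login",
    "store:cart.checkout",  # hypothetical event of the host application
]

def split_rules(rule_list):
    """Split a comma-delimited rule list, keeping each entry exactly as written."""
    return [entry for entry in rule_list.split(",") if entry]

def padded_entries(rule_list):
    """Entries with leading/trailing whitespace, which can stop a pattern matching."""
    return [e for e in split_rules(rule_list) if e != e.strip()]

def whitelisted(rule_list, event):
    """True if any entry matches (assumption: case-insensitive, unanchored search)."""
    return any(re.search(e, event, re.IGNORECASE) for e in split_rules(rule_list))

def audit(rule_list, events=EVENTS):
    """Return (events that bypass the interceptor, events still checked, padded entries)."""
    passed = [ev for ev in events if whitelisted(rule_list, ev)]
    checked = [ev for ev in events if ev not in passed]
    return passed, checked, padded_entries(rule_list)

if __name__ == "__main__":
    candidates = {
        "per-module": "^contentbox:.*,^contentbox-admin:.*,^contentbox-filebrowser:.*,"
                      "^contentbox-security:.*,^contentbox-ui:.*",
        "core only": "^contentbox:.*",    # does not cover contentbox-ui:... events
        "bare prefix": "^contentbox",     # covers every contentbox* module, admin included
        "with space": "^contentbox-ui:.*, ^contentbox-admin:.*",
    }
    for name, rules in candidates.items():
        passed, checked, padded = audit(rules)
        print(f"{name}: passes={passed} still_checked={checked} padded={padded}")
```
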