Can't load the "security visualizer"

I’ve got a fresh site setup. All through Commandbox. Coldbox is: 6.3.0+1436. Installed cbsecurity-2.11.0+168. I’ve done some basic tests creating annotations of “secured” and created a simple event for redirect when not logged in.

The docs all say to hit /cbsecurity to get that visualizer. All I keep getting is simple text of “Page not Found”. This is coming from this line in cbsecurity\handlers\home:
if ( !prc.properties.enableSecurityVisualizer || getSetting( "environment" ) == "production" ) {

Adding some writeDump()'s in there, I see that my environment is, indeed, “development”. The enableSecurityVisualizer setting, though, is false. I followed the instructions at: GitHub - coldbox-modules/cbsecurity: Annotation, rule driven security and authentication for ColdBox Applications!

Those instructions indicate to create a moduleSettings section in the config\Coldbox file, and have enableSecurityVisualizer=true, which is in place.

It seems to me that the cbsecurity module is somehow NOT picking up the override settings in the primary Coldbox config.

Thoughts on this? Am I doing something wrong or have I discovered a bug?

(Also: There’s nothing in this cbsecurity to actually create tables, users, etc, is there?)

Thanks, y’all!

@CaptainPalapa Did you reinit the framework :slight_smile:
Without that setting, the visualizer doesn’t show.

moduleSettings = {
    cbSecurity = {
        enableSecurityVisualizer : true
    }
}
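For reference, here is how the override can be scoped to the development environment only, so the rule visualizer is never switched on in production. This is an added example, not code from the thread or from the cbsecurity project; the `main.unauthorized` event name is an assumption based on the handler described earlier in the thread.

```cfml
// config/Coldbox.cfc (added example, not from the thread)
component {

    function configure() {
        // ... other ColdBox directives (coldbox = {...}, settings = {...}) ...

        // Module settings: each key is a module name, its value overrides
        // that module's defaults. This is the production baseline.
        moduleSettings = {
            cbSecurity = {
                // Keep the rule visualizer off unless an environment turns it on.
                "enableSecurityVisualizer"    : false,
                // Where unauthenticated requests are sent (assumed event name).
                "invalidAuthenticationEvent"  : "main.unauthorized",
                "defaultAuthenticationAction" : "redirect"
            }
        };
    }

    // ColdBox calls the function named after the detected environment
    // after configure(), so this is the only place the visualizer is enabled.
    // cbsecurity's own handler additionally refuses to render it whenever
    // getSetting( "environment" ) == "production".
    function development() {
        moduleSettings.cbSecurity.enableSecurityVisualizer = true;
    }

}
```

After changing the config, reinit the framework (`?fwreinit=1`, or the reinitKey configured in the app) so the module re-reads its settings; `/cbsecurity` then renders only when the environment resolves to `development`.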

I’m the KING of reinit, Luis! Of course, I did that!

I have what you show above. The module just isn’t reading the moduleSettings.cbSecurity.enableSecurityVisualizer setting from the primary Coldbox config.

I could be wrong. It does happen from time to time! I’m trying to really get into the swing of building from commandbox “install”. Otherwise, I’d just modify the code.

My basic test would be (in Commandbox):

  1. coldbox create app
  2. install cbsecurity
  3. Add function “test” to the main handler, keep same view, modify messageBox message, add “secured” to that handler.
  4. Add function “unauthorized” to the main handler, keep same view, modify messageBox message to show what I’m hitting.
  5. Add the visualizer setting to \config\coldbox.cfc
  6. Reinit
  7. Hit main.index to load
  8. Hit main.test to get to main.unauthorized.
  9. Hit /cbsecurity to see what handlers are secured and which rules are in effect.
  10. Get “Page not Found”

Can you paste your config?

I just got it working following your instructions.

component {

	/**
	 * Configure the ColdBox App For Production
	 */
	function configure() {
		/**
		 * --------------------------------------------------------------------------
		 * ColdBox Directives
		 * --------------------------------------------------------------------------
		 * Here you can configure ColdBox for operation. Remember that these directives below
		 * are for PRODUCTION. If you want different settings for other environments make sure
		 * you create the appropriate functions and define the environment in your .env or
		 * in the `environments` struct.
		 */
		coldbox = {
			// Application Setup
			appName                  : getSystemSetting( "APPNAME", "Your app name here" ),
			eventName                : "event",
			// Development Settings
			reinitPassword           : "",
			reinitKey                : "fwreinit",
			handlersIndexAutoReload  : true,
			// Implicit Events
			defaultEvent             : "",
			requestStartHandler      : "Main.onRequestStart",
			requestEndHandler        : "",
			applicationStartHandler  : "Main.onAppInit",
			applicationEndHandler    : "",
			sessionStartHandler      : "",
			sessionEndHandler        : "",
			missingTemplateHandler   : "",
			// Extension Points
			applicationHelper        : "includes/helpers/ApplicationHelper.cfm",
			viewsHelper              : "",
			modulesExternalLocation  : [],
			viewsExternalLocation    : "",
			layoutsExternalLocation  : "",
			handlersExternalLocation : "",
			requestContextDecorator  : "",
			controllerDecorator      : "",
			// Error/Exception Handling
			invalidHTTPMethodHandler : "",
			exceptionHandler         : "main.onException",
			invalidEventHandler      : "",
			customErrorTemplate      : "",
			// Application Aspects
			handlerCaching           : false,
			eventCaching             : false,
			viewCaching              : false,
			// Will automatically do a mapDirectory() on your `models` for you.
			autoMapModels            : true,
			// Auto converts a json body payload into the RC
			jsonPayloadToRC          : true
		};

		/**
		 * --------------------------------------------------------------------------
		 * Custom Settings
		 * --------------------------------------------------------------------------
		 */
		settings = {};

		/**
		 * --------------------------------------------------------------------------
		 * Environment Detection
		 * --------------------------------------------------------------------------
		 * By default we look in your `.env` file for an `environment` key, if not,
		 * then we look into this structure or if you have a function called `detectEnvironment()`
		 * If you use this setting, then each key is the name of the environment and the value is
		 * the regex patterns to match against cgi.http_host.
		 *
		 * Uncomment to use, but make sure your .env ENVIRONMENT key is also removed.
		 */
		// environments = { development : "localhost,^127\.0\.0\.1" };

		/**
		 * --------------------------------------------------------------------------
		 * Module Loading Directives
		 * --------------------------------------------------------------------------
		 */
		modules = {
			// An array of modules names to load, empty means all of them
			include : [],
			// An array of modules names to NOT load, empty means none
			exclude : []
		};

		/**
		 * --------------------------------------------------------------------------
		 * Application Logging (https://logbox.ortusbooks.com)
		 * --------------------------------------------------------------------------
		 * By Default we log to the console, but you can add many appenders or destinations to log to.
		 * You can also choose the logging level of the root logger, or even the actual appender.
		 */
		logBox = {
			// Define Appenders
			appenders : { coldboxTracer : { class : "coldbox.system.logging.appenders.ConsoleAppender" } },
			// Root Logger
			root      : { levelmax : "INFO", appenders : "*" },
			// Implicit Level Categories
			info      : [ "coldbox.system" ]
		};

		/**
		 * --------------------------------------------------------------------------
		 * Layout Settings
		 * --------------------------------------------------------------------------
		 */
		layoutSettings = { defaultLayout : "", defaultView : "" };

		/**
		 * --------------------------------------------------------------------------
		 * Custom Interception Points
		 * --------------------------------------------------------------------------
		 */
		interceptorSettings = { customInterceptionPoints : [] };

		/**
		 * --------------------------------------------------------------------------
		 * Application Interceptors
		 * --------------------------------------------------------------------------
		 * Remember that the order of declaration is the order they will be registered and fired
		 */
		interceptors = [];

		/**
		 * --------------------------------------------------------------------------
		 * Module Settings
		 * --------------------------------------------------------------------------
		 * Each module has its own configuration structures, so make sure you follow
		 * the module's instructions on settings.
		 *
		 * Each key is the name of the module:
		 *
		 * myModule = {
		 *
		 * }
		 */
		moduleSettings = {
			cbSecurity = {
				// The global invalid authentication event or URI or URL to go if an invalid authentication occurs
				"invalidAuthenticationEvent"	: "",
				// Default Authentication Action: override or redirect when a user has not logged in
				"defaultAuthenticationAction"	: "redirect",
				// The global invalid authorization event or URI or URL to go if an invalid authorization occurs
				"invalidAuthorizationEvent"		: "",
				// Default Authorization Action: override or redirect when a user does not have enough permissions to access something
				"defaultAuthorizationAction"	: "redirect",
				// You can define your security rules here or externally via a source
				"rules"							: [],
				// The validator is an object that will validate rules and annotations and provide feedback on either authentication or authorization issues.
				"validator"						: "CBAuthValidator@cbsecurity",
				// The WireBox ID of the authentication service to use in cbSecurity which must adhere to the cbsecurity.interfaces.IAuthService interface.
				"authenticationService"  		: "authenticationService@cbauth",
				// WireBox ID of the user service to use
				"userService"             		: "",
				// The name of the variable to use to store an authenticated user in prc scope if using a validator that supports it.
				"prcUserVariable"         		: "oCurrentUser",
				// If source is model, the wirebox Id to use for retrieving the rules
				"rulesModel"					: "",
				// If source is model, then the name of the method to get the rules, we default to `getSecurityRules`
				"rulesModelMethod"				: "getSecurityRules",
				// If source is db then the datasource name to use
				"rulesDSN"						: "",
				// If source is db then the table to get the rules from
				"rulesTable"					: "",
				// If source is db then the ordering of the select
				"rulesOrderBy"					: "",
				// If source is db then you can have your custom select SQL
				"rulesSql" 						: "",
				// Use regular expression matching on the rule match types
				"useRegex" 						: true,
				// Force SSL for all relocations
				"useSSL"						: false,
				// Auto load the global security firewall
				"autoLoadFirewall"				: true,
				// Activate handler/action based annotation security
				"handlerAnnotationSecurity"		: true,
				// Activate the security rule visualizer (off by default; never rendered in production)
				"enableSecurityVisualizer"		: true,
				// JWT Settings
				"jwt"                     		: {
					// The issuer authority for the tokens, placed in the `iss` claim
					"issuer"				  : "",
					// The jwt secret encoding key to use
					"secretKey"               : getSystemSetting( "JWT_SECRET", "" ),
					// by default it uses the authorization bearer header, but you can also pass a custom one as well or as an rc variable.
					"customAuthHeader"        : "x-auth-token",
					// The expiration in minutes for the jwt tokens
					"expiration"              : 60,
					// If true, enables refresh tokens, longer lived tokens (not implemented yet)
					"enableRefreshTokens"     : false,
					// The default expiration for refresh tokens, defaults to 30 days
					"refreshExpiration"       : 43200,
					// encryption algorithm to use, valid algorithms are: HS256, HS384, and HS512
					"algorithm"               : "HS512",
					// Which claims need to be present on the jwt token, else `TokenInvalidException` upon verification and decoding
					"requiredClaims"          : [] ,
					// The token storage settings
					"tokenStorage"            : {
						// enable or not, default is true
						"enabled"       : true,
						// A cache key prefix to use when storing the tokens
						"keyPrefix"     : "cbjwt_",
						// The driver to use: db, cachebox or a WireBox ID
						"driver"        : "cachebox",
						// Driver specific properties
						"properties"    : {
							"cacheName" : "default"
						}
					}
				}
			}
		};

		/**
		 * --------------------------------------------------------------------------
		 * Flash Scope Settings
		 * --------------------------------------------------------------------------
		 * The available scopes are : session, client, cluster, ColdBoxCache, or a full instantiation CFC path
		 */
		flash = {
			scope        : "session",
			properties   : {}, // constructor properties for the flash scope implementation
			inflateToRC  : true, // automatically inflate flash data into the RC scope
			inflateToPRC : false, // automatically inflate flash data into the PRC scope
			autoPurge    : true, // automatically purge flash data for you
			autoSave     : true // automatically save flash scopes at end of a request and on relocations.
		};

		/**
		 * --------------------------------------------------------------------------
		 * App Conventions
		 * --------------------------------------------------------------------------
		 */
		conventions = {
			handlersLocation : "handlers",
			viewsLocation    : "views",
			layoutsLocation  : "layouts",
			modelsLocation   : "models",
			eventAction      : "index"
		};
	}

	/**
	 * Development environment
	 */
	function development() {
		// coldbox.customErrorTemplate = "/coldbox/system/exceptions/BugReport.cfm"; // static bug reports
		coldbox.customErrorTemplate = "/coldbox/system/exceptions/Whoops.cfm"; // interactive bug report
	}

}

That’s insane. I went through those steps, as I wrote the post with the steps, and that did NOT happen. I copied your config directly over the one I had (in this brand new site setup test, “webtrash”) and it worked exactly as expected. Grrr. I’ve since somehow overwritten the original work, so I can’t compare.

I WILL ask this, though: Can a submodule’s ENTRY POINT be altered this way? I’m a little confused (and maybe I should start a new post, but afraid Brad might get testy with me! Ha ha) about how one does “install” to get uncommitted modules to build out. Rather, if I alter a ModuleConfig directly (let’s say for contentbox-ui, to change its entry point), I’m not sure how that will affect the “box install” operations upon release. Obviously, to keep those direct ModuleConfig modifications, one has to commit it to their code repo, but nothing else in that module’s folder. And I would assume one must also QUOTE the module when the name is like ‘contentbox-ui’ as opposed to a clear variable name of ‘cbsecurity’.