[cbsecurity (2.6.0)] Can I Use Roles If I Don't Use CFLoginUser?

I’m messing around with CBSecurity and using the JWTService as my validator. I am trying to create some security rules based on the type of the logged-in user (e.g. “Administrator” or “Consumer”). I am under the assumption that the proper way to do this is by using role-based rules as mentioned in the documentation.

How do I assign a role to my User entity that CBSecurity can pick up without using CFLoginUser? If I use the permissions key in my CBSecurity rules, the system will run hasPermission() on the User entity which makes sense. Is there similar functionality that I can use to also handle roles?

Here’s an example of how I have my rules set up:

[ {
    secureList: "v1:admin",
    roles: "Administrator"
} ]

Thank you!

David,

Using cfloginuser is just one example. See the docs section on authentication services: https://coldbox-security.ortusbooks.com/usage/authentication-services

As long as the authentication service has the correct methods in it, you can use any mechanism to store users/roles/auth.

Jon

Thanks Jon!

I see from the page you linked that cbsecurity.interfaces.IAuthUser has the method hasPermission(), which I assume the JWTService uses when it needs to make sure the User has a particular permission. However, I don’t see anything about roles. In other words, even if I created a method in my User entity called hasRole(), how would JWTService or CBAuth know to look for it? Were you suggesting that I would need to create my own authentication service instead of using the built-in ones?

It looks like the stock version of cbSecurity only does role checking if you’re using the CFValidator… so if my suspicions are right, if I want to use the JWTService service validator, I need to stay away from roles and use permissions only.
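A permissions-only setup along the lines described above, as an added example that is not code from cbsecurity or from any poster in this thread: the User entity derives its permissions from a single role, so rules can use the `permissions` key instead of `roles`. The `role` property, the permission names and the role map are assumptions made for illustration, and the code assumes the validator passes the rule's `permissions` value (one name, a comma list or an array) to hasPermission().

```cfml
// User.cfc: added illustration. Assumed names: the "role" property,
// the permission names and the rolePermissions map.
//
// Matching rule, using `permissions` in place of `roles`:
//   { secureList : "v1:admin", permissions : "ADMIN_API" }
component accessors="true" {

	// accessors="true" generates getId() and getRole()
	property name="id";
	property name="role" default=""; // e.g. "Administrator" or "Consumer"

	// Role -> permissions it grants. A role missing from this map grants nothing.
	variables.rolePermissions = {
		"Administrator" : [ "ADMIN_API", "CONSUMER_API" ],
		"Consumer"      : [ "CONSUMER_API" ]
	};

	/**
	 * True when the user's role grants at least one of the requested permissions.
	 *
	 * @permission One permission name, a comma-delimited list, or an array
	 */
	boolean function hasPermission( required permission ){
		var requested = isArray( arguments.permission )
			? arguments.permission
			: listToArray( arguments.permission );

		var role = getRole();
		// Deny by default: empty or unknown roles never pass a rule
		if ( !len( role ) || !structKeyExists( variables.rolePermissions, role ) ) {
			return false;
		}

		var granted = variables.rolePermissions[ role ];
		for ( var item in requested ) {
			if ( arrayFindNoCase( granted, trim( item ) ) ) {
				return true;
			}
		}
		return false;
	}

}
```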

David, not sure if this is any help, but a few months ago I went through cbsecurity pretty well and ended up making a template of sorts that might (or might not) be helpful. It is at GitHub - irvirv/cbsecurity_template: example ColdBox template using cbsecurity and cbauth


This looks really cool @Irvin, thank you for sharing. I will dig through the project to see what I can learn. 🙂

How can we configure role-based authentication if the user is an admin or customer?