[coldbox-3.7.1] - Webservices and Coldbox

I have a legacy app that I am in the process of converting to ColdBox.

We have a /webservices folder, that has a method which acts as a proxy, and is a wrapper to any cf webservice cfc we have created.
My question is that because these are accessed as a webservice request, they don’t get routed through the CB framework.

I have some security interceptors and directory security interceptors that run on every CB request.
When these webservices are called I do not want these interceptors bypassed.
How do I get the security interceptor to run before any webservice is called?

Again these are webservices written in CF which exist in our application structure.
Do I need to add some condition to my OnRequestStart method in Application.cfc? If so, how would that look?
Is there a way I can call the interceptor?

Thanks,
CBFAN

Convert your web services over to ColdBox remote proxies.

http://wiki.coldbox.org/wiki/ColdboxProxy.cfm

Basically, they just need to extend coldbox.system.remote.ColdboxProxy. Now they will have access to the entire ColdBox framework.

Now, by default, proxies run outside of the event lifecycle (unless you run a ColdBox event via process()), but you can call models or even announce interception points if you wish.

You can place:
getWireBox().autowire(this);
at the top of the component and then you can use AOP to automatically wrap methods with security advices.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

Brad,

Thanks so much for your response.
I am intrigued by your suggestion. By calling the wirebox method, would I be able to call my security interceptor?
If it’s in interceptors/directorySecurity.cfc, do I just need to create a mapping to that in wirebox?

Thanks,
cbfan

The autowire bit is only necessary if you want to autowire objects or apply AOP advices.

To interact with an interceptor, the proxy doesn’t need any direct access to it. This is because you never “call” an interceptor. They follow a publish/subscribe design pattern which means your code “announces” an event that the interceptor is “listening” to.

Proxies are already capable of announcing interception points like so:

announceInterception(state, interceptData);

Now, regarding your interceptor-- is it listening to system events like preProcess, or custom interception points that you have created for your application? You can announce system interception points, but I wouldn’t recommend it. Also, manually pasting the code to announce an interception point in every remote method should be a code smell.

Your actual security logic should be in a service somewhere and the interceptor is just a convenient way to run it on every request. Since remote proxies don’t fire any interception points (unless you run a ColdBox event) I’d recommend using AOP here. AOP is a way to automatically intercept method calls and run your own logic before, after, or around them.

http://wiki.coldbox.org/wiki/WireBox-AOP.cfm

The concept can be a brain bender, but it truly is pretty simple. In fact, I just set up an example proxy the other day with a “before” AOP advice and it was just a simple CFC and a few lines of config code in /config/Wirebox.cfc. I would recommend mapping your aspect and matching it to classes in your proxy directory and methods annotated with something like “secure”. Then, all you have to do is this:

remote function getData() secure {
}

and that method will automatically run your AOP Advice, which in turn will just delegate to your security service. That’s about as easy as you’ll get.

And remember, the AOP method will require you to autowire the proxy. I actually have a pull request in for ColdBox to automatically autowire proxies here:

Thanks!

~Brad

Brad,

Thanks again for responding to my queries.

This interceptor is actually my first attempt at writing an interceptor in ColdBox. To answer your question, it’s responding to a system interception point “preProcess”.
Basically it’s code that used to be in the onRequestStart method, and I just cut it out and pasted it into an interceptor.

I know this logic should be in a security service instead, however I haven’t gotten that to work yet.

I’m not entirely sure how to break it out into a separate function. I’ll try and pseudocode it out here for you.

<cfif securityResult.failureCode is "LoginRequired" or securityResult.failureCode is "FullLoginRequired">

Login Required

Are you sure you want that same chunk of code to run for remote proxies? I assume the proxies are not going to be loaded directly in people’s browsers, but instead hit via Ajax calls or remote server side clients. You can’t output JavaScript to the screen or redirect to an HTML page if the “client” is an ajax call expecting JSON back.

One of your areas of opportunity for this code right now is to separate your logic from your presentation. You have service calls and if statements deciding the state of the application mixed in with the response you want to see back. Work on abstracting JUST the logic into the service call. Go through and make a note of every piece of data that code needs access to that doesn’t originate in the method itself. This code isn’t encapsulated and has no clear API. Diagram out what specific pieces of information you need to accomplish the security checks and all the possible outcomes that can result. That is your method. The arguments to the method represent the data it needs to work, and the return type/object represents its possible replies.

That kind of code is easier to test, easier to mock, and easier to understand. It also doesn’t bother itself with what output or actions the application will take based on the result. Now, once you have done that-- call the service check both from your preProcess interceptor as well as an AOP advice applied to your remote proxies. The preProcess can redirect to an event that renders a view if it needs to output HTML or JavaScript and the proxies can reply with JSON, XML, etc in a format that the caller will be able to understand and parse.

Once you have a clear separation of the “brains” in your app, the output of presentation, and the glue that ties them together you will be on your way to coding in true MVC style!

Thanks!

~Brad

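A sketch of the setup the replies above describe, added here as an example (not code posted in the thread or shipped with ColdBox): a WireBox aspect bound to proxy methods annotated "secure" that delegates to a security service and answers a denied call with data instead of HTML. SecurityService, its check() method and return keys, SecurityAdvice, DataProxy, the component paths and the class regex are all assumed names.

```cfml
// ---- config/WireBox.cfc ----
component extends="coldbox.system.ioc.config.Binder" {
    function configure(){
        // The Mixer listener switches WireBox AOP on
        wireBox = {
            listeners = [ { class="coldbox.system.aop.Mixer", properties={} } ]
        };
        // Hypothetical component paths; use your own
        map( "SecurityService" ).to( "model.security.SecurityService" ).asSingleton();
        mapAspect( "SecurityAdvice" ).to( "model.security.SecurityAdvice" );
        // Apply the advice only to proxy methods annotated "secure"
        bindAspect(
            classes = match().regex( "webservices\." ),
            methods = match().annotatedWith( "secure" ),
            aspects = "SecurityAdvice"
        );
    }
}

// ---- model/security/SecurityAdvice.cfc ----
component implements="coldbox.system.aop.MethodInterceptor" {
    property name="securityService" inject="id:SecurityService";

    function init(){ return this; }

    any function invokeMethod( required invocation ) output=false {
        // check() is a hypothetical service method returning
        // { allowed = boolean, failureCode = string }: no HTML, no redirects
        var result = securityService.check( invocation.getMethod() );
        if( result.allowed ){
            return invocation.proceed();  // run the real remote method
        }
        // Denied: the method body never runs; reply with data the caller can parse
        var denied = { success = false, failureCode = result.failureCode };
        return denied;
    }
}

// ---- webservices/DataProxy.cfc ----
component extends="coldbox.system.remote.ColdboxProxy" {
    getWireBox().autowire( this );  // needed so the aspect is applied

    remote function getData() secure returnformat="json" {
        var data = { success = true, rows = [] };
        return data;
    }
}
```

The same check() call can be made from the preProcess interceptor, which is then free to redirect or render a login view for browser requests.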

Don’t forget his last question to set an RC variable.

rc = event.getCollection();
rc.variable = "setting me a value";