Wes,
It depends on the authentication mechanism for your API. CBSecurity was designed to protect an MVC application, specifically the “V” and “C”. Since APIs are really only “MC”, relocation isn’t desirable.
A couple of things to remember, though: even if your API is whitelisted, your interceptors still fire at preProcess, preEvent and preHandler. This means that your methods of authentication can be universal and the API doesn’t need to re-do the work.
Let’s say you are using token authentication, but you want to bypass that if an existing session meets the permissions required. The latter isn’t really “stateless” as REST is supposed to be, by definition, but it’s a workable authentication pattern if your API is being consumed by the internal interface.
What I typically do is put an interceptor in front of the Security Interceptor that checks for the expected authentication payloads: headers, request context collection, form submissions, etc. Then the security interceptor already has the information it needs by the time it runs its own preProcess interception, but my API also has the ability to verify permissions and authentication status once it reaches the handler:
[
    // Runs first: authenticates the request and populates prc.currentUser
    {
        class = "interceptors.UserAuthentication",
        name  = "UserAuthentication"
    },
    // Runs second: cbsecurity's own rule-based Security interceptor
    {
        class      = "cbsecurity.interceptors.Security",
        name       = "CBSecurity",
        properties = {
            rulesFile      = "/config/security.json.cfm",
            rulesSource    = "json",
            validatorModel = "SecurityService"
        }
    }
]
Note the validatorModel in the CBSecurity settings. That SecurityService implements the interface which provides cbsecurity the validation check. Have a look at the ContentBox SecurityService object, a close approximation of how that’s implemented: ContentBox/SecurityService.cfc at development · Ortus-Solutions/ContentBox · GitHub
There is also a value of prc.currentUser that is set by the UserAuthentication interceptor, if the user is logged in. All my API has to do is use the available methods within the prc.currentUser object to verify login, roles, permissions, etc. So, I can add a preHandler to my BaseAPIHandler that contains something like this:
// No authenticated user was set by the UserAuthentication interceptor,
// or the user object carries no permissions: reroute to the failure event.
if ( isNull( prc.currentUser ) || isNull( prc.currentUser.getPermissions() ) ) {
    event.overrideEvent( "API.BaseHandler.onAuthorizationFailure" );
}
That covers every single request and will override the requested event, if the user is not logged in. Depending on the application, there may be additional permissions checks and the like at the individual handler level, but the methodology is pretty much the same.
If your app only has an API, then you can simply add that to your authorized user interceptor and the event will automatically be overridden.
HTH,
Jon
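The two halves of the pattern described in the reply above, written out as an added example (this is not code from the original post, from cbsecurity, or from ContentBox). It assumes a hypothetical SecurityService with two methods, validateToken() and getUserFromSession(), and a user object with a hypothetical isLoggedIn() method; everything else is standard ColdBox interceptor and handler plumbing. The interceptor tries bearer-token authentication first and only then falls back to an existing session, which is the stateful shortcut the reply mentions.

```cfml
// --- interceptors/UserAuthentication.cfc ---
// Registered BEFORE cbsecurity's Security interceptor so prc.currentUser
// is already populated when the rule-based checks run.
// Added example; SecurityService.validateToken() and getUserFromSession()
// are assumed names, not a real cbsecurity or ContentBox API.
component extends="coldbox.system.Interceptor" {

    property name="securityService" inject="SecurityService";

    function preProcess( event, interceptData, rc, prc, buffer ) {
        // 1. Stateless path: "Authorization: Bearer <token>" header
        var authHeader = event.getHTTPHeader( "Authorization", "" );
        if ( len( authHeader ) && left( authHeader, 7 ) == "Bearer " ) {
            var token = trim( right( authHeader, len( authHeader ) - 7 ) );
            var user  = securityService.validateToken( token ); // assumed: returns user or null
            if ( !isNull( user ) ) {
                prc.currentUser = user;
                return;
            }
            // A bad token is NOT upgraded to a session login; fall through with no user.
            return;
        }

        // 2. Stateful fallback: an already logged-in UI session consuming the API
        var sessionUser = securityService.getUserFromSession(); // assumed: returns user or null
        if ( !isNull( sessionUser ) ) {
            prc.currentUser = sessionUser;
        }
        // Otherwise prc.currentUser stays undefined and the handler rejects the request.
    }
}

// --- handlers/API/BaseHandler.cfc ---
// Every API handler extends this, so the preHandler guard covers every request.
component extends="coldbox.system.EventHandler" {

    function preHandler( event, rc, prc, action, eventArguments ) {
        // isLoggedIn() is an assumed method on the user object.
        if ( isNull( prc.currentUser ) || !prc.currentUser.isLoggedIn() ) {
            // Overriding the event in preHandler stops the requested action from running.
            event.overrideEvent( "API.BaseHandler.onAuthorizationFailure" );
        }
    }

    function onAuthorizationFailure( event, rc, prc ) {
        event.renderData(
            type       = "json",
            data       = { "error" : "Authentication required" },
            statusCode = 401
        );
    }
}
```

Note the explicit return after a failed bearer token: a request that presented a token is treated as an API client and is not silently rescued by whatever browser session happens to be attached, which keeps the two authentication paths from being confused with each other.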