declaring two different security rules with the security interceptor..

Hi there

I have secured my application using the security interceptor using a
custom security object...

<cffunction name="userValidator">
Test if user is logged in

Now is there any way of creating another custom security object with
different criteria, to secure alternative sections of my
application....for example

<cffunction name="userValidator2">
Check is user is logged in and called john


securityrules.xml is used for securing different sections.

Normally you use ONE Validator object.


Also, note that your user validator object can do what YOU need it to do. It is an entry point for the security. What you do with it, is up to you, so you can really get creative.

Also, remember that the security rules are basic fields, you can extend those and add more fields to the rules. You are not restricted.


Remember that the order of the security rules is very important.

So you have to use one validator and then place variables in there
which determine different security criteria?

Essentially what I have done is set up my application so that some
pages can only be accessed if you signed in, but I also want to be
able to secure some pages, so you can only access them if you arent
logged in..if that makes sense..

I know there must be an easy way of doing this, but cant think at the

Securityrules is what you need.

Take a look at the security sample application.

You define which pages need login.

Take a look at the regex comments in securityrules.xml.cfm


will have a try and get back to you


You should definitely read the security guide. Here is a quick rundown
if you want to use a custom validator...

If you have a rule such as:

<cfset temp = QuerySetCell(myQuery, "whitelist", "", 1)>
<cfset temp = QuerySetCell(myQuery, "securelist",
"ehGeneral.dspHello", 1)>
<cfset temp = QuerySetCell(myQuery, "roles", "admin", 1)>
<cfset temp = QuerySetCell(myQuery, "permissions", "", 1)>
<cfset temp = QuerySetCell(myQuery, "redirect", "ehGeneral.dspLogin",

(there are many ways to store the rules, XML, database, etc, I just
happened to create a query here in my getRules() function, check the
cbSecurity guide)

This rule gets matched when any event in the securelist is called. It
passes the query for the matching rule into the validator to be used.

In the validator you would check what your user's settings are (if
they are logged in via a session or cflogin, what their roles are,
etc) and then check them against the roles and permissions list in the
rule query with your own logic. So, you check the user's roles against
the roles in the rule and see if they match up, if so, you allow the
event with return true, if not, you return false and setNextEvent()
will take the user to the event specified in the redirect column of
the rule.

So, if you had two rules:

<cfset temp = QuerySetCell(myQuery, "whitelist", "", 1)>
<cfset temp = QuerySetCell(myQuery, "securelist",
"ehGeneral.dspHello", 1)>
<cfset temp = QuerySetCell(myQuery, "roles", "admin", 1)>
<cfset temp = QuerySetCell(myQuery, "permissions", "", 1)>
<cfset temp = QuerySetCell(myQuery, "redirect", "ehGeneral.dspLogin",


<cfset temp = QuerySetCell(myQuery, "whitelist", "", 2)>
<cfset temp = QuerySetCell(myQuery, "securelist", "ehGeneral.dspHi", 2)

<cfset temp = QuerySetCell(myQuery, "roles", "test", 2)>
<cfset temp = QuerySetCell(myQuery, "permissions", "", 2)>
<cfset temp = QuerySetCell(myQuery, "redirect", "ehGeneral.dspLogin",

If a user visits ehGeneral.dspHi it will match the second rule and
send that query to the validator, if they visit ehGeneral.dspHello it
sends the first rule to the validator. In the validator, you then
check session.roles or use the built-in cflogin functions to check the
roles and either return true or false if the user is validated.

For example, if you send in the second rule, your user would have to
be in the "test" role to be validated.

You can also use ColdBox's built-in validation based on cflogin, which
is a very simple example provided in the docs.

Let me know if I can help you out with anything else :slight_smile:

Hello whostheJBoss ,

I have been struggling with a similar issue…basically, not sure how to implement the db rules. The guide does not have very clear information…unless I’ve been reading an old version. I am not sure who/where should be calling getRules… (handler, SecurityService…?)

If you know of any good tutorial, please point me to the right direction. I’d appreciate it very much.

I agreed. The guide, is not clear, but it explains how it works. Also, take a peek the code in ContentBox 3 that uses this ColdBox Security.