You should definitely read the security guide. Here is a quick rundown
if you want to use a custom validator...
If you have a rule such as:
<cfset temp = QuerySetCell(myQuery, "whitelist", "", 1)>
<cfset temp = QuerySetCell(myQuery, "securelist", "ehGeneral.dspHello", 1)>
<cfset temp = QuerySetCell(myQuery, "roles", "admin", 1)>
<cfset temp = QuerySetCell(myQuery, "permissions", "", 1)>
<cfset temp = QuerySetCell(myQuery, "redirect", "ehGeneral.dspLogin", 1)>
(there are many ways to store the rules: XML, database, etc. I just
happened to create a query here in my getRules() function; check the
cbSecurity guide)
This rule gets matched when any event in the securelist is called. It
passes the query for the matching rule into the validator to be used.
In the validator you would check what your user's settings are (if
they are logged in via a session or cflogin, what their roles are,
etc) and then check them against the roles and permissions list in the
rule query with your own logic. So, you check the user's roles against
the roles in the rule and see if they match up; if so, you allow the
event by returning true; if not, you return false and setNextEvent()
will take the user to the event specified in the redirect column of
the rule.
So, if you had two rules:
<cfset temp = QuerySetCell(myQuery, "whitelist", "", 1)>
<cfset temp = QuerySetCell(myQuery, "securelist", "ehGeneral.dspHello", 1)>
<cfset temp = QuerySetCell(myQuery, "roles", "admin", 1)>
<cfset temp = QuerySetCell(myQuery, "permissions", "", 1)>
<cfset temp = QuerySetCell(myQuery, "redirect", "ehGeneral.dspLogin", 1)>
and
<cfset temp = QuerySetCell(myQuery, "whitelist", "", 2)>
<cfset temp = QuerySetCell(myQuery, "securelist", "ehGeneral.dspHi", 2)>
<cfset temp = QuerySetCell(myQuery, "roles", "test", 2)>
<cfset temp = QuerySetCell(myQuery, "permissions", "", 2)>
<cfset temp = QuerySetCell(myQuery, "redirect", "ehGeneral.dspLogin", 2)>
If a user visits ehGeneral.dspHi it will match the second rule and
send that query to the validator; if they visit ehGeneral.dspHello it
sends the first rule to the validator. In the validator, you then
check session.roles or use the built-in cflogin functions to check the
roles and return true or false depending on whether the user is validated.
For example, if you send in the second rule, your user would have to
be in the "test" role to be validated.
You can also use ColdBox's built-in validation based on cflogin, which
is a very simple example provided in the docs.
Let me know if I can help you out with anything else.
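As an added illustration of the custom validator described in the reply above (this is example code, not part of the original post and not cbSecurity's own code): a validator component whose userValidator() method receives the matched rule and compares its roles and permissions columns against the current user. It assumes the interceptor calls a method named userValidator with a rule argument (a struct keyed by the rule columns; a one-row query works the same way, since rule.roles then reads the first row) and a controller argument, and it assumes a session.user struct with loggedIn, roles and permissions fields populated by your own login code. The method names, argument names and session layout are assumptions; adjust them to match your cbSecurity version and your application.

```cfml
<!--- ExampleValidator.cfc: hypothetical custom validator (added example, not cbSecurity code) --->
<cfcomponent output="false">

    <!---
        Returns true when the current user satisfies the matched rule.
        A false return is what lets the security interceptor send the user
        to the rule's redirect event instead of the requested one.
    --->
    <cffunction name="userValidator" access="public" returntype="boolean" output="false">
        <cfargument name="rule" type="any" required="true">
        <cfargument name="controller" type="any" required="true">

        <cfset var requiredRoles = ListToArray(arguments.rule.roles)>
        <cfset var requiredPerms = ListToArray(arguments.rule.permissions)>
        <cfset var role = "">
        <cfset var perm = "">
        <cfset var hasRole = false>

        <!--- Anyone who is not logged in fails every secured rule; the redirect
              column (e.g. ehGeneral.dspLogin) takes them to the login page. --->
        <cfif NOT StructKeyExists(session, "user") OR NOT session.user.loggedIn>
            <cfreturn false>
        </cfif>

        <!--- Roles: the user needs at least one of the roles listed in the rule.
              An empty roles column imposes no role requirement. --->
        <cfif ArrayLen(requiredRoles) EQ 0>
            <cfset hasRole = true>
        <cfelse>
            <cfloop array="#requiredRoles#" index="role">
                <cfif ListFindNoCase(session.user.roles, Trim(role))>
                    <cfset hasRole = true>
                    <cfbreak>
                </cfif>
            </cfloop>
        </cfif>
        <cfif NOT hasRole>
            <cfreturn false>
        </cfif>

        <!--- Permissions: the user needs every permission listed in the rule.
              An empty permissions column imposes no permission requirement. --->
        <cfloop array="#requiredPerms#" index="perm">
            <cfif NOT ListFindNoCase(session.user.permissions, Trim(perm))>
                <cfreturn false>
            </cfif>
        </cfloop>

        <cfreturn true>
    </cffunction>

</cfcomponent>
```

With the two rules from the reply, a user whose session.user.roles is "test" is allowed into ehGeneral.dspHi but is sent to ehGeneral.dspLogin when requesting ehGeneral.dspHello, because the first rule requires "admin". Comparisons are deliberately case-insensitive and trimmed so that a stray space in a rule column does not silently turn into a denial or, worse, into a rule that never matches. If you rely on cflogin instead of your own session struct, the role loop can call IsUserInRole(role) in place of the ListFindNoCase lookup.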