Next Issue with Security Service

Hi,

I'm following the example in the ColdBox documentation to set up a
custom security interceptor. To do so I've added the following to my
coldbox.xml.cfm:

    <Interceptor class="coldbox.system.interceptors.security">
      <Property name="validator">_model.SecurityService</Property>
      <Property name="useRoutes">true</Property>
      <Property name="rulesSource">xml</Property>
      <Property name="rulesFile">_config/security.xml.cfm</Property>
      <Property name="debugMode">true</Property>
      <Property name="preEventSecurity">true</Property>
    </Interceptor>

In my SecurityService I added the sample code provided in the
documentation here:
http://ortus.svnrepository.com/coldbox/trac.cgi/wiki/cbSecurity

When I hit a page that requires authentication I get the following error:

Application Execution Exception
Error Type: Application : [N/A]
Error Messages: The CONTROLLER parameter to the userValidator function
is required but was not passed in.

So to get around this error and see if there's something else going
on, I changed required to false on the argument and refresh. I then
got the following error:

Application Execution Exception
Error Type: Expression : [N/A]
Error Messages: Element authorize_check is undefined in a CFML
structure referenced as part of an expression.

A dump of the rules reveals the following values:

PERMISSIONS [empty string]
REDIRECT user/login
ROLES user
SECURELIST user\.*
WHITELIST user\.login,user\.logout,^general\.*

Either I'm doing something totally wrong, or the example isn't
accurate for a base install of ColdBox. I have no idea where to go
from here.

Dan
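
The rule values from the dump above, checked against a few event names. This is an added example, not part of the original post and not ColdBox code. It assumes each comma-delimited pattern is applied as an unanchored, case-insensitive regex search (the behaviour of CFML's reFindNoCase) and that the whitelist is consulted before the securelist. The event names other than user.login and the anchored rule are constructed for comparison.

```python
import re

# Rule values copied from the dump in the post above.
RULE = {
    "whitelist": r"user\.login,user\.logout,^general\.*",
    "securelist": r"user\.*",
}

def in_pattern_list(event, pattern_list):
    """Return the first pattern in a comma-delimited list that matches event.

    Assumption: each pattern is an unanchored, case-insensitive regex
    search, as CFML's reFindNoCase would perform it.
    """
    for pattern in (p.strip() for p in pattern_list.split(",")):
        if pattern and re.search(pattern, event, re.IGNORECASE):
            return pattern
    return None

def decide(event, rule=RULE):
    """Classify an event as 'whitelisted', 'secured' or 'unmatched'.

    Assumption: the whitelist is consulted before the securelist.
    """
    if in_pattern_list(event, rule["whitelist"]):
        return "whitelisted"
    if in_pattern_list(event, rule["securelist"]):
        return "secured"
    return "unmatched"

# Anchored, dot-escaped variant of the same rule (constructed for comparison).
STRICT_RULE = {
    "whitelist": r"^user\.login$,^user\.logout$,^general\.",
    "securelist": r"^user\.",
}

# Constructed event names used to compare the two rules.
SAMPLE_EVENTS = ["user.login", "user.profile", "user.loginHistory",
                 "superuser.list", "generalAdmin.index", "general.index"]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev:20} as posted: {decide(ev):12} "
              f"anchored: {decide(ev, STRICT_RULE)}")
```

Under these assumptions `user\.login` also whitelists `user.loginHistory`, and `\.*` (zero or more literal dots) lets `^general\.*` match `generalAdmin.index`; the anchored variant does neither.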

So I figured out the authorize_check stuff (deleted it since I was
"custom"), but I still don't have the SecurityService working. If I
make it so that the coldbox controller isn't required, then I can get
the script to run, but I don't have access to the request collection
in order to get at the _securedURL value... I have no idea how to get
the coldbox controller into that method.

Rock and a hard place. Once I get this all figured out perhaps I'll
put together an example that shows how I got mine working. I think the
docs in this section just aren't quite ready for us ColdBox noobs :)

Dan

No Dan, the problem is that the Docs are in sync with what is on SVN at the moment, what the final 2.6 release will be. The controller argument is part of what is on SVN and it's not part of RC2. Therefore, it seems you are either running RC2 or an old nightly build. I recommend you download from SVN for the controller changes or just remove the controller reference for now.

The joys of bleeding edge releases. Anyways, Sunday is the final 2.6 release date.

Luis

Got it, and I am running RC 2.0 FAITH.

I found the "error" in the code:

    <cfreturn getValidator().userValidator(arguments.rule,getPlugin("messagebox"))>

Is it safe to assume that on Sunday it will be passing the controller
into the userValidator?

Dan

yes

I should have downloaded the SVN source before asking that question :).

I've installed the latest FAITH build, and I can now do this in my
userValidator when the securityInterceptor secures a page:

    <cfdump var="#arguments.controller.getRequestService().getContext().getCollection()#">

That gets me the request collection, but it only has the event value in it...

Where do I get the magic _securedURL key mentioned in the
documentation? It's mentioned in the docs, but I can't find it
anywhere in any request collection, and the docs don't have an example
of how to use it.

Thanks again, I finally feel like I'm making progress :). I'll be at
the training in Dallas (I live in Austin) in October if I can scratch
together the funds.

Dan

Hi Dan,
The _securedURL gets persisted once the routing or relocating occurs. Basically after the validator call. So when you are relocated, the next event will have the _securedURL in the request collection. You can then save that variable in the login form as a hidden element or intercept it on request start or something.

I’ll try to make some samples of it.

Luis

I'm not seeing that either. If I take out my dumps and aborts, then
when I land on the user.logout event, the _securedURL isn't in the
request collection.

Dan

I forgot, did you download from SVN? The fix for the securedURL is there; if not, it will always be blank.

Luis

Damnit, I'm sorry...

I was dumping the wrong scope... It's working :)

Dan