Please Help with Security Interceptor and Security Config

Hey all,

I have the following security interceptor definition in my config:

xml config/security.xml.cfm true true

My security interceptor checks if a session var exists and if not runs an event with the following login info:



Inside config/security.xml.cfm I have the following:

poll\.doVote ^poll\..* pollAdmin read,write security.login

For some reason when I access any event in the poll controller (such as poll/list or poll/details) I am not blocked even though I’m not in the correct role. Is there something more I have to do to make the security roles work?

A few observations.

If you do “preEventSecurity” this means that APART from doing security in the preProcess point, anytime events are fired internally, security will be checked also. This is very specific if you are trying to secure internal calls. If not, just eliminate this setting.

Hmm,

That seems fine to me. Look at this:
http://www.coldfusionjedi.com/index.cfm/2006/11/27/CFLOGIN-How-do-I-love-thee

cflogin sometimes is iffy!

Hmm… I removed the preEventSecurity setting and fwreinit the app, but I’m still able to access poll/list and poll/details and poll/doSave even though I’m not in the correct role. An unauthorized user should only be able to access poll/doVote.

Is the role being set for some reason?
Any testing on what the role is doing?

Basically we want to secure all poll events except doVote. The only users that should be able to access the other events must first be in the pollAdmin role.

I thought the security interceptor automatically checks to see if the cflogin roles variable contains the string in the roles setting of the security.xml.cfm file and then behaves according to the whitelist and securelist?

It does, so that is why I said, maybe turn on debugging on the interceptor to see what roles it detects. Maybe that is the case, that the login is not working correctly.

But yes, it tries to see if the event is in the whitelist regex, if not, then it tries to match it with the secure regex, and IF it matches, then it secures it.

Luis
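To make the whitelist-then-securelist order Luis describes concrete, here is an added Python model of that evaluation run against the single rule from this thread's security.xml.cfm. It is not ColdBox's own code: the `poll/list` to `poll.list` normalization, the case-insensitive regex matching and the log format are assumptions made for the example, and the "roles" input stands in for whatever the cflogin roles string contains.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class SecurityRule:
    """One rule row: whitelist regex, securelist regex, required roles, redirect event."""
    whitelist: str
    securelist: str
    roles: Set[str]
    redirect: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    redirect: Optional[str] = None


# Constructed from the rule quoted in the thread (values only; the XML tag
# names around them are not shown on the page).
RULES: List[SecurityRule] = [
    SecurityRule(
        whitelist=r"poll\.doVote",
        securelist=r"^poll\..*",
        roles={"pollAdmin"},
        redirect="security.login",
    )
]


def parse_roles(roles_string: str) -> Set[str]:
    """Turn a comma-delimited roles string (as cflogin stores it) into a set.
    An empty or whitespace-only string yields no roles at all."""
    return {r.strip() for r in roles_string.split(",") if r.strip()}


def to_event_name(path: str) -> str:
    """Assumption: 'poll/list' in the URL is the event 'poll.list' that the rules match on."""
    return path.strip("/").replace("/", ".")


def evaluate(path: str, user_roles: Set[str], rules: List[SecurityRule] = RULES,
             trace: Optional[List[str]] = None) -> Decision:
    """Apply the rules in order: a whitelist hit allows the event outright; otherwise a
    securelist hit requires at least one of the rule's roles, else redirect to login.
    'trace' collects debug lines like the ones you would want from the interceptor's log."""
    event = to_event_name(path)
    log = trace if trace is not None else []
    log.append(f"event={event} roles={sorted(user_roles)}")
    for rule in rules:
        if rule.whitelist and re.search(rule.whitelist, event, re.IGNORECASE):
            log.append(f"  whitelist {rule.whitelist!r} matched -> allow")
            return Decision(True, "whitelisted")
        if re.search(rule.securelist, event, re.IGNORECASE):
            log.append(f"  securelist {rule.securelist!r} matched, needs {sorted(rule.roles)}")
            if user_roles & rule.roles:
                log.append("  role present -> allow")
                return Decision(True, "role match")
            log.append(f"  role missing -> redirect {rule.redirect}")
            return Decision(False, "missing role", rule.redirect)
    log.append("  no rule matched -> allow")
    return Decision(True, "unmatched")


if __name__ == "__main__":
    # Constructed sample requests: an anonymous user and a pollAdmin.
    for path, roles in [("poll/doVote", ""), ("poll/list", ""), ("poll/list", "pollAdmin, editor"),
                        ("poll/doSave", "viewer"), ("main/index", "")]:
        lines: List[str] = []
        d = evaluate(path, parse_roles(roles), trace=lines)
        print("\n".join(lines), f"=> allowed={d.allowed}", sep="\n")
```

Running it prints a trace per request; the useful check for the situation in this thread is the second line of each trace, which tells you whether the securelist regex fired at all and what roles the request actually carried. If poll/list is let through, the trace shows whether that happened because the rule never matched or because a role was present.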

This may be a dumb question, but somehow I’ve overlooked where it says how to turn debugging on for the interceptor. How would I go about that?

Well, or you can try some good old-fashioned dump/aborts on the security interceptor if you like.

Are you using cbox 2.6.4 or 3.0.0?

I’m using 2.6.4. Is there a way to dump the actual interceptor?

Do this on the security interceptor:

true

Then in your log files you will see all the activity