Hi,
I'm new to the ColdBox Framework, and I'm trying to figure out how to
use the Security interceptor properly. I had it working at first, and
then changed the interceptor definition to use routes, and now I'm
getting circular redirects that never end. I'm not quite sure what I'm
doing wrong here, but any help would be appreciated.
Here's my Security interceptor definition in coldbox.xml.cfm:
<Interceptor class="coldbox.system.interceptors.security">
<Property name="useRoutes">true</Property>
<Property name="rulesSource">xml</Property>
<Property name="rulesFile">_config/security.xml.cfm</Property>
<Property name="debugMode">true</Property>
<Property name="preEventSecurity">true</Property>
</Interceptor>
And in my security.xml.cfm file I have the following:
<rules>
<rule>
<whitelist>user/login,user/logout,^main/*</whitelist>
<securelist>^user/*</securelist>
<roles>user</roles>
<permissions></permissions>
<redirect>user/login</redirect>
</rule>
<rule>
<whitelist></whitelist>
<securelist>^admin</securelist>
<roles>admin</roles>
<permissions></permissions>
<redirect>user/login</redirect>
</rule>
</rules>
I've tried the rules with both the forward slashes, and the period
notation, but I get the same result regardless, a recurring redirect
to the user/login event:
http://local.mydomain.com/index.cfm/user
GET /index.cfm/user HTTP/1.1
Host: local.mydomain.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: CFID=302; CFTOKEN=45160156;
HTTP/1.x 302 Moved Temporarily
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: COLDBOX_DEBUGMODE_4D7A5D708305DE7A6D15442D6EC9B6FB=true;path=/
Location: http://local.mydomain.com/index.cfm/user/login
Content-Type: text/html; charset=UTF-8
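
An added example, not part of the original post and not ColdBox code: a lint for the rules file above that reports every rule whose redirect target is itself secured and not whitelisted, which is the condition for an endless redirect. It assumes each whitelist/securelist entry is matched as an unanchored, case-insensitive regular expression, that a whitelist hit only skips the rule it belongs to, and that the matched string is either the route as written or its dotted event name; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Rules file from the post (layout condensed).
RULES_XML = """<rules>
<rule><whitelist>user/login,user/logout,^main/*</whitelist>
<securelist>^user/*</securelist><roles>user</roles>
<permissions></permissions><redirect>user/login</redirect></rule>
<rule><whitelist></whitelist><securelist>^admin</securelist>
<roles>admin</roles><permissions></permissions>
<redirect>user/login</redirect></rule>
</rules>"""

def _patterns(rule, tag):
    return [p.strip() for p in (rule.findtext(tag) or "").split(",") if p.strip()]

def _hit(patterns, target):
    # Assumption: every list entry is an unanchored, case-insensitive regex.
    return any(re.search(p, target, re.IGNORECASE) for p in patterns)

def first_blocking_rule(rules, target):
    """Index of the first rule that secures target without whitelisting it."""
    for i, rule in enumerate(rules):
        if _hit(_patterns(rule, "whitelist"), target):
            continue  # assumption: a whitelist hit only skips this rule
        if _hit(_patterns(rule, "securelist"), target):
            return i
    return None

def redirect_loops(xml_text, notation):
    """(rule index, redirect) pairs whose redirect target is itself secured.

    notation="route" tests the redirect as written; notation="event" tests
    its dotted event form (user/login -> user.login).
    """
    rules = ET.fromstring(xml_text).findall("rule")
    loops = []
    for i, rule in enumerate(rules):
        redirect = (rule.findtext("redirect") or "").strip()
        target = redirect.replace("/", ".") if notation == "event" else redirect
        if first_blocking_rule(rules, target) is not None:
            loops.append((i, redirect))
    return loops

if __name__ == "__main__":
    for notation in ("route", "event"):
        print(notation, redirect_loops(RULES_XML, notation))
```

Under these assumptions the rules pass when matched against the route string and loop when matched against the dotted event name, because the whitelist entry `user/login` requires a literal slash. Read as a regex, `^user/*` also matches any string that merely begins with `user`, since `/*` means zero or more slashes.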