Question regarding circular redirects, Security interceptor and useRoutes

Hi,

I'm new to the ColdBox Framework, and I'm trying to figure out how to
use the Security interceptor properly. I had it working at first, and
then changed the interceptor definition to use routes, and now I'm
getting circular redirects that never end. I'm not quite sure what I'm
doing wrong here, but any help would be appreciated.

Here's my Security interceptor definition in coldbox.xml.cfm:

    <Interceptor class="coldbox.system.interceptors.security">
      <Property name="useRoutes">true</Property>
      <Property name="rulesSource">xml</Property>
      <Property name="rulesFile">_config/security.xml.cfm</Property>
      <Property name="debugMode">true</Property>
      <Property name="preEventSecurity">true</Property>
    </Interceptor>

And in my security.xml.cfm file I have the following:

    <rules>
        <rule>
            <whitelist>user/login,user/logout,^main/*</whitelist>
            <securelist>^user/*</securelist>
            <roles>user</roles>
            <permissions></permissions>
            <redirect>user/login</redirect>
        </rule>

        <rule>
            <whitelist></whitelist>
            <securelist>^admin</securelist>
            <roles>admin</roles>
            <permissions></permissions>
            <redirect>user/login</redirect>
        </rule>
    </rules>

I've tried the rules with both the forward slashes and the period
notation, but I get the same result regardless: a recurring redirect
to the user/login event.

http://local.mydomain.com/index.cfm/user

    GET /index.cfm/user HTTP/1.1
    Host: local.mydomain.com
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie: CFID=302; CFTOKEN=45160156;

    HTTP/1.x 302 Moved Temporarily
    Connection: close
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Set-Cookie: COLDBOX_DEBUGMODE_4D7A5D708305DE7A6D15442D6EC9B6FB=true;path=/
    Location: http://local.mydomain.com/index.cfm/user/login
    Content-Type: text/html; charset=UTF-8

Not an expert here but have you tried adding user/* to your whitelist?

But that's exactly what I don't want :slight_smile:

I want the user.login and user.logout events whitelisted, and all
other user events secured. I have user/login and user/logout both in
the whitelist, but it's still locking them down.

Dan

Your event redirect is not including the login. Should the event you noted below:

http://local.mydomain.com/index.cfm/user

be:

http://local.mydomain.com/index.cfm/user/login

?

If you look closer at the http headers it's doing this:

    GET /index.cfm/user HTTP/1.1
    Location: http://local.mydomain.com/index.cfm/user/login

    GET /index.cfm/user/login HTTP/1.1
    Location: http://local.mydomain.com/index.cfm/user/login

    GET /index.cfm/user/login HTTP/1.1
    Location: http://local.mydomain.com/index.cfm/user/login

    GET /index.cfm/user/login HTTP/1.1
    Location: http://local.mydomain.com/index.cfm/user/login

    GET /index.cfm/user/login HTTP/1.1

So the first request is to index.cfm/user (which with my ColdBox
config runs the user.index event). That's what I want to secure,
someone trying to view the user index view. The security interceptor
then grabs it and redirects to user/login, and then the security
interceptor grabs that and redirects to user/login again, ad infinitum
until FireFox stops processing the redirects.

So the question is how to get the security rules to *not* intercept
the user/login event.

Dan

I just went back and verified, but the following rules work *perfect*
until I add the useRoutes property to my coldbox config:

    <rule>
        <whitelist>user\.login,user\.logout,^general\.*</whitelist>
        <securelist>user\.*</securelist>
        <roles>user</roles>
        <permissions></permissions>
        <redirect>user.login</redirect>
    </rule>

Dan

I guess I should note that I'm using the ColdBox 2.6.0 RC2: FAITH release.

Hi Dan,

Welcome to the ColdBox club!

Did you check the transfer sample (with security interceptor) of the nightly build?

It contains a sample of what you want to achieve.

Ernst

Euh, sorry Dan, Luis Majano renamed it to ‘security sample’!

Your redirect must be a valid route, so user.login needs to be user/login

I do not automatically translate it to “slashes” because you can have routes with periods in them. SES is kinda unique that way. Just make sure they are valid routes.

Luis
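As an added illustration (not code from this thread or from ColdBox itself), here is a small Python model of the rule evaluation Luis describes: the incoming event is checked against the whitelist first, then the securelist, as case-insensitive regex searches, and a denied request is sent to the rule's redirect value. The evaluation order and regex semantics are my assumptions, a simplification of the interceptor; the trace shows why a redirect of `user.login` loops under SES routes while `user/login` does not.

```python
import re

# Constructed rule set mirroring the first rule posted above (SES route form).
RULE_OK = {
    "whitelist": ["user/login", "user/logout", "^main/*"],
    "securelist": ["^user/*"],
    "roles": ["user"],
    "redirect": "user/login",
}

# Same rule, but with the redirect left in dot notation (the symptom in the thread).
RULE_DOT = dict(RULE_OK, redirect="user.login")


def matches(patterns, event):
    """True if any pattern is found in the event (assumed: case-insensitive regex search)."""
    return any(re.search(p, event, re.IGNORECASE) for p in patterns)


def check_event(rule, event, user_roles):
    """Return None if the event may run, otherwise the event to redirect to.
    Assumed evaluation order: whitelist wins, then securelist, then roles."""
    if matches(rule["whitelist"], event):
        return None
    if not matches(rule["securelist"], event):
        return None
    if set(rule["roles"]) & set(user_roles):
        return None
    return rule["redirect"]


def trace_redirects(rule, event, user_roles, max_hops=5):
    """Follow the interceptor's redirects; returns (chain, looped).
    looped is True once a redirect target is visited twice, which is what the
    browser capture in the thread shows for user/login."""
    chain = [event]
    for _ in range(max_hops):
        nxt = check_event(rule, chain[-1], user_roles)
        if nxt is None:
            return chain, False
        chain.append(nxt)
        if chain.count(nxt) > 1:
            return chain, True
    return chain, True


if __name__ == "__main__":
    for rule in (RULE_OK, RULE_DOT):
        # Anonymous visitor (no roles) requesting the user index event.
        print(rule["redirect"], trace_redirects(rule, "user", []))
```

With the dot-notation redirect, `user.login` never matches the whitelist entry `user/login` but still matches `^user/*`, so the interceptor redirects to itself forever.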

For the life of me I don't know why that wasn't working earlier... but
it's working now. The next issue (there's always one isn't there) is
that the login isn't actually working...

Here's a code snippet:

  <cffunction name="login" access="public" returntype="void" output="false">
    <cfargument name="Event" type="coldbox.system.beans.requestContext">
    <cfset var rc = Event.getCollection() />
    <cfset var LOCAL = StructNew() />

    <cfset rc.PageTitle = "iKeepTally.com - Login" />

    <!--- If the form has been submitted to login, do validation and
          then login as appropriate --->
    <cfif IsDefined("rc.j_username")>

      <cflogin>
        <!--- Code to authenticate the user based on the cflogin.name
              and cflogin.password values goes here. --->
        <!--- TODO: Authenticate against Security Service and return roles
              to be inserted into the Roles attribute --->
        <cfset LOCAL.isAuthenticated = StructNew() />
        <cfset LOCAL.isAuthenticated.result = True />
        <cfset LOCAL.isAuthenticated.roles = "user" />

        <!--- If User is authenticated, determine any roles and use a
              line like the following to log in the user. --->
        <cfif LOCAL.isAuthenticated.result>
          <!---
          <cfdump var="#cflogin#">
          <cfabort showerror="logging in" />
          --->
          <cfloginuser name="#cflogin.name#"
                       password="#cflogin.password#"
                       roles="#LOCAL.isAuthenticated.roles#">

          <cfset setNextRoute("user/home") />
        <cfelse>
          <!--- Authentication failed: report it via the messagebox plugin --->
          <cfset getPlugin('messagebox').setMessage('error','Login failed') />
        </cfif>
      </cflogin>

    </cfif>

    <cfset Event.setView("user/login") />

  </cffunction>

The cfabort that's currently commented out there fires if I remove the
comments, so I know that the cfloginuser is running, but it's not
setting any values that I can find, and I always end up back on
user/login. The HTTP headers show that it's sending to user/home, but
then the Security interceptor is sending it right back to
user/login...

Not sure what I'm doing wrong here, as this seems very
straightforward. Should I not be redirecting here? And if not, how do
I send the user where they ultimately need to go (I'm also not seeing
the _secureURL key on the user/login event collection).

Dan

Please ignore all of this. I'm going to write a custom interceptor. I
don't think the cflogin is going to do it for me (never has in the
past, I don't know why I thought it would this time around).

Thanks regardless for the other help.

Dan

I think this might be related to the cflogin tag. I know I had difficulties with it, if the cflogin was not executed in each request. Can’t remember where I saw that.

I will try to look into it more, but I believe it is something to do with CF.

It is... The cflogin tag relies on cookies, which means that, in order
for the cflogin values to be set properly, you can't do any sort of
redirect. Well, the setNextRoute redirects, so the cflogin cookies
never get set. I'm going the custom route from here on out.

Already have the authentication working, just have to build the new
securityInterceptor now.

Thanks,

Dan

Yes, you can set this.loginstorage = "session" in order for it to work.