Security

Hello,
I have been trying to figure out how to implement user validation
using http://ortus.svnrepository.com/coldbox/trac.cgi/wiki/cbSecurity
all day. I am just getting into CB but would really like to implement
my own security. There seems to be missing information on that page in
regards to how the xml file should look when using custom security. I
currently have
<Interceptor class="coldbox.system.interceptors.security">
    <!-- Properties go here -->
    <Property name="rulesSource">xml</Property>
    <!-- Point to the xml file with the rules -->
    <Property name="rulesFile">/myApp/config/security.xml.cfm</Property>
    <Property name="debugMode">true</Property>
    <Property name="preEventSecurity">true</Property>
    <!-- Validate against the rules -->
    <Property name="validator">myApp.model.userValidator</Property>
</Interceptor>
I thought that you have to use the security interceptor to call your
custom validator, then compare the xml rules with that, but I think
I'm way off base here.
Can anyone help me? Ultimately I'd like to validate and set roles
based on groups from AD (which I have the CFC for), but need to get
the basis down first.

Thank you.

The basics are that the core security interceptor basically checks incoming requests. If those event requests match any of the rules you created (whether stored in db or xml or whatever), then it will call the User Validator object (what you create), with the rule that was intercepted.

You then decide what you need to check and do. The only response must be a true or false. This then tells the interceptor to redirect the user to a safe event or let the request through.

Questions?
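A minimal validator of the kind described above, added here as an illustration and not code from the thread or from the ColdBox project. It assumes the legacy cbSecurity contract in which the interceptor calls a `userValidator(rule, messagebox, controller)` method on the configured validator CFC and expects a boolean back, that the matched rule arrives as a struct whose `roles` key is the comma list written in the rules file, and that the application stored the logged-in user's roles as a comma list in `session.userRoles`; those three names are assumptions. The method fails closed: anything it cannot positively match returns false, so the interceptor redirects.

```cfml
component {

    /**
     * Called by the core security interceptor for every request whose event
     * matched a rule. Returning true lets the request through; returning false
     * makes the interceptor redirect to the rule's safe event.
     * Signature and rule keys are assumptions based on the legacy cbSecurity
     * contract, not something the thread confirms.
     */
    boolean function userValidator( required struct rule, any messagebox, any controller ) {
        var requiredRoles = "";
        var userRoles     = "";
        var i             = 0;

        // Roles the matched rule demands (comma list from the XML/DB rule source)
        if ( structKeyExists( arguments.rule, "roles" ) ) {
            requiredRoles = trim( arguments.rule.roles );
        }

        // Roles the application loaded into session at login (assumed key name)
        if ( structKeyExists( session, "userRoles" ) ) {
            userRoles = session.userRoles;
        }

        // A rule with no roles only requires an authenticated user
        if ( !len( requiredRoles ) ) {
            return structKeyExists( session, "userRoles" );
        }

        // Grant access if the user holds any one of the required roles
        for ( i = 1; i <= listLen( requiredRoles ); i++ ) {
            if ( listFindNoCase( userRoles, trim( listGetAt( requiredRoles, i ) ) ) ) {
                return true;
            }
        }

        // Default deny: no matching role means no access
        return false;
    }

}
```

With the interceptor configuration shown earlier in the thread, this CFC would live at `myApp/model/userValidator.cfc`; the interceptor, not the validator, is what decides which events are checked and where an unauthorised user is sent, so the validator only answers the yes/no question for the rule it is handed.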

Mr. Majano,
Thank you very much for your reply. Makes sense.
So I do have the correct code to intercept and validate a user for an
event?

Where would you suggest that I load up the session with the user's
"roles"? I would like to look the user up in AD and assign roles based
on an extension field that we've added, but just getting into MVC in
general, I'm having a hard time getting my head around what needs to
happen where.

Again - thank you for your reply.

Hi Accelero,

I would recommend you create a service layer that will handle your model calls. Please read a little on this approach. It will be a huge difference if you rely on this rather than putting logic in controllers.

Take a look at how Codex Wiki is built, it might give you some insight.

Luis

A service layer?
I just need to secure roles within the application. I've got a CFC
that does almost everything and just need to get that information set
when you start the application.

I've looked at how the Codex Wiki is built, but for just getting
started, I can't comprehend how that will help me with a service model
or how to get the group membership from AD.

Hi
It is hard to imagine your code and approach. Therefore, my comments might not convey what I am thinking.

If your question is, what is the best place to load user roles into session, I would say, in a security service object. This object would be in charge of application security and encapsulating all the nasty security setup and provide a nice public API to handle security.
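An example of the security service object described in this reply, added here as an illustration and not code from the thread or from ColdBox. It assumes an existing AD lookup CFC (the thread says one exists but does not name it) that exposes `authenticate(username, password)` and `getGroups(username)` returning a comma list of group names; both method names, the `session.userRoles` key, and the group names in the mapping are assumptions or constructed sample values. Everything that touches the session or AD sits behind this one public API, so handlers and the validator never deal with AD themselves.

```cfml
component {

    /**
     * Constructor. The AD lookup CFC is passed in so this service can be
     * unit-tested with a fake and so no AD details leak into handlers.
     * adService is an assumed name for the CFC mentioned in the thread.
     */
    function init( required any adService ) {
        variables.adService = arguments.adService;
        return this;
    }

    /**
     * Authenticate against AD and, on success, load the user's application
     * roles into session. This is the single place where session security
     * state is written.
     */
    boolean function login( required string username, required string password ) {
        var groups = "";

        if ( !variables.adService.authenticate( arguments.username, arguments.password ) ) {
            return false;
        }

        groups            = variables.adService.getGroups( arguments.username );
        session.username  = arguments.username;
        session.userRoles = mapGroupsToRoles( groups );
        return true;
    }

    /** Remove all security state for the current session. */
    void function logout() {
        structDelete( session, "username" );
        structDelete( session, "userRoles" );
    }

    boolean function isLoggedIn() {
        return structKeyExists( session, "userRoles" );
    }

    /** True when the logged-in user holds the given application role. */
    boolean function hasRole( required string role ) {
        return isLoggedIn() && listFindNoCase( session.userRoles, arguments.role ) > 0;
    }

    /**
     * Translate AD group names into application role names. Keeping the
     * mapping here means a change in AD structure touches one function.
     * Group names below are constructed examples, not real AD data.
     */
    string function mapGroupsToRoles( required string groups ) {
        var mapping = {
            "CN=WebAdmins"  = "admin",
            "CN=WebEditors" = "editor"
        };
        var roles = "";
        var group = "";
        var i     = 0;

        for ( i = 1; i <= listLen( arguments.groups ); i++ ) {
            group = trim( listGetAt( arguments.groups, i ) );
            if ( structKeyExists( mapping, group ) ) {
                roles = listAppend( roles, mapping[ group ] );
            }
        }

        // Every authenticated user gets the base role regardless of AD groups
        return listAppend( roles, "user" );
    }

}
```

A login handler action would call `securityService.login(rc.username, rc.password)` and relocate on success; the validator from the security interceptor then only reads `session.userRoles`, which this service is the sole writer of.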

Exactly. Thank you very much.
In terms of MVC what does a service object mean as compared to, say, a
handler. Where would it live? How would I call that object before the
user is allowed to do anything else?
To be quite honest - I'm not sure of my code and approach, but it does
seem that you've made CB so that it doesn't matter! That rocks. I am
just having a hard time getting the process down since I'm new to MVC
in general. I have been looking around for a great tutorial for the
very beginner, and have been able to piece several tuts and your video
together to get an idea.

Thanks again!

No problems!! This is a thing of trying it out, so no worries here.

Take a look at this guide http://ortus.svnrepository.com/coldbox/trac.cgi/wiki/cbModelGuide

It will help you identify the Model layer.