Solitary Security Module /

Communities ColdBox HMVC
1

I am trying to build out a security module and I am running into issues

My module needs the AutoWire interceptor and wirebox to function so I have the following settings in my ModuleConfig

interceptors = [
//Autowire
{class=“coldbox.system.interceptors.Autowire”,properties={}}
];

wirebox = {
enabled=true,
binder=“config.Wirebox”,
singletonReload=true
};

in my wirebox bender for solitary (/modules/solitary/config/Wirebox.cfc) I have the following mapping setup. In my main application there is a mapping for solitary so this should work

// Map Bindings below
map(“SecurityService”)
.to(“solitary.model.security.SecurityService”)
.asSingleton();

in my security handler (/modules/solitary/handlers/security)

component accessors=“true” {

property name=“securityService” inject;

public void function index(event){
var rc = event.getCollection();

writeDump(getSecurityService());
abort;

}
fur
and dumping out security service gets an undefined which tells me that its not getting wired into the handler. I thought maybe I might have to reload the framework so I did but now I am getting the following error and the only way I can clear that error is to restart the service. I am sure I am doing something wrong here, can anyone point me in the right direction.

2

Dan,

You don’t need to load wirebox in the settings, that should be already defined in the parent.

In the module you already receive the binder for you to use right there in the variables scope in the moduleConfig.

You can also use a wirebox = {}; configuration DSL for the module.

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

3

Perfect! I didn’t realize I had access to the binder in my module config. To anyone else reading, the binder is in your variables scope, so I just added this to my config.

binder.map(“SecurityService”)
.to(“solitary.model.security.SecurityService”)
.asSingleton();

4

yes, I just updated the modules documentation to reflect all this.
Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

5

So I just came across another issue with my new module. I was trying to set the security interceptor in the module

component {

// Module Properties
this.title = “Solitary”;
this.author = “Daniel Vega”;
this.webURL = “http://www.danvega.org”;
this.description = “A Security Module”;
this.version = “1.0”;
// If true, looks for views in the parent first, if not found, then in the module. Else vice-versa
this.viewParentLookup = true;
// If true, looks for layouts in the parent first, if not found, then in module. Else vice-versa
this.layoutParentLookup = true;
// Module Entry Point
this.entryPoint = “security”;

function configure(){

// parent settings
parentSettings = {

};

// module settings - stored in modules.name.settings
settings = {

};

// Layout Settings
layoutSettings = {
defaultLayout = “”
};

// datasources
datasources = {

};

// web services
webservices = {

};

// SES Routes
routes = [
{pattern="/", handler=“security”,action=“index”},
{pattern="/login", handler=“security”,action=“login”},
{pattern="/logout", handler=“security”,action=“logout”}
];

// Custom Declared Points
interceptorSettings = {
customInterceptionPoints = “”
};

// Custom Declared Interceptors
interceptors = [
//security
{class=“coldbox.system.interceptors.security”,
properties={
rulesSource=“xml”,
rulesFile="/solitary/config/securityRules.xml.cfm",
debugMode=“true”,
preEventSecurity=“true”,
validatorModel=“securityService”
}
}
];

// wirebox mappings
binder.map(“SecurityService”)
.to(“solitary.model.security.SecurityService”)
.asSingleton();

binder.map(“UserService”)
.to(“solitary.model.users.UserService”)
.asSingleton();

}

/**

  • Fired when the module is registered and activated.
    */
    public void function onLoad(){

// if debug mode make sure we have an admin user

}

/**

  • Fired when the module is unregistered and unloaded
    */
    public void function onUnload(){

}

}

this was not working, it would find the rules source but the rules never got loaded properly. I did a dump of the rules in the security interceptors pre process function and they were empty. I added the following code to {project_root}/config/Coldbox.cfc and everything worked fine.

//Register interceptors as an array, we need order
interceptors = [
//Autowire
{class=“coldbox.system.interceptors.Autowire”,
properties={}
},
//SES
{class=“coldbox.system.interceptors.SES”,
properties={}
},
//security
{class=“coldbox.system.interceptors.security”,
properties={
rulesSource=“xml”,
rulesFile="/solitary/config/securityRules.xml.cfm",
debugMode=“true”,
preEventSecurity=“true”,
validatorModel=“securityService”
}
}
];

I will do some more debugging on my end but before I do I just wanted to throw this out there. Am I doing something wrong?

6

question, what does /solitary map to? The rules file location is the include location for the files I would use the module lcoation so it becomes more portable:

rulesFile="#**modulePath#/**config/securityRules.xml.cfm"

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

7

More info here: http://wiki.coldbox.org/wiki/Modules.cfm#The_Decorated_Variables
Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

8

that would work as well but I dumped out the full path from the security interceptor and it was reading the right file.

this.mappings[’/solitary’] = COLDBOX_APP_ROOT_PATH & “/modules/solitary”;

9

Dan and group,

I just added the suggestion we where talking about. Basically it boils down to this.

If you have an this.entryPoint in your module, the SES interceptor will use that to automatically do a addModuleRoutes(pattern=this.entryPoint,module=module) for you.

This means that you don’t have to specifically add the addModuleRoutes() to the parent SES config anymore. The module now attaches itself using the entrypoint.

Thanks!

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

10

Nice, did you update the docs in the last 12 hours or so. I was reading the modules docs and when talking about the entryPoint it kinded of actually said it works that way.

So if you did then that explains why I was confused when reading it.

Regards,

Andrew Scott

http://www.andyscott.id.au/

11

that is pretty awesome, thanks for the update!

12

So I pulled the latest version of coldbox and now instead of having to add the route in the Coldbox config it is pulling my entry point as the route. Great stuff!

Now I am having an issue with the security rules. The name of the plugin is solitary so my event might look like this solitary:security.login but the url route may look like this /hellocoldbox/index.cfm/hellocoldbox/security/login.

It seems my rules are locking everything down and redirecting the user to the login page, great so far. The problem is I have tried everything I can think of to put the security stuff in the whitelist. I tried to perform a security.doLogin and that is getting redirected to the login page. Here is my current rules

^solitary,^security \..* admin read,write security/login false

I have tried many approaches for the whitelist (security…,solitary…,solitary:security:doLogin) and nothing seems to work…

What am I doing wrong here?

13

Turn debuggin on for the interceptor to see the log for it:

debug = [“coldbox.system.interceptors.Security”] in your logbox configuration DSL in the coldbox.cfc. This gives a wealth of info for debugging.

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

14

perfect, that gave me some great info…

so even though the entry point is security and the users sees /security/login it seems like when i build a link I need to point to the actual event

#event.buildLink(‘solitary.security.doLogin’)#

this seems to work