The ColdBox cbsecurity module will enhance your ColdBox applications by providing out of the box security in the form of:
A security rule engine for validating incoming requests
Annotation driven security for validating incoming events to handlers and actions
JWT (Json Web Tokens) generator, decoder and authentication services
A security service to provide you with functional approaches to security context authorization
3. Inspiration
Applying security concerns to our web applications is paramount. Every application will need it. There are many forms of application security, and many levels.
5. What is cbSecurity
✴ A collection of modules to help secure your applications
✴ Major Areas of Concern:
✴ Security Authentication/Authorization Firewall (cbsecurity)
✴ Incoming event/url
✴ Handler annotations
✴ Security Service for explicit authorizations (cbsecurity)
✴ JWT generator, decoder and authentication services (jwtcfml)
✴ CSRF Protection (cbsrf)
✴ Authentication Manager (cbauth)
7. What is needed for security?
✴ Authentication System
✴ Validates user credentials
✴ Logs them in and out
✴ Tracks their session
✴ Authorization System
✴ Validate permissions/roles/etc
9. What is cbAuth
✴ Authentication system
✴ Authenticates users
✴ Logs them in and out
✴ Tracks their session (many storages)
✴ Has NO knowledge of your Database/Users
✴ You must provide a UserService and a User object
✴ This is how it knows how to authenticate users
✴ What’s another generic authentication system?
✴ cflogin, cfloginuser
14. Is cbauth Mandatory?
✴ No!
✴ Use cflogin/cfloginuser
✴ Build your own
✴ Use third-party providers (Okta, google, facebook, github, etc)
✴ How will cbsecurity know how to use it?
✴ 1 Object that adheres to IAuthService
✴ Tell cbSecurity settings about that object
17. What is authorization?
✴ If an AUTHENTICATED user has access to a resource
✴ How do we grant access => Authorization Indicators
✴ Roles
✴ Permissions
✴ Custom
✴ Where do we store these indicators?
✴ Determined by authentication service
✴ cflogin/cfloginuser provides roles
✴ cbsecurity encourages permissions against the User.hasPermission()
✴ Okta/Windows/AD/ETC
18. CBSecurity Validators
✴ How do we validate authorization indicators? VALIDATORS
✴ CFValidator: Verifies using isUserInAnyRole()
✴ CBAuthValidator: Verifies against the User object’s hasPermission( permission )
✴ JWTService: Validates tokens and token scopes, then validates permissions against the User object’s hasPermission( permission )
✴ Custom: Validates against whatever you want!
20. How do we secure?
1. Security Rules
2. Handler Annotations
3. cbSecurity explicit methods
21. Security Rules (Firewall)
✴ Rules are evaluated from top to bottom (Order is important)
✴ Rules secure incoming events/urls (preProcess)
✴ Global rules and Module Rules
✴ Rules can come from:
✴ Config
✴ Database
✴ XML, JSON
✴ Object
✴ Rules are tied to an interceptor instance
✴ You can have MANY security interceptors with many different rules
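A firewall rules configuration for the slide above, as an added example that is not from the deck or the cbsecurity project. It uses cbsecurity's documented module settings; the event names, permission names and the first-match-wins ordering pitfall in the comments are assumptions:

```cfml
// config/ColdBox.cfc -> configure()  (constructed example; event names are assumed)
moduleSettings = {
    cbsecurity : {
        // Validate authorization indicators with User.hasPermission()
        validator : "CBAuthValidator@cbsecurity",
        // Where unauthenticated and unauthorized requests are sent
        invalidAuthenticationEvent  : "main.login",
        defaultAuthenticationAction : "redirect",
        invalidAuthorizationEvent   : "main.index",
        defaultAuthorizationAction  : "redirect",
        // Rules are evaluated top to bottom; the first rule whose secureList
        // matches the incoming event decides, so order matters.
        rules : [
            // Most specific first: the admin area needs the ADMIN permission,
            // except the admin login screen, which this rule whitelists.
            {
                secureList  : "^admin",
                whitelist   : "^admin\.login",
                permissions : "ADMIN",
                match       : "event"
            },
            // Account pages only need the USER permission.
            {
                secureList  : "^account",
                permissions : "USER",
                match       : "event"
            },
            // Catch-all last: everything else only requires a logged-in user.
            // Placing this rule FIRST would shadow the two rules above, so any
            // authenticated user would reach the admin area unchecked.
            {
                secureList  : ".*",
                whitelist   : "^main\.(index|login|doLogin|logout)$",
                permissions : "",
                match       : "event"
            }
        ]
    }
};
```

Enable the security visualizer while developing to confirm which rule fired for a given event rather than assuming the order is right.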
35. JWT
✴ JWTService
✴ Acts as a validator
✴ Can also be a helper in your handlers/interceptors: jwt()
✴ Can also be used in your models via injection: JWTService@cbSecurity
✴ Rest and rest-cmvc templates give a full working example
36. JWT Storage
✴ Very, Very Important
✴ Invalidate keys
✴ Black list keys
✴ Rotate keys
✴ Storage Drivers
✴ Cachebox : Use any provider
✴ DB : Database
✴ Custom
37. JWT - How do we work with it?
✴ Authentication Service √
✴ Authorization by Permission √
✴ User Object √
✴ UserService Object √
✴ Configure JWT
✴ Update User Object
Coding Time!