v2.9.0

[2.9.0] => 2020-DEC-11

Fixed

• Fixes a typo in the cbSecurity_onInvalidAuthorization interception point declaration. Previously, the typo would prevent ColdBox from allowing the correctly-typed interception point from ever triggering an interception listener.
• The userValidator() method has been changed to roleValidator(), but the error message was forgotten! So the developer is told they need a userValidator() method... because the userValidator method is no longer supported. :/

Added

• The isLoggedIn() method now makes sure that a jwt is in place and valid, before determining if you are logged in or not.
• Migrated all automated tests to focal and mysql8 in preparation for latest updates
• Add support for JSON/XML/model rules source when loading rules from modules. Each module can now load rules not only inline but from the documented external sources.
• Ensure non-configured rules default to empty array

v2.7.0

[2.7.0] => 2020-SEP-14

Added

• Contributed module rules are now pre-pended instead of appended. (@wpdebruin)

Fixed

• Not loading rules by source file detection due to invalid setting check
• Don't trigger ColdBox's invalid event looping protection. It also auto-senses between ColdBox 6 and 5 (@homestar9)
• Fixed token scopes according to JWT spec, it is called scope and it is a space separated list. This doesn't change the User interface for it. (@wpdebruin)
• Update token storages so no token rejection anymore when storage is not enabled. (@wpdebruin)

v2.6.0

[2.6.0] => 2020-JUL-22

Added

• New build layout based on new module layout
• Auto github publishing release notes
• More formatting goodness and watcher

Fixed

• JWT Validator now passing permissions instead of roles
• Token Storage checking was being done even if disabled

v2.1.0

• Feature : cbauth upgraded to version 4

v2.0.0

2.0.0

New Features

• Adobe 2016,2018 Support
• Settings transferred to ColdBox 4/5 moduleSettings approach instead of root approach (See compat section)
• The rulesModelMethod now defaults to getSecurityRules()
• ColdFusion security validator has an identity now CFValidator@cbsecurity instead of always being inline.
• You can now add an overrideEvent element to a rule. If that is set, then we will override the incoming event via event.overrideEvent() instead of doing a relocation using the redirect rule element.
• You can now declare your rules inline in the configuration settings using the rules key. This will allow you to build the rules in your config instead of a rule source.
• We now can distinguish between invalid auth and invalid authorizations
• New interception block points cbSecurity_onInvalidAuthentication, cbSecurity_onInvalidAuhtorization
• You now have a defaultAuthorizationAction setting which defaults to redirect
• You now have a invalidAuthenticationEvent setting that can be used
• You now have a defaultAuthenticationAction setting which defaults to redirect
• You now have a invalidAuthorizationEvent setting that can be used
• If a rule is matched, we will store it in the prc as cbSecurity_matchedRule so you can see which security rule was used for processing invalid access actions.
• If a rule is matched we will store the validator results in prc as cbSecurity_validatorResults
• Ability for modules to register cbSecurity rules and setting overrides by registering a settings.cbSecurity key.
• Ability for modules to override the validator setting. So each module can have their own security validator schema.
• New security rule visualizer for graphically seeing you rules and configuration. Can be locked down via the enableSecurityVisualizer setting. Disabled by default.

// module settings - stored in modules.name.settings
settings = {
	// CB Security Rules to append to global rules
	cbsecurity = {
		// The module invalid authentication event or URI or URL to go if an invalid authentication occurs
		"invalidAuthenticationEvent"	: "",
		// Default Auhtentication Action: override or redirect when a user has not logged in
		"defaultAuthenticationAction"	: "redirect",
		// The module invalid authorization event or URI or URL to go if an invalid authorization occurs
		"invalidAuthorizationEvent"		: "",
		// Default Authorization Action: override or redirect when a user does not have enough permissions to access something
		"defaultAuthorizationAction"	: "redirect",
		// You can define your security rules here or externally via a source
		"rules"							: [
			{
				"secureList" 	: "mod1:home"
			},
			{
				"secureList" 	: "mod1/modOverride",
				"match"			: "url",
				"action"		: "override"
			}
		]
	}
};

• Annotation based security for handlers and actions using the secured annotation. Which can be boolean or a list of permissions, roles or whatever you like.
• You can disable annotation based security by using the handlerAnnotationSecurity boolean setting.

Improvements

• SSL Enforcement now cascades according to the following lookup: Global, rule, request
• Interfaces documented for easier extension interfaces.*
• Migration to script and code modernization
• New Module Layout
• Secured rules are now logged as warn() with the offending Ip address.
• New setting to turn on/off the loading of the security firewall: autoLoadFirewall. The interceptor will auto load and be registered as cbsecurity@global in WireBox.

Compat

• Adobe 11 Dropped
• Lucee 4.5 Dropped
• Migrate your root cbSecurity settings in your config/ColdBox.cfc to inside the moduleSettings
• IOC rules support dropped
• OCM rules support dropped
• validatorModel dropped in favor of just validator to be a WireBox Id
• Removed preEventSecurity it was too chatty and almost never used
• The function userValidator has been renamed to ruleValidator and also added the annotationValidator as well.
• rulesSource removed you can now use the rules setting
  • The rules can be: array, db, model, filepath
  • If the filepath has json or xml in it, we will use that as the source style
• rulesFile removed you can now use the rules setting.