coldbox-modules / cbguard
Annotation driven guards for authentication and authorization in ColdBox apps
The ColdBox invalidEventHandler setting allows us to create friendly 404 pages in our apps. However, if you install cbguard in an app that uses invalidEventHandler, it will break the functionality and users will see the following exception error: "The invalidEventHandler setting is also invalid: error.onInvalidEvent. Please check your settings"
For reference (and screenshots) I brought this issue up on Google Groups a while back.
I've done my best to try and solve this problem on my own by closely following a request with an invalid event both with and without cbguard installed. Even though I was not able to figure out how to fix the issue, I did learn a few things that might help.
First of all, I took a look at ColdBox's own handler service in coldbox\system\web\services\HandlerService.cfc and noticed that this error gets triggered when a global request variable, request._lastInvalidEvent, matches the currently called event. This was set up to initially prevent infinite loops.
What I figured out is that when cbguard is installed, the invalidEvent() method gets executed twice, causing request._lastInvalidEvent to be set two times, which makes the function think the invalidEventHandler is invalid. I cannot figure out why cbguard triggers the HandlerService method twice.
Steps to Reproduce:
If you want to create a simple test setup to demonstrate the problem, create a blank ColdBox app, and utilize the invalidEventHandler in your config. Then, confirm that you can show a friendly 404 error when an invalid event gets called.
Next, install cbsecurity and reinit your app. You should see the problem occur.
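A simplified model of the loop guard described above, as an added example and not ColdBox's own HandlerService code; it assumes the guard keys on a single request-scoped variable and shows how a second invalidEvent() call for the same event within one request trips it:

```python
# Added example (not ColdBox or cbguard code): a simplified model of the
# re-entrancy guard the issue describes in HandlerService. Assumption: the
# guard keys on one request-scoped variable; the message text is the one
# quoted in the issue.

INVALID_EVENT_HANDLER = "error.onInvalidEvent"  # setting value quoted in the issue


class InvalidEventHandlerError(Exception):
    """Raised when the loop guard decides the invalidEventHandler itself is invalid."""


def invalid_event(request, event, handler=INVALID_EVENT_HANDLER):
    """Model of invalidEvent(): returns the event to render for a missing event.

    `request` is a dict standing in for the CFML request scope.
    """
    # Loop guard: a second call for the same event within one request is
    # indistinguishable from "the handler we redirected to is invalid too",
    # so it raises instead of rendering the friendly 404.
    if request.get("_lastInvalidEvent") == event:
        raise InvalidEventHandlerError(
            f"The invalidEventHandler setting is also invalid: {handler}. "
            "Please check your settings"
        )
    request["_lastInvalidEvent"] = event
    return handler


def simulate(calls, event="missing.handler"):
    """Call invalid_event() `calls` times in one request and return the
    rendered event, or the error message once the guard fires."""
    request = {}
    rendered = None
    try:
        for _ in range(calls):
            rendered = invalid_event(request, event)
        return rendered
    except InvalidEventHandlerError as exc:
        return str(exc)
```

With one call the friendly handler is rendered; with two calls for the same event the guard fires, which is the symptom the issue reports.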
guest handlers and/or actions would only be available if there is no logged in user.
There would also need to be override events set for this.
Instead of just skipping the handler that doesn't exist, this errors.
This could be an issue with implicit handlers.
This function will fail if the handlerBean.getHandler() is empty.
```
var handler = handlerService.getHandler(
    handlerBean,
    event
);
```
```
Template: C:\www\revagency\revagency-ap6-lucee\coldbox\system\core\util\Util.cfc
288: <cfset md = getMetaData( component )>
289: <cfelse>
290: <cfset md = getComponentMetaData( component )>
291: </cfif>
292: </cfif>

Template: C:\www\revagency\revagency-ap6-lucee\coldbox\system\ioc\config\Mapping.cfc
602: }
603: else{
604: var produceMetadataUDF = function() { return injector.getUtil().getInheritedMetaData(instance.path, binder.getStopRecursions()); };
605:
606: // Are we caching metadata?

Template: C:\www\revagency\revagency-ap6-lucee\coldbox\system\ioc\config\Mapping.cfc
612: );
613: } else {
614: md = produceMetadataUDF();
615: }
616: }

Template: C:\www\revagency\revagency-ap6-lucee\coldbox\system\ioc\Injector.cfc
346: try {
347: // process inspection of instance
348: mapping.process( binder=variables.binder, injector=this );
349: } catch( any e ) {
350: // Remove bad mapping

Template: C:\www\revagency\revagency-ap6-lucee\coldbox\system\web\services\HandlerService.cfc
110:
111: // retrieve, build and wire from wirebox
112: return wirebox.getInstance( arguments.invocationPath );
113: }
114:

Template: C:\www\revagency\revagency-ap6-lucee\coldbox\system\web\services\HandlerService.cfc
126:
127: // Create Runnable Object via WireBox
128: var oEventHandler = newHandler( arguments.ehBean.getRunnable() );
129:
130: /* ::::::::::::::::::::::::::::::::::::::::: EVENT METHOD TESTING :::::::::::::::::::::::::::::::::::::::::::: */

Template: C:\www\revagency\revagency-ap6-lucee\modules\cbguard\interceptors\SecuredEventInterceptor.cfc
30: handlerBean,
31: event
32: );
33:
34: var handlerMetadata = getMetadata( handler );
```
If a module implements cbguard, the module should have the ability to customize the responses for authorization failures when within the module's routing namespace.
Allow for nested cbguard settings within each module's settings.
Example:
```
settings = {
    "cbguard" : {
        "authenticationService" = "SecurityService@myModule",
        "authenticationOverrideEvent" = "myModule:Main.onAuthenticationFailure",
        "authenticationAjaxOverrideEvent" = "myModule:api.v1.BaseAPIHandler.onAuthenticationFailure",
        "authorizationOverrideEvent" = "myModule:Main.onAuthorizationFailure",
        "authorizationAjaxOverrideEvent" = "myModule:api.v1.BaseAPIHandler.onAuthorizationFailure"
    }
}
```
If a customized module setting is not detected, then the top-level module settings would apply.
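A hypothetical resolver for the per-module override events proposed above, as an added example and not cbguard's own code; it assumes fallback to the top-level settings happens per key, and the module name, event names and settings values are constructed samples modelled on the issue's example:

```python
# Added example (not cbguard code): resolve which override event to fire when
# a guard fails, preferring the module's nested cbguard settings when the event
# lives in that module's namespace and falling back per key to the top level.
# All names below are constructed sample values.

GLOBAL_SETTINGS = {
    "cbguard": {
        "authenticationOverrideEvent": "Main.onAuthenticationFailure",
        "authenticationAjaxOverrideEvent": "api.BaseAPIHandler.onAuthenticationFailure",
        "authorizationOverrideEvent": "Main.onAuthorizationFailure",
        "authorizationAjaxOverrideEvent": "api.BaseAPIHandler.onAuthorizationFailure",
    }
}

MODULE_SETTINGS = {
    "myModule": {
        "cbguard": {
            # Only the non-AJAX events are customised; AJAX ones fall back.
            "authenticationOverrideEvent": "myModule:Main.onAuthenticationFailure",
            "authorizationOverrideEvent": "myModule:Main.onAuthorizationFailure",
        }
    }
}


def module_of(event):
    """Module namespace of a ColdBox event ("myModule:Main.index" -> "myModule"), else None."""
    return event.split(":", 1)[0] if ":" in event else None


def override_event(event, failure, is_ajax,
                   module_settings=MODULE_SETTINGS, global_settings=GLOBAL_SETTINGS):
    """Return the override event for a failed guard on `event`.

    failure is "authentication" or "authorization"; is_ajax selects the
    *AjaxOverrideEvent key. A key defined in the module's nested cbguard
    settings wins; otherwise the top-level setting applies for that key.
    """
    if failure not in ("authentication", "authorization"):
        raise ValueError("failure must be 'authentication' or 'authorization'")
    key = f"{failure}{'Ajax' if is_ajax else ''}OverrideEvent"
    module = module_of(event)
    scoped = module_settings.get(module, {}).get("cbguard", {}) if module else {}
    if key in scoped:
        return scoped[key]
    return global_settings["cbguard"][key]
```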