Security Access Model

Posted by spiraldev, Posted on November 30, 2008

Here is a diagram of the security of an application I am building using ColdBox.

One of the many great things about ColdBox is that you can write interceptors that run before ColdBox executes the requested event, which is the natural place to put request-level access checks.

Here is an example of my security interceptor. It runs in preProcess, so every request passes through it before its handler is reached:

<cffunction name="preProcess" access="public" returntype="void" hint="Executes before any event execution occurs" output="false">
   <!--- ************************************************************* --->
   <cfargument name="event" required="true" type="coldbox.system.beans.requestContext" hint="The event object.">
   <cfargument name="interceptData" required="true" type="struct" hint="interceptData of intercepted info.">
   <!--- ************************************************************* --->
   <cfscript>
      var rc = arguments.event.getCollection();
      var local = structNew();

      <!--- Blocked IPs are rejected first; return so the login check below cannot replace the override. --->
      if(chkBlockedIPs(arguments.event)){
         arguments.event.overrideEvent("main.blockedip");
         return;
      }

      <!--- Everything under the 'security' handler (login, logout) stays reachable to anonymous users. --->
      if(NOT listFindNoCase('security', listFirst(arguments.event.getCurrentHandler(), '.'))){
         <!--- Not logged in: send the request to the login event instead of the one asked for. --->
         if(NOT (structKeyExists(session, 'isAuthenticated') AND session.isAuthenticated)){
            arguments.event.overrideEvent("security.login");
         }else{
            <!--- Permissions are loaded into the session at login as arrays of role names and event names. --->
            local.myEvents = arrayToList(session.mypermissions.events, '|');
            local.myRoles  = arrayToList(session.mypermissions.roles, '|');
            <!--- 'system admin' may run any event; everyone else needs the event in their list. --->
            if(NOT listFindNoCase(local.myRoles, 'system admin', '|')){
               if(NOT listFindNoCase(local.myEvents, rc.event, '|')){
                  arguments.event.overrideEvent("main.noaccess");
               }
            }
         }
      }
   </cfscript>
</cffunction>
And here is the chkBlockedIPs function it calls. It looks the caller's address up in the blocked-IP table through the IoC plugin and returns true when a row matches:

<!--- Date: 11/7/2008 Usage: Check for Blocked IP Addresses --->
<cffunction name="chkBlockedIPs" output="false" access="private" returntype="boolean" hint="Check for Blocked IP Addresses">
   <cfargument name="event" required="true" type="coldbox.system.beans.requestContext" hint="The event object.">
   <cfscript>
      var local = {};
      local.map = {};
      <!--- Query the blocked-IP manager bean by the remote address of this request. --->
      structInsert(local.map, 'ipaddress', cgi.remote_addr);
      local.q = getPlugin("ioc").getBean("samBlockedIPsManager").listByPropertyMap(local.map);
      if(local.q.recordcount GT 0){
         return true;
      }
      return false;
   </cfscript>
</cffunction>
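The access decision the two functions make can be exercised outside ColdBox. The following is an added example, not code from the post or from ColdBox: a plain-Python model of the same check order (blocked IP, security handler bypass, authentication, the 'system admin' role, then the per-user event list). The block list and the session dictionaries are constructed stand-ins for the samBlockedIPsManager bean and the ColdFusion session scope.

```python
# Constructed sample block list; stands in for the samBlockedIPsManager lookup.
BLOCKED_IPS = {"203.0.113.7"}


def decide_event(requested_event: str, remote_addr: str, session: dict) -> str:
    """Return the event that should actually run for this request.

    Mirrors the interceptor's order of checks. All name comparisons are
    case-insensitive, matching the listFindNoCase calls in the original.
    """
    # 1. Blocked address: answer immediately so no later check can replace it.
    if remote_addr in BLOCKED_IPS:
        return "main.blockedip"

    # 2. The 'security' handler (login, logout) is reachable without a session.
    handler = requested_event.split(".", 1)[0]
    if handler.lower() == "security":
        return requested_event

    # 3. Anyone else must be authenticated.
    if not session.get("isAuthenticated", False):
        return "security.login"

    # 4. Permissions loaded at login: lists of role names and event names.
    perms = session.get("mypermissions", {})
    roles = {r.lower() for r in perms.get("roles", [])}
    if "system admin" in roles:
        return requested_event

    # 5. Ordinary users may run only the events in their list.
    events = {e.lower() for e in perms.get("events", [])}
    if requested_event.lower() in events:
        return requested_event
    return "main.noaccess"


def demo() -> dict:
    """Run a few constructed requests through the model and collect the outcomes."""
    editor = {"isAuthenticated": True,
              "mypermissions": {"roles": ["Editor"], "events": ["Main.Index"]}}
    admin = {"isAuthenticated": True,
             "mypermissions": {"roles": ["System Admin"], "events": []}}
    return {
        "blocked_anonymous": decide_event("main.index", "203.0.113.7", {}),
        "anonymous_login":   decide_event("security.login", "198.51.100.5", {}),
        "anonymous_other":   decide_event("main.index", "198.51.100.5", {}),
        "editor_allowed":    decide_event("main.index", "198.51.100.5", editor),
        "editor_denied":     decide_event("admin.users", "198.51.100.5", editor),
        "admin_any":         decide_event("admin.users", "198.51.100.5", admin),
    }
```

The first case is the one worth noting: a blocked, unauthenticated caller lands on main.blockedip only because the blocked-IP check returns before the login check runs.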
Comments

Medical Alarm wrote on 11/15/09 10:14 PM

    Nice post. I like your site very well and continue to do so. I have bookmarked your site.

report writing wrote on 06/08/10 4:19 AM

    I must admit that you hit the bull's eye! Very clever of you. Often I think about it and I agree with you on that. That's a good post.