The team behind ColdBox recently held a contest for creating Modules. I submitted an entry to the contest called Solitary. This is a security module that makes it easy to add a role-based authentication service to your ColdBox application. I created three video tutorials so you can get a better idea of what this module is and what it does. Please download the project, watch the videos, and give me any feedback you have.
Solitary ColdBox Module: Part 1 from Dan Vega on Vimeo.
Solitary Coldbox Module: Part 2 from Dan Vega on Vimeo.
Solitary Module Layouts from Dan Vega on Vimeo.

#1 by Chris Pfeffer on 4/12/11 - 9:07 AM
#2 by Dan Vega on 4/12/11 - 12:05 PM
#3 by Robert Rawlins on 4/13/11 - 8:15 AM
I'm going to have a look at this in more depth later today.
I've been working on a module on/off for the past couple of weeks which is a security implementation a bit like this, but geared around a SaaS product model.
So users have a parent account, which is assigned to a tariff with a monthly billing system and configurable limits.
Looks like you've done a substantial amount of work on bits I'm looking to do myself, which is just a little convenient :-D.
Robert
#4 by Kevin Marino on 4/13/11 - 8:24 AM
#5 by Dan Vega on 4/13/11 - 8:26 AM
#6 by Robert Rawlins on 4/13/11 - 8:29 AM
I've always struggled to know where the 'rules' should be defined for event based security as having a separate XML file always feels too detached, as does storing it in the DB.
There is always a risk around code coverage: are there events which currently aren't secured, etc.?
I wonder if annotations is a better way of doing rules. I've written custom AOP based model security in ColdSpring which used annotations to define security on methods:
<cffunction name="someMethod" roles="admin,moderator">
Makes spotting unsecured events that little bit easier. However, you end up with lots of extra code in the app.
Robert
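One way to implement the annotation-based check described in the comment above, as an added example that is neither Solitary's code nor the commenter's ColdSpring aspect; it assumes a hypothetical RoleGuard.cfc component, that handler methods carry a roles="..." attribute, and that the caller already has the user's role list:

```cfml
// Added example (not from Solitary or the comment author). RoleGuard.cfc reads the
// "roles" annotation off a component method's metadata and decides whether the user
// may call it. A method with no annotation is refused, so an unsecured event fails
// loudly instead of silently passing.
//
// Sample handler the guard would inspect (annotation written in script style):
//   component { public void function someMethod() roles="admin,moderator" {} }
// Usage:
//   guard = new RoleGuard();
//   guard.isAuthorized(handler, "someMethod", ["moderator"]);   // true
//   guard.isAuthorized(handler, "someMethod", ["guest"]);       // false
//   guard.unsecuredMethods(handler);                            // ["unannotated", ...]
component {

    // Returns true only when the user holds at least one role listed on the method.
    public boolean function isAuthorized(required any target,
                                         required string methodName,
                                         required array userRoles) {
        var meta = getMetadata(arguments.target);
        var i = 0;
        var j = 0;
        var fn = {};
        if (!structKeyExists(meta, "functions")) return false;
        for (i = 1; i <= arrayLen(meta.functions); i++) {
            fn = meta.functions[i];
            if (compareNoCase(fn.name, arguments.methodName) != 0) continue;
            // custom attributes such as roles="admin,moderator" surface as struct keys
            if (!structKeyExists(fn, "roles") || !len(trim(fn.roles))) return false;
            for (j = 1; j <= arrayLen(arguments.userRoles); j++) {
                if (listFindNoCase(fn.roles, trim(arguments.userRoles[j]))) return true;
            }
            return false; // annotated, but the user holds none of the listed roles
        }
        return false; // method not found on this component: deny by default
    }

    // Lists methods that carry no roles annotation, for a quick coverage check.
    public array function unsecuredMethods(required any target) {
        var meta = getMetadata(arguments.target);
        var missing = [];
        var i = 0;
        if (!structKeyExists(meta, "functions")) return missing;
        for (i = 1; i <= arrayLen(meta.functions); i++) {
            if (!structKeyExists(meta.functions[i], "roles")
                || !len(trim(meta.functions[i].roles))) {
                arrayAppend(missing, meta.functions[i].name);
            }
        }
        return missing;
    }
}
```

Running unsecuredMethods() over each handler at application start gives the same "spot the gaps" view the comment describes, without a separate XML rules file.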
#7 by Kevin Marino on 4/13/11 - 9:48 AM
Ok, so two things are working against me (I don't use scripted components or ORM, yet), so I'm a little confused on a couple of points. In User.cfc you have a call to getRoles(); this is not defined anywhere. Is this an ORM thing? Two, I see that the roles are inserted into the database but not the whitelists/securelists (maybe I'm missing something). If this is the case, then does that mean those have to be maintained via the XML file?
I ask the last thing because when I implemented security I had a team of about 8 developers so the XML file was not a good way to go (lots of changes/refactors). So I ended up writing some plugins to manage the role/event relationships which started simple and ultimately became complex.
Thanks for putting up with the questions. I def. need to learn ORM.
@Robert
Since we had ever-changing event names and other stuff (a large project with 5 sub-applications developed in phases, with requirements often affecting previous work), I wrote a plugin to act as an interceptor and log all events and track usage and time. Then I also built a plugin which was injected at the view, allowing people to assign roles to the parent event. From that point it generally was easy, via a grid component, to fill the gaps and spot unsecured events super easily, even in production, and fix them.
Nothing like moving requirements.
#8 by JT Davis on 2/13/12 - 12:10 PM
Timely and well built module. I'd been climbing the learning curve on securing a project but having it be re-usable and stumbled across your work.
Tried plugging it in but I get "An association from the table users_roles refers to an unmapped class: " so I'll have to actually do some work and try to understand how the User class works on users_roles... BTW, I'm on CF 9.0.1 and talking to an Oracle 10 database, but I think the issue is in the model for User or Role, though at first glance they sure look right to me...
#9 by Dan Vega on 2/13/12 - 12:13 PM