Cbsecurity problem


Robert

Sep 23, 2016, 8:31:54 AM
to ColdBox Platform
I'm using cbSecurity with my own validator object and don't get the results I expect when adding a second rule. The ADMIN rule works with no issue, but when I add the USER rule and log in with an account which has the USER role, I'm not getting access to the events I have defined in the USER rule. So I must obviously be doing something wrong. Here is what I'm trying to accomplish:

Admin - has access to all events within the handlers in the Admin folder
User - has limited access to certain events in the User handler within the admin folder.  These are:
  • admin.user.userEditor
  • admin.user.save
  • admin.user.changepassword
  • admin.user.savePassword.
Now I can easily go into each handler in admin and check the role and redirect the user from there if they don't have access, but that kind of defeats the purpose of using cbsecurity!

Here are the rules I have as they are currently defined. Any assistance is greatly appreciated!

<rules>
    <rule>
        <whitelist>security\..*,main\..*</whitelist>
        <securelist>dashboardUser\..*,dashboard\..*,User\..*,Role\..*,Content\..*,stateProvince\..*,menu\..*</securelist>
        <match>event</match>
        <roles>admin</roles>
        <permissions></permissions>
        <redirect>security.login</redirect>
        <useSSL>false</useSSL>
    </rule>
    <rule>
        <whitelist>security\..*,main\..*</whitelist>
        <securelist>dashboardUser\..*,User\.index,User\.remove,Role\..*,Content\..*,stateProvince\..*,menu\..*</securelist>
        <match>event</match>
        <roles>User</roles>
        <permissions></permissions>
        <redirect>security.login</redirect>
        <useSSL>false</useSSL>
    </rule>
</rules>


Luis Majano

Sep 26, 2016, 11:23:47 AM
to coldbox
The problem might be that you are matching the rules. Therefore the first security match sends it to the validator and, if not valid, then redirects.

Turn on the logging level for cbsecurity so you can see more information. You can do something like this in your coldbox.cfc in the logbox section:

debug = [ "cbsecurity" ]

That will turn on debugging for the module and you can see all the information about the rule processing.

--
--
You received this message because you are subscribed to the Google Groups "ColdBox Platform" group.
For News, visit http://blog.coldbox.org
For Documentation, visit http://wiki.coldbox.org
For Bug Reports, visit https://ortussolutions.atlassian.net/browse/COLDBOX
---
You received this message because you are subscribed to the Google Groups "ColdBox Platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coldbox+unsubscribe@googlegroups.com.
To post to this group, send email to col...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/coldbox/5bf35b4a-11d2-43b2-9622-d4cb17b7a3cf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Robert

Sep 27, 2016, 6:19:26 AM
to ColdBox Platform
I have the logbox working using this configuration:

//LogBox DSL
logBox = {
    // Define Appenders
    appenders = {
        coldboxTracer = { class="coldbox.system.logging.appenders.ConsoleAppender" },
        MyAsycFile = {
            class="coldbox.system.logging.appenders.RollingFileAppender",
            properties={
                filePath=expandPath("/coldbox/system/log/tmp"), autoExpand=false, fileMaxArchives=1, fileMaxSize=3000
            }
        }
    },
    // Root Logger
    root = { levelmax="INFO", appenders="*" },
    // Implicit Level Categories
    info = [ "coldbox.system" ],
    debug = [ "cbsecurity" ]
};


Robert

Sep 27, 2016, 6:30:38 AM
to ColdBox Platform
It seems like it's only validating against one security rule. Here are the events in the log:

"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.doLogin' found in whitelist: security\..*,main\..*"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.doLogin' found in whitelist: security\..*,main\..*, user\.editor,user\.save,user\.changePassword,user\.savePassword,admin.dashboardUser.index"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","User did not validate security for secured match target=admin.dashboardUser.index. Rule: {MATCH={event}, PERMISSIONS={}, SECURITYRULEID={1}, WHITELIST={security\..*,main\..*

}, SECURELIST={dashboardUser\..*,dashboard\..*,User\..*,Role\..*,Content\..*,stateProvince\..*,menu\..*

}, USESSL={0}, ROLES={Admin}, REDIRECT={security.login}}"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.login' found in whitelist: security\..*,main\..*"
"DEBUG","MYASYCFILE","09/27/2016","06:27:25","cbsecurity.interceptors.Security","'security.login' found in whitelist: security\..*,main\..*, user\.editor,user\.save,user\.changePassword,user\.savePassword,admin.dashboardUser.index"

Note that I only see an entry in the log for security rule id 1, which is the ADMIN rule; I don't see an entry for rule id 2, which is the USER rule. Any help is appreciated!

Luis Majano

Sep 27, 2016, 9:07:57 AM
to ColdBox Platform
I think the issue is that your event is matching on rule 1, thus doing what it is supposed to do.

The condition for matching is the event, not the role or permissions.

Luis Majano

CEO
Ortus Solutions, Corp
www.ortussolutions.com

Robert

Sep 27, 2016, 11:01:24 AM
to ColdBox Platform
I figured the same thing, so how should I construct the security rules to achieve the following:

Luis Majano

Sep 27, 2016, 5:46:56 PM
to coldbox
I would put the more specific rules first. But also add the two roles in there as well.

Robert

Sep 28, 2016, 1:29:27 PM
to ColdBox Platform
I did as you instructed: put the most restricted rules first and added both the Admin role and User role to that rule, then modified the admin rule to allow access to all events within the handlers in the Admin folder, and it works now! Thanks so much!!!!
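The whole thread turns on one evaluation detail: rules are walked in order, matching on the event, and the first rule whose securelist matches is the one whose roles get validated, so rule 2 is never consulted for an event rule 1 already claimed. The following is an added example, not code from the thread, from cbSecurity or from ColdBox, that models that behaviour in Python so the two rule orders can be compared side by side. It assumes (a) each rule's whitelist is checked first and a hit only skips that rule, (b) the first securelist match decides, and (c) patterns are comma-separated regular expressions applied with a case-insensitive search, which is how `dashboardUser\..*` caught `admin.dashboardUser.index` in the log above. `REORDERED_RULES` is my reconstruction of the fix Robert describes, with `admin\..*` assumed as the admin securelist; it is not his posted configuration.

```python
import re
from dataclasses import dataclass

# Added example (not cbSecurity's own code): a model of the first-match rule
# evaluation the thread's debug log shows. Labelled assumptions:
#  - each rule's whitelist is checked first; a hit skips that rule only
#  - the first rule whose securelist matches the event decides the outcome
#  - patterns are comma-separated regexes tried with a case-insensitive search,
#    so "User\..*" also hits "admin.user.save" and "admin.dashboardUser.index"


@dataclass(frozen=True)
class Rule:
    whitelist: str
    securelist: str
    roles: str
    redirect: str = "security.login"


def event_in_pattern(event: str, patterns: str):
    """Return the first comma-separated pattern that matches the event, else None."""
    for pattern in patterns.split(","):
        pattern = pattern.strip()
        if pattern and re.search(pattern, event, re.IGNORECASE):
            return pattern
    return None


def user_has_role(user_roles, rule_roles: str) -> bool:
    """Role check a custom validator would do: any one of the rule's roles suffices."""
    wanted = {r.strip().lower() for r in rule_roles.split(",") if r.strip()}
    return bool(wanted & {r.lower() for r in user_roles})


def evaluate(rules, event: str, user_roles):
    """Walk the rules in order; the result names the rule number that decided."""
    for number, rule in enumerate(rules, start=1):
        if event_in_pattern(event, rule.whitelist):
            continue                      # whitelisted for this rule: try the next one
        if event_in_pattern(event, rule.securelist):
            if user_has_role(user_roles, rule.roles):
                return ("allow", number)
            return ("redirect", number)   # the interceptor would send the user to rule.redirect
    return ("unsecured", 0)               # no securelist matched: the event is not protected


# Rule order exactly as posted at the top of the thread.
ORIGINAL_RULES = [
    Rule(whitelist=r"security\..*,main\..*",
         securelist=r"dashboardUser\..*,dashboard\..*,User\..*,Role\..*,Content\..*,stateProvince\..*,menu\..*",
         roles="admin"),
    Rule(whitelist=r"security\..*,main\..*",
         securelist=r"dashboardUser\..*,User\.index,User\.remove,Role\..*,Content\..*,stateProvince\..*,menu\..*",
         roles="User"),
]

# Reconstruction (an assumption, not Robert's posted config) of the fix he
# describes: the narrow user-events rule first, carrying both roles, then an
# admin rule whose securelist covers every event under the admin folder.
REORDERED_RULES = [
    Rule(whitelist=r"security\..*,main\..*",
         securelist=r"user\.userEditor,user\.save,user\.changepassword,user\.savePassword",
         roles="Admin,User"),
    Rule(whitelist=r"security\..*,main\..*",
         securelist=r"admin\..*",
         roles="Admin"),
]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("reordered", REORDERED_RULES)):
        for event, roles in (("admin.user.userEditor", ["User"]),
                             ("admin.dashboardUser.index", ["User"]),
                             ("admin.role.index", ["Admin"]),
                             ("security.login", [])):
            print(f"{label:9} {event:28} roles={roles}: {evaluate(rules, event, roles)}")
```

Running it shows why the original order failed: `User\..*` in rule 1's securelist claims `admin.user.userEditor` before rule 2 is ever reached, and a USER-role account is redirected by rule 1. With the narrow rule first, the four user events are decided by rule 1, and because that rule carries both roles an Admin is not locked out of them either, which is why Luis said to add both roles rather than just reorder. Whitelists have the same order dependence, so keep them to the genuinely public events.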