
FW1 security module

FW/1 - Framework One - is a lightweight, convention over configuration, MVC application framework for ColdFusion / CFML. This FW/1 directory is a complete web application and expects to live in its own webroot, if you plan to run the applications within it. To use FW/1 in a separate webroot you can either copy the framework directory to that webroot or add a mapping for /framework to the framework folder inside this FW/1 directory. Note that since your Application.cfc needs to extend framework.one, you have to add the mapping in your admin - you can't just use a per-application mapping.

- Ref: GitHub

ColdFusion Fw1 security module

Security is a baseline requirement for every web application, and it has several layers. Authentication, XSS, CSRF, SQL injection and API authentication are some of the concerns in a modern web application, but role-based authentication is the one that almost every application needs.

At MitrahSoft we use FW/1 as the default CFML framework for most of our applications, and most of them need role-based security. Here we have created a security module that does this for you in CFML. It holds an array of rules; each rule has a whitelist (actions that never need a login, such as the login page itself), a securelist (actions that do), the comma-separated roles allowed on that securelist, and the actions to redirect to when the user is anonymous (redirect) or logged in without a matching role (noaccess). checkUser() is called once per request with the fully qualified action and the session scope and walks the rules in order. This sample and the security.cfc code are largely inspired by the ColdBox security module. Please feel free to check it out and let us know your feedback.

security.cfc
component output="false" {
    variables.fw = '';
    // Each rule: whitelist = actions that never require a login, securelist = actions that do,
    // roles = comma-separated roles allowed on the securelist, redirect = where an anonymous
    // user is sent, noaccess = where a logged-in user without a matching role is sent.
    // Patterns are regular expressions matched with reFindNoCase() against the fully qualified
    // action ("subsystem:section.item"). Note that "^admin:*" would mean "admin followed by any
    // number of colons" (it also matches "adminreports:..."), so "^admin:" is used to anchor
    // the whole subsystem.
    variables.rules = [
        { whitelist = "^admin:main.login,^admin:main.loginAction,^admin:main.noaccess", securelist = "^admin:", roles = "admin", redirect = "admin:main.login", noaccess = "admin:main.noaccess" },
        { whitelist = "^user:main.login,^user:main.loginAction,^user:main.noaccess", securelist = "^user:", roles = "admin,user", redirect = "user:main.login", noaccess = "user:main.noaccess" },
        { whitelist = "^public:", securelist = "", roles = "" }
    ];

    public any function init( required any fw ) {
        variables.fw = arguments.fw;
        return this;
    }

    // currentAction: the fully qualified action of this request, e.g. fw.getFullyQualifiedAction()
    // sessionStruct: the session scope; rolekey: the session key that holds the user's role
    public void function checkUser( required string currentAction, required struct sessionStruct, required string rolekey ) {
        var loggedin = structKeyExists( arguments.sessionStruct, arguments.rolekey );
        var rulesLen = arrayLen( variables.rules );
        var x = 0;   // var-scoped: an unscoped loop variable would be shared between requests

        for ( x = 1; x lte rulesLen; x = x + 1 ) {
            // open rules, and whitelisted actions inside a secured area, need no check
            if ( variables.rules[x].roles eq "" or isActionInPattern( arguments.currentAction, variables.rules[x].whitelist ) )
                continue;
            if ( isActionInPattern( arguments.currentAction, variables.rules[x].securelist ) ) {
                // fw.redirect() issues a location() and ends the request, so nothing after it runs
                if ( !loggedin )
                    variables.fw.redirect( variables.rules[x].redirect );
                if ( loggedin and listFindNoCase( variables.rules[x].roles, arguments.sessionStruct[ arguments.rolekey ] ) eq 0 )
                    variables.fw.redirect( variables.rules[x].noaccess );
            }
        }
    }

    // true when any regex in the comma-separated patternList matches currentAction
    private boolean function isActionInPattern( required string currentAction, required string patternList ) {
        for ( var pattern in listToArray( arguments.patternList ) ) {
            if ( reFindNoCase( pattern, arguments.currentAction ) != 0 )
                return true;
        }
        return false;
    }
}
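The post does not show how the module is wired into an FW/1 application. The following Application.cfc and admin login controller are an added example, not code from the original post or from the MitrahSoft repository. They assume that security.cfc sits in the webroot next to Application.cfc, that subsystems are enabled with admin, user and public subsystems as in the rules above, that the login action stores the user's role under the session key "role", and that a hypothetical application.userService.authenticate() returns the user's role or an empty string; sessionRotate() and sessionInvalidate() need ColdFusion 10+ or Lucee.

```cfml
// Application.cfc (added example; assumes security.cfc from this post is in the same webroot)
component extends="framework.one" {
    this.name = "fw1SecurityDemo";      // hypothetical application name
    this.sessionManagement = true;      // checkUser() reads the session scope

    variables.framework = {
        usingSubsystems = true,         // rules match "subsystem:section.item" actions
        defaultSubsystem = "public",
        defaultSection = "main",
        defaultItem = "default",
        reloadApplicationOnEveryRequest = false
    };

    // Runs once per application start: create the security module and hand it the framework.
    function setupApplication() {
        application.security = new security( this );
    }

    // Runs before every request. getFullyQualifiedAction() returns "subsystem:section.item",
    // which is the form the rules' regexes expect. "role" is the session key set by loginAction().
    function setupRequest() {
        application.security.checkUser( getFullyQualifiedAction(), session, "role" );
    }
}

// admin/controllers/main.cfc (added example). application.userService is a placeholder for
// whatever your application really uses to verify credentials; it is assumed to return the
// user's role ("admin" or "user") or "" on failure.
component {
    function init( fw ) {
        variables.fw = arguments.fw;
        return this;
    }

    function login( rc ) {}      // renders admin/views/main/login.cfm; whitelisted in the rules
    function noaccess( rc ) {}   // rendered for a logged-in user without the admin role

    function loginAction( rc ) {
        var username = structKeyExists( rc, "username" ) ? rc.username : "";
        var password = structKeyExists( rc, "password" ) ? rc.password : "";
        var role = application.userService.authenticate( username, password );
        if ( role eq "" ) {
            variables.fw.redirect( "admin:main.login" );   // ends the request
        }
        sessionRotate();             // new session id on privilege change (session fixation)
        session.role = role;         // the value listFindNoCase() compares against rule roles
        variables.fw.redirect( "admin:main.default" );
    }

    function logout( rc ) {
        structDelete( session, "role" );
        sessionInvalidate();
        variables.fw.redirect( "admin:main.login" );
    }
}
```

Because checkUser() runs in setupRequest(), it fires before any controller, so a request for admin:reports.default by an anonymous user is redirected to admin:main.login and a user with session.role = "user" is sent to admin:main.noaccess; the same user reaches user:* actions because that rule lists "admin,user".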

If you find any issues, please file a bug on GitHub. If you want to contribute to or enhance this sample application, feel free to fork it and send us a pull request.



