Mark Drew (Redux)- cf_etc...

a compendium of railo, cfml, cfeclipse and technology topics

Introducing EventGuard: Secure your events in Model-Glue

November 22, 2007

EventGuard is an Action Pack for the Model-Glue framework that lets you secure your events based on whether a user is logged in, or on the roles assigned to that user. At its simplest, you define which event-handler carries out the login and then list the event-handler names you want to protect. EventGuard also lets you define which event-handlers to exclude from the security check, so that you can apply a blanket inclusion with "*".

There are two things to set up. First, include EventGuard.xml in your ModelGlue.xml file with:

    <include template="/EventGuard/config/EventGuard.xml"/>

where "/EventGuard/" is a CF mapping (recommended, since you should keep the ColdSpring.xml file that ships with EventGuard out of your web root so that people can't see what you are protecting).

Second, configure the EventGuard bean in ColdSpring. You can do this by importing it into your own ColdSpring file using a relative path:

    <import resource="../../EventGuard/config/ColdSpring.xml" />

The configuration of the EventGuard bean is simple yet powerful: it is set up with the loginEvent, include and exclude constructor arguments. The loginEvent argument is the event-handler that requests are redirected to when they are not allowed to access the requested event-handler. The include argument can take any of the following:
  • "*": to define ALL event-handlers as secure. Every request is redirected to the login event-handler, so remember to add the event-handlers you need to reach while logged out (the logout, registration and login-processing handlers, for example) to your exclude argument, otherwise you can't log in! e.g.:

        <bean id="EventGuard" class="EventGuard.services.EventGuard">
            <constructor-arg name="loginEvent"><value>login</value></constructor-arg>
            <constructor-arg name="exclude"><value>logout,register,login.action</value></constructor-arg>
            <constructor-arg name="include"><value>*</value></constructor-arg>
        </bean>

  • a list of event-handler names: if any of these is requested and the user is not logged in, you are redirected to the loginEvent. Only the named event-handlers are checked, so no exclude argument is needed. e.g.:

        <bean id="EventGuard" class="EventGuard.services.EventGuard">
            <constructor-arg name="loginEvent"><value>login</value></constructor-arg>
            <constructor-arg name="include"><value>admin,profile,userlist</value></constructor-arg>
        </bean>

  • an array of structures, each with an event and a list of roles: if you want role-based permissions, pass in this array and set the roles allowed for each event-handler. e.g.:

        <bean id="EventGuard" class="EventGuard.services.EventGuard">
            <constructor-arg name="loginEvent"><value>login</value></constructor-arg>
            <constructor-arg name="exclude"><value>logout,register,login.action</value></constructor-arg>
            <constructor-arg name="include">
                <list>
                    <map>
                        <entry key="event"><value>myprofile</value></entry>
                        <entry key="roles"><value>user,admin</value></entry>
                    </map>
                    <map>
                        <entry key="event"><value>addressbook</value></entry>
                        <entry key="roles"><value>user,admin</value></entry>
                    </map>
                    <map>
                        <entry key="event"><value>admin.usermanager</value></entry>
                        <entry key="roles"><value>admin</value></entry>
                    </map>
                </list>
            </constructor-arg>
        </bean>
And that is it. Your event-handlers should be guarded! If it isn't obvious, EventGuard uses getAuthUser() and isUserInRole() to check the permissions, so the check only works once your login event-handler has authenticated the user with cflogin/cfloginuser; until then getAuthUser() returns an empty string and every guarded event-handler redirects to the loginEvent. I might change this in the future so you can pass in the roles and whether the user is logged in, but for now it seems to work OK. Let me know what you think! I shall be releasing more action packs in the coming weeks; I am building a "top secret" web app, but a lot of the elements will be released as action packs to the community (well, that is the plan, we shall see how we go!)
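To make the include/exclude/loginEvent logic concrete, here is an added example in CFML script syntax. It is not EventGuard's own code: it is a stand-alone policy component that accepts the same three constructor arguments as the bean definitions above and returns a decision, so you can see exactly what "*", a name list and the role map do, including the redirect-loop edge case with "*". Two things in it are assumptions or go beyond the post: it always lets the loginEvent through (the post does not say whether EventGuard special-cases it, so keep your login handlers in exclude as shown above), and it accepts "admin.*" style prefix patterns in include, which is the wildcard asked about in the comments. Role matching is "any of the listed roles", as the user,admin entries above imply.

```cfml
/**
 * GuardPolicy.cfc - an added example, not EventGuard's own code.
 * Mirrors the three "include" shapes described in the post (written for
 * Lucee / Adobe ColdFusion 9.0.1 or later script syntax).
 *
 *   loginEvent : event-handler unauthorised requests are sent to
 *   include    : "*", a comma list of event-handler names, or an array of
 *                { event, roles } structs (what ColdSpring <list><map> produces)
 *   exclude    : comma list of event-handlers that are never checked
 *
 * Assumption: the loginEvent is always let through so include="*" cannot
 * redirect the login page to itself. Extension beyond the post: "admin.*"
 * in include matches admin.index, admin.view, and so on.
 */
component displayname="GuardPolicy" {

    public any function init(required string loginEvent, required any include, string exclude = "") {
        variables.loginEvent = trim(arguments.loginEvent);
        variables.include    = arguments.include;
        variables.exclude    = toArray(arguments.exclude);
        return this;
    }

    /**
     * Pure decision: returns { allowed: boolean, redirectTo: string }.
     * Identity is passed in so the policy can be exercised outside a cflogin
     * scope; checkCurrentUser() below is the production entry point.
     */
    public struct function check(required string eventName, required boolean isLoggedIn, string userRoles = "") {
        var name  = lCase(trim(arguments.eventName));
        var allow = { allowed = true,  redirectTo = "" };
        var deny  = { allowed = false, redirectTo = variables.loginEvent };

        // Excluded, or the login event-handler itself: never checked (CFML == is case-insensitive)
        if (name == variables.loginEvent || arrayFindNoCase(variables.exclude, name)) {
            return allow;
        }

        var rule = ruleFor(name);
        if (!rule.guarded)         return allow;  // not in include: anonymous access is fine
        if (!arguments.isLoggedIn) return deny;   // guarded: a login is required at minimum

        // Role-guarded: the user must hold at least one of the listed roles
        var have = toArray(arguments.userRoles);
        for (var wanted in toArray(rule.roles)) {
            if (arrayFindNoCase(have, wanted)) return allow;
        }
        return len(rule.roles) ? deny : allow;
    }

    /**
     * Production entry point using the built-ins the post names: getAuthUser()
     * is "" until cfloginuser has run, and each role named by the matching rule
     * is tested individually with isUserInRole().
     */
    public struct function checkCurrentUser(required string eventName) {
        var rule = ruleFor(lCase(trim(arguments.eventName)));
        var held = [];
        for (var role in toArray(rule.roles)) {
            if (isUserInRole(role)) arrayAppend(held, role);
        }
        return check(arguments.eventName, len(getAuthUser()) > 0, arrayToList(held));
    }

    // Find the include rule for an event-handler name; a specific rule beats a bare "*"
    private struct function ruleFor(required string name) {
        var fallback = { guarded = false, roles = "" };
        if (isSimpleValue(variables.include)) {
            // "*" or "admin,profile,userlist": login-only check, no roles involved
            for (var pattern in toArray(variables.include)) {
                if (matches(pattern, arguments.name)) return { guarded = true, roles = "" };
            }
            return fallback;
        }
        for (var entry in variables.include) {
            if (trim(entry.event) == "*") {
                fallback = { guarded = true, roles = entry.roles };
            } else if (matches(entry.event, arguments.name)) {
                return { guarded = true, roles = entry.roles };
            }
        }
        return fallback;
    }

    // "*" matches everything, "admin.*" matches admin.<anything>, otherwise an exact match
    private boolean function matches(required string pattern, required string name) {
        var p = lCase(trim(arguments.pattern));
        if (p == "*") return true;
        if (len(p) > 2 && right(p, 2) == ".*") {
            return left(arguments.name, len(p) - 1) == left(p, len(p) - 1);
        }
        return p == arguments.name;
    }

    // Comma list -> array of trimmed, lower-cased, non-empty items
    private array function toArray(string list = "") {
        var out = [];
        for (var item in listToArray(arguments.list)) {
            if (len(trim(item))) arrayAppend(out, lCase(trim(item)));
        }
        return out;
    }
}
```

The constructor-arg names match the bean definitions above, so any of those definitions will build this component once its class attribute points at wherever you save the CFC. With the role-based bean, a request for admin.usermanager from a user holding only the user role comes back with allowed=false and redirectTo=login, myprofile comes back allowed, and logout is let through even when nobody is logged in. To wire it in, call checkCurrentUser() with the requested event name from a controller that runs before every event (Model-Glue's onRequestStart is the natural place; the exact event-value name and forward call depend on your Model-Glue version, so treat that wiring as an assumption) and forward to redirectTo when allowed is false.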

Tags: coldfusion · coldspring · frameworks

10 responses

  • 1 Sean Corfield // Sep 22, 2008 at 4:13 PM

    Looks nice.

    Do you need the exclude arg if you are specifying include as a list? (since include only protects named events)

    Also, can you specify event as * for the permission based include?

    ColdSpring's import supports mapped paths so you could use /EventGuard there instead of a relative path I believe.
  • 2 Mark Drew // Sep 22, 2008 at 4:13 PM

    you don't need to specify an exclude if you are not using * (obviously) as only named items will be checked for.

    And yes, you can include * as a permission based one. (just did that bit of code :))

    I tried it with Coldspring but it didn't seem to like it for some reason (hence I went back to using the relative path)
  • 3 Chris Scott // Sep 22, 2008 at 4:13 PM

    Very cool Mark! I like the simplicity you have going here. Where / when are you releasing these action packs?
  • 4 Mark Drew // Sep 22, 2008 at 4:13 PM

    @Chris: Thanks! I am just waiting for my project to be accepted to RiaForge and it will be released there, there is a download for this one (hard to spot but it's an enclosure with this blog post) here.

    As to when? well, as I build them for a project I am working on :)


    @Sean: I edited the named events constructor to show that you don't need to add excludes
  • 5 Cutter // Sep 22, 2008 at 4:13 PM

    Nice work Bro! The Model-Glue community needs more action-pack public releases like this. Really helps the uninitiated to review the code to see how things can be done. This will be a very useful tool. Thanks Mark.
  • 6 Mark Drew // Sep 22, 2008 at 4:13 PM

    @Cutter: glad you liked it! Working on the second release (much bigger) in my action pack bonanza :)
  • 7 Henry // Sep 22, 2008 at 4:13 PM

    Nice! Eager to try it out when released.
    Thank you!
  • 8 Mark Drew // Sep 22, 2008 at 4:13 PM

    @Henry: It's released in this post (click download at the bottom of the post) but I have also released it at riaforge: http://eventguard.riaforge.org
  • 9 Jeremie // Oct 27, 2008 at 3:45 AM

    Hi Mark,
    Great job. I work with a lot of stuff you created and I love it!!
    I have a question: Is there a way to specify all events of that kind "admin.index", "admin.view", "admin.list" as "admin.*" in the include tag?
  • 10 Felipe Serrano // Aug 30, 2009 at 11:12 AM

    Hi there,

    Can anyone help me to apply it using a cfquery (the log in process)?

    Thanks guys