Introducing EventGuard: Secure your events in Model-Glue

Posted by Mark Drew on code on November 22, 2007

Tagged under frameworks,coldfusion,coldspring

EventGuard is an Action Pack for the Model-Glue framework that allows you to secure your events based whether a user is logged in or using a user’s assigned roles.

On a simple level, it allows you to define which event-handler you will use to carry out the login, and then put a list of event-handler names that you want to protect. EventGuard also allows to define which event-handlers you want to exclude in your security check so that you can perform a blanket wide inclusion using “*“.There are two things to “setup”, include the EventGuard.xml in your ModelGlue.xml file with:

< include template="/EventGuard/config/EventGuard.xml"/>

Where “/EventGuard/” is CF a mapping (recommended since you should keep the ColdSpring.xml file that is included in EventGuard out of your web-root so that people can’t see what you are protecting).

The second part is configuring the EventGuard is to setup the EventGuard Bean in ColdSpring, you can do this by importing it into your own ColdSpring file using the relative path as follows:

The configuration of the EventGuard bean is pretty simple, yet powerful, it is setup by setting the loginevent,include and exclude arguments. The loginevent argument is the event-handler to redirect requests to if they are not allowed to access the requested event-handler. The include argument can take the following:

  • "*": to define ALL event-handlers as secure, you will be redirected to the login event-handler (remember to add any events-hanlders to your exclude argument so you can login!) e.g.: login logout,register,login.action *
  • a list of event-handler names: if any of these are requested and the user is not logged in you will be redirected to the loginevent e.g.: login admin,profile,userlist
  • an array with structures with event and roles: if you want to use roles based permissions you can pass in this array and set a list of permissions for each event-handler e.g. login logout,register,login.action myprofile user,admin addressbook user,admin admin.usermanager admin

And that is it. Your event-handlers should be guarded! If it isn’t too obvious, EventGuard uses getAuthUser() and isUserInRole() to check the permissions. I might change this in the future so you can pass in the roles and whether the user is logged in but for now it seems to work ok.

Let me know what you think! I shall be releasing more action packs in the coming weeks, I am building a “top secret” web app, but a lot of the elements will be released as action packs to the community (well that is the plan, we shall see how we go!)

comments powered by Disqus