The Security Component creates an easy way to integrate tighter security in your application. It provides methods for various tasks like:
$_action
protected string
$allowedActions
public array
Actions from which actions of the current controller are allowed to receive requests.
$allowedControllers
public array
Controllers from which actions of the current controller are allowed to receive requests.
$blackHoleCallback
public string
$components
public array
$csrfCheck
public boolean
$csrfExpires
public string
The duration from when a CSRF token is created that it will expire on. Each form/page request will generate a new token that can only be submitted once unless it expires. Can be any value compatible with strtotime()
$csrfLimit
public integer
Control the number of tokens a user can keep open. This is most useful with one-time use tokens. Since new tokens are created on each request, having a hard limit on the number of open tokens can be useful in controlling the size of the session file.
$csrfUseOnce
public boolean
Controls whether or not CSRF tokens are use and burn. Set to false to not generate new tokens on each request. One token will be reused until it expires. This reduces the chances of users getting invalid requests because of token consumption. It has the side effect of making CSRF less secure, as tokens are reusable.
$disabledFields
public array
$request
public $requireAuth
public array
$requireDelete
public array
$requireGet
public array
$requirePost
public array
$requirePut
public array
$requireSecure
public array
$unlockedActions
public array
Actions to exclude from CSRF and POST validation checks. Other checks like requireAuth(), requireSecure(), requirePost(), requireGet() etc. will still be applied.
$unlockedFields
public array
Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
$validatePost
public boolean
Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.
Expire CSRF nonces and remove them from the valid tokens. Uses a simple timeout to expire the tokens.
Validate that the controller has a CSRF token in the POST data and that the token is legit/not expired. If the token is valid it will be removed from the list of valid tokens.
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
_authRequired( Controller $controller )
Check if authentication is required
Controller
$controller
_callback( Controller $controller , string $method , array $params array() )
Calls a controller callback method
Controller
$controller
$method
$params
optional array() BadRequestException
_expireTokens( array $tokens )
Expire CSRF nonces and remove them from the valid tokens. Uses a simple timeout to expire the tokens.
$tokens
_methodsRequired( Controller $controller )
Check if HTTP methods are required
Controller
$controller
_requireMethod( string $method , array $actions array() )
Sets the actions that require a $method HTTP request, or empty for all actions
$method
$actions
optional array() _secureRequired( Controller $controller )
Check if access requires secure connection
Controller
$controller
_validateCsrf( Controller $controller )
Validate that the controller has a CSRF token in the POST data and that the token is legit/not expired. If the token is valid it will be removed from the list of valid tokens.
Controller
$controller
_validatePost( Controller $controller )
Validate submitted form
Controller
$controller
blackHole( Controller $controller , string $error '' )
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
Controller
$controller
$error
optional '' BadRequestException
generateToken( CakeRequest $request )
Manually add CSRF token information into the provided request object.
CakeRequest
$request
requireAuth( )
Sets the actions that require whitelisted form submissions.
Adding actions with this method will enforce the restrictions set in SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions.
requireDelete( )
Sets the actions that require a DELETE request, or empty for all actions
requireGet( )
Sets the actions that require a GET request, or empty for all actions
requirePost( )
Sets the actions that require a POST request, or empty for all actions
requirePut( )
Sets the actions that require a PUT request, or empty for all actions
requireSecure( )
Sets the actions that require a request that is SSL-secured, or empty for all actions
startup( Controller $controller )
Component startup. All security checking happens here.
Controller
$controller
Component::startup()
__construct( ComponentCollection $collection , array $settings array() )
Constructor
ComponentCollection
$collection
$settings
optional array() CakeObject::__construct()
__get( string $name )
Magic method for lazy loading $components.
$name
beforeRedirect( Controller $controller , string|array $url , integer $status null , boolean $exit true )
Called before Controller::redirect(). Allows you to replace the URL that will be redirected to with a new URL. The return of this method can either be an array or a string.
If the return is an array and contains a 'url' key. You may also supply the following:
status
The status code for the redirectexit
Whether or not the redirect should exit.If your response is a string or an array that does not contain a 'url' key it will be used as the new URL to redirect to.
Controller
$controller
$url
$status
optional null $exit
optional true beforeRender( Controller $controller )
Called before the Controller::beforeRender(), and before the view class is loaded, and before Controller::render()
Controller
$controller
initialize( Controller $controller )
Called before the Controller::beforeFilter().
Controller
$controller
shutdown( Controller $controller )
Called after Controller::render() and before the output is printed to the browser.
Controller
$controller
_mergeVars( array $properties , string $class , boolean $normalize true )
Merges this objects $property with the property in $class' definition. This classes value for the property will be merged on top of $class'
This provides some of the DRY magic CakePHP provides. If you want to shut it off, redefine this method as an empty function.
$properties
$class
$normalize
optional true _set( array $properties array() )
Allows setting of multiple properties of the object in a single line of code. Will only set properties that are part of a class declaration.
$properties
optional array() _stop( integer|string $status 0 )
Stop execution of the current script. Wraps exit() making testing easier.
$status
optional 0 dispatchMethod( string $method , array $params array() )
Calls a method on this object with the given parameters. Provides an OO wrapper for call_user_func_array
$method
$params
optional array() log( string $msg , integer $type LOG_ERR , null|string|array $scope null )
Convenience method to write a message to CakeLog. See CakeLog::write() for more information on writing to logs.
$msg
$type
optional LOG_ERR $scope
optional null The scope(s) a log message is being created in. See CakeLog::config() for more information on logging scopes.
requestAction( string|array $url , array $extra array() )
Calls a controller's method from any location. Can be used to connect controllers together or tie plugins into a main application. requestAction can be used to return rendered views or fetch the return value from controller actions.
Under the hood this method uses Router::reverse() to convert the $url parameter into a string URL. You should use URL formats that are compatible with Router::reverse()
POST and GET data can be simulated in requestAction. Use $extra['url']
for GET data. The $extra['data']
parameter allows POST data simulation.
$url
String or array-based URL. Unlike other URL arrays in CakePHP, this URL will not automatically handle passed and named arguments in the $url parameter.
$extra
optional array() if array includes the key "return" it sets the AutoRender to true. Can also be used to submit GET/POST data, and named/passed arguments.
Boolean true or false on success/failure, or contents of rendered action if 'return' is set in $extra.
toString( )
CakeObject-to-string conversion. Each class can override this method as necessary.
public array
Actions from which actions of the current controller are allowed to receive requests.
array()
public array
Controllers from which actions of the current controller are allowed to receive requests.
array()
public string
The controller method that will be called if this request is black-hole'd
null
public boolean
Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
true
public string
The duration from when a CSRF token is created that it will expire on. Each form/page request will generate a new token that can only be submitted once unless it expires. Can be any value compatible with strtotime()
'+30 minutes'
public integer
Control the number of tokens a user can keep open. This is most useful with one-time use tokens. Since new tokens are created on each request, having a hard limit on the number of open tokens can be useful in controlling the size of the session file.
When tokens are evicted, the oldest ones will be removed, as they are the most likely to be dead/expired.
100
public boolean
Controls whether or not CSRF tokens are use and burn. Set to false to not generate new tokens on each request. One token will be reused until it expires. This reduces the chances of users getting invalid requests because of token consumption. It has the side effect of making CSRF less secure, as tokens are reusable.
true
public array
Deprecated property, superseded by unlockedFields.
array()
public array
List of actions that require a valid authentication key
array()
public array
List of controller actions for which a DELETE request is required
array()
public array
List of controller actions for which a GET request is required
array()
public array
List of controller actions for which a POST request is required
array()
public array
List of controller actions for which a PUT request is required
array()
public array
List of actions that require an SSL-secured connection
array()
public array
Actions to exclude from CSRF and POST validation checks. Other checks like requireAuth(), requireSecure(), requirePost(), requireGet() etc. will still be applied.
array()
public array
Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
array()
public boolean
Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.
true
© 2005–2016 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/2.9/class-SecurityComponent.html