Class SecurityComponent

The Security Component creates an easy way to integrate tighter security in your application. It provides methods for these tasks:

  • Form tampering protection.
  • Requiring that SSL be used.
Namespace: Cake\Controller\Component

Constants summary

  • string
    DEFAULT_EXCEPTION_MESSAGE
    'The request has been black-holed'

Properties summary

  • $_action protected
    string

    Holds the current action of the controller

  • $_componentMap protected
    array

    A component lookup table used to lazy load component objects.

  • $_config protected
    array

    Runtime config

  • $_configInitialized protected
    bool

    Whether the config property has already been configured with defaults

  • $_defaultConfig protected
    array

    Default config

  • $_registry protected
    \Cake\Controller\ComponentRegistry

    Component registry class used to lazy load components.

  • $components public
    array

    Other Components this component uses.

Method Summary

  • __construct() public

    Constructor

  • __debugInfo() public

    Returns an array that can be used to describe the internal state of this object.

  • __get() public

    Magic method for lazy loading $components.

  • _callback() protected

    Calls a controller callback method

  • _configDelete() protected

    Deletes a single config key.

  • _configRead() protected

    Reads a config key.

  • _configWrite() protected

    Writes a config key.

  • _debugCheckFields() protected

    Iterates data array to check against expected

  • _debugExpectedFields() protected

    Generate debug message for the expected fields

  • _debugPostTokenNotMatching() protected

    Create a message for humans to understand why Security token is not matching

  • _fieldsList() protected

    Return the fields list for the hash calculation

  • _hashParts() protected

    Return hash parts for the Token generation

  • _matchExistingFields() protected

    Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset

  • _secureRequired() protected

    Check if access requires secure connection

  • _sortedUnlocked() protected

    Get the sorted unlocked string

  • _throwException() protected

    Check debug status and throw an Exception based on the existing one

  • _unlocked() protected

    Get the unlocked string

  • _validToken() protected

    Check if token is valid

  • _validatePost() protected

    Validate submitted form

  • blackHole() public

    Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error

  • configShallow() public

    Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

  • generateToken() public

    Manually add form tampering prevention token information into the provided request object.

  • getConfig() public

    Returns the config.

  • getConfigOrFail() public

    Returns the config for this specific key.

  • getController() public

    Get the controller this component is bound to.

  • implementedEvents() public

    Events supported by this component.

  • initialize() public

    Constructor hook method.

  • log() public

    Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

  • requireSecure() public

    Sets the actions that require a request that is SSL-secured, or empty for all actions

  • setConfig() public

    Sets the config.

  • startup() public

    Component startup. All security checking happens here.

Method Detail

__construct() public 

__construct(\Cake\Controller\ComponentRegistry $registry, array $config)

Constructor

Parameters

\Cake\Controller\ComponentRegistry $registry

A component registry this component can use to lazy load its components.

array $config optional

Array of configuration settings.

__debugInfo() public 

__debugInfo()

Returns an array that can be used to describe the internal state of this object.

Returns

array

__get() public 

__get(string $name)

Magic method for lazy loading $components.

Parameters

string $name

Name of component to get.

Returns

\Cake\Controller\Component|null

A Component object or null.

_callback() protected 

_callback(\Cake\Controller\Controller $controller, string $method, array $params)

Calls a controller callback method

Parameters

\Cake\Controller\Controller $controller

Instantiating controller

string $method

Method to execute

array $params optional

Parameters to send to method

Returns

mixed

Controller callback method's response

Throws

Cake\Http\Exception\BadRequestException
When a the blackholeCallback is not callable.

_configDelete() protected 

_configDelete(string $key)

Deletes a single config key.

Parameters

string $key

Key to delete.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead() protected 

_configRead(?string $key)

Reads a config key.

Parameters

string|null $key

Key to read.

Returns

mixed

_configWrite() protected 

_configWrite(mixed $key, mixed $value, mixed $merge)

Writes a config key.

Parameters

string|array $key

Key to write to.

mixed $value

Value to write.

bool|string $merge optional

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_debugCheckFields() protected 

_debugCheckFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage, string $missingMessage)

Iterates data array to check against expected

Parameters

array $dataFields

Fields array, containing the POST data fields

array $expectedFields optional

Fields array, containing the expected fields we should have in POST

string $intKeyMessage optional

Message string if unexpected found in data fields indexed by int (not protected)

string $stringKeyMessage optional

Message string if tampered found in data fields indexed by string (protected).

string $missingMessage optional

Message string if missing field

Returns

string[]

Messages

_debugExpectedFields() protected 

_debugExpectedFields(array $expectedFields, string $missingMessage)

Generate debug message for the expected fields

Parameters

array $expectedFields optional

Expected fields

string $missingMessage optional

Message template

Returns

string|null

Error message about expected fields

_debugPostTokenNotMatching() protected 

_debugPostTokenNotMatching(\Cake\Controller\Controller $controller, array $hashParts)

Create a message for humans to understand why Security token is not matching

Parameters

\Cake\Controller\Controller $controller

Instantiating controller

array $hashParts

Elements used to generate the Token hash

Returns

string

Message explaining why the tokens are not matching

_fieldsList() protected 

_fieldsList(array $check)

Return the fields list for the hash calculation

Parameters

array $check

Data array

Returns

array

_hashParts() protected 

_hashParts(\Cake\Controller\Controller $controller)

Return hash parts for the Token generation

Parameters

\Cake\Controller\Controller $controller

Instantiating controller

Returns

string[]

_matchExistingFields() protected 

_matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage)

Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset

Parameters

array $dataFields

Fields array, containing the POST data fields

array $expectedFields

Fields array, containing the expected fields we should have in POST

string $intKeyMessage

Message string if unexpected found in data fields indexed by int (not protected)

string $stringKeyMessage

Message string if tampered found in data fields indexed by string (protected)

Returns

string[]

Error messages

_secureRequired() protected 

_secureRequired(\Cake\Controller\Controller $controller)

Check if access requires secure connection

Parameters

\Cake\Controller\Controller $controller

Instantiating controller

Throws

Cake\Controller\Exception\SecurityException

_sortedUnlocked() protected 

_sortedUnlocked(array $data)

Get the sorted unlocked string

Parameters

array $data

Data array

Returns

string

_throwException() protected 

_throwException(?\Cake\Controller\Exception\SecurityException $exception)

Check debug status and throw an Exception based on the existing one

Parameters

\Cake\Controller\Exception\SecurityException|null $exception optional

Additional debug info describing the cause

Throws

Cake\Http\Exception\BadRequestException

_unlocked() protected 

_unlocked(array $data)

Get the unlocked string

Parameters

array $data

Data array

Returns

string

_validToken() protected 

_validToken(\Cake\Controller\Controller $controller)

Check if token is valid

Parameters

\Cake\Controller\Controller $controller

Instantiating controller

Returns

string

fields token

Throws

Cake\Controller\Exception\SecurityException

_validatePost() protected 

_validatePost(\Cake\Controller\Controller $controller)

Validate submitted form

Parameters

\Cake\Controller\Controller $controller

Instantiating controller

Throws

Cake\Controller\Exception\AuthSecurityException

blackHole() public 

blackHole(\Cake\Controller\Controller $controller, string $error, ?\Cake\Controller\Exception\SecurityException $exception)

Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error

Parameters

\Cake\Controller\Controller $controller

Instantiating controller

string $error optional

Error method

\Cake\Controller\Exception\SecurityException|null $exception optional

Additional debug info describing the cause

Returns

mixed

If specified, controller blackHoleCallback's response, or no return otherwise

Throws

Cake\Http\Exception\BadRequestException

See Also

\Cake\Controller\Component\SecurityComponent::$blackHoleCallback

Links

https://book.cakephp.org/4/en/controllers/components/security.html#handling-blackhole-callbacks

configShallow() public 

configShallow(mixed $key, mixed $value)

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

Returns

$this

generateToken() public 

generateToken(\Cake\Http\ServerRequest $request)

Manually add form tampering prevention token information into the provided request object.

Parameters

\Cake\Http\ServerRequest $request

The request object to add into.

Returns

\Cake\Http\ServerRequest

The modified request.

getConfig() public 

getConfig(?string $key, mixed $default)

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key optional

The key to get or null for the whole config.

mixed $default optional

The return value when the key does not exist.

Returns

mixed

Configuration data at the named key or null if the key does not exist.

getConfigOrFail() public 

getConfigOrFail(string $key)

Returns the config for this specific key.

The config value for this key must exist, it can never be null.

Parameters

string $key

The key to get.

Returns

mixed

Configuration data at the named key

Throws

InvalidArgumentException

getController() public 

getController()

Get the controller this component is bound to.

Returns

\Cake\Controller\Controller

The bound controller.

implementedEvents() public 

implementedEvents()

Events supported by this component.

Returns

array

initialize() public 

initialize(array $config)

Constructor hook method.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters

array $config

The configuration settings provided to this component.

log() public 

log(string $message, mixed $level, mixed $context)

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

string $message

Log message.

int|string $level optional

Error level.

string|array $context optional

Additional log data relevant to this message.

Returns

bool

Success of log write.

requireSecure() public 

requireSecure(mixed $actions)

Sets the actions that require a request that is SSL-secured, or empty for all actions

Parameters

string|string[]|null $actions optional

Actions list

setConfig() public 

setConfig(mixed $key, mixed $value, mixed $merge)

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

bool $merge optional

Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

startup() public 

startup(\Cake\Event\EventInterface $event)

Component startup. All security checking happens here.

Parameters

\Cake\Event\EventInterface $event

An Event instance

Returns

\Cake\Http\Response|null

Property Detail

$_action protected

Holds the current action of the controller

Type

string

$_componentMap protected

A component lookup table used to lazy load component objects.

Type

array

$_config protected

Runtime config

Type

array

$_configInitialized protected

Whether the config property has already been configured with defaults

Type

bool

$_defaultConfig protected

Default config

  • blackHoleCallback - The controller method that will be called if this request is black-hole'd.
  • requireSecure - List of actions that require an SSL-secured connection.
  • unlockedFields - Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
  • unlockedActions - Actions to exclude from POST validation checks. Other checks like requireSecure() etc. will still be applied.
  • validatePost - Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.

Type

array

$_registry protected

Component registry class used to lazy load components.

Type

\Cake\Controller\ComponentRegistry

$components public

Other Components this component uses.

Type

array

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.0/class-Cake.Controller.Component.SecurityComponent.html