Class SecurityComponent
The Security Component creates an easy way to integrate tighter security in your application. It provides methods for these tasks:
- Form tampering protection.
- Requiring that SSL be used.
Constants summary
-
string
DEFAULT_EXCEPTION_MESSAGE'The request has been black-holed'
Properties summary
- $_action protected
string
Holds the current action of the controller
- $_componentMap protected
array
A component lookup table used to lazy load component objects.
- $_config protected
array
Runtime config
- $_configInitialized protected
bool
Whether the config property has already been configured with defaults
- $_defaultConfig protected
array
Default config
- $_registry protected
\Cake\Controller\ComponentRegistry
Component registry class used to lazy load components.
- $components public
array
Other Components this component uses.
Method Summary
- __debugInfo() public
Returns an array that can be used to describe the internal state of this object.
- _debugPostTokenNotMatching() protected
Create a message for humans to understand why Security token is not matching
- _matchExistingFields() protected
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
- blackHole() public
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
- configShallow() public
Merge provided config with existing config. Unlike
config()
which does a recursive merge for nested keys, this method does a simple merge. - generateToken() public
Manually add form tampering prevention token information into the provided request object.
- log() public
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
- requireSecure() public
Sets the actions that require a request that is SSL-secured, or empty for all actions
Method Detail
__construct() public
__construct(\Cake\Controller\ComponentRegistry $registry, array $config)
Constructor
Parameters
-
\Cake\Controller\ComponentRegistry
$registry A component registry this component can use to lazy load its components.
-
array
$config optional Array of configuration settings.
__debugInfo() public
__debugInfo()
Returns an array that can be used to describe the internal state of this object.
Returns
array
__get() public
__get(string $name)
Magic method for lazy loading $components.
Parameters
-
string
$name Name of component to get.
Returns
\Cake\Controller\Component|null
A Component object or null.
_callback() protected
_callback(\Cake\Controller\Controller $controller, string $method, array $params)
Calls a controller callback method
Parameters
-
\Cake\Controller\Controller
$controller Instantiating controller
-
string
$method Method to execute
-
array
$params optional Parameters to send to method
Returns
mixed
Controller callback method's response
Throws
Cake\Http\Exception\BadRequestException
When a the blackholeCallback is not callable.
_configDelete() protected
_configDelete(string $key)
Deletes a single config key.
Parameters
-
string
$key Key to delete.
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config
_configRead() protected
_configRead(?string $key)
Reads a config key.
Parameters
-
string|null
$key Key to read.
Returns
mixed
_configWrite() protected
_configWrite(mixed $key, mixed $value, mixed $merge)
Writes a config key.
Parameters
-
string|array
$key Key to write to.
-
mixed
$value Value to write.
-
bool|string
$merge optional True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config
_debugCheckFields() protected
_debugCheckFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage, string $missingMessage)
Iterates data array to check against expected
Parameters
-
array
$dataFields Fields array, containing the POST data fields
-
array
$expectedFields optional Fields array, containing the expected fields we should have in POST
-
string
$intKeyMessage optional Message string if unexpected found in data fields indexed by int (not protected)
-
string
$stringKeyMessage optional Message string if tampered found in data fields indexed by string (protected).
-
string
$missingMessage optional Message string if missing field
Returns
string[]
Messages
_debugExpectedFields() protected
_debugExpectedFields(array $expectedFields, string $missingMessage)
Generate debug message for the expected fields
Parameters
-
array
$expectedFields optional Expected fields
-
string
$missingMessage optional Message template
Returns
string|null
Error message about expected fields
_debugPostTokenNotMatching() protected
_debugPostTokenNotMatching(\Cake\Controller\Controller $controller, array $hashParts)
Create a message for humans to understand why Security token is not matching
Parameters
-
\Cake\Controller\Controller
$controller Instantiating controller
-
array
$hashParts Elements used to generate the Token hash
Returns
string
Message explaining why the tokens are not matching
_fieldsList() protected
_fieldsList(array $check)
Return the fields list for the hash calculation
Parameters
-
array
$check Data array
Returns
array
_hashParts() protected
_hashParts(\Cake\Controller\Controller $controller)
Return hash parts for the Token generation
Parameters
-
\Cake\Controller\Controller
$controller Instantiating controller
Returns
string[]
_matchExistingFields() protected
_matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage)
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
Parameters
-
array
$dataFields Fields array, containing the POST data fields
-
array
$expectedFields Fields array, containing the expected fields we should have in POST
-
string
$intKeyMessage Message string if unexpected found in data fields indexed by int (not protected)
-
string
$stringKeyMessage Message string if tampered found in data fields indexed by string (protected)
Returns
string[]
Error messages
_secureRequired() protected
_secureRequired(\Cake\Controller\Controller $controller)
Check if access requires secure connection
Parameters
-
\Cake\Controller\Controller
$controller Instantiating controller
Throws
Cake\Controller\Exception\SecurityException
_sortedUnlocked() protected
_sortedUnlocked(array $data)
Get the sorted unlocked string
Parameters
-
array
$data Data array
Returns
string
_throwException() protected
_throwException(?\Cake\Controller\Exception\SecurityException $exception)
Check debug status and throw an Exception based on the existing one
Parameters
-
\Cake\Controller\Exception\SecurityException|null
$exception optional Additional debug info describing the cause
Throws
Cake\Http\Exception\BadRequestException
_unlocked() protected
_unlocked(array $data)
Get the unlocked string
Parameters
-
array
$data Data array
Returns
string
_validToken() protected
_validToken(\Cake\Controller\Controller $controller)
Check if token is valid
Parameters
-
\Cake\Controller\Controller
$controller Instantiating controller
Returns
string
fields token
Throws
Cake\Controller\Exception\SecurityException
_validatePost() protected
_validatePost(\Cake\Controller\Controller $controller)
Validate submitted form
Parameters
-
\Cake\Controller\Controller
$controller Instantiating controller
Throws
Cake\Controller\Exception\AuthSecurityException
blackHole() public
blackHole(\Cake\Controller\Controller $controller, string $error, ?\Cake\Controller\Exception\SecurityException $exception)
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
Parameters
-
\Cake\Controller\Controller
$controller Instantiating controller
-
string
$error optional Error method
-
\Cake\Controller\Exception\SecurityException|null
$exception optional Additional debug info describing the cause
Returns
mixed
If specified, controller blackHoleCallback's response, or no return otherwise
Throws
Cake\Http\Exception\BadRequestException
See Also
Links
configShallow() public
configShallow(mixed $key, mixed $value)
Merge provided config with existing config. Unlike config()
which does a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
$this->configShallow('key', $value);
Setting a nested value:
$this->configShallow('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters
-
string|array
$key The key to set, or a complete array of configs.
-
mixed|null
$value optional The value to set.
Returns
$this
generateToken() public
generateToken(\Cake\Http\ServerRequest $request)
Manually add form tampering prevention token information into the provided request object.
Parameters
-
\Cake\Http\ServerRequest
$request The request object to add into.
Returns
\Cake\Http\ServerRequest
The modified request.
getConfig() public
getConfig(?string $key, mixed $default)
Returns the config.
Usage
Reading the whole config:
$this->getConfig();
Reading a specific value:
$this->getConfig('key');
Reading a nested value:
$this->getConfig('some.nested.key');
Reading with default value:
$this->getConfig('some-key', 'default-value');
Parameters
-
string|null
$key optional The key to get or null for the whole config.
-
mixed
$default optional The return value when the key does not exist.
Returns
mixed
Configuration data at the named key or null if the key does not exist.
getConfigOrFail() public
getConfigOrFail(string $key)
Returns the config for this specific key.
The config value for this key must exist, it can never be null.
Parameters
-
string
$key The key to get.
Returns
mixed
Configuration data at the named key
Throws
InvalidArgumentException
getController() public
getController()
Get the controller this component is bound to.
Returns
\Cake\Controller\Controller
The bound controller.
implementedEvents() public
implementedEvents()
Events supported by this component.
Returns
array
initialize() public
initialize(array $config)
Constructor hook method.
Implement this method to avoid having to overwrite the constructor and call parent.
Parameters
-
array
$config The configuration settings provided to this component.
log() public
log(string $message, mixed $level, mixed $context)
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Parameters
-
string
$message Log message.
-
int|string
$level optional Error level.
-
string|array
$context optional Additional log data relevant to this message.
Returns
bool
Success of log write.
requireSecure() public
requireSecure(mixed $actions)
Sets the actions that require a request that is SSL-secured, or empty for all actions
Parameters
-
string|string[]|null
$actions optional Actions list
setConfig() public
setConfig(mixed $key, mixed $value, mixed $merge)
Sets the config.
Usage
Setting a specific value:
$this->setConfig('key', $value);
Setting a nested value:
$this->setConfig('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->setConfig(['one' => 'value', 'another' => 'value']);
Parameters
-
string|array
$key The key to set, or a complete array of configs.
-
mixed|null
$value optional The value to set.
-
bool
$merge optional Whether to recursively merge or overwrite existing config, defaults to true.
Returns
$this
Throws
Cake\Core\Exception\Exception
When trying to set a key that is invalid.
startup() public
startup(\Cake\Event\EventInterface $event)
Component startup. All security checking happens here.
Parameters
-
\Cake\Event\EventInterface
$event An Event instance
Returns
\Cake\Http\Response|null
Property Detail
$_action protected
Holds the current action of the controller
Type
string
$_componentMap protected
A component lookup table used to lazy load component objects.
Type
array
$_config protected
Runtime config
Type
array
$_configInitialized protected
Whether the config property has already been configured with defaults
Type
bool
$_defaultConfig protected
Default config
-
blackHoleCallback
- The controller method that will be called if this request is black-hole'd. -
requireSecure
- List of actions that require an SSL-secured connection. -
unlockedFields
- Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked. -
unlockedActions
- Actions to exclude from POST validation checks. Other checks like requireSecure() etc. will still be applied. -
validatePost
- Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.
Type
array
$_registry protected
Component registry class used to lazy load components.
Type
\Cake\Controller\ComponentRegistry
$components public
Other Components this component uses.
Type
array
© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.1/class-Cake.Controller.Component.SecurityComponent.html