Class SecurityComponent

The Security Component creates an easy way to integrate tighter security in your application. It provides methods for various tasks like:

  • Restricting which HTTP methods your application accepts.
  • Form tampering protection
  • Requiring that SSL be used.
  • Limiting cross controller communication.

Class hierarchy:

Cake\Controller\Component (implements Cake\Event\EventListenerInterface; uses Cake\Core\InstanceConfigTrait, Cake\Log\LogTrait)
Extended by Cake\Controller\Component\SecurityComponent

Method Detail

_authRequired protected

_authRequired( Cake\Controller\Controller $controller )

Check if authentication is required

Parameters

Cake\Controller\Controller $controller
Instantiating controller

Returns

boolean
true if authentication required

_callback protected

_callback( Cake\Controller\Controller $controller , string $method , array $params [] )

Calls a controller callback method

Parameters

Cake\Controller\Controller $controller
Controller to run callback on
string $method
Method to execute
array $params optional []
Parameters to send to method

Returns

mixed
Controller callback method's response

Throws

Cake\Network\Exception\BadRequestException
When the blackHoleCallback is not callable.

_requireMethod protected

_requireMethod( string $method , array $actions [] )

Sets the actions that require a $method HTTP request, or empty for all actions

Parameters

string $method
The HTTP method to assign controller actions to
array $actions optional []
Controller actions to set the required HTTP method to.

_secureRequired protected

_secureRequired( Cake\Controller\Controller $controller )

Check if access requires secure connection

Parameters

Cake\Controller\Controller $controller
Instantiating controller

Returns

boolean
true if secure connection required

_validatePost protected

_validatePost( Cake\Controller\Controller $controller )

Validate submitted form

Parameters

Cake\Controller\Controller $controller
Instantiating controller

Returns

boolean
true if submitted form is valid

blackHole public

blackHole( Cake\Controller\Controller $controller , string $error '' )

Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error

Parameters

Cake\Controller\Controller $controller
Instantiating controller
string $error optional ''
Error method

Returns

mixed
If specified, controller blackHoleCallback's response, or no return otherwise

Throws

Cake\Network\Exception\BadRequestException

See

SecurityComponent::$blackHoleCallback

Link

http://book.cakephp.org/3.0/en/controllers/components/security.html#handling-blackhole-callbacks

generateToken public

generateToken( Cake\Network\Request $request )

Manually add form tampering prevention token information into the provided request object.

Parameters

Cake\Network\Request $request
The request object to add into.

Returns

boolean
bool

implementedEvents public

implementedEvents( )

Events supported by this component.

Returns

array
array

Overrides

Cake\Controller\Component::implementedEvents()

requireAuth public

requireAuth( string|array $actions )

Sets the actions that require whitelisted form submissions.

Adding actions with this method will enforce the restrictions set in SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions.

Parameters

string|array $actions
Actions list

requireSecure public

requireSecure( string|array $actions null )

Sets the actions that require a request that is SSL-secured, or empty for all actions

Parameters

string|array $actions optional null
Actions list

startup public

startup( Cake\Event\Event $event )

Component startup. All security checking happens here.

Parameters

Cake\Event\Event $event
An Event instance

Returns

mixed
mixed

Methods inherited from Cake\Controller\Component

__construct public

__construct( Cake\Controller\ComponentRegistry $registry , array $config [] )

Constructor

Parameters

Cake\Controller\ComponentRegistry $registry
A ComponentRegistry this component can use to lazy load its components
array $config optional []
Array of configuration settings.

__debugInfo public

__debugInfo( )

Returns an array that can be used to describe the internal state of this object.

Returns

array
array

__get public

__get( string $name )

Magic method for lazy loading $components.

Parameters

string $name
Name of component to get.

Returns

mixed
A Component object or null.

initialize public

initialize( array $config )

Constructor hook method.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters

array $config
The configuration settings provided to this component.

Methods used from Cake\Core\InstanceConfigTrait

_configDelete protected

_configDelete( string $key )

Delete a single config key

Parameters

string $key
Key to delete.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead protected

_configRead( string|null $key )

Read a config variable

Parameters

string|null $key
Key to read.

Returns

mixed
mixed

_configWrite protected

_configWrite( string|array $key , mixed $value , boolean|string $merge false )

Write a config variable

Parameters

string|array $key
Key to write to.
mixed $value
Value to write.
boolean|string $merge optional false
True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

config public

config( string|array|null $key null , mixed|null $value null , boolean $merge true )

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);

Parameters

string|array|null $key optional null
The key to get/set, or a complete array of configs.
mixed|null $value optional null
The value to set.
boolean $merge optional true
Whether to recursively merge or overwrite existing config, defaults to true.

Returns

mixed
Config value being read, or the object itself on write operations.

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

configShallow public

configShallow( string|array $key , mixed|null $value null )

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key
The key to set, or a complete array of configs.
mixed|null $value optional null
The value to set.

Returns

mixed
$this The object itself.

Methods used from Cake\Log\LogTrait

log public

log( mixed $msg , integer|string $level LogLevel::ERROR , string|array $context [] )

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

mixed $msg
Log message.
integer|string $level optional LogLevel::ERROR
Error level.
string|array $context optional []
Additional log data relevant to this message.

Returns

boolean
Success of log write.

Properties summary

$_action

protected string

Holds the current action of the controller

null

$_defaultConfig

protected array

Default config

  • blackHoleCallback - The controller method that will be called if this request is black-hole'd.
  • requireSecure - List of actions that require an SSL-secured connection.
  • requireAuth - List of actions that require a valid authentication key.
  • allowedControllers - Controllers from which actions of the current controller are allowed to receive requests.
  • allowedActions - Actions from which actions of the current controller are allowed to receive requests.
  • unlockedFields - Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
  • unlockedActions - Actions to exclude from POST validation checks. Other checks like requireAuth(), requireSecure() etc. will still be applied.
  • validatePost - Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.
[
    'blackHoleCallback' => null,
    'requireSecure' => [],
    'requireAuth' => [],
    'allowedControllers' => [],
    'allowedActions' => [],
    'unlockedFields' => [],
    'unlockedActions' => [],
    'validatePost' => true
]
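
The configuration keys above and the blackHole() callback wired into a controller, as an added example (not CakePHP's own code). OrdersController, its action names and the securityFailure method are hypothetical; the 'secure' error string is the value CakePHP 3.x passes to the callback when a requireSecure check fails.

```php
<?php
// Added example: hypothetical controller showing SecurityComponent config.
namespace App\Controller;

use Cake\Event\Event;
use Cake\Network\Exception\BadRequestException;

class OrdersController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Security', [
            // Controller method invoked instead of the default 400 response.
            'blackHoleCallback' => 'securityFailure',
            // A third-party POST cannot carry the form tampering token, so
            // exempt that single action rather than setting validatePost => false.
            // requireSecure() and requireAuth() still apply to it.
            'unlockedActions' => ['paymentWebhook'],
        ]);
    }

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        // Must be set before the component's startup(), where all checks run.
        $this->Security->requireSecure(['checkout', 'paymentWebhook']);
    }

    // Must be public: the component only calls it if it is callable.
    // Receives the $error string that was passed to blackHole().
    public function securityFailure($error = '')
    {
        if ($error === 'secure') {
            // Plain-HTTP request to an action listed in requireSecure.
            return $this->redirect('https://' . env('SERVER_NAME') . $this->request->here);
        }
        // Any other failure (for example a tampered form): log and refuse.
        $action = $this->request->param('action');
        $this->log("Black-holed request ($error) for action $action", 'warning');
        throw new BadRequestException('The request has been black-holed');
    }
}
```

Keeping the non-'secure' branch as a logged 400 preserves the component's default fail-closed behaviour while leaving a record for detection.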

$request

public Cake\Network\Request

Request object

$session

public Cake\Network\Session

The Session object

Properties inherited from Cake\Controller\Component

$_componentMap

protected array

A component lookup table used to lazy load component objects.

[]

$_registry

protected Cake\Controller\ComponentRegistry

Component registry class used to lazy load components.

$components

public array

Other Components this component uses.

[]

$response

public Cake\Network\Response

Response object

Properties used from Cake\Core\InstanceConfigTrait

$_config

protected array

Runtime config

[]

$_configInitialized

protected boolean

Whether the config property has already been configured with defaults

false

© 2005–2016 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
http://api.cakephp.org/3.1/class-Cake.Controller.Component.SecurityComponent.html