CBSecurity / CBAuth question -- we've got an app where if the user types in the wrong password, CBAuth is throwing an "InvalidCredentials" exception. However the cbSecurity module settings in ColdBox.cfc is looking for a setting called "invalidAuthenticationEvent"....which kind of implies the exception it's looking for is actually "InvalidAuthentication", not "InvalidCredentials". And since the exception types aren't the same, our "invalidAuthenticationEvent" ColdBox event never fires. This works:

try
		{
			var userObj = AuthService.authenticate(username=rc.email, password=EncryptionService.hashPassword(rc.password));
		}
		catch( ex )
		{
			if( ex.type eq "InvalidCredentials" )
			{
				relocate( event="auth/onInvalidLogin", persistStruct={ errMsg: "something bad happened!" } );
			}
			
		}

...but that seems like the long way around the problem. Trying to figure out why our "invalidAuthenticationEvent' isn't firing off. Suggestions welcome. Thanks.

Hmm good question. Can you dump whatever the

ex

is outputting in your catch OR remove your If logic in your catch to see if it passes through and triggers the invalidAuthenticationEvent by default.

Hi Nolan, I think there is a not so obvious reason for that. cbsecurity has two security mechanisms, the handler/method annotations ( secured or secured-“somePermission” ) or permissions rules. In both cases your method or handler has to be protected so the invalidAuthentication or invalidAuthorization actions can be executed, which eventually lead to a relocate or override. I guess your

dologin

action has no cbsecurity protection (otherwise you can not even access it), and on executing your authenticate call the cbauth authenticationservice will call getUserService().isValidCredentials and if this is false it will throw the InvalidCredentials exception.

Why would a doLogin() method ever have cbsecurity protection? It's code that runs before someone is logged in? What am I missing here?

Tehnically the cbauth module knows nothing about the cbsecurity settings so your authentication server cannot even send it to our inValidAuthentication event. It shouldn’t be to difficult though to write your own authentication service which reads this cbsecurity settings and redirects/overwrites based on your preferences. But I guess it is a lot easier to just write one try / catch 🙂

I think we're talking about different things. I'm trying go log someone in. Not worried about secured pages yet....literally just trying to get the user to log in successfully, or throw the correct exception when they type in the wrong password. According to the cbSecurity docs, I should use the "invalidAuthenticationEvent" setting in ColdBox.cfc to specify my event. Currently I have that set to "auth.onInvalidLogin". ....but this event never runs. I've tried setting invalidAuthenticationEvent" to various things, none of them fire. It seems like that setting in cbSecurity doesn't actually do anything.

So what happens if your user is NOT logged in yet and you are trying to access a secured page? In that case you will get your invalidAuthenticationEvent

But I want the invalidCredentials thing to fire. The setting name is "invalidAuthenticationEvent"....which sounds like it should be running long before any "Authorization" things happen. I understand this is happening in cbAuth's AuthenticationService, not cbSecurity (though the setting "invalidAuthenticationEvent" is part of cbSecurity's stuff in ColdBox.cfc). Let me back up for a sec...when should the "invalidAuthenticationEvent" actually fire? To me, I think it should run when a user types in the wrong username/password on the "login" page....I'll have code there that calls authService.authenticate( username, password )....and according to the docs, if those credentials are wrong, it should throw an exception and run whatever ColdBox action I have defined in "invalidAuthenticationEvent". Is that correct?

Well, I don’t know what the docs say exactly, let me read it for a few seconds. But it certainly doesn’t fire the invalidAuthenticationEvent on invalid credentials. If the docs says so, they are wrong.

// The global invalid authentication event or URI or URL to go if an invalid authentication occurs

is what

invalidAuthenticationEvent

is commented. To me that means if you do NOT try to catch anything then it fires that event.

but that’s only true if your page is secured. that’s the whole point

Wouldnt the page not being secured fall under "invalidAuthorizationEvent" not "invalidAuthenticationEvent"

No! this whole page knows nothing about cbsecurity.\

but it's not actually sending anything to the "invalidAuthentication" event. That's my whole problem. 🙂 this setting appears to be ignored.

Nolan- I think you are all good, you can disregard that module setting "default" and utilize as you have in that working example.

I don't have a working example. 🙂

You just showed code and titled it "This works"

"invalidAuthenticationEvent" never fires....no matter what ColdBox event I set it to.

The invalidAuthentication event only gets ignored on the login page. If you try to access any secured event it will definitely fire. Just try to go to a secured page and see where you are going.

Why would "invalidAuthentication" fire on any secured event? That's an authorization issue, not an authentication issue.

Nope, both. It is really buried in the code, but on processing the rules it is first checking if the user is logged in. If not it will do the InvalidAuthentication. If you continue but have invalid permissions it will fire the InvalidAuthorization.

Okay so if I'm understanding you correctly, any machinery I want to write for handling "someone tried to use the wrong credentials" is up to me? And cbAuth doesn't actually provide code to help with that. Is that correct?

What datea are you looking for in the “someone tried to use the wrong credentials”?

I was under the impression that cbAuth's AuthService.authenticate() would have settings so that "invalid login" also flows thru the cbAuth path the same way a "valid login" does. But it sounds like that's not the case.

It has this stupid exception. If you don’t want that, just change the code. One extra line and it works probably the way you want.

I've been using cbautho.authenticationservice this whole time. :) I agree, they should work together differently. It's weird that "invalid credentials" isn't handled the same way as other situations.

I have worked with Wil and asked lots of advice as he prob knows heh. But I would suggest giving a look at the ContentBox authentication setup and cut out a lot of the extras and should make sense. But your example code should do the trick.

Yeah my original code works...it just seemed like we're going about it the long way. I was expecting cbAuth to handle "invalid login" internally, without needing me to write try/catch blocks and handle it myself.

there’s a authenticate method which says:

if ( !getUserService().isValidCredentials( arguments.username, arguments.password ) ) {
            variables.interceptorService.processState(
                "onInvalidCredentials",
                {
                    "username" : arguments.username,
                    "password" : arguments.password
                }
            );
            throw( type = "InvalidCredentials", message = "Incorrect Credentials Entered" );
        }

if you would prepend this with this line, I think you would have your desired workflow:

if ( !getUserService().isValidCredentials( arguments.username, arguments.password ) ) return;

the only thing is that you don’t return a valid authenticated user here. But that makes sense if your credentials are in code

Yea I also utilize the interception points, quite helpful.

I think I spent more time writing blog posts on cbsecurity, explaining people about cbsecurity, fixing bugs in cbsecurity than in writing my own security system instead (which I did long ago before cbsecurity was there). I even hacked cbsecurity to work together with JWT before there was a JWTService

Thanks for the help, gents!

Just FYI: cbauth used to work together with cbguard where cbguard was for annotation based permissions and cbauth for authentication. cbsecurity used to work with rules and your own authentication mechanisms Some versions later a lot of functionality was added to cbsecurity including any authentication service based on the cbauth interface and a jwt service for tokens. Although it it more flexible now it certainly is not easier now…