Class SecurityComponent
The Security Component creates an easy way to integrate tighter security in your application. It provides methods for various tasks like:
- Restricting which HTTP methods your application accepts.
- Form tampering protection.
- Requiring that SSL be used.
- Limiting cross controller communication.

Cake\Controller\Component implements Cake\Event\EventListenerInterface uses Cake\Core\InstanceConfigTrait, Cake\Log\LogTrait
Extended by Cake\Controller\Component\SecurityComponent
Link: http://book.cakephp.org/3.0/en/controllers/components/security.html
Located at Controller/Component/SecurityComponent.php
Method Detail
_authRequired protected
_authRequired( Cake\Controller\Controller $controller )
Check if authentication is required.
Parameters
- Cake\Controller\Controller $controller: Instantiating controller
Returns
boolean: true if authentication required
_callback protected
_callback( Cake\Controller\Controller $controller , string $method , array $params [] )
Calls a controller callback method.
Parameters
- Cake\Controller\Controller $controller: Controller to run callback on
- string $method: Method to execute
- array $params (optional, default []): Parameters to send to method
Returns
mixed: Controller callback method's response
Throws
Cake\Network\Exception\BadRequestException: When the blackHoleCallback is not callable.
_requireMethod protected
_requireMethod( string $method , array $actions [] )
Sets the actions that require a $method HTTP request, or empty for all actions.
Parameters
- string $method: The HTTP method to assign controller actions to
- array $actions (optional, default []): Controller actions to set the required HTTP method to.
_secureRequired protected
_secureRequired( Cake\Controller\Controller $controller )
Check if access requires secure connection.
Parameters
- Cake\Controller\Controller $controller: Instantiating controller
Returns
boolean: true if secure connection required
_validatePost protected
_validatePost( Cake\Controller\Controller $controller )
Validate submitted form.
Parameters
- Cake\Controller\Controller $controller: Instantiating controller
Returns
boolean: true if submitted form is valid
blackHole public
blackHole( Cake\Controller\Controller $controller , string $error '' )
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error.
Parameters
- Cake\Controller\Controller $controller: Instantiating controller
- string $error (optional, default ''): Error method
Returns
mixed: If specified, controller blackHoleCallback's response, or no return otherwise
Throws
Cake\Network\Exception\BadRequestException
See
SecurityComponent::$blackHoleCallback
Link
http://book.cakephp.org/3.0/en/controllers/components/security.html#handling-blackhole-callbacks
generateToken public
generateToken( Cake\Network\Request $request )
Manually add form tampering prevention token information into the provided request object.
Parameters
- Cake\Network\Request $request: The request object to add into.
Returns
boolean
implementedEvents public
implementedEvents( )
Events supported by this component.
Returns
array
Overrides
Cake\Controller\Component::implementedEvents()
requireAuth public
requireAuth( string|array $actions )
Sets the actions that require whitelisted form submissions.
Adding actions with this method will enforce the restrictions set in SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions.
Parameters
- string|array $actions: Actions list
requireSecure public
requireSecure( string|array $actions null )
Sets the actions that require a request that is SSL-secured, or empty for all actions.
Parameters
- string|array $actions (optional, default null): Actions list
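How requireSecure() combines with the blackHoleCallback, unlockedActions and unlockedFields settings in a controller, as an added example that is not part of the CakePHP documentation or source. OrdersController, its action names, the coupon_code field and onBlackHole() are hypothetical, and the 'secure' error value is an assumption about what the component passes when the SSL check fails.

```php
<?php
// Added illustration; OrdersController, its actions and onBlackHole() are hypothetical.
namespace App\Controller;

use Cake\Event\Event;
use Cake\Network\Exception\BadRequestException;

class OrdersController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        // Keys are the ones listed in $_defaultConfig.
        $this->loadComponent('Security', [
            'blackHoleCallback' => 'onBlackHole',
            // The webhook body comes from a third party and cannot carry the
            // form tamper token; requireSecure() is still enforced for it.
            'unlockedActions' => ['paymentWebhook'],
            // Field injected client-side, so it is excluded from POST validation.
            'unlockedFields' => ['coupon_code'],
        ]);
    }

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        // Runs before the component's startup(), where the checks happen.
        $this->Security->requireSecure(['checkout', 'paymentWebhook']);
    }

    // Must be a callable controller method, otherwise _callback() throws
    // BadRequestException. Receives the $error given to blackHole().
    public function onBlackHole($error = '')
    {
        $this->log('Security blackhole (' . $error . ')', 'warning');
        if ($error === 'secure') { // assumed value for a failed SSL check
            // Plain-HTTP request to an SSL-only action: redirect to HTTPS.
            // SERVER_NAME is used instead of the client-supplied Host header.
            return $this->redirect('https://' . env('SERVER_NAME') . $this->request->here);
        }
        // Tampered or unauthorised form: keep the default 400 response.
        throw new BadRequestException('The request has been black-holed');
    }
}
```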
startup public
startup( Cake\Event\Event $event )
Component startup. All security checking happens here.
Parameters
- Cake\Event\Event $event: An Event instance
Returns
mixed
Methods inherited from Cake\Controller\Component
__construct public
__construct( Cake\Controller\ComponentRegistry $registry , array $config [] )
Constructor.
Parameters
- Cake\Controller\ComponentRegistry $registry: A ComponentRegistry this component can use to lazy load its components
- array $config (optional, default []): Array of configuration settings.
__debugInfo public
__debugInfo( )
Returns an array that can be used to describe the internal state of this object.
Returns
array
__get public
__get( string $name )
Magic method for lazy loading $components.
Parameters
- string $name: Name of component to get.
Returns
mixed: A Component object or null.
initialize public
initialize( array $config )
Constructor hook method.
Implement this method to avoid having to overwrite the constructor and call parent.
Parameters
- array $config: The configuration settings provided to this component.
Methods used from Cake\Core\InstanceConfigTrait
_configDelete protected
_configDelete( string $key )
Delete a single config key.
Parameters
- string $key: Key to delete.
Throws
Cake\Core\Exception\Exception: if attempting to clobber existing config
_configRead protected
_configRead( string|null $key )
Read a config variable.
Parameters
- string|null $key: Key to read.
Returns
mixed
_configWrite protected
_configWrite( string|array $key , mixed $value , boolean|string $merge false )
Write a config variable.
Parameters
- string|array $key: Key to write to.
- mixed $value: Value to write.
- boolean|string $merge (optional, default false): True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.
Throws
Cake\Core\Exception\Exception: if attempting to clobber existing config
config public
config( string|array|null $key null , mixed|null $value null , boolean $merge true )
Usage
Reading the whole config:
$this->config();
Reading a specific value:
$this->config('key');
Reading a nested value:
$this->config('some.nested.key');
Setting a specific value:
$this->config('key', $value);
Setting a nested value:
$this->config('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->config(['one' => 'value', 'another' => 'value']);
Parameters
- string|array|null $key (optional, default null): The key to get/set, or a complete array of configs.
- mixed|null $value (optional, default null): The value to set.
- boolean $merge (optional, default true): Whether to recursively merge or overwrite existing config, defaults to true.
Returns
mixed: Config value being read, or the object itself on write operations.
Throws
Cake\Core\Exception\Exception: When trying to set a key that is invalid.
configShallow public
configShallow( string|array $key , mixed|null $value null )
Merge provided config with existing config. Unlike config(), which does a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
$this->configShallow('key', $value);
Setting a nested value:
$this->configShallow('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters
- string|array $key: The key to set, or a complete array of configs.
- mixed|null $value (optional, default null): The value to set.
Returns
mixed: $this, the object itself.
Methods used from Cake\Log\LogTrait
log public
log( mixed $msg , integer|string $level LogLevel::ERROR , string|array $context [] )
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Parameters
- mixed $msg: Log message.
- integer|string $level (optional, default LogLevel::ERROR): Error level.
- string|array $context (optional, default []): Additional log data relevant to this message.
Returns
boolean: Success of log write.
Properties summary
$_defaultConfig
protected array
Default config
- blackHoleCallback - The controller method that will be called if this request is black-hole'd.
- requireSecure - List of actions that require an SSL-secured connection.
- requireAuth - List of actions that require a valid authentication key.
- allowedControllers - Controllers from which actions of the current controller are allowed to receive requests.
- allowedActions - Actions from which actions of the current controller are allowed to receive requests.
- unlockedFields - Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
- unlockedActions - Actions to exclude from POST validation checks. Other checks like requireAuth(), requireSecure() etc. will still be applied.
- validatePost - Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.
[
    'blackHoleCallback' => null,
    'requireSecure' => [],
    'requireAuth' => [],
    'allowedControllers' => [],
    'allowedActions' => [],
    'unlockedFields' => [],
    'unlockedActions' => [],
    'validatePost' => true
]
Properties inherited from Cake\Controller\Component
$_componentMap
protected array
A component lookup table used to lazy load component objects.
[]
$_registry
protected Cake\Controller\ComponentRegistry
Component registry class used to lazy load components.
Properties used from Cake\Core\InstanceConfigTrait
$_configInitialized
protected boolean
Whether the config property has already been configured with defaults
false
© 2005–2016 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
 http://api.cakephp.org/3.1/class-Cake.Controller.Component.SecurityComponent.html