Docs4dev
Docs
cakephp / 4.4 / class-cake.controller.component.securitycomponent.html

Class
SecurityComponent

The Security Component creates an easy way to integrate tighter security in your application. It provides methods for these tasks:

  • Form tampering protection.
  • Requiring that SSL be used.
Namespace: Cake\Controller\Component
Deprecated: 4.0.0 Use {@link FormProtectionComponent} instead, for form tampering protection or {@link HttpsEnforcerMiddleware} to enforce use of HTTPS (SSL) for requests.
Link: https://book.cakephp.org/4/en/controllers/components/security.html

Constants

  • string
    DEFAULT_EXCEPTION_MESSAGE 
    'The request has been black-holed'

    Default message used for exceptions thrown

Property Summary

  • $_action protected
    string

    Holds the current action of the controller

  • $_componentMap protected
    array<string, array>

    A component lookup table used to lazy load component objects.

  • $_config protected
    array<string, mixed>

    Runtime config

  • $_configInitialized protected
    bool

    Whether the config property has already been configured with defaults

  • $_defaultConfig protected
    array<string, mixed>

    Default config

  • $_registry protected
    Cake\Controller\ComponentRegistry

    Component registry class used to lazy load components.

  • $components protected
    array

    Other Components this component uses.

Method Summary

  • __construct() public

    Constructor

  • __debugInfo() public

    Returns an array that can be used to describe the internal state of this object.

  • __get() public

    Magic method for lazy loading $components.

  • _callback() protected

    Calls a controller callback method

  • _configDelete() protected

    Deletes a single config key.

  • _configRead() protected

    Reads a config key.

  • _configWrite() protected

    Writes a config key.

  • _debugCheckFields() protected

    Iterates data array to check against expected

  • _debugExpectedFields() protected

    Generate debug message for the expected fields

  • _debugPostTokenNotMatching() protected

    Create a message for humans to understand why Security token is not matching

  • _fieldsList() protected

    Return the fields list for the hash calculation

  • _hashParts() protected

    Return hash parts for the Token generation

  • _matchExistingFields() protected

    Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset

  • _secureRequired() protected

    Check if access requires secure connection

  • _sortedUnlocked() protected

    Get the sorted unlocked string

  • _throwException() protected

    Check debug status and throw an Exception based on the existing one

  • _unlocked() protected

    Get the unlocked string

  • _validToken() protected

    Check if token is valid

  • _validatePost() protected

    Validate submitted form

  • blackHole() public

    Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error

  • configShallow() public

    Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

  • generateToken() public

    Manually add form tampering prevention token information into the provided request object.

  • getConfig() public

    Returns the config.

  • getConfigOrFail() public

    Returns the config for this specific key.

  • getController() public

    Get the controller this component is bound to.

  • implementedEvents() public

    Events supported by this component.

  • initialize() public

    Constructor hook method.

  • log() public

    Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

  • requireSecure() public

    Sets the actions that require a request that is SSL-secured, or empty for all actions

  • setConfig() public

    Sets the config.

  • startup() public

    Component startup. All security checking happens here.

Method Detail

__construct() public

__construct(Cake\Controller\ComponentRegistry $registry, array<string, mixed> $config = [])

Constructor

Parameters

Cake\Controller\ComponentRegistry $registry

A component registry this component can use to lazy load its components.

array<string, mixed> $config optional

Array of configuration settings.

__debugInfo() public

__debugInfo(): array<string, mixed>

Returns an array that can be used to describe the internal state of this object.

Returns

array<string, mixed>

__get() public

__get(string $name): Cake\Controller\Component|null

Magic method for lazy loading $components.

Parameters

string $name

Name of component to get.

Returns

Cake\Controller\Component|null

_callback() protected

_callback(Cake\Controller\Controller $controller, string $method, array $params = []): mixed

Calls a controller callback method

Parameters

Cake\Controller\Controller $controller

Instantiating controller

string $method

Method to execute

array $params optional

Parameters to send to method

Returns

mixed

Throws

Cake\Http\Exception\BadRequestException
When a the blackholeCallback is not callable.

_configDelete() protected

_configDelete(string $key): void

Deletes a single config key.

Parameters

string $key

Key to delete.

Returns

void

Throws

Cake\Core\Exception\CakeException
if attempting to clobber existing config

_configRead() protected

_configRead(string|null $key): mixed

Reads a config key.

Parameters

string|null $key

Key to read.

Returns

mixed

_configWrite() protected

_configWrite(array<string, mixed>|string $key, mixed $value, string|bool $merge = false): void

Writes a config key.

Parameters

array<string, mixed>|string $key

Key to write to.

mixed $value

Value to write.

string|bool $merge optional

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Returns

void

Throws

Cake\Core\Exception\CakeException
if attempting to clobber existing config

_debugCheckFields() protected

_debugCheckFields(array $dataFields, array $expectedFields = [], string $intKeyMessage = '', string $stringKeyMessage = '', string $missingMessage = ''): array<string>

Iterates data array to check against expected

Parameters

array $dataFields

Fields array, containing the POST data fields

array $expectedFields optional

Fields array, containing the expected fields we should have in POST

string $intKeyMessage optional

Message string if unexpected found in data fields indexed by int (not protected)

string $stringKeyMessage optional

Message string if tampered found in data fields indexed by string (protected).

string $missingMessage optional

Message string if missing field

Returns

array<string>

_debugExpectedFields() protected

_debugExpectedFields(array $expectedFields = [], string $missingMessage = ''): string|null

Generate debug message for the expected fields

Parameters

array $expectedFields optional

Expected fields

string $missingMessage optional

Message template

Returns

string|null

_debugPostTokenNotMatching() protected

_debugPostTokenNotMatching(Cake\Controller\Controller $controller, array<string> $hashParts): string

Create a message for humans to understand why Security token is not matching

Parameters

Cake\Controller\Controller $controller

Instantiating controller

array<string> $hashParts

Elements used to generate the Token hash

Returns

string

_fieldsList() protected

_fieldsList(array $check): array

Return the fields list for the hash calculation

Parameters

array $check

Data array

Returns

array

_hashParts() protected

_hashParts(Cake\Controller\Controller $controller): array<string>

Return hash parts for the Token generation

Parameters

Cake\Controller\Controller $controller

Instantiating controller

Returns

array<string>

_matchExistingFields() protected

_matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage): array<string>

Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset

Parameters

array $dataFields

Fields array, containing the POST data fields

array $expectedFields

Fields array, containing the expected fields we should have in POST

string $intKeyMessage

Message string if unexpected found in data fields indexed by int (not protected)

string $stringKeyMessage

Message string if tampered found in data fields indexed by string (protected)

Returns

array<string>

_secureRequired() protected

_secureRequired(Cake\Controller\Controller $controller): void

Check if access requires secure connection

Parameters

Cake\Controller\Controller $controller

Instantiating controller

Returns

void

Throws

Cake\Controller\Exception\SecurityException

_sortedUnlocked() protected

_sortedUnlocked(array $data): string

Get the sorted unlocked string

Parameters

array $data

Data array

Returns

string

_throwException() protected

_throwException(Cake\Controller\Exception\SecurityException|null $exception = null): void

Check debug status and throw an Exception based on the existing one

Parameters

Cake\Controller\Exception\SecurityException|null $exception optional

Additional debug info describing the cause

Returns

void

Throws

Cake\Http\Exception\BadRequestException

_unlocked() protected

_unlocked(array $data): string

Get the unlocked string

Parameters

array $data

Data array

Returns

string

_validToken() protected

_validToken(Cake\Controller\Controller $controller): string

Check if token is valid

Parameters

Cake\Controller\Controller $controller

Instantiating controller

Returns

string

Throws

Cake\Controller\Exception\SecurityException

_validatePost() protected

_validatePost(Cake\Controller\Controller $controller): void

Validate submitted form

Parameters

Cake\Controller\Controller $controller

Instantiating controller

Returns

void

Throws

Cake\Controller\Exception\AuthSecurityException

blackHole() public

blackHole(Cake\Controller\Controller $controller, string $error = '', Cake\Controller\Exception\SecurityException|null $exception = null): mixed

Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error

Parameters

Cake\Controller\Controller $controller

Instantiating controller

string $error optional

Error method

Cake\Controller\Exception\SecurityException|null $exception optional

Additional debug info describing the cause

Returns

mixed

Throws

Cake\Http\Exception\BadRequestException

See Also

\Cake\Controller\Component\SecurityComponent::$blackHoleCallback

Links

https://book.cakephp.org/4/en/controllers/components/security.html#handling-blackhole-callbacks

configShallow() public

configShallow(array<string, mixed>|string $key, mixed|null $value = null): $this

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

array<string, mixed>|string $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

Returns

$this

generateToken() public

generateToken(Cake\Http\ServerRequest $request): Cake\Http\ServerRequest

Manually add form tampering prevention token information into the provided request object.

Parameters

Cake\Http\ServerRequest $request

The request object to add into.

Returns

Cake\Http\ServerRequest

getConfig() public

getConfig(string|null $key = null, mixed $default = null): mixed

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key optional

The key to get or null for the whole config.

mixed $default optional

The return value when the key does not exist.

Returns

mixed

getConfigOrFail() public

getConfigOrFail(string $key): mixed

Returns the config for this specific key.

The config value for this key must exist, it can never be null.

Parameters

string $key

The key to get.

Returns

mixed

Throws

InvalidArgumentException

getController() public

getController(): Cake\Controller\Controller

Get the controller this component is bound to.

Returns

Cake\Controller\Controller

implementedEvents() public

implementedEvents(): array<string, mixed>

Events supported by this component.

Uses Conventions to map controller events to standard component callback method names. By defining one of the callback methods a component is assumed to be interested in the related event.

Override this method if you need to add non-conventional event listeners. Or if you want components to listen to non-standard events.

Returns

array<string, mixed>

initialize() public

initialize(array<string, mixed> $config): void

Constructor hook method.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters

array<string, mixed> $config

The configuration settings provided to this component.

Returns

void

log() public

log(string $message, string|int $level = LogLevel::ERROR, array|string $context = []): bool

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

string $message

Log message.

string|int $level optional

Error level.

array|string $context optional

Additional log data relevant to this message.

Returns

bool

requireSecure() public

requireSecure(array<string>|string|null $actions = null): void

Sets the actions that require a request that is SSL-secured, or empty for all actions

Parameters

array<string>|string|null $actions optional

Actions list

Returns

void

setConfig() public

setConfig(array<string, mixed>|string $key, mixed|null $value = null, bool $merge = true): $this

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

array<string, mixed>|string $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

bool $merge optional

Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\CakeException
When trying to set a key that is invalid.

startup() public

startup(Cake\Event\EventInterface $event): Cake\Http\Response|null

Component startup. All security checking happens here.

Parameters

Cake\Event\EventInterface $event

An Event instance

Returns

Cake\Http\Response|null

Property Detail

$_action protected

Holds the current action of the controller

Type

string

$_componentMap protected

A component lookup table used to lazy load component objects.

Type

array<string, array>

$_config protected

Runtime config

Type

array<string, mixed>

$_configInitialized protected

Whether the config property has already been configured with defaults

Type

bool

$_defaultConfig protected

Default config

  • blackHoleCallback - The controller method that will be called if this request is black-hole'd.
  • requireSecure - List of actions that require an SSL-secured connection.
  • unlockedFields - Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
  • unlockedActions - Actions to exclude from POST validation checks. Other checks like requireSecure() etc. will still be applied.
  • validatePost - Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.

Type

array<string, mixed>

$_registry protected

Component registry class used to lazy load components.

Type

Cake\Controller\ComponentRegistry

$components protected

Other Components this component uses.

Type

array

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Controller.Component.SecurityComponent.html