The Security Component creates an easy way to integrate tighter security in your application. It provides methods for these tasks:
string
'The request has been black-holed'
string
Holds the current action of the controller
array
A component lookup table used to lazy load component objects.
array
Runtime config
bool
Whether the config property has already been configured with defaults
array
Default config
\Cake\Controller\ComponentRegistry
Component registry class used to lazy load components.
array
Other Components this component uses.
Returns an array that can be used to describe the internal state of this object.
Create a message for humans to understand why Security token is not matching
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
Merge provided config with existing config. Unlike config()
which does a recursive merge for nested keys, this method does a simple merge.
Manually add form tampering prevention token information into the provided request object.
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Sets the actions that require a request that is SSL-secured, or empty for all actions
__construct(\Cake\Controller\ComponentRegistry $registry, array $config)
Constructor
\Cake\Controller\ComponentRegistry
$registry A component registry this component can use to lazy load its components.
array
$config optional Array of configuration settings.
__debugInfo()
Returns an array that can be used to describe the internal state of this object.
array
__get(string $name)
Magic method for lazy loading $components.
string
$name Name of component to get.
\Cake\Controller\Component|null
A Component object or null.
_callback(\Cake\Controller\Controller $controller, string $method, array $params)
Calls a controller callback method
\Cake\Controller\Controller
$controller Instantiating controller
string
$method Method to execute
array
$params optional Parameters to send to method
mixed
Controller callback method's response
Cake\Http\Exception\BadRequestException
_configDelete(string $key)
Deletes a single config key.
string
$key Key to delete.
Cake\Core\Exception\Exception
_configRead(?string $key)
Reads a config key.
string|null
$key Key to read.
mixed
_configWrite(mixed $key, mixed $value, mixed $merge)
Writes a config key.
string|array
$key Key to write to.
mixed
$value Value to write.
bool|string
$merge optional True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.
Cake\Core\Exception\Exception
_debugCheckFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage, string $missingMessage)
Iterates data array to check against expected
array
$dataFields Fields array, containing the POST data fields
array
$expectedFields optional Fields array, containing the expected fields we should have in POST
string
$intKeyMessage optional Message string if unexpected found in data fields indexed by int (not protected)
string
$stringKeyMessage optional Message string if tampered found in data fields indexed by string (protected).
string
$missingMessage optional Message string if missing field
string[]
Messages
_debugExpectedFields(array $expectedFields, string $missingMessage)
Generate debug message for the expected fields
array
$expectedFields optional Expected fields
string
$missingMessage optional Message template
string|null
Error message about expected fields
_debugPostTokenNotMatching(\Cake\Controller\Controller $controller, array $hashParts)
Create a message for humans to understand why Security token is not matching
\Cake\Controller\Controller
$controller Instantiating controller
array
$hashParts Elements used to generate the Token hash
string
Message explaining why the tokens are not matching
_fieldsList(array $check)
Return the fields list for the hash calculation
array
$check Data array
array
_hashParts(\Cake\Controller\Controller $controller)
Return hash parts for the Token generation
\Cake\Controller\Controller
$controller Instantiating controller
string[]
_matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage)
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
array
$dataFields Fields array, containing the POST data fields
array
$expectedFields Fields array, containing the expected fields we should have in POST
string
$intKeyMessage Message string if unexpected found in data fields indexed by int (not protected)
string
$stringKeyMessage Message string if tampered found in data fields indexed by string (protected)
string[]
Error messages
_secureRequired(\Cake\Controller\Controller $controller)
Check if access requires secure connection
\Cake\Controller\Controller
$controller Instantiating controller
Cake\Controller\Exception\SecurityException
_sortedUnlocked(array $data)
Get the sorted unlocked string
array
$data Data array
string
_throwException(?\Cake\Controller\Exception\SecurityException $exception)
Check debug status and throw an Exception based on the existing one
\Cake\Controller\Exception\SecurityException|null
$exception optional Additional debug info describing the cause
Cake\Http\Exception\BadRequestException
_unlocked(array $data)
Get the unlocked string
array
$data Data array
string
_validToken(\Cake\Controller\Controller $controller)
Check if token is valid
\Cake\Controller\Controller
$controller Instantiating controller
string
fields token
Cake\Controller\Exception\SecurityException
_validatePost(\Cake\Controller\Controller $controller)
Validate submitted form
\Cake\Controller\Controller
$controller Instantiating controller
Cake\Controller\Exception\AuthSecurityException
blackHole(\Cake\Controller\Controller $controller, string $error, ?\Cake\Controller\Exception\SecurityException $exception)
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
\Cake\Controller\Controller
$controller Instantiating controller
string
$error optional Error method
\Cake\Controller\Exception\SecurityException|null
$exception optional Additional debug info describing the cause
mixed
If specified, controller blackHoleCallback's response, or no return otherwise
Cake\Http\Exception\BadRequestException
configShallow(mixed $key, mixed $value)
Merge provided config with existing config. Unlike config()
which does a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
$this->configShallow('key', $value);
Setting a nested value:
$this->configShallow('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->configShallow(['one' => 'value', 'another' => 'value']);
string|array
$key The key to set, or a complete array of configs.
mixed|null
$value optional The value to set.
$this
generateToken(\Cake\Http\ServerRequest $request)
Manually add form tampering prevention token information into the provided request object.
\Cake\Http\ServerRequest
$request The request object to add into.
\Cake\Http\ServerRequest
The modified request.
getConfig(?string $key, mixed $default)
Returns the config.
Reading the whole config:
$this->getConfig();
Reading a specific value:
$this->getConfig('key');
Reading a nested value:
$this->getConfig('some.nested.key');
Reading with default value:
$this->getConfig('some-key', 'default-value');
string|null
$key optional The key to get or null for the whole config.
mixed
$default optional The return value when the key does not exist.
mixed
Configuration data at the named key or null if the key does not exist.
getConfigOrFail(string $key)
Returns the config for this specific key.
The config value for this key must exist, it can never be null.
string
$key The key to get.
mixed
Configuration data at the named key
InvalidArgumentException
getController()
Get the controller this component is bound to.
\Cake\Controller\Controller
The bound controller.
implementedEvents()
Events supported by this component.
array
initialize(array $config)
Constructor hook method.
Implement this method to avoid having to overwrite the constructor and call parent.
array
$config The configuration settings provided to this component.
log(string $message, mixed $level, mixed $context)
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
string
$message Log message.
int|string
$level optional Error level.
string|array
$context optional Additional log data relevant to this message.
bool
Success of log write.
requireSecure(mixed $actions)
Sets the actions that require a request that is SSL-secured, or empty for all actions
string|string[]|null
$actions optional Actions list
setConfig(mixed $key, mixed $value, mixed $merge)
Sets the config.
Setting a specific value:
$this->setConfig('key', $value);
Setting a nested value:
$this->setConfig('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->setConfig(['one' => 'value', 'another' => 'value']);
string|array
$key The key to set, or a complete array of configs.
mixed|null
$value optional The value to set.
bool
$merge optional Whether to recursively merge or overwrite existing config, defaults to true.
$this
Cake\Core\Exception\Exception
startup(\Cake\Event\EventInterface $event)
Component startup. All security checking happens here.
\Cake\Event\EventInterface
$event An Event instance
\Cake\Http\Response|null
Holds the current action of the controller
string
A component lookup table used to lazy load component objects.
array
Runtime config
array
Whether the config property has already been configured with defaults
bool
Default config
blackHoleCallback
- The controller method that will be called if this request is black-hole'd.requireSecure
- List of actions that require an SSL-secured connection.unlockedFields
- Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.unlockedActions
- Actions to exclude from POST validation checks. Other checks like requireSecure() etc. will still be applied.validatePost
- Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.array
Component registry class used to lazy load components.
\Cake\Controller\ComponentRegistry
Other Components this component uses.
array
© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.1/class-Cake.Controller.Component.SecurityComponent.html