The Security Component creates an easy way to integrate tighter security in your application. It provides methods for these tasks:
Properties:
- string = 'The request has been black-holed': Default message used for exceptions thrown.
- string: Holds the current action of the controller.
- array<string, array>: A component lookup table used to lazy load component objects.
- array<string, mixed>: Runtime config.
- bool: Whether the config property has already been configured with defaults.
- array<string, mixed>: Default config.
- Cake\Controller\ComponentRegistry: Component registry class used to lazy load components.
- array: Other Components this component uses.
Methods:
Constructor
Returns an array that can be used to describe the internal state of this object.
Magic method for lazy loading $components.
Calls a controller callback method
Deletes a single config key.
Reads a config key.
Writes a config key.
Iterates data array to check against expected
Generate debug message for the expected fields
Create a message for humans to understand why Security token is not matching
Return the fields list for the hash calculation
Return hash parts for the Token generation
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
Check if access requires secure connection
Get the sorted unlocked string
Check debug status and throw an Exception based on the existing one
Get the unlocked string
Check if token is valid
Validate submitted form
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
Merge provided config with existing config. Unlike config(), which does a recursive merge for nested keys, this method does a simple merge.
Manually add form tampering prevention token information into the provided request object.
Returns the config.
Returns the config for this specific key.
Get the controller this component is bound to.
Events supported by this component.
Constructor hook method.
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Sets the actions that require a request that is SSL-secured, or empty for all actions
Sets the config.
Component startup. All security checking happens here.
__construct(Cake\Controller\ComponentRegistry $registry, array<string, mixed> $config = [])
Constructor.
Parameters:
- Cake\Controller\ComponentRegistry $registry: A component registry this component can use to lazy load its components.
- array<string, mixed> $config (optional): Array of configuration settings.
__debugInfo(): array<string, mixed>
Returns an array that can be used to describe the internal state of this object.
Returns: array<string, mixed>
__get(string $name): Cake\Controller\Component|null
Magic method for lazy loading $components.
Parameters:
- string $name: Name of component to get.
Returns: Cake\Controller\Component|null
_callback(Cake\Controller\Controller $controller, string $method, array $params = []): mixed
Calls a controller callback method.
Parameters:
- Cake\Controller\Controller $controller: Instantiating controller.
- string $method: Method to execute.
- array $params (optional): Parameters to send to method.
Returns: mixed
Throws: Cake\Http\Exception\BadRequestException
_configDelete(string $key): void
Deletes a single config key.
Parameters:
- string $key: Key to delete.
Returns: void
Throws: Cake\Core\Exception\CakeException
_configRead(string|null $key): mixed
Reads a config key.
Parameters:
- string|null $key: Key to read.
Returns: mixed
_configWrite(array<string, mixed>|string $key, mixed $value, string|bool $merge = false): void
Writes a config key.
Parameters:
- array<string, mixed>|string $key: Key to write to.
- mixed $value: Value to write.
- string|bool $merge (optional): True to merge recursively, 'shallow' for simple merge, false to overwrite; defaults to false.
Returns: void
Throws: Cake\Core\Exception\CakeException
_debugCheckFields(array $dataFields, array $expectedFields = [], string $intKeyMessage = '', string $stringKeyMessage = '', string $missingMessage = ''): array<string>
Iterates the data array to check it against the expected fields.
Parameters:
- array $dataFields: Fields array, containing the POST data fields.
- array $expectedFields (optional): Fields array, containing the expected fields we should have in POST.
- string $intKeyMessage (optional): Message string if an unexpected field is found in data fields indexed by int (not protected).
- string $stringKeyMessage (optional): Message string if a tampered field is found in data fields indexed by string (protected).
- string $missingMessage (optional): Message string if a field is missing.
Returns: array<string>
_debugExpectedFields(array $expectedFields = [], string $missingMessage = ''): string|null
Generate debug message for the expected fields.
Parameters:
- array $expectedFields (optional): Expected fields.
- string $missingMessage (optional): Message template.
Returns: string|null
_debugPostTokenNotMatching(Cake\Controller\Controller $controller, array<string> $hashParts): string
Create a message for humans to understand why the Security token is not matching.
Parameters:
- Cake\Controller\Controller $controller: Instantiating controller.
- array<string> $hashParts: Elements used to generate the Token hash.
Returns: string
_fieldsList(array $check): array
Return the fields list for the hash calculation.
Parameters:
- array $check: Data array.
Returns: array
_hashParts(Cake\Controller\Controller $controller): array<string>
Return hash parts for the Token generation.
Parameters:
- Cake\Controller\Controller $controller: Instantiating controller.
Returns: array<string>
_matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage): array<string>
Generate an array of messages for the existing fields in POST data; dataFields matching $expectedFields will be unset.
Parameters:
- array $dataFields: Fields array, containing the POST data fields.
- array $expectedFields: Fields array, containing the expected fields we should have in POST.
- string $intKeyMessage: Message string if an unexpected field is found in data fields indexed by int (not protected).
- string $stringKeyMessage: Message string if a tampered field is found in data fields indexed by string (protected).
Returns: array<string>
_secureRequired(Cake\Controller\Controller $controller): void
Check if access requires a secure connection.
Parameters:
- Cake\Controller\Controller $controller: Instantiating controller.
Returns: void
Throws: Cake\Controller\Exception\SecurityException
_sortedUnlocked(array $data): string
Get the sorted unlocked string.
Parameters:
- array $data: Data array.
Returns: string
_throwException(Cake\Controller\Exception\SecurityException|null $exception = null): void
Check debug status and throw an Exception based on the existing one.
Parameters:
- Cake\Controller\Exception\SecurityException|null $exception (optional): Additional debug info describing the cause.
Returns: void
Throws: Cake\Http\Exception\BadRequestException
_unlocked(array $data): string
Get the unlocked string.
Parameters:
- array $data: Data array.
Returns: string
_validToken(Cake\Controller\Controller $controller): string
Check if the token is valid.
Parameters:
- Cake\Controller\Controller $controller: Instantiating controller.
Returns: string
Throws: Cake\Controller\Exception\SecurityException
_validatePost(Cake\Controller\Controller $controller): void
Validate submitted form.
Parameters:
- Cake\Controller\Controller $controller: Instantiating controller.
Returns: void
Throws: Cake\Controller\Exception\AuthSecurityException
blackHole(Cake\Controller\Controller $controller, string $error = '', Cake\Controller\Exception\SecurityException|null $exception = null): mixed
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error.
Parameters:
- Cake\Controller\Controller $controller: Instantiating controller.
- string $error (optional): Error method.
- Cake\Controller\Exception\SecurityException|null $exception (optional): Additional debug info describing the cause.
Returns: mixed
Throws: Cake\Http\Exception\BadRequestException
configShallow(array<string, mixed>|string $key, mixed|null $value = null): $this
Merge provided config with existing config. Unlike config(), which does a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
    $this->configShallow('key', $value);
Setting a nested value:
    $this->configShallow('some.nested.key', $value);
Updating multiple config settings at the same time:
    $this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters:
- array<string, mixed>|string $key: The key to set, or a complete array of configs.
- mixed|null $value (optional): The value to set.
Returns: $this
generateToken(Cake\Http\ServerRequest $request): Cake\Http\ServerRequest
Manually add form tampering prevention token information into the provided request object.
Parameters:
- Cake\Http\ServerRequest $request: The request object to add into.
Returns: Cake\Http\ServerRequest
getConfig(string|null $key = null, mixed $default = null): mixed
Returns the config.
Reading the whole config:
    $this->getConfig();
Reading a specific value:
    $this->getConfig('key');
Reading a nested value:
    $this->getConfig('some.nested.key');
Reading with default value:
    $this->getConfig('some-key', 'default-value');
Parameters:
- string|null $key (optional): The key to get, or null for the whole config.
- mixed $default (optional): The return value when the key does not exist.
Returns: mixed
getConfigOrFail(string $key): mixed
Returns the config for this specific key.
The config value for this key must exist; it can never be null.
Parameters:
- string $key: The key to get.
Returns: mixed
Throws: InvalidArgumentException
getController(): Cake\Controller\Controller
Get the controller this component is bound to.
Returns: Cake\Controller\Controller
implementedEvents(): array<string, mixed>
Events supported by this component.
Uses conventions to map controller events to standard component callback method names. By defining one of the callback methods, a component is assumed to be interested in the related event.
Override this method if you need to add non-conventional event listeners, or if you want components to listen to non-standard events.
Returns: array<string, mixed>
initialize(array<string, mixed> $config): void
Constructor hook method.
Implement this method to avoid having to overwrite the constructor and call parent.
Parameters:
- array<string, mixed> $config: The configuration settings provided to this component.
Returns: void
log(string $message, string|int $level = LogLevel::ERROR, array|string $context = []): bool
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Parameters:
- string $message: Log message.
- string|int $level (optional): Error level.
- array|string $context (optional): Additional log data relevant to this message.
Returns: bool
requireSecure(array<string>|string|null $actions = null): void
Sets the actions that require a request that is SSL-secured, or empty for all actions.
Parameters:
- array<string>|string|null $actions (optional): Actions list.
Returns: void
setConfig(array<string, mixed>|string $key, mixed|null $value = null, bool $merge = true): $this
Sets the config.
Setting a specific value:
    $this->setConfig('key', $value);
Setting a nested value:
    $this->setConfig('some.nested.key', $value);
Updating multiple config settings at the same time:
    $this->setConfig(['one' => 'value', 'another' => 'value']);
Parameters:
- array<string, mixed>|string $key: The key to set, or a complete array of configs.
- mixed|null $value (optional): The value to set.
- bool $merge (optional): Whether to recursively merge or overwrite existing config; defaults to true.
Returns: $this
Throws: Cake\Core\Exception\CakeException
startup(Cake\Event\EventInterface $event): Cake\Http\Response|null
Component startup. All security checking happens here.
Parameters:
- Cake\Event\EventInterface $event: An Event instance.
Returns: Cake\Http\Response|null
Property details:
- string: Holds the current action of the controller.
- array<string, array>: A component lookup table used to lazy load component objects.
- array<string, mixed>: Runtime config.
- bool: Whether the config property has already been configured with defaults.
- array<string, mixed>: Default config, with these keys:
  - blackHoleCallback: The controller method that will be called if this request is black-hole'd.
  - requireSecure: List of actions that require an SSL-secured connection.
  - unlockedFields: Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST, and hidden unlocked fields do not have their values checked.
  - unlockedActions: Actions to exclude from POST validation checks. Other checks like requireSecure() etc. will still be applied.
  - validatePost: Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.
- Cake\Controller\ComponentRegistry: Component registry class used to lazy load components.
- array: Other Components this component uses.
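The following controller is an added example and is not code from the CakePHP API page or from the CakePHP project itself. It shows how the default config keys listed above (blackHoleCallback, unlockedFields, unlockedActions, validatePost) and requireSecure() fit together in an application's AppController, and how a blackHoleCallback target should behave: recover only from the SSL check, and fail closed with a 400 for everything else so a tampered POST is never acted upon. The action names (checkout, webhook), the field name (notes) and the method name handleBlackHole are hypothetical. Note that in CakePHP 4.1 and later SecurityComponent is deprecated in favour of FormProtectionComponent, which carries the same form-tampering checks; the config keys below belong to SecurityComponent as documented on this page.

```php
<?php
// Added example (not CakePHP's own code): wiring SecurityComponent in an
// AppController. Action and field names are hypothetical.
declare(strict_types=1);

namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Controller\Exception\SecurityException;
use Cake\Event\EventInterface;
use Cake\Http\Exception\BadRequestException;

class AppController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();

        $this->loadComponent('Security', [
            // Controller method called instead of throwing a bare 400
            // when a request is black-holed.
            'blackHoleCallback' => 'handleBlackHole',
            // Fields whose value is legitimately changed client-side
            // (hypothetical 'notes' field) are excluded from tamper checks.
            'unlockedFields' => ['notes'],
            // A third-party POST cannot carry our token, so exclude that
            // action from POST validation only; requireSecure() still applies.
            'unlockedActions' => ['webhook'],
            // Keep POST validation on for every other action (the default).
            'validatePost' => true,
        ]);
    }

    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);
        // Only the hypothetical checkout action must arrive over SSL;
        // calling requireSecure() with no argument would cover all actions.
        $this->Security->requireSecure(['checkout']);
    }

    /**
     * blackHoleCallback target. $error names the failing check
     * ('secure' for the SSL requirement, 'auth' for form tampering).
     */
    public function handleBlackHole(string $error, ?SecurityException $exception = null)
    {
        if ($error === 'secure') {
            // The SSL check is the only one that is safe to recover from:
            // resend the same request target over HTTPS.
            $url = 'https://' . $this->request->host() . $this->request->getRequestTarget();

            return $this->redirect($url);
        }

        // Anything else means the POST did not match the token: record the
        // reason for the defender and refuse the request with a 400.
        $this->log(sprintf(
            'Security black-hole (%s): %s',
            $error,
            $exception ? $exception->getMessage() : 'no details'
        ), 'warning');

        throw new BadRequestException('The request has been black-holed');
    }
}
```

The redirect branch is deliberately limited to the 'secure' case: redirecting an 'auth' failure would resubmit data that has already failed the tamper check. The log line gives an operator the check name and the component's explanation of which field was added, removed or altered, which is the signal worth alerting on.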
© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Controller.Component.SecurityComponent.html