The Security Component creates an easy way to integrate tighter security in your application. It provides methods for these tasks:
string 'The request has been black-holed'
Default message used for exceptions thrown
stringHolds the current action of the controller
array<string, array>A component lookup table used to lazy load component objects.
array<string, mixed>Runtime config
boolWhether the config property has already been configured with defaults
array<string, mixed>Default config
Cake\Controller\ComponentRegistryComponent registry class used to lazy load components.
arrayOther Components this component uses.
Constructor
Returns an array that can be used to describe the internal state of this object.
Magic method for lazy loading $components.
Calls a controller callback method
Deletes a single config key.
Reads a config key.
Writes a config key.
Iterates data array to check against expected
Generate debug message for the expected fields
Create a message for humans to understand why Security token is not matching
Return the fields list for the hash calculation
Return hash parts for the Token generation
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
Check if access requires secure connection
Get the sorted unlocked string
Check debug status and throw an Exception based on the existing one
Get the unlocked string
Check if token is valid
Validate submitted form
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.
Manually add form tampering prevention token information into the provided request object.
Returns the config.
Returns the config for this specific key.
Get the controller this component is bound to.
Events supported by this component.
Constructor hook method.
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Sets the actions that require a request that is SSL-secured, or empty for all actions
Sets the config.
Component startup. All security checking happens here.
__construct(Cake\Controller\ComponentRegistry $registry, array<string, mixed> $config = [])
Constructor
Cake\Controller\ComponentRegistry $registry A component registry this component can use to lazy load its components.
array<string, mixed> $config optional Array of configuration settings.
__debugInfo(): array<string, mixed>
Returns an array that can be used to describe the internal state of this object.
array<string, mixed>__get(string $name): Cake\Controller\Component|null
Magic method for lazy loading $components.
string $name Name of component to get.
Cake\Controller\Component|null_callback(Cake\Controller\Controller $controller, string $method, array $params = []): mixed
Calls a controller callback method
Cake\Controller\Controller $controller Instantiating controller
string $method Method to execute
array $params optional Parameters to send to method
mixedCake\Http\Exception\BadRequestException_configDelete(string $key): void
Deletes a single config key.
string $key Key to delete.
voidCake\Core\Exception\CakeException_configRead(string|null $key): mixed
Reads a config key.
string|null $key Key to read.
mixed_configWrite(array<string, mixed>|string $key, mixed $value, string|bool $merge = false): void
Writes a config key.
array<string, mixed>|string $key Key to write to.
mixed $value Value to write.
string|bool $merge optional True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.
voidCake\Core\Exception\CakeException_debugCheckFields(array $dataFields, array $expectedFields = [], string $intKeyMessage = '', string $stringKeyMessage = '', string $missingMessage = ''): array<string>
Iterates data array to check against expected
array $dataFields Fields array, containing the POST data fields
array $expectedFields optional Fields array, containing the expected fields we should have in POST
string $intKeyMessage optional Message string if unexpected found in data fields indexed by int (not protected)
string $stringKeyMessage optional Message string if tampered found in data fields indexed by string (protected).
string $missingMessage optional Message string if missing field
array<string>_debugExpectedFields(array $expectedFields = [], string $missingMessage = ''): string|null
Generate debug message for the expected fields
array $expectedFields optional Expected fields
string $missingMessage optional Message template
string|null_debugPostTokenNotMatching(Cake\Controller\Controller $controller, array<string> $hashParts): string
Create a message for humans to understand why Security token is not matching
Cake\Controller\Controller $controller Instantiating controller
array<string> $hashParts Elements used to generate the Token hash
string_fieldsList(array $check): array
Return the fields list for the hash calculation
array $check Data array
array_hashParts(Cake\Controller\Controller $controller): array<string>
Return hash parts for the Token generation
Cake\Controller\Controller $controller Instantiating controller
array<string>_matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage): array<string>
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
array $dataFields Fields array, containing the POST data fields
array $expectedFields Fields array, containing the expected fields we should have in POST
string $intKeyMessage Message string if unexpected found in data fields indexed by int (not protected)
string $stringKeyMessage Message string if tampered found in data fields indexed by string (protected)
array<string>_secureRequired(Cake\Controller\Controller $controller): void
Check if access requires secure connection
Cake\Controller\Controller $controller Instantiating controller
voidCake\Controller\Exception\SecurityException_sortedUnlocked(array $data): string
Get the sorted unlocked string
array $data Data array
string_throwException(Cake\Controller\Exception\SecurityException|null $exception = null): void
Check debug status and throw an Exception based on the existing one
Cake\Controller\Exception\SecurityException|null $exception optional Additional debug info describing the cause
voidCake\Http\Exception\BadRequestException_unlocked(array $data): string
Get the unlocked string
array $data Data array
string_validToken(Cake\Controller\Controller $controller): string
Check if token is valid
Cake\Controller\Controller $controller Instantiating controller
stringCake\Controller\Exception\SecurityException_validatePost(Cake\Controller\Controller $controller): void
Validate submitted form
Cake\Controller\Controller $controller Instantiating controller
voidCake\Controller\Exception\AuthSecurityExceptionblackHole(Cake\Controller\Controller $controller, string $error = '', Cake\Controller\Exception\SecurityException|null $exception = null): mixed
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
Cake\Controller\Controller $controller Instantiating controller
string $error optional Error method
Cake\Controller\Exception\SecurityException|null $exception optional Additional debug info describing the cause
mixedCake\Http\Exception\BadRequestExceptionconfigShallow(array<string, mixed>|string $key, mixed|null $value = null): $this
Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
$this->configShallow('key', $value); Setting a nested value:
$this->configShallow('some.nested.key', $value); Updating multiple config settings at the same time:
$this->configShallow(['one' => 'value', 'another' => 'value']);
array<string, mixed>|string $key The key to set, or a complete array of configs.
mixed|null $value optional The value to set.
$thisgenerateToken(Cake\Http\ServerRequest $request): Cake\Http\ServerRequest
Manually add form tampering prevention token information into the provided request object.
Cake\Http\ServerRequest $request The request object to add into.
Cake\Http\ServerRequestgetConfig(string|null $key = null, mixed $default = null): mixed
Returns the config.
Reading the whole config:
$this->getConfig();
Reading a specific value:
$this->getConfig('key'); Reading a nested value:
$this->getConfig('some.nested.key'); Reading with default value:
$this->getConfig('some-key', 'default-value'); string|null $key optional The key to get or null for the whole config.
mixed $default optional The return value when the key does not exist.
mixedgetConfigOrFail(string $key): mixed
Returns the config for this specific key.
The config value for this key must exist, it can never be null.
string $key The key to get.
mixedInvalidArgumentExceptiongetController(): Cake\Controller\Controller
Get the controller this component is bound to.
Cake\Controller\ControllerimplementedEvents(): array<string, mixed>
Events supported by this component.
Uses Conventions to map controller events to standard component callback method names. By defining one of the callback methods a component is assumed to be interested in the related event.
Override this method if you need to add non-conventional event listeners. Or if you want components to listen to non-standard events.
array<string, mixed>initialize(array<string, mixed> $config): void
Constructor hook method.
Implement this method to avoid having to overwrite the constructor and call parent.
array<string, mixed> $config The configuration settings provided to this component.
voidlog(string $message, string|int $level = LogLevel::ERROR, array|string $context = []): bool
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
string $message Log message.
string|int $level optional Error level.
array|string $context optional Additional log data relevant to this message.
boolrequireSecure(array<string>|string|null $actions = null): void
Sets the actions that require a request that is SSL-secured, or empty for all actions
array<string>|string|null $actions optional Actions list
voidsetConfig(array<string, mixed>|string $key, mixed|null $value = null, bool $merge = true): $this
Sets the config.
Setting a specific value:
$this->setConfig('key', $value); Setting a nested value:
$this->setConfig('some.nested.key', $value); Updating multiple config settings at the same time:
$this->setConfig(['one' => 'value', 'another' => 'value']);
array<string, mixed>|string $key The key to set, or a complete array of configs.
mixed|null $value optional The value to set.
bool $merge optional Whether to recursively merge or overwrite existing config, defaults to true.
$thisCake\Core\Exception\CakeExceptionstartup(Cake\Event\EventInterface $event): Cake\Http\Response|null
Component startup. All security checking happens here.
Cake\Event\EventInterface $event An Event instance
Cake\Http\Response|nullHolds the current action of the controller
stringA component lookup table used to lazy load component objects.
array<string, array>Runtime config
array<string, mixed>Whether the config property has already been configured with defaults
boolDefault config
blackHoleCallback - The controller method that will be called if this request is black-hole'd.requireSecure - List of actions that require an SSL-secured connection.unlockedFields - Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.unlockedActions - Actions to exclude from POST validation checks. Other checks like requireSecure() etc. will still be applied.validatePost - Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.array<string, mixed>Component registry class used to lazy load components.
Cake\Controller\ComponentRegistryOther Components this component uses.
array
© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Controller.Component.SecurityComponent.html