
Certain pages of my website crash when I try to call the 'Security' component in any of the apps. For example in the AppController file, if I change the components definition from

var $components = array('Auth','Session','Email');

to

var $components = array('Auth','Session','Email','Security');

pages on my site that rely on POST data from other pages crash. All I get is a blank screen. In the \cake\libs\controller\components directory, 'security.php' is defined and stored.

Any ideas on what's causing this or how to approach this?

AMIC MING
Irfan Ali

1 Answer


That is what the SecurityComponent is supposed to do.

It secures your application by adding 'tokens' to all of your forms to check if the form is 'valid' and has not been tampered with (e.g. somebody added an additional field or value to the form with JavaScript).

It also checks if the posted form originates from a controller and/or action that is allowed to do so (allowedControllers).

If the requirements are not met, a 'blackHoleAction' is called that stops further actions.

Based on your usage of 'var $components', not 'public $components', I think you're running CakePHP 1.3; see the documentation for the SecurityComponent here: http://book.cakephp.org/1.3/en/The-Manual/Core-Components/Security-Component.html

Read the part on allowedControllers and allowedActions.

It's also possible that you have an error somewhere in your script that is not visible because debugging is disabled. To enable debugging, change the debug level to 1 or 2 in your core.php config file.

In app/Config/core.php, set the debug level to 2 with this line:

Configure::write('debug', 2);
thaJeztah
  • Thanks! I'm trying to route a page from http to https for SSL connection. The page (action) is defined in the order controller. So following http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html I've added 'Security' in $components and this in the beforeFilter() fxn: `if (isset($this->params['order'])) { $this->Security->blackHoleCallback = 'forceSSL'; $this->Security->requireSecure(); }` and this function: `function forceSSL() { $this->redirect('https://' . env('SERVER_NAME') . $this->here); }` btw version is 2.9 – Irfan Ali Feb 04 '13 at 23:33
  • Doing this still crashes the pages/actions defined in the 'order' controller, and they aren't being redirected to https:// either. Am I missing anything? – Irfan Ali Feb 04 '13 at 23:57
  • I'm not sure you should use `$this->params`, it might need to be `$this->request->params` (may be an error in the documentation). In all cases, if you enable debugging, does it give any errors? Also, have you tried putting a simple 'die("helloworld");' inside the forceSSL() method to check if it gets there? Debugging the request `debug($this->request);` at the start of your beforeFilter() may also give some clues – thaJeztah Feb 05 '13 at 08:07
  • On a final note, please edit your original question and include the source for your 'beforeFilter()' and 'forceSSL()' actions, and also the configuration of your Security Component from the AppController – thaJeztah Feb 05 '13 at 08:08
  • Thanks again. I was mistaken about the CakePHP version. It is 1.3. Here's what is working currently: `function beforeFilter() { parent::beforeFilter(); $this->Auth->allowedActions = array('..list of my actions..'); $this->Security->validatePost=false; $this->Security->blackHoleCallback = 'forceSSL'; $this->Security->requireSecure('myAction needing Securing'); }// end of function beforeFilter()` I took out the if isset condition since the beforeFilter fxn first defines allowedActions and also set the validatePost to false (which turns off CSRF). Although not optimal, it seems to work – Irfan Ali Feb 05 '13 at 18:47
  • Glad it worked! I added your code to your original question so that others may use It for reference – thaJeztah Feb 05 '13 at 19:42
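
The setup in the comments sends every black-holed request to `forceSSL` and turns `validatePost` off. As an added example (not code from the question or the answer), the CakePHP 1.3 AppController below keeps `validatePost` at its default and redirects to HTTPS only when the failure type passed to the callback is `secure`; the `checkout` action and the `blackHoled` method name are assumptions.

```php
<?php
// Added example for CakePHP 1.3. 'checkout' is a hypothetical action name
// and 'blackHoled' a hypothetical callback name.
class AppController extends Controller {
    var $components = array('Auth', 'Session', 'Email', 'Security');

    function beforeFilter() {
        parent::beforeFilter();
        // validatePost stays at its default (true), so forms built with
        // FormHelper keep their tamper-detection token.
        $this->Security->blackHoleCallback = 'blackHoled';
        $this->Security->requireSecure('checkout');
    }

    // SecurityComponent passes the failure type as the only argument.
    function blackHoled($type) {
        if ($type === 'secure') {
            // Plain-HTTP request to an action listed in requireSecure().
            // A redirect does not carry POST data, so forms that post to
            // this action should already be served over HTTPS.
            $this->redirect('https://' . env('SERVER_NAME') . $this->here);
            return;
        }
        // Any other type (for example 'auth' after a failed form-token
        // check) is logged and rejected, as the default black hole does.
        $this->log('Security black hole: ' . $type . ' at ' . $this->here);
        $this->redirect(null, 404, true);
    }
}
```

With debug enabled, the logged type shows whether a blank page came from the HTTPS requirement or from a POST form that was not built with FormHelper and therefore lacks the token.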