GitBook: [#7] No subject

SUMMARY.md

@@ -13,14 +13,20 @@
 
 * [Installation](getting-started/installation.md)
 * [Overview](getting-started/overview.md)
-* [Configuration](getting-started/first-chapter/README.md)
-  * [Rule Sources](getting-started/first-chapter/rule-sources/README.md)
-    * [DB Rules](getting-started/first-chapter/rule-sources/untitled.md)
-    * [Inline Rules](getting-started/first-chapter/rule-sources/inline-rules.md)
-    * [JSON Rules](getting-started/first-chapter/rule-sources/json-properties.md)
-    * [Model Rules](getting-started/first-chapter/rule-sources/model-rules.md)
-    * [Module Rules](getting-started/first-chapter/rule-sources/module-rules.md)
-    * [XML Rules](getting-started/first-chapter/rule-sources/xml-properties.md)
+* [Configuration](getting-started/configuration/README.md)
+  * [Authentication](getting-started/configuration/authentication.md)
+  * [Basic Auth](getting-started/configuration/basic-auth.md)
+  * [CSRF](getting-started/configuration/csrf.md)
+  * [Firewall](getting-started/configuration/firewall/README.md)
+    * [Rule Sources](getting-started/configuration/firewall/rule-sources/README.md)
+      * [DB Rules](getting-started/configuration/firewall/rule-sources/untitled.md)
+      * [Inline Rules](getting-started/configuration/firewall/rule-sources/inline-rules.md)
+      * [JSON Rules](getting-started/configuration/firewall/rule-sources/json-properties.md)
+      * [Model Rules](getting-started/configuration/firewall/rule-sources/model-rules.md)
+      * [Module Rules](getting-started/configuration/firewall/rule-sources/module-rules.md)
+      * [XML Rules](getting-started/configuration/firewall/rule-sources/xml-properties.md)
+  * [Security Headers](getting-started/configuration/security-headers.md)
+  * [Visualizer](getting-started/configuration/visualizer.md)
 
 ## Usage
 

getting-started/configuration/authentication.md

@@ -0,0 +1,14 @@
+# Authentication
+
+## Authentication Services
+
+cbsecurity ships with the [cbauth](https://github.com/elpete/cbauth) module that can provide you with a nice interface for authentication services. If you use the default `authenticationService` authenticationService@cbauth, you have to define the UserServiceClass in the cbauth module.\
+However, you can plug in any WireBox ID and select your own authentication services.
+
+{% hint style="warning" %}
+If you are using cbauth as your `authenticationService` (the default), you also need to [configure cbauth.](https://cbauth.ortusbooks.com/installation-and-usage)
+{% endhint %}
+
+## User Services
+
+cbsecurity will also require a user service if you will be dealing with any JWT security tokens. Just add your WireBox ID to the user service of your choice. If you are using cbauth, you have to define the UserServiceClass in the cbauth module.

getting-started/configuration/basic-auth.md

@@ -0,0 +1,2 @@
+# Basic Auth
+

getting-started/configuration/csrf.md

@@ -0,0 +1,2 @@
+# CSRF
+

getting-started/configuration/firewall/README.md

@@ -0,0 +1,29 @@
+# Firewall
+
+
+
+## InvalidAuthentication-/ InvalidAuthorization events and default actions
+
+The `invalidAuthenticationEvent` and `invalidAuthorizationEvent` keys can be used to provide default events when Authentication or Authorization failed. The defaultAuthenticationAction and defaultAuthorizationAction determine whether there will be a redirection or override. The default action is `redirect`, but especially for API's an `override` will be more appropriate. When using rule-based security you can override these keys for any individual rule.
+
+## Validator
+
+You can place a global validator in the configuration settings, but you can also override the validator on a module by module basis as well. The default validator is using the [CBAuth Validator.](../../../security-validators/cbauth-validator.md)
+
+
+
+## Automatic Firewall
+
+Please note that by default, the security firewall will be auto-registered for you. If you do NOT want the firewall to be automatically registered for you, then use the `autoLoadFirewall` setting and make it false. Then you can use the **Custom Firewall** approach below to register the firewall manually in the order of the interceptors that you would like.
+
+```javascript
+autoLoadFirewall : false
+```
+
+## Annotation Security
+
+By default, annotation security is enabled. This will inspect ALL incoming event executions for the security annotations. If you do not want to use annotation security we recommend you turn it off to avoid the inspection of events.
+
+```javascript
+handlerAnnotationSecurity : false
+```

getting-started/configuration/security-headers.md

@@ -0,0 +1,2 @@
+# Security Headers
+

getting-started/configuration/visualizer.md

@@ -0,0 +1,19 @@
+# Visualizer
+
+
+
+## Security Visualizer
+
+ColdBox security comes with a nice graphical visualizer for all the registered security rules and settings in your global firewall. You can enable it by using the enableSecurityVisualizer setting.
+
+```javascript
+enableSecurityVisualizer :  true
+```
+
+You can then visit the `/cbsecurity` URL and you will be presented with this magical tool:
+
+![](https://raw.githubusercontent.com/coldbox-modules/cbsecurity/development/test-harness/visualizer.png)
+
+{% hint style="danger" %}
+**Important** The visualizer is **disabled** by default and if it detects an environment of production, it will disable itself.
+{% endhint %}

getting-started/installation.md

@@ -22,7 +22,7 @@ install cbsecurity@be
 
 ## Configuration Settings
 
-By default `cbsecurity` is configured to work with `cbauth` as the authentication service.  You would only need to provide a user service class that knows how to connect to your database to retrieve and validate credentials.  You can also use the in-built basic authentication services as well.  Here is just a snippet of the configuration, please see the [Configuration](first-chapter/) section for an in-depth review of all the module's settings.
+By default `cbsecurity` is configured to work with `cbauth` as the authentication service.  You would only need to provide a user service class that knows how to connect to your database to retrieve and validate credentials.  You can also use the in-built basic authentication services as well.  Here is just a snippet of the configuration, please see the [Configuration](configuration/) section for an in-depth review of all the module's settings.
 
 {% code title="config/Coldbox.cfc" lineNumbers="true" %}
 ```javascript

intro/release-history/whats-new-with-2.0.0.md

@@ -8,7 +8,7 @@ description: October 2022
 
 * Dropped Adobe ColdFusion 2016
 * New **`JwtAuthValidator`** instead of mixing concerns with the `JwtService`. You will have to update your configuration to use this `validator` instead of the `JwtService`
-* All settings have changed. They are not single level anymore. They are now grouped by functionality. Please see the [Configuration](../../getting-started/first-chapter/) area for the new approach.
+* All settings have changed. They are not single level anymore. They are now grouped by functionality. Please see the [Configuration](../../getting-started/configuration/) area for the new approach.
 
 ### Added
 

usage/security-annotations.md

@@ -1,6 +1,6 @@
 # Security Annotations
 
-The security module also allows you to secure your events via annotations instead of using security rules.  The setting that controls this security feature is the `handlerAnnotationSecurity` which can see in the [configuration section.](../getting-started/first-chapter/#annotation-security)
+The security module also allows you to secure your events via annotations instead of using security rules.  The setting that controls this security feature is the `handlerAnnotationSecurity` which can see in the [configuration section.](../getting-started/configuration/#annotation-security)
 
 The security module has a tiered approach to annotation security as it will check the handler component first and then the requested action method second.  You can apply different security contexts to each level as you see fit.
 

usage/untitled-1.md

@@ -24,7 +24,7 @@ Each rule is modeled by a struct with keys in it:
 The only required key is the `secureList` which is what you are trying to secure. The rest are optional and described below. Please note that you can add as many keys as you like to your security rules, which can contain much more context and information for the validators to use for validation.
 
 {% hint style="warning" %}
-Please remember that by default the secure and white lists are evaluated as regular expressions. You can turn that off in your [configuration settings.](../getting-started/first-chapter/)
+Please remember that by default the secure and white lists are evaluated as regular expressions. You can turn that off in your [configuration settings.](../getting-started/configuration/)
 {% endhint %}
 
 ## Rules processing