I'd like to use CakePHP's SecurityComponent to enforce app requests to be made over SSL using requireSecure().
My issue is that by default this is a blacklist methodology - allow insecure access by default, unless explicitly prohibited in that Controller. I'd like to switch to a whitelist methodology - deny insecure access by default, unless I explicitly allow it in that Controller.
Is this functionality built into the SecurityComponent? If not, how can I set this up manually?
It doesn't appear that this is built in by default. You could simulate this by creating a $requireSecure property of your Controllers, and then conditionally calling requireSecure() in AppController::beforeFilter(). Here's how you would implement it:
AppController.php:
public $requireSecure = true;
public function beforeFilter() {
if ($this->requireSecure) {
$blacklist = is_array($this->requireSecure) ? $this->requireSecure : array('*');
$this->Security->requireSecure($blacklist);
}
}
Whitelisted controller:
public $requireSecure = false;
Controller, varies by method (note that $requireSecure is a blacklist):
public $requireSecure = array('login');
This achieves the objective of requiring SSL by default, but being able to explicitly override this requirement in the Controller if desired.