Welcome to the Cookbook

Using the security component is generally done in the controller beforeFilter(). You would specify the security restrictions you want and the Security Component will enforce them on its startup.

<?php
class WidgetController extends AppController {

	var $components = array('Security');

	function beforeFilter() {
		$this->Security->requirePost('delete');
	}
}
?>

1. <?php
2. class WidgetController extends AppController {
3. var $components = array('Security');
4. function beforeFilter() {
5. $this->Security->requirePost('delete');
6. }
7. }
8. ?>

In this example the delete action can only be successfully triggered if it receives a POST request.

<?php
class WidgetController extends AppController {

	var $components = array('Security');

	function beforeFilter() {
		if(isset($this->params[Configure::read('Routing.admin')])){
			$this->Security->requireSecure();
		}
	}
}
?>

1. <?php
2. class WidgetController extends AppController {
3. var $components = array('Security');
4. function beforeFilter() {
5. if(isset($this->params[Configure::read('Routing.admin')])){
6. $this->Security->requireSecure();
7. }
8. }
9. }
10. ?>

This example would force all actions that had admin routing to require secure SSL requests.

<?php
class WidgetController extends AppController {

	var $components = array('Security');

	function beforeFilter() {
		if(isset($this->params[Configure::read('Routing.admin')])){
            $this->Security->blackHoleCallback = 'forceSSL';
			$this->Security->requireSecure();
		}
	}

	function forceSSL() {
		$this->redirect('https://' . env('SERVER_NAME') . $this->here);
	}
}
?>

1. <?php
2. class WidgetController extends AppController {
3. var $components = array('Security');
4. function beforeFilter() {
5. if(isset($this->params[Configure::read('Routing.admin')])){
6. $this->Security->blackHoleCallback = 'forceSSL';
7. $this->Security->requireSecure();
8. }
9. }
10. function forceSSL() {
11. $this->redirect('https://' . env('SERVER_NAME') . $this->here);
12. }
13. }
14. ?>

This example would force all actions that had admin routing to require secure SSL requests. When the request is black holed, it will call the nominated forceSSL() callback which will redirect non-secure requests to secure requests automatically.