Felton_Darby_Implementing Access Control With Zend Framework

  • 8/8/2019 Felton_Darby_Implementing Access Control With Zend Framework

    Darby Felton

    PHP Developer, Zend Technologies

    Implementing Access Control with Zend Framework

    10 October 2007 Implementing Access Control with Zend Framework PAGE 2

    Topics Overview

    Introduction to Zend Framework

    Authenticating with Zend_Auth

    Access Control Lists with Zend_Acl

    Putting it Together with MVC

    Example Application

    Q & A

    Introduction to Zend Framework

    Zend Framework facilitates development of PHP applications that require authentication and access control by providing flexible and extensible components built using the object-oriented features of PHP 5

    Introduction to Zend Framework

    Designed to facilitate building web applications and web services with object-oriented PHP 5

    Open Source

    New BSD license is business-friendly

    Free for development and distribution

    CLA process assures that the code is free of legal issues

    Introduction to Zend Framework

    Extreme simplicity

    Use-at-will architecture

    Designed for extensibility

    Extensive documentation and testing

    Continuous community involvement

    Introduction to Zend Framework

    Class Library: over 150,000 lines of code

    Documentation: over 500 pages

    Quality & Testing: over 4,200 unit tests

    Over 2,000,000 downloads

    Supports PHP 5.1.4 and later

    Introduction to Zend Framework

    Special thanks to:

        Simon Mundy for the first production version of Zend_Acl and more

        Bryce Lohr for Zend_Auth_Adapter_Http and other contributions

        Ralph Schindler for his work on both Zend_Auth and Zend_Acl, including Zend_Auth_Adapter_DbTable

        The Zend Framework community for their invaluable feedback from applied use cases

    Authenticating with Zend_Auth

    Authentication: determining whether an entity is actually what it purports to be, based on some set of credentials

    Authenticating with Zend_Auth

    Designed to authenticate the requester's identity against some authentication mechanism (e.g., HTTP Basic/Digest, database table, LDAP)

    Supports user-defined authentication adapters

    Available automatic identity persistence

    Configurable identity storage implementation

    Provides a simple authentication interface

    Authenticating with Zend_Auth

    Zend_Auth adapters implement Zend_Auth_Adapter_Interface:

    class MyAuthAdapter implements Zend_Auth_Adapter_Interface
    {
        /**
         * Performs an authentication attempt
         * @throws Zend_Auth_Adapter_Exception
         * @return Zend_Auth_Result
         */
        public function authenticate()
        {}
    }

    Authenticating with Zend_Auth

    When does authenticate() throw an exception?

    If and only if the authentication query cannot be answered

        Authentication service (e.g., DB, LDAP) is unavailable

        Cannot open password file

    Not under normal authentication failure circumstances

        Username does not exist in the system

        Password is incorrect

    Authenticating with Zend_Auth

    Authentication results are returned as a Zend_Auth_Result object, which provides:

    boolean isValid()

    integer getCode()

    mixed getIdentity()

    array getMessages()

    Authenticating with Zend_Auth

    Two ways to authenticate against a Zend_Auth adapter:

        Indirectly, through Zend_Auth::authenticate()

        Directly, through the adapter's authenticate() method

    By indirect usage the authenticated identity is automatically saved to persistent storage (e.g., the PHP session)

    Direct usage of Zend_Auth adapters allows the user to decide what to do upon authentication

    Authenticating with Zend_Auth

    Zend_Auth implements the Singleton pattern; exactly one instance of the Zend_Auth class is available at any time:

        Exactly one request per PHP execution lifetime

        Operators new and clone are unavailable

    assert(Zend_Auth::getInstance() instanceof Zend_Auth);

    Authenticating with Zend_Auth

    Zend_Auth automatically persists a successfully authenticated identity to the PHP session

    Override this behavior by passing an object that implements Zend_Auth_Storage_Interface to Zend_Auth::setStorage()

    If automatic identity storage is undesirable, developers may directly authenticate against a Zend_Auth adapter

    Authenticating with Zend_Auth

    Using a Zend_Auth adapter indirectly:

    Authenticated identity is saved automatically

    $authAdapter = new MyAuthAdapter($username, $password);
    $auth = Zend_Auth::getInstance();
    $result = $auth->authenticate($authAdapter);
    if (!$result->isValid()) {
        foreach ($result->getMessages() as $message) {
            echo "$message\n";
        }
    }

    Authenticating with Zend_Auth

    Using a Zend_Auth adapter directly:

    No automatic storage of authenticated identity

    $authAdapter = new MyAuthAdapter($username, $password);
    $result = $authAdapter->authenticate();
    if (!$result->isValid()) {
        foreach ($result->getMessages() as $message) {
            echo "$message\n";
        }
    }

    Authenticating with Zend_Auth

    Other useful Zend_Auth methods:

    boolean hasIdentity()

    mixed getIdentity()

    void clearIdentity()

    Access Control Lists with Zend_Acl

    Zend_Acl provides role-based access control lists functionality and privileges management

    Access Control Lists with Zend_Acl

    Object-oriented design supports controlling access to certain protected objects by other requesting objects

    Complete PHP implementation

    Persistence does not require any backend technology; instances are serializable

    Access Control Lists with Zend_Acl

    Definitions

        A Resource is an object to which access is controlled

        A Role is an object that may request access to a Resource

    Roles request access to Resources

        e.g., Person requests access to Car

    Roles and Resources must be added to the ACL before applying any rules upon them or querying against them

    Specify rules with allow() and deny()

    Query the ACL with isAllowed()

    Access Control Lists with Zend_Acl

    Resource objects must implement Zend_Acl_Resource_Interface:

    Zend_Acl includes Zend_Acl_Resource

    class MyResource implements Zend_Acl_Resource_Interface
    {
        /**
         * @return string
         */
        public function getResourceId()
        {}
    }

    Access Control Lists with Zend_Acl

    Resources may be organized into a hierarchy:

    Rules are inherited from parent resources

    [Figure: Zend_Acl Resources hierarchy with nodes New York, San Francisco, Chrysler, Transamerica, Bank of America, Empire State]

    Access Control Lists with Zend_Acl

    Example inheritance between resources:

    Access Control Lists with Zend_Acl

    Role objects must implement Zend_Acl_Role_Interface:

    Zend_Acl includes Zend_Acl_Role

    class MyRole implements Zend_Acl_Role_Interface
    {
        /**
         * @return string
         */
        public function getRoleId()
        {}
    }

    Access Control Lists with Zend_Acl

    Roles may be organized into a directed acyclic graph (DAG):

    Access control rules are inherited from parent roles

    Multiple inheritance ambiguity resolution

    [Figure: role graph with nodes guest, visitor, member, sales, support, admin, dev, joe]

    Access Control Lists with Zend_Acl

    Example role inheritance ambiguity resolution:

    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('member'))
        ->addRole(new Zend_Acl_Role('admin'));
    $parents = array('guest', 'member', 'admin');
    $acl->addRole(new Zend_Acl_Role('someUser'), $parents);
    $acl->add(new Zend_Acl_Resource('someResource'));
    $acl->deny('guest', 'someResource');
    $acl->allow('member', 'someResource');
    echo $acl->isAllowed('someUser', 'someResource') ?
        'allowed' : 'denied';
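
Added example (not from the slides, and not Zend_Acl's own code): a simplified model of how the query above is resolved. Zend_Acl searches a role's parents last-listed first and stops at the first rule that applies, so the slide's code prints "allowed"; resolve() and the $rules/$parents arrays are hypothetical names, and resource inheritance, privileges and assertions are left out.

```php
<?php
// Simplified model of Zend_Acl role resolution (assumption: one resource,
// no privileges, no assertions). Not the framework's implementation.

/**
 * @param string $role     role being queried
 * @param array  $parents  role => parent roles, in the order given to addRole()
 * @param array  $rules    role => 'allow' | 'deny' for the single resource
 * @return array           array(decision, role that supplied the rule)
 */
function resolve($role, array $parents, array $rules)
{
    $stack   = array($role);
    $visited = array();
    while ($stack) {
        $current = array_pop($stack);           // last pushed is examined first
        if (isset($visited[$current])) {
            continue;                           // a DAG can reach a role twice
        }
        $visited[$current] = true;
        if (isset($rules[$current])) {
            return array($rules[$current], $current);   // first applicable rule wins
        }
        // Parents are pushed in listed order, so the LAST listed parent is popped first.
        $list = isset($parents[$current]) ? $parents[$current] : array();
        foreach ($list as $parent) {
            $stack[] = $parent;
        }
    }
    return array('deny', '(default)');          // no rule found anywhere: denied
}

$rules = array('guest' => 'deny', 'member' => 'allow');   // rules from the slide

// Parent order from the slide: guest, member, admin
$asOnSlide = array('someUser' => array('guest', 'member', 'admin'));
// Same parents listed in the opposite order (constructed for comparison)
$reversed  = array('someUser' => array('admin', 'member', 'guest'));

foreach (array('slide order' => $asOnSlide, 'reversed' => $reversed) as $label => $parents) {
    list($decision, $from) = resolve('someUser', $parents, $rules);
    printf("%-12s %s (rule found on '%s')\n", $label . ':', $decision, $from);
}
```

Listing the same parents in the opposite order makes the deny rule on guest the first one found, so the order of the parent array is part of the access policy and deserves the same review as the rules themselves.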

    Access Control Lists with Zend_Acl

    Supports "privileges" upon resources (e.g., "view" privilege upon an "article" resource)

    Usage is completely optional

    Privileges are string identifiers, not objects

    Privileges are specified with allow/deny rules

    $acl->allow($someRole, $someResource, 'view');
    $acl->deny($someRole, $someResource, array('edit', 'delete'));
    if ($acl->isAllowed($someRole, $someResource, 'view')) {
        ...

    Access Control Lists with Zend_Acl

    Rules may be removed from the ACL using removeAllow() and removeDeny()

    Specify the role(s), resource(s), and privilege(s) to which the removed rule must no longer apply

    $acl = new Zend_Acl();
    $acl->allow(null, null, array('privilege 1', 'privilege 2'));
    assert(!$acl->isAllowed());
    assert($acl->isAllowed(null, null, 'privilege 1'));
    assert($acl->isAllowed(null, null, 'privilege 2'));
    $acl->removeAllow(null, null, 'privilege 1');
    assert(!$acl->isAllowed(null, null, 'privilege 1'));
    assert($acl->isAllowed(null, null, 'privilege 2'));

    Access Control Lists with Zend_Acl

    Assertions provide support for conditional rules

    Examples:

        Allow between 8:00am and 5:00pm

        Deny from specific IPs or networks

        Allow only the author to edit an article

    Pass an instance of Zend_Acl_Assert_Interface to allow()/deny()

    The rule applies if and only if assert() returns true

    Access Control Lists with Zend_Acl

    An example assertion class for screening requests from abusive IP addresses:

    class My_Acl_Assert_DirtyIP implements Zend_Acl_Assert_Interface
    {
        public function assert(Zend_Acl $acl,
                               Zend_Acl_Role_Interface $role = null,
                               Zend_Acl_Resource_Interface $resource = null,
                               $privilege = null)
        {
            return $this->_isDirtyIP($_SERVER['REMOTE_ADDR']);
        }

        protected function _isDirtyIP($address)
        {}
    }

    Access Control Lists with Zend_Acl

    Using a "DirtyIP" assertion object to deny access to known abusive IP addresses:

    If the requesting IP is blacklisted (or not on a whitelist), then assert() returns true, and the deny rule applies, resulting in access denied

    $acl = new Zend_Acl();
    $acl->deny(null, null, null, new My_Acl_Assert_DirtyIP());
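
Added example (not from the slides): one possible body for the empty _isDirtyIP() placeholder, written as a stand-alone function that matches an address against a blocklist of single addresses and CIDR ranges for IPv4 and IPv6. The function name isDirtyIP(), its $cidrs parameter and the blocklist entries (documentation address ranges) are assumptions.

```php
<?php
// Stand-alone blocklist check; no Zend Framework classes are needed to run it.

/**
 * @param string $address  client address, e.g. $_SERVER['REMOTE_ADDR']
 * @param array  $cidrs    entries such as '203.0.113.0/24' or '198.51.100.7'
 * @return bool            true when the deny rule should apply
 */
function isDirtyIP($address, array $cidrs)
{
    $addr = @inet_pton($address);
    if ($addr === false) {
        return true;                        // unparseable address: fail closed
    }
    // Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as plain IPv4 so IPv4 entries match.
    if (strlen($addr) === 16 && substr($addr, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        $addr = substr($addr, 12);
    }
    foreach ($cidrs as $cidr) {
        $parts = explode('/', $cidr, 2);
        $net   = @inet_pton($parts[0]);
        if ($net === false || strlen($net) !== strlen($addr)) {
            continue;                       // bad entry or other address family
        }
        $maxBits = strlen($net) * 8;
        if (isset($parts[1]) && !ctype_digit($parts[1])) {
            continue;                       // '/x' must not silently become '/0'
        }
        $bits = isset($parts[1]) ? (int) $parts[1] : $maxBits;
        if ($bits > $maxBits) {
            continue;                       // prefix longer than the address
        }
        $fullBytes = $bits >> 3;            // whole bytes covered by the prefix
        $remBits   = $bits & 7;             // leftover bits in the next byte
        if (substr($addr, 0, $fullBytes) !== substr($net, 0, $fullBytes)) {
            continue;
        }
        if ($remBits) {
            $mask = (0xFF << (8 - $remBits)) & 0xFF;
            if ((ord($addr[$fullBytes]) & $mask) !== (ord($net[$fullBytes]) & $mask)) {
                continue;
            }
        }
        return true;                        // address falls inside this entry
    }
    return false;
}

// Constructed blocklist and sample addresses.
$blocklist = array('203.0.113.0/24', '198.51.100.7', '2001:db8:bad::/48');
$samples   = array('203.0.113.77', '198.51.100.8', '::ffff:203.0.113.5',
                   '2001:db8:bad:1::9', 'garbage');
foreach ($samples as $ip) {
    printf("%-20s %s\n", $ip, isDirtyIP($ip, $blocklist) ? 'deny' : 'no match');
}
```

Behind a reverse proxy or load balancer, REMOTE_ADDR holds the proxy's address, so the assertion would have to use the client address supplied by a proxy the application trusts.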

    Putting it Together with MVC

    The Model View Controller pattern separates an application design into three distinct roles, facilitating development and maintenance

    Putting it Together with MVC

    Zend Framework provides implementations of the Front Controller and Model-View-Controller (MVC) patterns

    Neither Zend_Auth nor Zend_Acl requires use of these patterns, but it is helpful to see how to integrate authentication and access control rules with the Zend Framework controller systems

    TIMTOWTDI, so we present an example

    Putting it Together with MVC

    Configure the Front Controller

        Set action controllers directory

        Register plug-ins (e.g., authentication and authorization)

        Set other options (e.g., throwing exceptions, returning the response)

    Set up the ACL for action controllers

    Set up any custom routes

    Dispatch the Front Controller

    Example Application

    Example isn't another way to teach, it is the only way to teach - Albert Einstein

    Example Application

    Create the database and user account storage table:

    CREATE DATABASE `myapp`;
    CREATE TABLE `myapp`.`user` (
        `id` int(10) unsigned NOT NULL auto_increment,
        `username` char(32) NOT NULL,
        `password` char(32) NOT NULL,
        `fullname` char(32) NOT NULL,
        PRIMARY KEY (`id`),
        UNIQUE KEY `username` (`username`)
    ) COMMENT='user accounts';

    Example Application

    Add an administrative user and a regular user to the new table:

    INSERT INTO user (username, password, fullname)
    VALUES ('admin', MD5('admin'), 'Administrator'),
           ('someuser', MD5('someuser'), 'Some User');
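
Added example (not from the slides or the Zend Framework project): a Zend_Auth adapter for the user table above that follows the authenticate() contract from the earlier slides (throw only when the query cannot be answered, otherwise return a Zend_Auth_Result) and replaces the unsalted MD5() comparison with password_hash()/password_verify(). The class name My_Auth_Adapter_PasswordHash, the in-memory SQLite table and its sample password are assumptions; it needs Zend Framework 1 on the include path, PHP 5.5 or later, and a PDO handle in exception mode.

```php
<?php
// Assumes Zend Framework 1 on the include path and the pdo_sqlite extension.
require_once 'Zend/Auth/Adapter/Interface.php';
require_once 'Zend/Auth/Adapter/Exception.php';
require_once 'Zend/Auth/Result.php';

class My_Auth_Adapter_PasswordHash implements Zend_Auth_Adapter_Interface
{
    private $_db;
    private $_username;
    private $_password;
    private $_dummyHash;   // verified when the user is unknown, to level timing

    public function __construct(PDO $db, $username, $password)
    {
        $this->_db        = $db;
        $this->_username  = $username;
        $this->_password  = $password;
        $this->_dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    public function authenticate()
    {
        try {
            $stmt = $this->_db->prepare(
                'SELECT id, username, password, fullname FROM user WHERE username = ?');
            $stmt->execute(array($this->_username));
            $row = $stmt->fetch(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            // The query could not be answered: the only case that throws.
            throw new Zend_Auth_Adapter_Exception('Authentication backend unavailable');
        }
        // Unknown user and wrong password both cost one password_verify() call.
        $hash = $row ? $row['password'] : $this->_dummyHash;
        $ok   = password_verify($this->_password, $hash);
        if (!$row || !$ok) {
            $code = $row ? Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID
                         : Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND;
            // Same message for both so the login form does not reveal valid usernames.
            return new Zend_Auth_Result($code, $this->_username,
                                        array('Invalid username or password'));
        }
        unset($row['password']);   // keep the hash out of the stored identity
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, (object) $row);
    }
}

// Demo with a constructed in-memory table; the password column is TEXT here
// because password_hash() output does not fit in char(32).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                              password TEXT, fullname TEXT)');
$ins = $db->prepare('INSERT INTO user (username, password, fullname) VALUES (?, ?, ?)');
$ins->execute(array('someuser', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'Some User'));

$attempts = array(array('someuser', 's3cret-demo'), array('someuser', 'wrong'),
                  array('nobody', 'x'));
foreach ($attempts as $try) {
    $adapter = new My_Auth_Adapter_PasswordHash($db, $try[0], $try[1]);
    $result  = $adapter->authenticate();
    printf("%-9s valid=%s code=%d\n", $try[0],
           var_export($result->isValid(), true), $result->getCode());
}
```

The identity returned on success is an object with a username property, which is the shape the Auth plug-in later in the deck reads with getIdentity()->username.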

    Example Application

    The application will route all requests that do not correspond to an existing file or directory to the PHP application

    Using Apache and mod_rewrite, the following .htaccess file would work as desired:

    RewriteEngine on
    RewriteCond %{SCRIPT_FILENAME} !-f
    RewriteCond %{SCRIPT_FILENAME} !-d
    RewriteRule ^(.*)$ index.php/$1

    Example Application

    The index.php file contains simply the following:

    The application class will take care of setting up the Front Controller and dispatching the request

    Example Application

    The interesting parts of My_App::getInstance()->run():

    $frontController = Zend_Controller_Front::getInstance();
    $frontController->throwExceptions(true)
                    ->registerPlugin(new My_Controller_Plugin_Auth())
                    ->returnResponse(true);

    Continue to set up the ACL...

    Example Application

    Add resources and roles, and create the rules needed to enforce the application requirements

    $acl = $this->getAcl();
    $acl->add(new Zend_Acl_Resource('index'))
        ->add(new Zend_Acl_Resource('login'))
        ->add(new Zend_Acl_Resource('logout'))
        ->add(new Zend_Acl_Resource('profile'))
        ->addRole(new Zend_Acl_Role('anonymous'))
        ->addRole(new Zend_Acl_Role('member'), 'anonymous')
        ->addRole(new Zend_Acl_Role('admin'), 'member')
        ->allow()
        ->deny(null, 'profile')
        ->allow('member', 'profile');

    Example Application

    Now, dispatch the request and catch any resulting exception:

    For this example, the exception is simply printed, but production applications should log the occurrence of an exception (see Zend_Log)

    try {
        $response = $frontController->dispatch();
        $response->sendResponse();
    } catch (Exception $e) {
        echo $e->getMessage();
    }

    Example Application

    The Front Controller has an Auth plugin:

    class My_Controller_Plugin_Auth extends Zend_Controller_Plugin_Abstract
    {
        public function preDispatch(Zend_Controller_Request_Abstract $request)
        {
            $auth = Zend_Auth::getInstance();
            if ($auth->hasIdentity()) {
                switch ($auth->getIdentity()->username) {
                    case 'admin':
                        $role = 'admin';
                        break;
                    default:
                        $role = 'member';
                        break;
                }
            } else {
                $role = 'anonymous';
            } // continued on next slide...

    Example Application

    The application controllers extend the following class:

    class My_Controller_Action extends Zend_Controller_Action {
        public function preDispatch()
        {
            $view =
                Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer')->view;
            $auth = Zend_Auth::getInstance();
            if ($view->authenticated = $auth->hasIdentity()) {
                $view->user = new My_Model_User($auth->getIdentity());
            } else {
                $view->user = new My_Model_User();
            }
            $view->baseUrl = Zend_Controller_Front::getInstance()->getBaseUrl();
        }

        public function __call($name, $args)
        { throw new Exception('Sorry, the requested action does not exist'); }
    }

    Example Application

    Home page (index/index)

        Personalized greeting

        Layout view script prints date and time

        Shows "Edit Profile" link only to authenticated users

    Example Application

    Login function (login/index)

        Requires username of between 3 and 32 alphabetic characters

        Requires password of at least 5 characters

        Recalls the most recent reasons for login failure

        POSTs to login/process, which redirects

        Authenticated users do not see login form

    Logout feature (logout/index)

    Example Application

    Edit Profile (profile/edit)

        Only authenticated members are authorized due to ACL rule

        Full name must be between 3 and 32 characters

        Password must be at least 5 characters

        Password must match verification field

        Recalls the most recent reasons for failure to save profile data

        POSTs to profile/edit/process, which redirects to profile/edit

    Thank you!

    More about Zend Framework:

    http://framework.zend.com