Felton_Darby_Implementing Access Control With Zend Framework
8/8/2019 Felton_Darby_Implementing Access Control With Zend Framework
1/51
Darby Felton
PHP Developer, Zend Technologies
Implementing Access Control with Zend Framework
10 October 2007 Implementing Access Control with Zend Framework PAGE 2
Topics Overview
Introduction to Zend Framework
Authenticating with Zend_Auth
Access Control Lists with Zend_Acl
Putting it Together with MVC
Example Application
Q & A
Introduction to Zend Framework
Zend Framework facilitates development of PHP applications that require authentication and access control by providing flexible and extensible components built using the object-oriented features of PHP 5
Introduction to Zend Framework
Designed to facilitate building web applications and web services with object-oriented PHP 5
Open Source
New BSD license is business-friendly
Free for development and distribution
CLA process assures that the code is free of legal issues
Introduction to Zend Framework
Extreme simplicity
Use-at-will architecture
Designed for extensibility
Extensive documentation and testing
Continuous community involvement
Introduction to Zend Framework
Class Library: over 150,000 lines of code
Documentation: over 500 pages
Quality & Testing: over 4,200 unit tests
Over 2,000,000 downloads
Supports PHP 5.1.4 and later
Introduction to Zend Framework
Special thanks to:
Simon Mundy for the first production version of Zend_Acl and more
Bryce Lohr for Zend_Auth_Adapter_Http and other contributions
Ralph Schindler for his work on both Zend_Auth and Zend_Acl, including Zend_Auth_Adapter_DbTable
The Zend Framework community for their invaluable feedback from applied use cases
Authenticating with Zend_Auth
Authentication: determining whether an entity is actually what it purports to be, based on some set of credentials
Authenticating with Zend_Auth
Designed to authenticate the requester's identity against some authentication mechanism (e.g., HTTP Basic / Digest, database table, LDAP)
Supports user-defined authentication adapters
Available automatic identity persistence
Configurable identity storage implementation
Provides a simple authentication interface
Authenticating with Zend_Auth
Zend_Auth adapters implement Zend_Auth_Adapter_Interface:
class MyAuthAdapter implements Zend_Auth_Adapter_Interface
{
    /**
     * Performs an authentication attempt
     * @throws Zend_Auth_Adapter_Exception
     * @return Zend_Auth_Result
     */
    public function authenticate()
    {}
}
Authenticating with Zend_Auth
When does authenticate() throw an exception?
If and only if the authentication query cannot be answered
Authentication service (e.g., DB, LDAP) is unavailable
Cannot open password file
Not under normal authentication failure circumstances
Username does not exist in the system
Password is incorrect
Authenticating with Zend_Auth
Authentication results are returned as a Zend_Auth_Result object, which provides:
boolean isValid()
integer getCode()
mixed getIdentity()
array getMessages()
Authenticating with Zend_Auth
Two ways to authenticate against a Zend_Auth adapter:
Indirectly, through Zend_Auth::authenticate()
Directly, through the adapter's authenticate() method
By indirect usage the authenticated identity is automatically saved to persistent storage (e.g., the PHP session)
Direct usage of Zend_Auth adapters allows the user to decide what to do upon authentication
Authenticating with Zend_Auth
Zend_Auth implements the Singleton pattern; exactly one instance of the Zend_Auth class is available at any time:
Exactly one request per PHP execution lifetime
Operators new and clone are unavailable
assert(Zend_Auth::getInstance() instanceof Zend_Auth);
Authenticating with Zend_Auth
Zend_Auth automatically persists a successfully authenticated identity to the PHP session
Override this behavior by passing an object that implements Zend_Auth_Storage_Interface to Zend_Auth::setStorage()
If automatic identity storage is undesirable, developers may directly authenticate against a Zend_Auth adapter
Authenticating with Zend_Auth
Using a Zend_Auth adapter indirectly:
Authenticated identity is saved automatically
$authAdapter = new MyAuthAdapter($username, $password);
$auth = Zend_Auth::getInstance();
$result = $auth->authenticate($authAdapter);
if (!$result->isValid()) {
    foreach ($result->getMessages() as $message) {
        echo "$message\n";
    }
}
Authenticating with Zend_Auth
Using a Zend_Auth adapter directly:
No automatic storage of authenticated identity
$authAdapter = new MyAuthAdapter($username, $password);
$result = $authAdapter->authenticate();
if (!$result->isValid()) {
    foreach ($result->getMessages() as $message) {
        echo "$message\n";
    }
}
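As an added example (not code from the deck), a complete adapter that follows the contract of the preceding slides: an exception only when the credential store cannot be consulted, a Zend_Auth_Result for ordinary failures. It assumes Zend Framework 1 on the include path and PHP 5.5 or later for password_verify(); My_Auth_Adapter_Array and its in-memory user table are constructed for this example.

```php
<?php
// Added example (not from the deck): a Zend_Auth adapter over a constructed
// in-memory user table. Throws Zend_Auth_Adapter_Exception only when the store
// cannot be read; ordinary failures are reported through Zend_Auth_Result.
// Assumes Zend Framework 1 on the include path and PHP 5.5+ (password_verify).
require_once 'Zend/Auth/Adapter/Interface.php';
require_once 'Zend/Auth/Adapter/Exception.php';
require_once 'Zend/Auth/Result.php';

class My_Auth_Adapter_Array implements Zend_Auth_Adapter_Interface
{
    private $_users;     // username => password hash; null if the store is unreachable
    private $_username;
    private $_password;

    public function __construct($users, $username, $password)
    {
        $this->_users    = $users;
        $this->_username = $username;
        $this->_password = $password;
    }

    /**
     * @throws Zend_Auth_Adapter_Exception when the store cannot be read
     * @return Zend_Auth_Result
     */
    public function authenticate()
    {
        if (!is_array($this->_users)) {
            // The equivalent of "cannot open password file": the query cannot be answered
            throw new Zend_Auth_Adapter_Exception('User store is unavailable');
        }
        // One message for both failure kinds, so the response does not reveal which
        // usernames exist; the distinct codes stay available to the caller via getCode()
        $messages = array('Invalid username or password');
        if (!isset($this->_users[$this->_username])) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null, $messages);
        }
        if (!password_verify($this->_password, $this->_users[$this->_username])) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null, $messages);
        }
        // The identity is what Zend_Auth::authenticate() would persist to the session
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->_username);
    }
}

// Constructed sample store (a salted hash rather than the MD5 of the example application)
$users = array('someuser' => password_hash('correct horse', PASSWORD_DEFAULT));

// Direct use: the result is handed back to the caller and nothing is persisted
$adapter = new My_Auth_Adapter_Array($users, 'someuser', 'wrong');
$result  = $adapter->authenticate();
var_dump($result->isValid(), $result->getCode(), $result->getMessages());

// A store outage surfaces as an exception, not as an authentication failure
try {
    $broken = new My_Auth_Adapter_Array(null, 'someuser', 'correct horse');
    $broken->authenticate();
} catch (Zend_Auth_Adapter_Exception $e) {
    echo 'Store error: ', $e->getMessage(), "\n";
}
```

Passing the same adapter to Zend_Auth::getInstance()->authenticate() instead gives the indirect usage of the previous slide, with the returned identity stored automatically.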
Authenticating with Zend_Auth
Other useful Zend_Auth methods:
boolean hasIdentity()
mixed getIdentity()
void clearIdentity()
Access Control Lists with Zend_Acl
Zend_Acl provides role-based access control lists functionality and privileges management
Access Control Lists with Zend_Acl
Object-oriented design supports controlling access to certain protected objects by other requesting objects
Complete PHP implementation
Persistence does not require any backend technology; instances are serializable
Access Control Lists with Zend_Acl
Definitions
A Resource is an object to which access is controlled
A Role is an object that may request access to a Resource
Roles request access to Resources, e.g., Person requests access to Car
Roles and Resources must be added to the ACL before applying any rules upon them or querying against them
Specify rules with allow() and deny()
Query the ACL with isAllowed()
Access Control Lists with Zend_Acl
Resource objects must implement Zend_Acl_Resource_Interface:
Zend_Acl includes Zend_Acl_Resource
class MyResource implements Zend_Acl_Resource_Interface
{
    /**
     * @return string
     */
    public function getResourceId()
    {}
}
Access Control Lists with Zend_Acl
Resources may be organized into a hierarchy:
Rules are inherited from parent resources
[Figure: resource tree with Zend_Acl Resources at the root, New York and San Francisco beneath it, and the Chrysler, Empire State, Transamerica and Bank of America buildings as leaves]
Access Control Lists with Zend_Acl
Example inheritance between resources:
Access Control Lists with Zend_Acl
Role objects must implement Zend_Acl_Role_Interface:
Zend_Acl includes Zend_Acl_Role
class MyRole implements Zend_Acl_Role_Interface
{
    /**
     * @return string
     */
    public function getRoleId()
    {}
}
Access Control Lists with Zend_Acl
Roles may be organized into a directed acyclic graph (DAG):
Access control rules are inherited from parent roles
Multiple inheritance ambiguity resolution
[Figure: role DAG containing the roles guest, visitor, member, sales, support, admin, dev and joe]
Access Control Lists with Zend_Acl
Example role inheritance ambiguity resolution:
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('member'))
    ->addRole(new Zend_Acl_Role('admin'));
$parents = array('guest', 'member', 'admin');
$acl->addRole(new Zend_Acl_Role('someUser'), $parents);
$acl->add(new Zend_Acl_Resource('someResource'));
$acl->deny('guest', 'someResource');
$acl->allow('member', 'someResource');
echo $acl->isAllowed('someUser', 'someResource') ?
    'allowed' : 'denied';
Access Control Lists with Zend_Acl
Supports "privileges" upon resources (e.g., "view" privilege upon an "article" resource)
Usage is completely optional
Privileges are string identifiers, not objects
Privileges are specified with allow/deny rules
$acl->allow($someRole, $someResource, 'view');
$acl->deny($someRole, $someResource, array('edit', 'delete'));
if ($acl->isAllowed($someRole, $someResource, 'view')) {
    ...
}
Access Control Lists with Zend_Acl
Rules may be removed from the ACL using removeAllow() and removeDeny()
Specify the role(s), resource(s), and privilege(s) to which the removed rule must no longer apply
$acl = new Zend_Acl();
$acl->allow(null, null, array('privilege 1', 'privilege 2'));
assert(!$acl->isAllowed());
assert($acl->isAllowed(null, null, 'privilege 1'));
assert($acl->isAllowed(null, null, 'privilege 2'));
$acl->removeAllow(null, null, 'privilege 1');
assert(!$acl->isAllowed(null, null, 'privilege 1'));
assert($acl->isAllowed(null, null, 'privilege 2'));
Access Control Lists with Zend_Acl
Assertions provide support for conditional rules
Examples:
Allow between 8:00am and 5:00pm
Deny from specific IPs or networks
Allow only the author to edit an article
Pass an instance of Zend_Acl_Assert_Interface to allow()/deny()
The rule applies if and only if assert() returns true
Access Control Lists with Zend_Acl
An example assertion class for screening requests from abusive IP addresses:
class My_Acl_Assert_DirtyIP implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl,
                           Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null,
                           $privilege = null)
    {
        return $this->_isDirtyIP($_SERVER['REMOTE_ADDR']);
    }

    protected function _isDirtyIP($address)
    {}
}
Access Control Lists with Zend_Acl
Using a "DirtyIP" assertion object to deny access to known abusive IP addresses:
If the requesting IP is blacklisted (or not on a whitelist), then assert() returns true, and the deny rule applies, resulting in access denied
$acl = new Zend_Acl();
$acl->deny(null, null, null, new My_Acl_Assert_DirtyIP());
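As an added example (not code from the deck), the "allow only the author to edit an article" case from the assertions slide, combined with the role hierarchy, resource hierarchy and privileges covered above. It assumes a recent Zend Framework 1.x release on the include path (one in which the assertion receives the role and resource originally passed to isAllowed()); My_Acl_Assert_IsAuthor, buildArticleAcl() and the article/author table are constructed for this example.

```php
<?php
// Added example (not from the deck): an article ACL where 'view' is inherited by
// every role, editors may edit and delete unconditionally, and ordinary members
// may edit only articles they wrote (checked by an assertion).
// Assumes a recent Zend Framework 1.x release on the include path; all names below
// are hypothetical.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';

// Rule applies only when the requesting role id equals the article's author
class My_Acl_Assert_IsAuthor implements Zend_Acl_Assert_Interface
{
    private $_authors;   // resource id => author role id (constructed lookup table)

    public function __construct(array $authors)
    {
        $this->_authors = $authors;
    }

    public function assert(Zend_Acl $acl,
                           Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null,
                           $privilege = null)
    {
        if ($role === null || $resource === null) {
            return false;                        // fail closed when context is missing
        }
        $id = $resource->getResourceId();
        return isset($this->_authors[$id])
            && $this->_authors[$id] === $role->getRoleId();
    }
}

function buildArticleAcl(array $authors)
{
    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('member'), 'guest')    // inherits guest's rules
        ->addRole(new Zend_Acl_Role('editor'), 'member')
        ->addRole(new Zend_Acl_Role('alice'), 'member')    // individual users as roles
        ->addRole(new Zend_Acl_Role('bob'), 'member')
        ->add(new Zend_Acl_Resource('article'));           // parent of every article
    foreach (array_keys($authors) as $id) {
        $acl->add(new Zend_Acl_Resource($id), 'article');  // child inherits parent rules
    }
    $acl->allow('guest', 'article', 'view');
    $acl->allow('editor', 'article', array('edit', 'delete'));
    $acl->allow('member', 'article', 'edit', new My_Acl_Assert_IsAuthor($authors));
    return $acl;
}

// Constructed data: which role wrote which article
$acl = buildArticleAcl(array('article:1' => 'alice', 'article:2' => 'bob'));

var_dump($acl->isAllowed('guest',  'article:1', 'view'));   // inherited from parent resource
var_dump($acl->isAllowed('alice',  'article:1', 'edit'));   // member rule, assertion holds
var_dump($acl->isAllowed('bob',    'article:1', 'edit'));   // member rule, assertion fails
var_dump($acl->isAllowed('editor', 'article:2', 'edit'));   // unconditional editor rule
var_dump($acl->isAllowed('alice',  'article:1', 'delete')); // no matching rule: default deny
```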
Putting it Together with MVC
The Model View Controller pattern separates an application design into three distinct roles, facilitating development and maintenance
Putting it Together with MVC
Zend Framework provides implementations of the Front Controller and Model-View-Controller (MVC) patterns
Neither Zend_Auth nor Zend_Acl requires use of these patterns, but it is helpful to see how to integrate authentication and access control rules with the Zend Framework controller systems
TIMTOWTDI, so we present an example
Putting it Together with MVC
Configure the Front Controller
Set action controllers directory
Register plug-ins (e.g., authentication and authorization)
Set other options (e.g., throwing exceptions, returning the response)
Set up the ACL for action controllers
Set up any custom routes
Dispatch the Front Controller
Example Application
"Example isn't another way to teach, it is the only way to teach" - Albert Einstein
Example Application
Create the database and user account storage table:
CREATE DATABASE `myapp`;
CREATE TABLE `myapp`.`user` (
    `id` int(10) unsigned NOT NULL auto_increment,
    `username` char(32) NOT NULL,
    `password` char(32) NOT NULL,
    `fullname` char(32) NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `username` (`username`)
) COMMENT='user accounts';
Example Application
Add an administrative user and a regular user to the new table:
INSERT INTO user (username, password, fullname)
VALUES ('admin', MD5('admin'), 'Administrator'),
       ('someuser', MD5('someuser'), 'Some User');
Example Application
The application will route all requests that do not correspond to an existing file or directory to the PHP application
Using Apache and mod_rewrite, the following .htaccess file would work as desired:
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1
Example Application
The index.php file contains simply the following:
The application class will take care of setting up the Front Controller and dispatching the request
Example Application
The interesting parts of My_App::getInstance()->run():
$frontController = Zend_Controller_Front::getInstance();
$frontController->throwExceptions(true)
                ->registerPlugin(new My_Controller_Plugin_Auth())
                ->returnResponse(true);
Continue to set up the ACL...
Example Application
Add resources and roles, and create the rules needed to enforce the application requirements
$acl = $this->getAcl();
$acl->add(new Zend_Acl_Resource('index'))
    ->add(new Zend_Acl_Resource('login'))
    ->add(new Zend_Acl_Resource('logout'))
    ->add(new Zend_Acl_Resource('profile'))
    ->addRole(new Zend_Acl_Role('anonymous'))
    ->addRole(new Zend_Acl_Role('member'), 'anonymous')
    ->addRole(new Zend_Acl_Role('admin'), 'member')
    ->allow()
    ->deny(null, 'profile')
    ->allow('member', 'profile');
Example Application
Now, dispatch the request and catch any resulting exception:
For this example, the exception is simply printed, but production applications should log the occurrence of an exception (see Zend_Log)
try {
    $response = $frontController->dispatch();
    $response->sendResponse();
} catch (Exception $e) {
    echo $e->getMessage();
}
Example Application
The Front Controller has an Auth plugin:
class My_Controller_Plugin_Auth extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        if ($auth->hasIdentity()) {
            switch ($auth->getIdentity()->username) {
                case 'admin':
                    $role = 'admin';
                    break;
                default:
                    $role = 'member';
                    break;
            }
        } else {
            $role = 'anonymous';
        }
        // continued on next slide...
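The continuation slide is not part of this transcript. As an added example (not the deck's code), a complete plugin that performs the same role mapping and then checks the example application's ACL before dispatch; it assumes Zend Framework 1 on the include path, and My_Controller_Plugin_Acl and the sample identity are constructed for this example.

```php
<?php
// Added example (not from the deck): a Front Controller plugin that maps the
// identity to a role as above, then enforces the example application's ACL and
// rewrites unauthorized requests instead of dispatching them.
// Assumes Zend Framework 1 on the include path; My_Controller_Plugin_Acl is hypothetical.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Storage/NonPersistent.php';
require_once 'Zend/Controller/Plugin/Abstract.php';
require_once 'Zend/Controller/Request/Simple.php';

class My_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $_acl;

    public function __construct(Zend_Acl $acl)
    {
        $this->_acl = $acl;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        $role = 'anonymous';
        if ($auth->hasIdentity()) {
            $role = ($auth->getIdentity()->username === 'admin') ? 'admin' : 'member';
        }
        // Controller names are the ACL resources; a controller with no registered
        // resource is treated as denied rather than dispatched unchecked
        $resource = $request->getControllerName();
        if (!$this->_acl->has($resource) || !$this->_acl->isAllowed($role, $resource)) {
            // Anonymous users go to the login form, everyone else to the home page
            $request->setControllerName($role === 'anonymous' ? 'login' : 'index')
                    ->setActionName('index');
        }
    }
}

// The example application's ACL from the earlier slide
$acl = new Zend_Acl();
$acl->add(new Zend_Acl_Resource('index'))->add(new Zend_Acl_Resource('login'))
    ->add(new Zend_Acl_Resource('logout'))->add(new Zend_Acl_Resource('profile'))
    ->addRole(new Zend_Acl_Role('anonymous'))
    ->addRole(new Zend_Acl_Role('member'), 'anonymous')
    ->addRole(new Zend_Acl_Role('admin'), 'member')
    ->allow()->deny(null, 'profile')->allow('member', 'profile');

// In-memory identity storage so this runs from the command line without a session
$auth = Zend_Auth::getInstance();
$auth->setStorage(new Zend_Auth_Storage_NonPersistent());
$plugin = new My_Controller_Plugin_Acl($acl);

// Anonymous request for profile/edit
$request = new Zend_Controller_Request_Simple('edit', 'profile');
$plugin->preDispatch($request);
echo $request->getControllerName(), '/', $request->getActionName(), "\n";

// Same request once a member identity (constructed) has been stored
$auth->getStorage()->write((object) array('username' => 'someuser'));
$request = new Zend_Controller_Request_Simple('edit', 'profile');
$plugin->preDispatch($request);
echo $request->getControllerName(), '/', $request->getActionName(), "\n";
```

In the real application the plugin is registered with registerPlugin() as shown for My_Controller_Plugin_Auth, and the session storage is left at its default.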
Example Application
The application controllers extend the following class:
class My_Controller_Action extends Zend_Controller_Action
{
    public function preDispatch()
    {
        $view = Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer')->view;
        $auth = Zend_Auth::getInstance();
        if ($view->authenticated = $auth->hasIdentity()) {
            $view->user = new My_Model_User($auth->getIdentity());
        } else {
            $view->user = new My_Model_User();
        }
        $view->baseUrl = Zend_Controller_Front::getInstance()->getBaseUrl();
    }

    public function __call($name, $args)
    {
        throw new Exception('Sorry, the requested action does not exist');
    }
}
Example Application
Home page (index/index)
Personalized greeting
Layout view script prints date and time
Shows "Edit Profile" link only to authenticated users
Example Application
Login function (login/index)
Requires username of between 3 and 32 alphabetic characters
Requires password of at least 5 characters
Recalls the most recent reasons for login failure
POSTs to login/process, which redirects
Authenticated users do not see login form
Logout feature (logout/index)
Example Application
Edit Profile (profile/edit)
Only authenticated members are authorized due to ACL rule
Full name must be between 3 and 32 characters
Password must be at least 5 characters
Password must match verification field
Recalls the most recent reasons for failure to save profile data
POSTs to profile/edit/process, which redirects to profile/edit
Thank you!
More about Zend Framework:
http://framework.zend.com