How to implement Attribute based Access Control (ABAC) in PHP - php

I just found one framework by AT&T for building ABAC.
This framework uses XACML, following the XML format, to create rules. But this framework is only implemented for Java.
However, I'm working with PHP and I am using JSON to write rules.
Is my solution correct? Can you suggest some frameworks or solutions supporting PHP?
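As an added example, not code from the question or from any answer or engine mentioned on this page: a minimal policy decision point in PHP (7.4+) that evaluates JSON rules in a small format of my own (not XACML), combines matching rules with deny-overrides, and shows the enforcement side treating a NotApplicable result as a denial. The policy and requests are constructed sample data.

```php
<?php
// Added example: a tiny ABAC policy decision point (PDP) over JSON rules.
// The rule format is my own for illustration; it is not XACML.
declare(strict_types=1);
// Constructed sample policy. A rule applies when every attribute in its
// target equals the request's value; "${name}" refers to another request
// attribute. Effects of matching rules are combined with deny-overrides.
$policyJson = <<<'JSON'
{
  "rules": [
    {"id": "admins", "effect": "permit", "target": {"subject.role": "admin"}},
    {"id": "owners", "effect": "permit",
     "target": {"action": "read", "resource.owner": "${subject.id}"}},
    {"id": "night-secret", "effect": "deny",
     "target": {"resource.classification": "secret", "env.shift": "night"}}
  ]
}
JSON;

final class JsonPdp
{
    private array $rules;

    public function __construct(string $json)
    {
        $policy = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($policy['rules'] ?? null)) {
            throw new InvalidArgumentException('policy has no "rules" array');
        }
        $this->rules = $policy['rules'];
    }

    /** Returns "Permit", "Deny" or "NotApplicable" for a flat attribute map. */
    public function decide(array $request): string
    {
        $permits = 0;
        foreach ($this->rules as $rule) {
            if (!$this->targetMatches($rule['target'] ?? [], $request)) {
                continue;
            }
            if (($rule['effect'] ?? 'deny') === 'deny') {
                return 'Deny'; // deny-overrides: one matching deny settles it
            }
            $permits++;
        }
        return $permits > 0 ? 'Permit' : 'NotApplicable';
    }

    // Every target attribute must be present in the request and equal.
    // An empty target matches any request (the same convention as XACML).
    private function targetMatches(array $target, array $request): bool
    {
        foreach ($target as $name => $expected) {
            if (preg_match('/^\$\{([\w.]+)\}$/', (string) $expected, $m)) {
                $expected = $request[$m[1]] ?? null; // resolve "${other.attr}"
            }
            if (!isset($request[$name]) || $request[$name] !== $expected) {
                return false;
            }
        }
        return true;
    }
}

// Enforcement point side: gather attributes, ask the PDP, enforce.
$pdp = new JsonPdp($policyJson);
$requests = [
    ['subject.id' => 'alice', 'subject.role' => 'user', 'action' => 'read',
     'resource.owner' => 'alice', 'resource.classification' => 'public', 'env.shift' => 'day'],
    ['subject.id' => 'bob', 'subject.role' => 'admin', 'action' => 'write',
     'resource.owner' => 'alice', 'resource.classification' => 'secret', 'env.shift' => 'night'],
    ['subject.id' => 'carol', 'subject.role' => 'user', 'action' => 'write',
     'resource.owner' => 'alice', 'resource.classification' => 'public', 'env.shift' => 'day'],
];
foreach ($requests as $r) {
    $decision = $pdp->decide($r);
    $allowed = ($decision === 'Permit'); // NotApplicable is enforced as a denial
    printf("%-5s %-5s -> %-13s allowed=%s\n", $r['subject.id'], $r['action'], $decision, json_encode($allowed));
}
```

Alice is permitted by the owners rule, Bob is denied because the night-secret deny overrides his admin permit, and Carol matches no rule and is therefore refused by the enforcement point.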

To complete David's answer regarding AuthzForce: it is open source, XACML 3.0 compliant and provides both a Java API (AuthzForce Core) and a REST API for PAP and PDP. So you could use the REST API from your PHP program. The API supports XML and JSON formats for both PAP and PDP interfaces. However, we are not using the JSON profile of XACML for the PDP. Instead, for the whole API, we are using the mapped convention provided by Apache CXF. Such a convention allows automatic translation from XML (more precisely the internal XML-derived model used in the implementation code) to JSON, and vice versa.
EDIT (2018-02-26):
AuthzForce Core and Server now both support the standard JSON Profile of XACML for the PDP. AuthzForce also provides a minimal RESTful PDP based on the Core, either packaged as a Spring-boot app, or simply the JAX-RS implementation for reuse in any JAX-RS framework.

The AT&T framework was an R&D framework designed by AT&T a few years ago and then released to Apache. According to GitHub, it is still active. I am not aware of any commercial use of the product (though I suspect AT&T use it themselves).
The three main frameworks used out there are:
WSO2 Balana. This is an open-source Java PDP. It is also bundled as part of WSO2 Identity Server. Most open source users use Balana.
SunXACML: this is the original XACML 3.0 implementation. It is pretty old but sturdy (it's been around for 10 years or so). It is also open-source and Java.
Axiomatics Policy Server. This is a commercial solution (disclaimer: I work for Axiomatics). It is the most prevalent commercial solution out there. It is also implemented in Java but supports integration for PHP too.
You can find this information on XACML's wikipedia page. There is another interesting engine called AuthZForce but I have little experience with it.
All these engines, AFAIK, use XACML's XML format to store policies. You claim you need JSON. There is no Policy profile of XACML in JSON. There was a question on the topic which you can read here.
Given that the Axiomatics Policy Server is exposed as a JSON API, you can use it to integrate with PHP. Other engines probably have a similar approach. If you use Amazon AWS, you can request a copy of the Axiomatics Policy Server AMI.
ABAC is technology-neutral meaning it is not specific to Java, Ruby, .NET, PHP or any other language. What the PDP engine is written in is irrelevant to what your application is written in so long as you can integrate the two together.
I hope this helps,
David.

The TYPO3 Access Control component implements ABAC, supporting a simple but expressive access control policy language based on Jiang, Hao & Bouabdallah, Ahmed (2017), and is written in PHP.
Check out the JSON schema to get a quick impression of the access control policy language. The component is lean and flexible. It's neither opinionated about the format nor about the expression language of the policy language. For example you could use YAML and the Symfony expression language. As such, a policy could look like this:
description: 'Root policy set.'
algorithm: highestPriority
policies:
  Admin:
    target: 'hasAuthority("typo3:security:principal:admin")'
    description: 'Administrator policy'
    priority: 100
    rules:
      -
        effect: permit
  Default:
    description: 'Deny everything per default.'
    rules:
      -
        obligation:
          deny:
            Feedback: ['Access denied.']

Related

Good resource for building restful API

I am looking for a good resource which will show me the right way for building a restful API.
Interesting topics: Authentication in particular and security in general, performance, scalability, best practices and other useful things.
I am going to build it in PHP (Slim or Silex) and before I begin I would like to think about the whole design so I can go the right way from the beginning.
There are a lot of info and posts all around the web but all of them adopt different practices and approaches.
Is there something which seems like a "standard" in the restful world?
Is there something which seems like a "standard" in the restful world?
Not beyond the level of using HTTP. There's a bunch of media types for encoding API data (see hypermedia below), a lot of different best practices and a good amount of RFCs that cover various aspects of working with HTTP (like, for instance, authorization using OAuth2).
Here's a compilation of resources worth reading ... I think you will get the most out of reading through one or two of the books.
Authoritative resources
Fielding's original thesis on REST: http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
Books
RESTful Web APIs: http://shop.oreilly.com/product/0636920028468.do
RESTful Web Services Cookbook: http://shop.oreilly.com/product/9780596801694.do
REST in Practice : http://shop.oreilly.com/product/9780596805838.do
RESTful Web Services: http://amzn.com/0596529260
Web API Design: https://pages.apigee.com/web-api-design-website-h-ebook-registration.html
InfoQ E-magazine on REST: http://www.infoq.com/minibooks/emag-rest
Authentication
Basic considerations: http://soabits.blogspot.dk/2014/02/api-authentication-considerations-and.html
OAuth2 spec: https://www.rfc-editor.org/rfc/rfc6749
Error handling
Best practices: http://soabits.blogspot.dk/2013/05/error-handling-considerations-and-best.html
"vnd.error" a media type for error details: https://github.com/blongden/vnd.error
Problem details for HTTP APIs: https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-http-problem-00
Hypermedia
Fielding's famous rant: http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven
Selling the benefits of hypermedia: http://soabits.blogspot.dk/2013/12/selling-benefits-of-hypermedia.html
HAL media type: http://stateless.co/hal_specification.html
Siren media type: https://github.com/kevinswiber/siren
Collection+JSON: http://amundsen.com/media-types/collection/format/
JSON API: http://jsonapi.org/
Hydra: http://www.markus-lanthaler.com/hydra/
RFC 5988 Web Linking https://www.rfc-editor.org/rfc/rfc5988
URL structures
Basic considerations: http://soabits.blogspot.dk/2013/10/url-structures-and-hyper-media-for-web.html
Partial updates
Considerations about partial updates: http://soabits.blogspot.dk/2013/01/http-put-patch-or-post-partial-updates.html
JSON-Patch: https://www.rfc-editor.org/rfc/rfc6902
Some considerations about PHP for building REST APIs
PHP has been a widely used technology for many years.
But during this long period it has shown some relevant problems: it became a monstrous technology, and its usage has shown security vulnerabilities like SQL injection, the lack of a centralized packaging registry, inconsistent APIs and subpar performance.
For building REST APIs there are more modern technologies, like Ruby on Rails and Django, or Node.js, which is easily approachable.
Using PHP for building REST APIs
You can of course build your APIs in PHP even if better technologies have been born in recent years. Many companies still use it in production environments.
You can choose between two different approaches to build your infrastructure:
building everything from scratch, interfacing directly with PHP APIs.
staying on an upper level and interfacing with third-party, open
source libraries to perform some tedious processes like routing,
authentication and so on.
The second approach lets you save time and focus more on your business logic, by delegating some common operations to trusted third-party code.
For example, you can check these libraries that are commonly used in PHP applications to get the job done faster:
https://github.com/chriso/klein.php helps you perform the routing
https://github.com/PHPAuth/PHPAuth helps you with the authentication process (check also https://github.com/firebase/php-jwt for stateless authentication).
https://github.com/mongodb/mongo-php-driver (MongoDB) or https://github.com/cagartner/sql-anywhere-client (SQL): you will need to interface with a database, and these links are examples of client libraries that help you with the job.
Using something like Node.js
Node.js is a modern technology built to allow people to do what you are going to do. It's fast, scalable (PHP is less so), easy to use and has a very frenetic community that writes code and shares it as open source.
For example, using http://expressjs.com/ you can manage the whole routing of your application in minutes. You write your application in JavaScript, so you will have to worry about JavaScript's inherent problems (closures, async calls etc.), but after having solved this quite tricky part, with Node.js you will build a more efficient REST API, and your server will need less CPU and power to accept and answer requests.
For best practices there is a good guideline repository on GitHub. You can go to the following page for more information:
http-api-design
You can also look at Apiary to design APIs:
Apiary
For authentication, actually the best thing to do is to rely on a framework instead of reimplementing it from scratch. For learning purposes, however, that's a different case, but for putting it out to production the best bet is to use what the framework provides. Most frameworks have a good implementation which has probably been iterated over time by the community to be quite robust. Certain frameworks like Laravel also provide solutions for CSRF (cross-site request forgery) attacks.
Another useful thing that you can look into is JWT (JSON Web Token). Here is a useful link which summarises why it is so awesome:
Stateless tokens with JWT
I don't know how to look into scalability from an API perspective. To me it seems more like an infrastructural issue. However, with authentication (session or token based) scalability could become an issue: for example, if you have a number of different instances serving your users, you need to maintain either sticky sessions or sessions stored in a quick-access key-value store or database.
Please have a look at my opinionated presentation about REST APIs based on JSON-LD, SemWeb, Hydra Core.

Can WCS and REST be written and consumed in PHP

I am new to PHP; I have to consume an API written in .NET with REST and WCS as the service provider.
Also the SSO with SAML2 has to be there.
Frankly speaking, I have no idea what REST and WCS are.
I do see that SAML2 is supported in PHP.
Can somebody help: are REST and WCS supported in PHP?
I am googling to get a basic idea about what it does but could not find how to do it in PHP.
Please help.
RESTful APIs in WCS v7 FEP7 opens up options to build store-websites using any web programming language and on any web framework while taking advantage of enterprise grade business logic in WCS.
I was part of a PoC to use Python (Django) as an alternative over a year ago -- it is very easy and works great. Consuming the REST service was just two lines of code:
import json
import urllib2  # Python 2 library; on Python 3 use urllib.request.urlopen

# Fetch the store resource and decode the JSON body from the response stream
sampleResponse = urllib2.urlopen('<STORE_URL>' + '/<URI>')
sampleJSON = json.load(sampleResponse)
I am sure PHP (SAML2), Ruby (Rails) should all work just as well.
Some things to remember:
WCS support will not extend to custom technologies - so you will need to extend your own support for store front issues.
You will need to separately size and plan for the horse power required to run your favorite runtime.
I suspect that you will most likely miss out on Commerce Composer feature (or at least requires additional customization there).
You may also need to manage SEO differently - not via WCS Management Center.
There may be others.

How to write a REST API?

I'm writing an iPhone app as a hobby project and it will need a web service to provide it with data. It's not very different from what I do at work, but at work I only write views and controllers. Someone else is responsible for writing the model and usually the clients provide the web service.
I have done some web programming before, back when everyone was using MySQL and PHP, so my skills are a bit outdated, but I'm confident that I would be able to pull it off using the techniques I already know. However, I don't want to waste my time using obsolete tools. I've figured out that the state of the art would be to write a REST API. I was thinking that there should be some pretty good frameworks out there that pretty much just give you a REST API with CRUD functionality as soon as you've defined a model.
I guess my question is: What would be the fastest way to get a REST API up and running? I really just want to focus on writing the iPhone app and not spend too much time on this API. It would be great if I could get web administration and revision history too. I should also add that the API isn't supposed to be public, so support for authentication would be great as well.
Just to be clear. I wouldn't mind a PHP framework. In fact it could possibly be better since I know that my current hosting supports it.
EDIT:
The links below, which apparently were good for 3 years, are no longer working, so I went and found a couple of new tutorials that I think are going to stick around for a while. These are on the Ray Wenderlich site, a very well respected iOS dev tutorial site. The first article actually references the broken links below but it is complete within itself:
How To Write A Simple PHP/MySQL Web Service for an iOS App
and the second one has a little twist to it. It uses parse.com on the backend and AFNetworking. Both of which are quite excellent.
How To Synchronize Core Data with a Web Service – Part 1
I have fixed the broken links below by finding the articles in the way back machine. People seem to like the links so I will keep them. The links above should provide more food for thought.
I am doing exactly the same thing with my iPhone app. I found this article on building a RESTful API in PHP:
https://web.archive.org/web/20130910164802/http://www.gen-x-design.com/archives/create-a-rest-api-with-php/
and there is also a followup article here:
https://web.archive.org/web/20130323001500/http://www.gen-x-design.com/archives/making-restful-requests-in-php/
with a link to source code at the bottom of the article.
I have programmed a REST API in Zend Framework using the Zend_Rest_Controller; on the iPhone I used ASIHTTPRequest. My experiences with both were good. At the beginning I had some trouble setting up Zend and connecting it to MySQL, but once I figured out how to do it I was able to write the API very quickly. I can share more information with you if you have any further questions.
EDIT: There seems to be no official documentation on Zend_Rest_Controller. This link describes how to use it to create your API. You simply have to disable rendering in the init() of your subclass and implement the methods for each REST call.
Just to let you know:
I ended up using Ruby on Rails.
EDIT: Since this answer has been downvoted for not providing the reason behind choosing Ruby on Rails and also no instructions on how to write a REST API with it, I thought I would give you my motivation and some simple instructions.
I started reading a book about Ruby on Rails and realized that all I needed to do was to use scaffolding and I got a JSON REST API for free.
Here's a good guide to get you started: http://guides.rubyonrails.org/getting_started.html
When you have your Ruby on Rails environment up and running, creating your REST API isn't harder than running:
$ rails generate scaffold Post name:string title:string content:text
(Example from the above link.) I also found that Rails is very easy and free to deploy to Heroku, which meant that I didn't have to pay for hosting for my very basic, low-traffic REST API. There are many other reasons why I am very happy to work with Ruby on Rails, but that's beyond the context of this question.
I followed a quite simple tutorial for creating RESTful APIs with PHP:
Corey Maynard - Creating a RESTful API with PHP
The main concept includes:
one abstract class that handles the parsing of the URI and returning the response, and
one concrete class that consists of just the endpoints for the API.
What about Python?
I'd use Python, Django and Piston.
I'd generate Django models from your
existent DB using inspectdb.
Add the Django admin to your models.
Add Django Piston to your app.
Profit.
With no experience with Python or Django it'll probably take you a day to develop this solution, and all the code is unit tested and proven to work.
If you want to use PHP I recommend using the CodeIgniter framework with Phil Sturgeon's REST server:
http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2
https://github.com/philsturgeon/codeigniter-restserver
Check out the following PHP class that follows MVC.
http://www.phpclasses.org/package/5080-PHP-Implement-REST-Web-services-servers.html
Hope this helps.
If you already know PHP, there's nothing wrong with a PHP/MySQL backend. You can send all responses in iPhone-compatible plist XML format, and instantly turn the response into an NSDictionary/NSArray/NSNumber data structure with this short snippet of code:
NSString *response = [request responseString];
NSData *plistData = [response dataUsingEncoding:NSUTF8StringEncoding];
NSPropertyListFormat format;
NSString *errorStr;
NSDictionary *plist = [NSPropertyListSerialization propertyListFromData:plistData
                                                       mutabilityOption:NSPropertyListImmutable
                                                                 format:&format
                                                       errorDescription:&errorStr];
I also use the ASIHTTP package for forming URLs, sending asynchronous requests, and receiving the responses; I highly recommend it:
http://allseeing-i.com/ASIHTTPRequest/
You should use whatever languages you are comfortable with for the web service. Any language that can formulate REST responses to requests is fine.
That said, if you want to get something running quickly, I suggest using Python on Google App Engine. It's free and you can use Java instead of Python if you so desire. App Engine supports authentication using OpenID and/or Google Accounts (not sure if they're mutually exclusive) so that should make things easier to code.
As far as making the requests on the iOS device, I suggest using ASIHTTPRequest.
Another option is restSQL, an ultra-lightweight persistence framework. See http://restsql.org. It supports MySQL and PostgreSQL and runs in a standard Java EE container, e.g. Apache Tomcat.
restSQL is a very unconventional data access layer. restSQL is not an object-oriented view of the database. It presents flat or hierarchical "views" of relational database tables. These views are query-able and updatable through a simple REST-based HTTP or Java API. The HTTP interface is based on REST principles, which use HTTP’s built-in features, rather than abstracting away from them.
You want a 'REST API with CRUD functionality' and that's exactly restSQL's sweet spot. You could do this with no code. Simply define your SQL Resources via XML files and start doing HTTP calls against them with full CRUD capability.

any real MVC library in PHP (for GUI apps)

I'm wondering if there are any abstraction frameworks for one of the PHP gui libraries. We have PHP-GTK, a PHP/Tk interface, and seemingly also PHP-QT. (Not tried any.)
I know that writing against the raw Gtk+ interface in Python is just bearable, and it therefore seems not very enticing for PHP. I assume it's the same for Qt, and Tk is pretty low-level too. So I'm looking for something that provides a nicer object structure atop any of the three. Primarily TreeViews are always a chore and php-gtk callbacks are weird in PHP, so I'd like a simplification for that. If it eases adding the GUI/View atop my business logic without much control code, that might already help.
And so since GUI apps are an area where MVC or MVP would actually make sense, I'd like to know if any library for that exists.
Still open for answers.
(There will probably be a second bounty round. It's an uncommon topic, so needs more research.)
[Not an answer. Just wanted to remove this from the question, as it's only related, not a solution.]
There is the PHP interface preprocessor. However it is very simple and low-level. It provides an output interface for Gtk, as well as ncurses, but also PDF or XHTML serialization. Which is interesting, as it's close to real MVC constructs in allowing to exchange the View for different backends without adapting the Controller even. But then it only provides the basic widgets, and not a whole lot of simplifications. Thus I only consider it related to my original question. So, a side note.
Have you tried WinBinder? Not exactly MVC related, but a very nice extension to create GUI-based programs in PHP.
Now there are a few options that work on newer versions of PHP. Some of these do not provide you with MVC out of the box, but you can use them to make GUI applications in PHP.
There is the very easy to use php-gui. It does not require any special PHP extensions; you can just install it with Composer like any other PHP library or framework you depend on. It is geared toward simple, standard user interfaces.
If you need to make something very custom and graphically advanced, and are willing to use an API that was designed to make games in C (or if you want to make a game in PHP), you could use OpenGL via SDL via FFI via ffi-sdl. It currently (as of 6/1/2020) requires PHP 7.4 or greater as it uses the recently added FFI feature of PHP. Even though this relies on the FFI extension, php-ffi is still easy to add to your project. It is still sort of extensionless (like php-gui) because there are no extensions tailor-made just for this for it to work. Unlike some other extensions, there is not much chance FFI will not be maintained since it is a feature of PHP itself. Most people will just need to add ffi-sdl to their project using Composer, and possibly enable FFI in their php.ini.
I just learned you could also use PeachPie. It allows you to compile and run php code for/on .NET, so you would gain access to .NET GUI libraries, including MVC ones.
I really doubt that you'll find anything like that ready to use OotB. PHP GUI programming totally failed a few years ago.
What you can do, however, is use some kind of bridge to interface decent MVC from another language. With PHP you have the following choices:
PHP/Java bridge http://php-java-bridge.sourceforge.net/pjb/
Boost.PHP (C++) https://github.com/moriyoshi/boost.php/wiki
SWIG (C, C++ via wrappers) http://www.swig.org/
http://phpketchup.isgreat.org/ PHPKetchup is a new project in the planning stage. There isn't any code available for now (it also seems intended to be commercial, not open source). It was announced as a framework atop PHP-GTK. There is a conception document which explicitly lists the goal as designing an MVC framework.
However it seems like they take inspiration from CodeIgniter and mostly the common PHP framework structure. The focus seems not to lie on integrating PHP-GTK with the application logic, but mostly to provide a database interface as model and a thin Gtk interface for the View.
MVC Architecture:
We will design and implement Model-View-Controller (MVC) architecture for the PHP-GTK framework. SQLite will be used for Model. PHP-GTK functions and Glade files will be integrated in View after removal of HTML, CSS and Javascript. Controller will be modified accordingly to work with the newly created View.
So it might just be MVC in name and organization, but one of the diagrams mentions "PHP-GTK functions addition" and there are further hints of object-structured Gtk helpers.

Webservice and ORM Framework?

Does anybody know a good web framework that includes an ORM mapper and allows straight forward implementation of web services? I'm looking for a framework written in PHP or C++. I'm looking for the following features (not all of them required, some will do nicely)
data definition in one place used by database and web service
WSDL generation
XML output/JSON output
boilerplate code generation
So what I would like is a framework that lets me specify the objects and the web service functions on those objects, and then generates everything that is required, leaving me to fill in the business logic (connecting the database to the web service).
Anything like that out there?
Background information for why I need this:
I'm looking into creating a web project: the client is a rich web application that fetches all its data using AJAX. It will be completely custom made using only a low level javascript library. The server back end is supposed to serve static content and javascript (basically the rich web application) and to provide a RESTful web service API (which I would like to implement using aforementioned framework).
I would recommend using Zend_Framework and replacing Zend_Db with Doctrine as your ORM.
You can use Zend_Service to consume webservices and Zend_Rest_Controller to serve a REST API.
There are some good screencasts on integrating Doctrine and Zend here. If you have a lot of PHP experience, it shouldn't take very long to integrate. I believe there are even some sample integrations on GitHub.