Implementation of a RESTful API with access control mechanism using Apigility - php

I want to create a RESTful API using the Zend Framework 2. Even though I'm pretty inexperienced with ZF2, I've chosen this framework because of its loose coupling and the fact that the code is audited on a regular basis. I found the tool Apigility provided by Zend and it seems pretty straightforward to implement things. But there's one thing which is not covered directly, and I'm not even sure if Apigility makes sense for me:
I need a user role concept where some users are only able to view and modify resources they created themselves, while other users are able to view and modify all resources. There are also endpoints (controllers) which shall only be available for certain users.
Permission management for certain endpoints could be realized with the ACL module, but I don't know how to achieve the filtering of the resources.

You're going to need to take a couple strategies to get all of this done.
Your endpoint access control can be handled by extending the default authorization listener (or adding additional listeners) provided by zf-mvc-auth. That should allow you to control if an endpoint can be seen at all.
As far as access control on your resources (filtering), you're probably going to need to inject an Authorization container of some nature into your resource services to handle your authorization logic there. Take a peek at the zfc-rbac cookbook for what that might look like (https://github.com/ZF-Commons/zfc-rbac/blob/master/docs/07.%20Cookbook.md#a-real-world-application-part-4---checking-permissions-in-the-view)
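The resource-level filtering the answer describes, as an added example that is not part of the original answer, Apigility or zf-mvc-auth: the authorization decision is injected into the resource service, the collection endpoint filters rows by owner unless the identity holds a read-all permission, and the entity endpoint returns the same "not found" result for a foreign row as for a missing one. The interface, class and permission names (AuthorizationInterface, TicketResource, ticket.read_all) and the sample records are all hypothetical.

```php
<?php
// Added example (not Apigility's or zf-mvc-auth's own code): ownership-based
// filtering inside a resource service, with the authorization decision injected.
// AuthorizationInterface, TicketResource and the permission names are hypothetical.

interface AuthorizationInterface
{
    /** True if the current identity may perform the named operation. */
    public function isGranted(string $permission): bool;
    public function getIdentityId(): string;
}

final class StaticAuthorization implements AuthorizationInterface
{
    public function __construct(private string $identityId, private array $permissions) {}

    public function isGranted(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }

    public function getIdentityId(): string
    {
        return $this->identityId;
    }
}

final class TicketResource
{
    /** @param array<int, array{id:int, owner:string, title:string}> $records */
    public function __construct(private AuthorizationInterface $auth, private array $records) {}

    /** Collection endpoint: read-all identities see every row, others only their own. */
    public function fetchAll(): array
    {
        if ($this->auth->isGranted('ticket.read_all')) {
            return array_values($this->records);
        }
        $me = $this->auth->getIdentityId();
        return array_values(array_filter(
            $this->records,
            static fn (array $r): bool => $r['owner'] === $me
        ));
    }

    /** Entity endpoint: a foreign row and a missing row both yield null, so the
     *  response does not reveal which ids exist. */
    public function fetch(int $id): ?array
    {
        $row = $this->records[$id] ?? null;
        if ($row === null) {
            return null;
        }
        if ($this->auth->isGranted('ticket.read_all')
            || $row['owner'] === $this->auth->getIdentityId()) {
            return $row;
        }
        return null;
    }

    /** Writes reuse the same visibility rule, and only whitelisted fields are merged. */
    public function patch(int $id, array $changes): ?array
    {
        $row = $this->fetch($id);
        if ($row === null) {
            return null;
        }
        $allowed = array_intersect_key($changes, ['title' => true]);
        $this->records[$id] = $row = array_merge($row, $allowed);
        return $row;
    }
}

// Constructed sample data.
$records = [
    1 => ['id' => 1, 'owner' => 'alice', 'title' => 'VPN down'],
    2 => ['id' => 2, 'owner' => 'bob',   'title' => 'Printer jam'],
    3 => ['id' => 3, 'owner' => 'alice', 'title' => 'Password reset'],
];

$asAlice = new TicketResource(new StaticAuthorization('alice', ['ticket.read_own']), $records);
$asAdmin = new TicketResource(new StaticAuthorization('root',  ['ticket.read_all']), $records);

assert(count($asAlice->fetchAll()) === 2);
assert(count($asAdmin->fetchAll()) === 3);
assert($asAlice->fetch(2) === null);                 // bob's ticket is invisible to alice
assert($asAdmin->fetch(2)['owner'] === 'bob');
assert($asAlice->patch(2, ['title' => 'x']) === null);
```

Keeping the owner check inside the resource service rather than in a controller or view means every transport that reaches the service (REST, RPC, a console job) gets the same filtering.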

Related

Is there a URL for a Symfony JSON REST Service WADL?

I already tried http://service/?wadl to get a wadl file, but nothing is returned.
I read there isn't really a standard for wadl files in REST (but there is one for SOAP's WSDL), but I thought maybe it would exist and be web-service framework specific to PHP Symfony.
Is there a default wadl url for pulling a list of function signatures?
There would be, if you create it. Symfony does not define URLs for you, it's just a framework.
A Symfony application is not necessarily a REST API application, or even a Web application. It could be a console application, a message consumer, or anything else. It's not a given that "method signature" should be publicly available via any kind of endpoint.
If you want an endpoint providing some functionality (say, a WADL endpoint, or a WSDL endpoint, or an anything endpoint), you need to provide it by creating and configuring it.
Some libraries built on top of Symfony like Api-Platform or NelmioApiDoc can provide some automatic or semi-automatic documentation for an API built on top of Symfony, but how to configure each would depend on one actually using these libraries, and what one's use-case is.

ZF2 Framework 3rd party modules implementation and limitation

We're in the process of building an application entirely based on ZF2. The application is split into 3 main divisions namely a Core, API and Front End section / division.
At some point, we want to open the system up for people to develop 3rd party modules which will go on offer for inclusion in the different profiles customers have. These 3rd party modules would either extend functionality or be able to enhance existing processes by hooking into events fired from the Core Level.
These 3rd party modules could use the API, however, the current API is outward focused and does not lend itself to enhancing and extending the system from this perspective.
So, the alternative would be to allow access to the Core directly, which we feel might not be desirable as we must have a means to control access to these vital components and underlying data.
I am considering building a separate API aimed at trying to manage access from a module level within the Application life cycle, however, I am not entirely sure how something like this would look like.
The folder structure would look something like the following:
-config
-data
-AppCore
--Core
--CoreForms
--CoreContacts
-AppAPI
--APIForms
--APIContacts
-APPFront (This folder will be in a separate instance of a ZF2 installation and communicate via the APPApi)
--FrontForms
--FrontContacts
-3rdPartyModules
-public
-vendor
Developed modules would reside within the 3rdPartyModules folder within the entire structure.
The question is, how would one go about limiting access to Core resources, for instance, any 3rd party modules must not be able to consume the standard database adapter. In this case, db_adapter (Zend\Db\Adapter\Adapter).
These modules will have a separate database setup where data should be stored specific to these modules, so something like db_adapter_3rdparty would be made available instead.
I have considered using interfaces to be implemented within these 3rd party modules and then have a check performed by any of the core module classes and functions, however, this would be cumbersome and inefficient.
Currently, the API functionality is only accessible via REST, so that would not be an option for hooking into the system as keys would become involved and be an admin nightmare.
So the question is then, allowing modules to be installed within the overall application, would you be able to limit access to application resources, if so, what would be the most efficient way of implementing such control and whether it is a good idea to allow this to take place?
I've done quite a bit of searching and could not find anything close along the lines of what is required, apart from actually installing modules, configuring them etc.
Many thanks in advance!

What PHP framework provides the most feature-rich authentication and/or access control?

I am currently exploring Zend_Auth, part of Zend Framework, but am disappointed with the lack of more advanced features such as nonces, authentication tokens, lock-out, etc. In one of my recent projects, I implemented an authentication and ACL (Access Control List) scheme that has the following features:
Salted hashes
Automatic IP address lockout
Nonces (several types)
Authentication tokens (which persist for the entire session)
It would be great if I could abstract this functionality and make a reusable authentication class, but I was curious about whether a feature-rich authentication module already existed, so I could save myself the work. If not, I will most definitely do that.
I suppose my question is this: What (database-based) authentication module/scheme are you currently using, and are you happy with its features? Specifically, is anyone using one that supports the features I listed above?
I look forward to your responses.
Funny thing, I was going to answer "Zend Framework!" when I saw this question. I guess that you are already using that.
I've done a lot of what you are doing using ZF as well. True that it is not all made for you, but the parts are there. Honestly, if it was already put together, it would not be flexible and not apply to many use cases. I'd rather make it suit the app I'm building, rather than build my app around it. You can make your code into library and include that with your other ZF apps.
I'd be interested in other options as well though.
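Three of the features listed in the question (salted hashes, automatic lockout, session-bound authentication tokens) in plain PHP, as an added example that is not from the question or the answer and does not use Zend_Auth. The Authenticator class, its in-memory stores, the failure threshold and the lockout window are all hypothetical values chosen for the example.

```php
<?php
// Added example (not from the post, not Zend_Auth): salted password hashes,
// per-client lockout after repeated failures, and a random session token.
// Class name, stores, MAX_FAILURES and LOCKOUT_SECONDS are hypothetical.

final class Authenticator
{
    private const MAX_FAILURES   = 5;
    private const LOCKOUT_SECONDS = 900;

    /** @var array<string, string> username => hash; password_hash() embeds a random per-user salt */
    private array $users = [];
    /** @var array<string, array{count:int, first:int}> client address => failure window */
    private array $failures = [];
    /** @var array<string, string> token => username */
    private array $tokens = [];
    /** Hash verified against when the username is unknown, so the failure path costs the same. */
    private string $dummyHash;

    public function __construct()
    {
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function register(string $user, string $password): void
    {
        $this->users[$user] = password_hash($password, PASSWORD_DEFAULT);
    }

    public function isLockedOut(string $ip, int $now): bool
    {
        $f = $this->failures[$ip] ?? null;
        if ($f === null) {
            return false;
        }
        if ($now - $f['first'] > self::LOCKOUT_SECONDS) {
            unset($this->failures[$ip]);            // window expired, start fresh
            return false;
        }
        return $f['count'] >= self::MAX_FAILURES;
    }

    /** Returns a session token on success, null on failure or lockout. */
    public function login(string $user, string $password, string $ip, int $now): ?string
    {
        if ($this->isLockedOut($ip, $now)) {
            return null;
        }
        $known = isset($this->users[$user]);
        $ok = password_verify($password, $known ? $this->users[$user] : $this->dummyHash) && $known;
        if (!$ok) {
            $f = $this->failures[$ip] ?? ['count' => 0, 'first' => $now];
            $f['count']++;
            $this->failures[$ip] = $f;
            return null;
        }
        unset($this->failures[$ip]);
        $token = bin2hex(random_bytes(32));          // 256-bit token, stored server side
        $this->tokens[$token] = $user;
        return $token;
    }

    /** Constant-time lookup of a presented token; returns the username or null. */
    public function userForToken(string $presented): ?string
    {
        foreach ($this->tokens as $token => $user) {
            if (hash_equals($token, $presented)) {
                return $user;
            }
        }
        return null;
    }
}

// Constructed usage.
$auth = new Authenticator();
$auth->register('alice', 'correct horse battery staple');
$t0 = 1_000_000;

for ($i = 0; $i < 5; $i++) {
    assert($auth->login('alice', 'wrong', '203.0.113.7', $t0 + $i) === null);
}
assert($auth->isLockedOut('203.0.113.7', $t0 + 10) === true);
assert($auth->login('alice', 'correct horse battery staple', '203.0.113.7', $t0 + 10) === null); // locked
$token = $auth->login('alice', 'correct horse battery staple', '203.0.113.7', $t0 + 1000);     // window over
assert(is_string($token) && $auth->userForToken($token) === 'alice');
assert($auth->userForToken(str_repeat('0', 64)) === null);
```

In a real deployment the three arrays would be tables, and the lockout key would usually be the account as well as the client address, since the address alone is easy for an attacker to vary and easy for legitimate users behind one NAT to share.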

Basic authentication and session management library for PHP?

I know questions like this have been asked numerous times, but not quite this one. Forgive me if I overlooked an obvious duplicate.
In the core of many of my web applications is a self-written user/session management class that in its origins dates back to 2002.
I have decided that it is time for a fundamental re-write or, preferably, the introduction of a ready-made standard library.
My requirements for that library would be:
Object oriented, clean, excellent code
Full session management: Wrapper to session_start() and consorts
Would ideally provide various storage methods (PHP Standard /tmp, database based)
Would ideally be able to connect to different types of user data storage, but mySQL will do fine
Would ideally provide convenient functions for supporting OpenID, but that's a fancy thought, no requirement right now
Methods: Verify session, get user data, get session data, log in user, log out user
Settings: Session lifetime, password encryption
Must be Open Source
And if it's very generic, a user management API or a generic connector to the user management of the surrounding application would be nice:
Create/Update/delete user records
Fetch and modify data of currently logged in user
This is so basic, and so security relevant, that I would expect there to be a standard solution to this; however, I don't know of any, and all the big CMSs and blogs seem to be rolling their own.
My two questions:
Do you know such a component as a generic, stand-alone library?
Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running in to trouble?
May I suggest the authentication library that I have written? It is a generic library (not written for or part of a framework): http://ulogin.sourceforge.net
Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running in to trouble?
I don't have deep knowledge of the Zend Framework, but I have used various components (e.g. Zend_Search) without creating a Zend_Application object or using the MVC framework, and I am sure the rest of the library is also designed to be totally modular. Last time I dug through the Zend_Session code, I didn't find any includes outside Zend/Session/. A quick Google search seemed to confirm this for Zend_Auth, along with the Zend FAQ which states:
Is ZF a component library or a framework?
Simple answer: both. Zend Framework provides all the components required for most web applications in a single distribution. But Zend Framework components are also loosely coupled, making it easy to use just a few components in a web application- even alongside other frameworks! Using this use-at-will architecture, we are implementing features commonly found in more monolithic frameworks. In fact, we are currently working on a tooling component for the 1.8 release that will make it simpler to build applications using ZF components, yet will not sacrifice the use-at-will nature of existing ZF components. It's a testament to the use-at-will architecture of Zend Framework that the tooling component itself can be used standalone.
The only thing I had to do when using Zend_Search without the MVC framework was add the directory where you installed the Zend Framework to the include path, due to the includes in the Zend library. The documentation doesn't document the includes you need when not using the Zend Autoloader, but as everything uses the PEAR class naming scheme, it is easy to deduce from the class names you are using (so the class Foo_Bar_File would require you to include Foo/Bar/File.php).
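The naming rule the answer describes (Foo_Bar_File lives in Foo/Bar/File.php), turned into an spl_autoload_register() callback so ZF1 components can be used standalone without Zend_Loader. This is an added example, not the answer's code or Zend's autoloader; $libraryRoot and the example path are hypothetical. The callback only maps names of the PEAR shape, which keeps path separators and ".." out of the file lookup even if a class name ever comes from untrusted input.

```php
<?php
// Added example (not from the answer, not Zend_Loader): a PEAR-style autoloader.
// $libraryRoot is a hypothetical path to the directory containing the "Zend" folder.

function pearClassToPath(string $class): ?string
{
    // Accept only PEAR-shaped names: letters/digits separated by single underscores.
    // Anything else is not ours to load, and rejecting it keeps "/", "\" and ".."
    // out of the file name that is about to be required.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]*(?:_[A-Za-z][A-Za-z0-9]*)*$/', $class)) {
        return null;
    }
    return str_replace('_', '/', $class) . '.php';
}

function registerPearAutoloader(string $libraryRoot): void
{
    spl_autoload_register(static function (string $class) use ($libraryRoot): void {
        $relative = pearClassToPath($class);
        if ($relative === null) {
            return;                       // let other registered autoloaders try
        }
        $file = $libraryRoot . '/' . $relative;
        if (is_file($file)) {
            require $file;
        }
    });
}

// Usage (hypothetical path): point it at the directory that contains "Zend/".
// registerPearAutoloader('/path/to/ZendFramework/library');
// $auth = Zend_Auth::getInstance();   // resolves to .../library/Zend/Auth.php

assert(pearClassToPath('Zend_Session_Namespace') === 'Zend/Session/Namespace.php');
assert(pearClassToPath('Zend_Auth') === 'Zend/Auth.php');
assert(pearClassToPath('Bad/Name') === null);
assert(pearClassToPath('Bad__Name') === null);
```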
There are several OpenID libraries available.
http://wiki.openid.net/Libraries#php
For the rest you might as well roll your own, since figuring out someone else's library would probably be more trouble than it's worth.
My understanding is that there is no standard library because there is no standard definition of what a user is.
In some of my applications, users simply log in to do stuff. In others, users are part of a company and their permissions and data access are limited by the limits of that company and the subscription level paid for by the company. In other applications, some users are admins with access to everything, some users are admins with access to some data (row level), and other users are the clients of those admins, with access only to their own data. Some users are tied to firms/companies/customers, other users are not. Some users are just a username and password, others are a large object graph with clients, order histories, report preferences, comments, etc.
Maybe I'm wrong and there's some clean way of abstracting all of those requirements into a system that doesn't require five layers of subclassing and a thousand DB hits to log someone in. I haven't found it though.

Role Based Access Control

Is there any open-source, PHP based, role-based access control system that can be used for CodeIgniter?
Maybe I'm misunderstanding the question, but isn't the whole point of Role-Based Access Control (RBAC) to avoid Access Control Lists (ACLs)?
RBAC differs from access control lists (ACLs) (...) in that it assigns permissions to specific operations with meaning in the organization, rather than to low-level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not say in what ways that file could be changed. In an RBAC-based system, an operation might be to create a 'credit account' transaction in a financial application (...). The assignment of permission to perform a particular operation is meaningful because the operations are fine-grained and themselves have meaning within the application.
(Quote: Wikipedia)
I don't know the specifics on Zend_ACL or the other implementations mentioned, but if they are ACL-based, I would not recommend using them for role-based authorization.
Brandon Savage gave a presentation on his PHP package "ApplicationACL" that may or may not accomplish role-based access. PHPGACL might work as well, but I can't tell you for sure.
What I can tell you, however, is the Zend_ACL component of the Zend Framework will do role-based setups (however, you'll have to subclass to check multiple roles at once). Granted, the pain of this is you'll have to pull Zend_ACL (I do not believe it has any external dependencies) out of the monolithic download (or SVN checkout).
The nice thing about Zend_ACL, though, is it's storage agnostic. You can either rebuild it every time or it's designed to be serialized (I use a combination of both, serialize for the cache and rebuild from the DB).
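A minimal hierarchical RBAC in plain PHP, added here as an illustration of the distinction drawn in the quoted Wikipedia passage and of the multiple-roles check this answer says Zend_ACL needs subclassing for. It is not Zend_ACL's or any other library's code; the Rbac class, the role names and the operation names are hypothetical. Permissions name operations with business meaning ("credit.approve"), roles inherit from parent roles, and a subject holding several roles is allowed if any of them grants the operation.

```php
<?php
// Added example (not Zend_ACL, not from the answer): hierarchical role-based
// access control with operation-level permissions. All names are hypothetical.

final class Rbac
{
    /** @var array<string, string[]> role => parent roles it inherits from */
    private array $parents = [];
    /** @var array<string, string[]> role => operations granted directly */
    private array $grants = [];

    public function addRole(string $role, array $parents = []): void
    {
        $this->parents[$role] = $parents;
        $this->grants[$role] ??= [];
    }

    public function grant(string $role, string $operation): void
    {
        $this->grants[$role][] = $operation;
    }

    /** Operations a role holds, including those inherited through the hierarchy. */
    public function operationsOf(string $role): array
    {
        $seen  = [];
        $stack = [$role];
        $ops   = [];
        while ($stack) {
            $r = array_pop($stack);
            if (isset($seen[$r])) {
                continue;                      // guards against cycles in the role graph
            }
            $seen[$r] = true;
            foreach ($this->grants[$r] ?? [] as $op) {
                $ops[$op] = true;
            }
            foreach ($this->parents[$r] ?? [] as $parent) {
                $stack[] = $parent;
            }
        }
        return array_keys($ops);
    }

    /** Default deny: allowed only if some held role grants the operation. */
    public function isAllowed(array $roles, string $operation): bool
    {
        foreach ($roles as $role) {
            if (in_array($operation, $this->operationsOf($role), true)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed role model.
$rbac = new Rbac();
$rbac->addRole('clerk');
$rbac->addRole('manager', ['clerk']);          // a manager can do everything a clerk can
$rbac->addRole('auditor');
$rbac->grant('clerk',   'credit.create');
$rbac->grant('manager', 'credit.approve');
$rbac->grant('auditor', 'ledger.read');

assert($rbac->isAllowed(['clerk'],   'credit.create')  === true);
assert($rbac->isAllowed(['clerk'],   'credit.approve') === false);
assert($rbac->isAllowed(['manager'], 'credit.create')  === true);    // inherited from clerk
assert($rbac->isAllowed(['auditor', 'clerk'], 'credit.approve') === false);
assert($rbac->isAllowed(['nobody'],  'ledger.read')    === false);   // unknown role: deny
```

The contrast with an ACL is in what the permission names: "credit.approve" says what may be done in the application, whereas an ACL entry grants write access to a particular object without saying how it may be changed.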
I created an Open Source project called PHP-Bouncer which may be of interest to you. It's still fairly young, but works well and is easy to configure. I ended up developing it because none of the existing solutions seemed to meet my needs. I hope this helps!
phpgacl (http://phpgacl.sourceforge.net/) is a generic ACL-based access control framework.
While I don't know about any CI-specific implementation, I know that you only need the main class file to make phpgacl work. So I believe that integration with CI won't be any problem. (I've worked passingly with CI.)
Here are two RBAC libraries for PHP I found:
https://github.com/leighmacdonald/php_rbac
https://github.com/brandonlamb/php-rbac
I actually used the first one in PolyAuth: https://github.com/Polycademy/PolyAuth/
It's a full featured auth library that includes NIST level 1 RBAC. And yes, RBAC is not the same as an ACL. I use Codeigniter as well, all you have to do is use the PDO driver and pass in the connection id. See this tutorial for how to do that: http://codebyjeff.com/blog/2013/03/codeigniter-with-pdo
Found out about Khaos ACL, which is a CI library... I'm also checking out phpgacl and how to use it for CI... Haven't checked Zend ACL yet. But maybe it can be "ported" to CI.
Try the DX_Auth plugin for CodeIgniter. I am working on a similar (rather, superset) set of the functions that DX_Auth has. My set of CI addons includes display of menus (that can be controlled via CSS), role-based access control before the controller is invoked, and other features. I hope to publish it soon. Will give the project URL when I do so.
RBAC != ACL - Roland has the only correct answer for this question.
BTW, of course it is an essential part of a framework to implement any kind of permission system - at least there is no point in using a framework if it does not give you a well engineered RBAC system - it might be better using a simple template system with any ORM layer then.
It is a common antipattern in the PHP world that frameworks like Ruby or Django are "cloned" only as a subset of what these modern frameworks deliver - as a typical syndrome you see a lack of good ACL or RBAC integration into these frameworks - which essentially is a joke.
There is currently only the Yii PHP Framework that comes with a decent RBAC implementation.
I know the trail is cold, but a new project has popped up:
PHP-RBAC is a PHP hierarchical NIST Level 2 standard Role Based Access Control library and is pretty mature. It is also an OWASP project.
I hope you enjoy it at http://phprbac.net
http://www.jframework.info (deadlink)
jFramework has a standard NIST level 2 RBAC with enhancements, which is said to be the fastest available (includes benchmarks). It can operate on a single SQLite database file and is tested thoroughly; works like a glove.
It has a dependency on the jFramework DBAL, but you can simply replace the DBAL SQL queries in the code with your desired DBAL, and of course you can use jFramework in a SOP manner.
The Ion Auth Library uses users and groups - https://github.com/benedmunds/CodeIgniter-Ion-Auth
But there is no working RBAC system to use and manage them. You can write your own functions, though.
