PHP: Autentication and Access Control in a modular web application

Hello,

This example is about the access control and authentication on a modular web application, developed in Symfony2 using the EventDispatcher, the logic of implementation can be used in different projects, that don’t necessarily use these tools. The basis of this access control is the usage of a main event dispatcher and listener (EventDriven) to detect destination request address and intercept it before it reaches that destination (controller + method ).

I first became aware of the idea of using Events to control access, I believe it was by on his blog a long time ago.

Anyway here I describe the usage of a Symfony2  custom EventListener to listen to a onKernelRequest

This usually happens this way:

Client -[call]-> Webserver -[dispatch event request]-> triggers onKernelRequest witch does validation -[Validates]-> if passes code continues normally inside symfony2  … Get the idea? I hope so.

First I implemented the interface in the AccessControl Class no other code will interact with this that’s the beauty of using a event for access control, you can have the event manage the control access of all modules without having to interact directly with them. The code is commented for easier reading…

Class AccessControl implements EventSubscriberInterface

public function __construct($em, $dispatcher, $security, $router)
{
$this->em = $em; // the EntityManager not used in this demo
$this->dispatcher = $dispatcher; // The SF2 EventDispatcher
$this->security = $security; // security.context
$this->router = $router; // router to know where the request is going to
}

And of course I will be listening to onKernelRequest events

public static function getSubscribedEvents()
{
return array(
KernelEvents::REQUEST => [‘onKernelRequest’, 0],
);
}

Here follows an example on access control without any dynamic database support

This is a basic decision path based on the destination route using the symfony name and the request from the client.

public function onKernelRequest($event)
{
if ($event->getRequestType() != HttpKernelInterface::MASTER_REQUEST) {
return null; // will only be handled if it’s from a external request else returns null
}

$user = $this->security->getToken()->getUser();  // get the current user information
$request = $event->getRequest(); // get the current request
$requested_uri = $request->getRequestUri(); // get the requested URI
$internal_route = $request->get(‘_route’); // this what is used to validate access

// $internal_route has the route name used by symfony witch I use to compare since it’s simpler

if ($internal_route == ‘fos_user_registration_register’) {
return true; // by default I allow the call to the registering of a new user
}

if ($user == ‘anon.’) {
$mainrequest = $event->getRequest();
// Matched route
$_route = $mainrequest->attributes->get(‘_route’);
// Matched controller
$_controller = $mainrequest->attributes->get(‘_controller’);
// All route parameters including the `_controller`
$params = $mainrequest->attributes->get(‘_route_params’);

if ($_route != ‘fos_user_security_login’) {

// if anonymous is not trying to login
// send him to login
$url = $this->router->generate(‘fos_user_security_login’);
$response = new RedirectResponse($url);
$event->setResponse($response);
}
return;
}

if ($user->hasGroup(“Admin”)) {
return true; // if the user has a group admin allow him to everywhere
}

$request = $event->getRequest();
$requested_uri = $request->getRequestUri();
$internal_route = $request->get(‘_route’); // this is what is used to validate access

if (mb_substr($internal_route, 0, mb_strlen(“lab_”)) == “lab_”) {
if ($user->hasGroup(“Laboratorio”)) {

// allow user to space _lab if he’s from the Group Laboratorio
return true;
} else {
// monolog here
throw new \Exception(“Unauthorized access. $internal_route”);
}
}

if (mb_substr($internal_route, 0, mb_strlen(“stock”)) == “stock”) {
if ($user->hasGroup(“Stock”)) {

// allow the user to access stock route names if he his in the stock Group
return true;
} else {
// monolog here
throw new \Exception(“Unauthorized access. $internal_route”);
}
}

if (mb_substr($internal_route, 0, mb_strlen(“user”)) == “user”) {
if ($user->hasGroup(“Admin”)) {

  // if the user is admin allow him to manage users
return true;
} else {
// monolog here
throw new \Exception(“Unauthorized access. $internal_route”);
}
}

}

After this, configure the services.xml file in Resources/config/  this will allow for the dependencies to be loaded in the object.

security.context provides information about the user logged (or not), router allow’s to generate a different destination route for the Event

In this gist you can see all the code used.

Best regards,

PHP Taking advantage of Traits and Doctrine2 for less lines of code

I did this app a time ago (~1 year) with Doctrine2+Symfony2 with simple Entities basically I was mimicking an excel sheet copying the values from the sheet to the database and setting all up for web usage.

The main Class was Item, this had Sub Entities Location, Protocol, State, etc…

These named here Location, Protocol, State had the same properties (fields), they also had to have a incrementable “Code” field witch, this was a basic copy paste to fill the tables and increment the number. Didn’t want to write the code to the different Entities so I used a Trait in a very lazy way I declared

TautoFill

namespace Far\AssetManagerBundle\Entity;

trait TautoFill {

    public function getAndInsert($val)
    {
        $this->_em->getConnection()->beginTransaction();

        $valtmp = strtoupper(str_replace(' ','',trim($val)));
        $Res = $this->findBy(['code' => $valtmp]);
        if (count($Res) > 0 && $Res[0] != null) {
            $obj = $Res[0];
            $obj->setTcount($obj->getTcount()+1);
            $this->_em->persist($obj);

            $this->_em->flush();

        } else {
            $tmp = $this->getClassName();
            $obj = new $tmp();
            $obj->setDescription($val);
            $obj->setCode($valtmp);
            $obj->setTcount(1);
            // persist
            $this->_em->persist($obj);
            $this->_em->flush();
        }

        $this->_em->getConnection()->commit();
        return $obj;
    }
}

So in a easy use TautoFill I got the data auto inserted and related to the main Item, without much work. Using a trait made the code more dynamic and easier to reimplement in the different situations without compromising hierarchy of the Entities.

An old Afgan story/Velha história Afegã (EN/PT)

“A man a women had a son, they decided to move to greener fields
, and eventually found a place where it was very beautiful
there a man rented a house to them. They lived well until one day
during the night a wolf went into their house and stole their son.
They wept, but eventually recovered and tried again, giving birth to a second son.
Soon after the child was born the renter visited them and congratulated
them. Bought were happy, until one day the wolf returned and stole their second
child.
Devastated they changed place, left that house and never returned, eventually had a third
child and although they weren’t in that green field they were safe has the wolf never returned.”

This is my remembering of a old story of writer Ayaan Hirsi Ali, that her
grandmother told her during her childhood. The lesson here is that greener
fields aren’t always the safest. The renter was the wolf. If you buy her
biography it will give you a better read.

“Um dia um homem e uma mulher tiveram o seu primeiro filho, felizes resolveram
mudar-se para um local mais belo, encontraram um local e um homem alugou-lhes
uma casa. Mais tarde enquanto dormiam um lobo entrou na casa e roubou-lhes o filho,
choraram e lamentaram-se mas eventualmente recuperaram. Tiveram o seu segundo
filho, felizes congratularam-se, o arrendatário visitou-os e congratulou-os pela
boa nova… Após algum tempo o lobo regressou, roubou o segundo filho,
lamentaram-se, choraram e resolveram mudar-se dali.
Em novo local que apesar de não ser tão belo encontraram segurança.O lobo não
apareceu.”

Este é um trecho da auto-biografia de Ayaan Hirsi Ali em que ela narra uma
história que lhe fora contada por sua avó. A lição a tirar daqui é que os
locais que parecem ser os mais belos nem sempre são os mais seguros. O
arrendatário era o lobo. Se comprarem a auto-biografia terão uma melhor leitura
desta história.

http://en.wikipedia.org/wiki/Ayaan_Hirsi_Ali
http://pt.wikipedia.org/wiki/Ayaan_Hirsi_Ali

Importance of measurement

Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.

– H. James Harrington

 

https://www.youtube.com/watch?v=parmTnIr3gE

Vim with a menu = NERDTree

Imagem vim the editor   NERDTree

 

Tabs:

Open tabs = t
next tab = gt , previous tab = gT

Window and file opening:

Open AND: split vertical = s , split horizontal = i
prepend the commands with g and you keep the focus on the NERDTree menu

Menu

Create file and whatever:

> (a)dd a childnode
  (m)ove the current node
  (d)elete the current node
  (c)opy the current node

= m -> file system menu
cd -> change to the dir of the selected node

Common “commands” for vim

:w -> save current window
:wq -> save and quit
:q -> quit
:qa -> close all and quit

Window resize splits

Height -> resize 100 OR by increment -> resize +10
Width -> vertical resize 100 OR by increment -> vertical resize +10

This should do… :-)

PHP NumberFormatter

These are results from NumberFormatter from PHP

in the command line:

php -r ‘$a = new \NumberFormatter(“en”, \NumberFormatter::CURRENCY_CODE); print $a->format(122).PHP_EOL;’

You should get

one hundred twenty-two

Or

 php -r ‘$a = new \NumberFormatter(“pt_PT”, \NumberFormatter::CURRENCY); print $a->format(11122).PHP_EOL;’

You will  get

11 122,00 €

Get the Currency code now

print $a->getTextAttribute(NumberFormatter::CURRENCY_CODE).”\n”;

EUR

Java, Scala

Reading about scala I could only be curious about it, went to read details about the language and how it works. I get the idea that this is happening:

PHP is moving in the Java style direction… (Not trying to compare anything.)

Java is moving into a simpler coding Groovy, Scala ( in some cases harder) has Gosling him self professed. Both languages are being used in the financial markets( scala 1, scala 2, scala 3, Groovy ) for trading algorithms and social network Twitter , LinkedIn, it is said that Actors in Scala are a great way for Async communication Akka.Actors is said to be even better. Would like to have seen this two years ago, could have used this instead of Perl for a daemon I wrote. Both Scala and Groovy can use imported Java code.

James Gosling:
http://www.theserverside.com/news/2240022782/James-Gosling-Interview-from-Basementcoderscom

“I like Scala, but my big problem is that the type theory has gotten really complicated. The language lawyers are driving the bus. It’s turning into something that journeyman developers and even people like me… I started getting into the Scala stuff and my head starts to spin and I go, “what?””

Some Scala comments.

http://www.schauderhaft.de/2010/12/05/is-it-bad-to-use-scala-as-java-with-a-more-concise-syntax/

http://www.infoq.com/news/2009/07/scala-replace-java

Notice:
Gosling is listed as an advisor at the Scala company Typesafe Inc.[13] and Strategic Advisor for Eucalyptus.[14]

Clearly I’m more curious about Scala http://twitter.github.io/scala_school/ although Groovy has company’s supporting it but at the moment I’m just looking and playing not using. Scala Puzzlers

Seguir

Get every new post delivered to your Inbox.