
Ralph Schindler:
Authentication & Authorization in Apigility
March 27, 2014 @ 11:04:21

Those interested in the Apigility project from Zend might want to check out this new post from Ralph Schindler on how it handles authentication and authorization for all of the requests.

Apigility takes a lightweight, layered, yet extensible approach to solving both problems of authentication and authorization. The infrastructure is already in place and ready to be configured to use, or for more advanced use cases: to be extended. Many of these features can be easily explored through the Apigility user interface.

He gets into authentication first, defining it briefly before getting into the Apigility-specific implementation. He talks about the three methods (HTTP basic, HTTP digest and OAuth2), mentions where authentication falls in the execution and includes some screenshots of its setup. Following this he talks about the other half of the equation, authorization. He covers the "Authentication" header, the identity types and where you can find the configuration settings. He finishes off the post with an in-depth look at the different components, events and services/models that make up the authentication and authorization system and make it work.

authentication authorization apigility introduction configuration

Link: http://ralphschindler.com/2014/03/26/authentication-authorization-in-apigility

BitExpert.de Blog:
Composer, Bower and HTTP Basic Auth
December 27, 2013 @ 11:16:23

Stephan Hochdörfer has shared a handy tip for the Composer users out there who may have to deal with username/password protected repositories as a part of their package install process. In his post he shows how to use a simple "expect" script to automate the HTTP Basic Auth login.

A couple of months ago, when we set up our own internal Satis repository to host our custom Composer packages, we ran into an "unpleasant" issue with Composer that had this PR as a result. To sum things up: We are using HTTP Basic Auth to password-protect our Satis repository. There was no way we could switch to an SSL client certificate to allow Composer to authenticate itself automatically without asking for a password. Asking for the password on a developer's machine is no big thing, but since we need an automated Composer run in our Jenkins environment, there was no way to set things up.

As Composer doesn't currently support this functionality, they had to find a way around it. They went with an expect script that is used to work with the prompts and send the username/password information when expected. He also points out that this could be useful for other situations and tools - like a Bower build.

composer satis username password http basic authorization bower expect

Link: http://blog.bitexpert.de/blog/composer-bower-and-http-basic-auth/

Zend:
Apigility Progress report zf-mvc-auth, packagist, and PHP's built-in web server
November 01, 2013 @ 15:52:11

In a new post to the Apigility forums today Matthew Weier O'Phinney has announced the release of an authentication/authorization component for the recently announced project from Zend. Apigility is a Zend Framework-based tool for easily constructing and managing an API.

We've been working hard on Apigility since ZendCon, and have released some more code into the wild. zf-mvc-auth exists to provide both authentication and authorization for your APIs; in fact, it's a bit of a general-purpose library for ZF2 MVC apps! Right now, we support HTTP basic and digest authentication out of the box, and will be working next on OAuth support. Authorization is done by default via Zend\Permissions\Acl, as we discovered a problem with using RBAC: RBAC is deny-by-default, which does not work when you want an open-by-default schema. You may opt-in to deny-by-default, as well as mark individual services as requiring permission by default. Finally, you have the option of denying/allowing per HTTP method of a service as well.

You can find out more details about this functionality in this quick screencast. The zf-apigility module depends on this new zf-mvc-auth module, so it will be included and available by default in your APIs. In that same post Matthew also talks about the listing of the Apigility packages on the Packagist service and includes a note for those wanting to use the built-in HTTP server to run the tool (a PHP version dependency).

apigility progress zendframework mvc authentication authorization packagist http server

Link: https://groups.google.com/a/zend.com/forum/#!topic/apigility-users/_mOPkxxmGYI

7PHP.com:
Win Free Tickets To Nomad PHP EU - "Dispelling the Myths About Auth*"
October 15, 2013 @ 11:08:37

The 7PHP.com site has announced a giveaway of free tickets to this month's Nomad PHP virtual user group meeting, the European chapter. The topic for this month's EU meeting is authorization and authentication (disclaimer: I am the speaker).

Here I am again for another NomadPHP Ticket(s) give-away. Two tickets will be given away - to the 1st & 2nd draw winner! If you did not know, NomadPHP is a virtual PHP User Group mainly for people who do not have the chance to avail of a local PHP user group. But it is open to ANYONE around the world. I also remind you that NomadPHP is an initiative brought forward by the icon of The PHP Community, namely 'His Awesomeness' Mr Cal Evans.

To enter the contest to win the tickets, you just make a comment on the post and he'll select the winners before the event. The meeting is Thursday, October 17th at 8pm CEST.

nomadphp europe authentication authorization myth virtual usergroup

Link: http://7php.com/nomadphp-tickets-17oct2013/

Michael Kimsal:
Why do almost no web frameworks come with any authentication/authorization?
February 22, 2013 @ 10:14:08

In a new post to his site Michael Kimsal poses an interesting question about something he's noticed in several frameworks - and not just PHP ones: there seems to be a lack of authentication/authorization functionality coming bundled in.

Why do almost no web frameworks provide any default authentication/authorization functionality, with default examples of best practices for common use cases. The standard response I've gotten for years was/is "well, everyone's needs for authentication are different". No, they are not. A (very?) large majority of web applications (which is what most web frameworks are used to build), require some form of user login and authorization management, and often self-registration, dealing with lost passwords, etc.

He points out that by not having something a user can immediately deploy that's been well tested and relatively risk-free, it can introduce security holes as a developer is "left to fend for themselves". He suggests that the "not everyone's the same" mentality that seems to go with authentication/authorization isn't as valid as once thought. He does point out that both Symfony2 and Zend Framework 2 come with ACL functionality, but no common user handling. He also mentions a few tools used in other languages, like Devise in Ruby, Spring Security in Grails and a membership system in ASP.NET.

framework opinion authorization authentication missing feature


PHPMaster.com:
Understanding the Observer Pattern
February 23, 2012 @ 11:39:10

PHPMaster.com has a new tutorial looking at another popular design pattern, the Observer pattern, and sharing some example code putting it to use. (Their other design pattern articles include ones on command and factory patterns).

In this article I'll show you how to implement the Observer Pattern. You'll learn how various classes in the pattern relate to one another as subject and observers, how the subject notifies observers of a change in its state, and how to identify scenarios where it would be suitable to use the Observer Pattern in your own code.

They introduce the pattern by using abstract "Observer" and "Subject" (that defines "attach", "detach", "getState", "setState", "notify" and "getObservers" methods) classes to coordinate the attached classes. They extend these classes with "Auth" and "Auth_ForumHook" and show how to attach the "Auth_ForumHook" classes to the main "Auth" observer manager and change the state of the observer to notify it of an update.

You can find a more detailed explanation of the Observer pattern on Wikipedia.

observer design pattern tutorial authorization


Leaseweb Labs Blog:
Migration to Symfony2 continued
February 09, 2012 @ 11:51:59

On the LeaseWeb Labs blog there's a continuation of a previous post about migrating your Symfony1 application over to Symfony2. In the first part of this series of posts, Stefan Koopmanschap talked about wrapping your code to make it work. In this second post, Maurits van der Schee tackles two issues Stefan mentioned - performance problems and handling authorization/authentication.

On December 21, 2011 Stefan Koopmanschap wrote an excellent article on this blog titled "Painless (well, less painful) migration to Symfony2." [...] We were very much inspired by his passionate elucidation and we were fully convinced of the urge to start migrating to Symfony2 as soon as possible. However, he also provided us with a "A word of caution" about 2 things: performance and authentication/authorization. This might get some people worried, but not us: it challenged us to find a solution for those two open issues.

They explain why these two things are a problem and describe some of the solutions they've created - a .htaccess for routing and manually replicating the Symfony2 session in the Symfony1 code. Included in the post are the rewrite rules and code to make these two things happen (and a small configuration change to make them work).

symfony2 migration wrapper authentication performance authorization


Oracle Technology Network:
PHP Web Auditing, Authorization and Monitoring with Oracle Database
September 13, 2010 @ 14:10:25

On the Oracle Technology Network today there's a new article from Chris Jones about using the client identifier in the OCI8 PHP-to-Oracle connections to help with auditing, profiling and monitoring your Oracle database usage.

This "client identifier" can be used by Oracle Database to distinguish between individual web application users who all connect to the database using one common set of database credentials. For example, every page in a web site might physically connect to the database as the same database user PHPUSER. If two different people 'Chris' and 'Alison' are using the site, these two user names can be set as their respective client identifiers and be passed into the database.

He shows how to set these client identifiers via the oci_set_client_identifier function (and how you could use it in older versions of the OCI8 driver too). He provides a sample application to help you get a good overall picture complete with SQL to load the database and a basic login page to submit and pull that data back out.

He moves over to the database side where he talks about enabling auditing, pulling out the logged application ID and how to use this identifier to restrict access via a Virtual Private Database on the Oracle side.

authorization monitoring auditing oracle database oci8


Tobias Schlitt's Blog:
Webdav authentication, authorization and locking
January 08, 2009 @ 08:44:16

In a new post Tobias Schlitt looks at a part of the recently released eZ Components version 2008.2 that includes, among other things, Webdav support.

My tasks for 2008.2 were dedicated to the Webdav component. This package allows you to easily integrate WebDAV access features into your applications. With the earlier 2007.2 release, this component was born. By then, it supported just rudimentary WebDAV features (compliance class 1) and we focused on its architecture to make it as flexible as possible.

He explains how a commonly requested feature - locking - was implemented in the component. You can find out more about the feature/component in this article from Tobias on the eZ Components website.

authentication locking webdav ezcomponents authorization


Eclipse.org:
PHPIDE Code is Currently Undergoing Legal Review
May 17, 2006 @ 06:20:47

According to this post from the Eclipse site (mailing list), the PHPIDE code for Zend's project is undergoing a legal review and is awaiting a "legal authorization code".

There's not much more information than that in the main post, but several of the commentators are wondering if this will cause a delay for the next code release, if it will affect the Zend Debugger as well, and if it was an expected legal review.

There's no response yet from Guy Harpaz, the original poster of the thread, but we'll keep you updated.

zend phpide legal review authorization




All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework