Community News:
Laravel 5 Now Includes Authorization
Sep 01, 2015 @ 10:50:41

In the latest release of the Laravel framework (v5.1.1) they've introduced authorization handling to the native framework. This allows you to integrate permissions checks and perform policy validation both on the backend and in the templates.

In addition to providing authentication services out of the box, Laravel also provides a simple way to organize authorization logic and control access to resources. There are a variety of methods and helpers to assist you in organizing your authorization logic.

The functionality includes the concept of "abilities" (permissions, essentially) and validates the allow/deny status based on object properties, such as Users. The documentation shows how to perform the evaluations in controllers, the user model, form requests and even in Blade templates. There's also a section on creating policies for more complex evaluations than just one-off permission checks.

To get a feel for what the community thinks of this new functionality, be sure to check out this Reddit thread with feedback, both positive and negative, on how it was implemented.

tagged: laravel framework authorization functionality permission policy allow deny

Link: http://laravel.com/docs/5.1/authorization

SitePoint PHP Blog:
PHP Authorization with JWT (JSON Web Tokens)
Jun 04, 2015 @ 09:51:17

On the SitePoint PHP blog today there's a tutorial posted showing you how to handle authorization with JWTs, JSON Web Tokens. These tokens provide a bit more context around the current session including things like when the token was issued and when it should time out.

If you like computer security topics, you will know that one of the most discussed and controversial topics is user authentication. Within its context, you will find a broad range of study areas, from new mechanisms to usability. It is, thus, to my surprise that JSON Web Tokens is a topic not often talked about, and I think it deserves to be in the spotlight today. We will see how easy it is to integrate it in an API authentication mechanism.

He starts with a comparison of JWTs and sessions, pointing out both similarities and differences between the two. He then gets into the official JWT specification (an approved RFC) that defines the structure and what a resulting JWT string looks like. He then moves on and shows how to integrate them with a current application via the php-jwt library. He helps you get the dependencies installed and sets up both the encoding and decoding methods. He integrates this with a simple frontend JavaScript request to fetch content and push it into the page. The server verifies the JWT on receipt and returns a 400 HTTP error code if verification fails.

tagged: tutorial jwt jsonwebtoken phpjwt authorization example resource

Link: http://www.sitepoint.com/php-authorization-jwt-json-web-tokens/

SitePoint PHP Blog:
Symfony2 Pre-registration and Invite System
May 07, 2015 @ 08:25:48

The SitePoint PHP blog has kicked off a new series of posts today with part one of a set of tutorials showing you how to create a registration and invitation system with Symfony2. While they've talked about general Symfony2 development before, this series will focus more on the security side, on authentication and authorization.

In this article series of two parts, we are going to talk about a very important area of web application development: Authentication and Authorization. Symfony2 has a very detailed elaboration of these two topics in its official documentation. Anyone who is seriously looking into this is encouraged to read through that official document after absorbing the essentials from this tutorial.

The author starts with a brief list of common user management tasks including registration via a form, sending confirmation emails and verifying the user's login. He helps you create the underlying "user" table (complete with the SQL) and talks a bit about the contents of a few of the columns. He includes the settings you'll need to put into your "security.yml" configuration file and a bit of detail on what each section and its settings mean. He then moves on to the "User" entity and class file, adding some functionality to the standard generated class. He also includes the code needed to create the invite and registration actions.

tagged: registration invite system symfony2 tutorial user management authentication authorization

Link: http://www.sitepoint.com/symfony2-pre-registration-invite-system/

Ralph Schindler:
Authentication & Authorization in Apigility
Mar 27, 2014 @ 11:04:21

Those interested in the Apigility project from Zend might want to check out this new post from Ralph Schindler on how it handles authentication and authorization for all of the requests.

Apigility takes a lightweight, layered, yet extensible approach to solving both problems of authentication and authorization. The infrastructure is already in place and ready to be configured to use, or for more advanced use cases: to be extended. Many of these features can be easily explored through the Apigility user interface.

He gets into authentication first, defining it briefly before getting into the Apigility-specific implementation. He talks about the three methods (HTTP basic, HTTP digest and OAuth2), mentions where it falls in the execution flow and includes some screenshots of its setup. Following this he talks about the other half of the equation, authorization. He covers the "Authentication" header, the identity types and where you can find the configuration settings. He finishes off the post with an in-depth look at the different components, events and services/models that make up the authentication and authorization system and make it work.

tagged: authentication authorization apigility introduction configuration

Link: http://ralphschindler.com/2014/03/26/authentication-authorization-in-apigility

BitExpert.de Blog:
Composer, Bower and HTTP Basic Auth
Dec 27, 2013 @ 11:16:23

Stephan Hochdörfer has shared a handy tip for the Composer users out there who have to deal with username/password protected repositories as part of their package install process. In his post he shows how to use a simple "expect" script to automate the HTTP Basic Auth login.

A couple of months ago we set up our own internal Satis repository to host our custom Composer packages. We ran into an "unpleasant" issue with Composer that had this PR as a result. To sum things up: We are using HTTP Basic Auth to password-protect our Satis repository. There was no way we could switch to an SSL client certificate to allow Composer to authenticate itself automatically without asking for a password. Asking for the password on a developer's machine is no big thing, but since we need an automated Composer run in our Jenkins environment, there was no way to set things up.

As Composer doesn't currently support this functionality, they had to find a way around it. They went with an expect script that watches for the prompts and sends the username/password information when expected. He also points out that this could be useful for other situations and tools - like a Bower build.

tagged: composer satis username password http basic authorization bower expect

Link: http://blog.bitexpert.de/blog/composer-bower-and-http-basic-auth/

Zend:
Apigility Progress report: zf-mvc-auth, packagist, and PHP's built-in web server
Nov 01, 2013 @ 15:52:11

In a new post to the Apigility forums today Matthew Weier O'Phinney has announced the release of an authentication/authorization component for the recently announced project from Zend. Apigility is a Zend Framework-based tool for easily constructing and managing an API.

We've been working hard on Apigility since ZendCon, and have released some more code into the wild. zf-mvc-auth exists to provide both authentication and authorization for your APIs; in fact, it's a bit of a general-purpose library for ZF2 MVC apps! Right now, we support HTTP basic and digest authentication out of the box, and will be working next on OAuth support. Authorization is done by default via Zend\Permissions\Acl, as we discovered a problem with using RBAC: RBAC is deny-by-default, which does not work when you want an open-by-default schema. You may opt-in to deny-by-default, as well as mark individual services as requiring permission by default. Finally, you have the option of denying/allowing per HTTP method of a service as well.

You can find out more details about this functionality in this quick screencast. The zf-apigility module depends on this new zf-mvc-auth module, so it will be included and available by default in your APIs. In that same post Matthew also talks about the listing of the Apigility packages on the Packagist service and includes a note for those wanting to use PHP's built-in HTTP server to run the tool (there is a PHP version dependency).

tagged: apigility progress zendframework mvc authentication authorization packagist http server

Link: https://groups.google.com/a/zend.com/forum/#!topic/apigility-users/_mOPkxxmGYI

7PHP.com:
Win Free Tickets To Nomad PHP EU - "Dispelling the Myths About Auth*"
Oct 15, 2013 @ 11:08:37

The 7PHP.com site has announced a giveaway of free tickets to this month's Nomad PHP virtual user group meeting, the European chapter. The topic for this month's EU meeting is authorization and authentication (disclaimer: I am the speaker).

Here I am again for another NomadPHP Ticket(s) give-away. Two tickets will be given away – to the 1st & 2nd draw winner! If you did not know, NomadPHP is a virtual PHP User Group mainly for people who do not have the chance to avail of a local PHP user group. But it is open to ANYONE around the world. I also remind you that NomadPHP is an initiative brought forward by the icon of The PHP Community, namely 'His Awesomeness' Mr Cal Evans.

To enter the contest to win the tickets, you just make a comment on the post and he'll select the winners before the event. The meeting is Thursday, October 17th at 8pm CEST.

tagged: nomadphp europe authentication authorization myth virtual usergroup

Link: http://7php.com/nomadphp-tickets-17oct2013/

Michael Kimsal:
Why do almost no web frameworks come with any authentication/authorization?
Feb 22, 2013 @ 10:14:08

In a new post to his site Michael Kimsal poses an interesting question about something he's noticed in several frameworks - and not just PHP ones: there seems to be a lack of authentication/authorization functionality coming bundled in.

Why do almost no web frameworks provide any default authentication/authorization functionality, with default examples of best practices for common use cases? The standard response I've gotten for years was/is "well, everyone's needs for authentication are different". No, they are not. A (very?) large majority of web applications (which is what most web frameworks are used to build) require some form of user login and authorization management, and often self-registration, dealing with lost passwords, etc.

He points out that not having something a user can immediately deploy that's been well tested and relatively risk-free can introduce security holes, as the developer is "left to fend for themselves". He suggests that the "not everyone's the same" mentality that seems to go with authentication/authorization isn't as valid as once thought. He does point out that both Symfony2 and Zend Framework 2 come with ACL functionality, but no common user handling. He mentions equivalents in a few tools from other languages too, like Devise in Ruby, Spring Security in Grails and the membership system in ASP.NET.

tagged: framework opinion authorization authentication missing feature

PHPMaster.com:
Understanding the Observer Pattern
Feb 23, 2012 @ 11:39:10

PHPMaster.com has a new tutorial looking at another popular design pattern, the Observer pattern, and sharing some example code putting it to use. (Their other design pattern articles include ones on command and factory patterns).

In this article I’ll show you how to implement the Observer Pattern. You’ll learn how various classes in the pattern relate to one another as subject and observers, how the subject notifies observers of a change in its state, and how to identify scenarios where it would be suitable to use the Observer Pattern in your own code.

They introduce the pattern using abstract "Observer" and "Subject" classes (the latter defining "attach", "detach", "getState", "setState", "notify" and "getObservers" methods) to coordinate the attached classes. They then extend these with "Auth" and "Auth_ForumHook" classes and show how to attach the "Auth_ForumHook" observers to the main "Auth" subject and change its state to notify them of an update.

You can find a more detailed explanation of the Observer pattern on Wikipedia.

tagged: observer design pattern tutorial authorization

Leaseweb Labs Blog:
Migration to Symfony2 continued
Feb 09, 2012 @ 11:51:59

On the LeaseWeb Labs blog there's a continuation of a previous post about migrating your Symfony1 application over to Symfony2. In the first part of this series of posts, Stefan Koopmanschap talked about wrapping your code to make it work. In this second post, Maurits van der Schee tackles two issues Stefan mentioned - performance problems and handling authorization/authentication.

On December 21, 2011 Stefan Koopmanschap wrote an excellent article on this blog titled "Painless (well, less painful) migration to Symfony2." [...] We were very much inspired by his passionate elucidation and we were fully convinced of the urge to start migrating to Symfony2 as soon as possible. However, he also provided us with a "word of caution" about 2 things: performance and authentication/authorization. This might get some people worried, but not us: it challenged us to find a solution for those two open issues.

They explain why these two things are a problem and describe the solutions they've created - a .htaccess file for routing and manually replicating the Symfony2 session in the Symfony1 code. Included in the post are the rewrite rules and code to make these two things happen (and a small configuration change to make them work).

tagged: symfony2 migration wrapper authentication performance authorization