dongyong9224 2011-09-08 09:59
浏览 38
已采纳

Zend_Auth链接适配器和所有权角色acl

I set up a Zend_Acl and Zend_Auth scheme where user is authenticated using Zend_Auth_Adapter_Ldap and stored in session. I use a controller plugin to check if $auth->hasIdentity() and $acl->isAllowed() to display login form if needed.

What I want to do is to add login cookies (my implementation of best practices), and API keys in addition to the session check in Zend_Auth. I also need to switch the role to 'owner', on content created by the user.

My concerns:

  • Login cookie should only be used as fallback if regular session auth fails, and thus the session should be authenticated
  • API keys should be used as fallback if both login cookie and session cookie fails
  • I don't want to store the password anywhere, it should only reside in LDAP
  • I need persistent storage of the identity, as looking it up in LDAP is not possible without full username and password
  • The role is dependent both on LDAP group membership (which needs to be persistently stored), and if the identity should be considered owner of the content (meaning it's changing in between requests, unless admin)

What's a good pattern / approach to solve this using Zend Framework MVC and Zend_Auth + Zend_Acl ?

  • 写回答

1条回答 默认 最新

  • duanlan6259 2011-09-11 09:30
    关注

    you can create your own adapter/storage classes, with implementing Zend_Auth_Adpater_Interface and Zend_Auth_Storage_Interface

    In these classes, you can re-use original adapters (like LDAP) or storages, and only write the code that implements your auth rules.

    for example, using multiple sources for the Zend_Auth_Adapter :

    <?php 
class My_Auth_Adapter implements Zend_Auth_Adapter_Interface
{
    private $ldapAdapter;
    private $cookieAdapter;
    private $apiKeyAdapter;

    public function __construct($ldapAdapter, $cookieAdapter, $apiKeyAdapter) {
    {
        $this->ldapAdapter = $ldapAdapter;
        $this->cookieAdapter = $cookieAdapter;
        $this->apyKeyAdapter = $apiKeyAdapter;
    }
    public function authenticate()
    {
         if ($this->ldapAdapter->authenticate()) {
             //return the Zend_Auth_Restult
         } elseif ($this->cookieAdapter->authenticate() {
            //return the result
         } elseif ($this->apiKeyAdapter->authenticate() {
           //return the result
         } else {
           //Create and return a Zend_Auth_Result which prevents logging in
          }
     }
}

    I am not sure to understand your login rules, but the concept remains the same for the Storage class : 

     <?php 
 class My_Auth_Storage implements Zend_Auth_Storage_Interface
  private $sessionStorage;
  private $cookieStorage;
  private $apiStorage;

  public function read()
  {
      if (!$this->sessionStorage->isEmpty())
      {
           return $this->sessionStorage->read();
      } elseif (!$this->cookieStorage->isEmpty())
      { 
           return $this->cookieStorage->read();
      } //And so one, do not forget to implement all the interface's methods

    With this implementation, you can have multiple credential sources, and multiple session storage engines (cookie, session, db, or whatever you want to use).

    For your acl concerns, you can fetch the LDAP group in you controller plugin and store it wherever you need, after authentication. You can then use a second plugin that checks ACLs on each request.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 机器学习训练相关模型
  • ¥15 Todesk 远程写代码 anaconda jupyter python3
  • ¥15 我的R语言提示去除连锁不平衡时clump_data报错,图片以下所示,卡了好几天了,苦恼不知道如何解决,有人帮我看看怎么解决吗?
  • ¥15 在获取boss直聘的聊天的时候只能获取到前40条聊天数据
  • ¥20 关于URL获取的参数,无法执行二选一查询
  • ¥15 液位控制,当液位超过高限时常开触点59闭合,直到液位低于低限时,断开
  • ¥15 marlin编译错误,如何解决?
  • ¥15 有偿四位数,节约算法和扫描算法
  • ¥15 VUE项目怎么运行,系统打不开
  • ¥50 pointpillars等目标检测算法怎么融合注意力机制