dongyong9224 2011-09-08 09:59
Views 38
Accepted

Zend_Auth chained adapters and ownership role ACL

I set up a Zend_Acl and Zend_Auth scheme where user is authenticated using Zend_Auth_Adapter_Ldap and stored in session. I use a controller plugin to check if $auth->hasIdentity() and $acl->isAllowed() to display login form if needed.

What I want to do is to add login cookies (my implementation of best practices), and API keys in addition to the session check in Zend_Auth. I also need to switch the role to 'owner', on content created by the user.

My concerns:

  • Login cookie should only be used as fallback if regular session auth fails, and thus the session should be authenticated
  • API keys should be used as fallback if both login cookie and session cookie fail
  • I don't want to store the password anywhere, it should only reside in LDAP
  • I need persistent storage of the identity, as looking it up in LDAP is not possible without full username and password
  • The role is dependent both on LDAP group membership (which needs to be persistently stored), and if the identity should be considered owner of the content (meaning it's changing in between requests, unless admin)

What's a good pattern / approach to solve this using Zend Framework MVC and Zend_Auth + Zend_Acl?


1 answer

  • duanlan6259 2011-09-11 09:30

    You can create your own adapter/storage classes by implementing Zend_Auth_Adapter_Interface and Zend_Auth_Storage_Interface.

    In these classes, you can re-use original adapters (like LDAP) or storages, and only write the code that implements your auth rules.

    For example, using multiple sources for the Zend_Auth_Adapter:

    <?php
    class My_Auth_Adapter implements Zend_Auth_Adapter_Interface
    {
        private $ldapAdapter;
        private $cookieAdapter;
        private $apiKeyAdapter;

        public function __construct($ldapAdapter, $cookieAdapter, $apiKeyAdapter)
        {
            $this->ldapAdapter   = $ldapAdapter;
            $this->cookieAdapter = $cookieAdapter;
            $this->apiKeyAdapter = $apiKeyAdapter;
        }

        // Try each credential source in order; the first valid result wins.
        // Each inner authenticate() returns a Zend_Auth_Result object (always
        // truthy), so the validity check has to go through isValid().
        public function authenticate()
        {
            $result = $this->ldapAdapter->authenticate();
            if ($result->isValid()) {
                return $result; // the Zend_Auth_Result from LDAP
            }
            $result = $this->cookieAdapter->authenticate();
            if ($result->isValid()) {
                return $result; // the result from the login cookie
            }
            $result = $this->apiKeyAdapter->authenticate();
            if ($result->isValid()) {
                return $result; // the result from the API key
            }
            // No source accepted the request: return a Zend_Auth_Result that prevents logging in
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null,
                array('No credential source accepted the request'));
        }
    }
    

    I am not sure I understand your login rules, but the concept remains the same for the Storage class:

    <?php
    class My_Auth_Storage implements Zend_Auth_Storage_Interface
    {
        private $sessionStorage;
        private $cookieStorage;
        private $apiStorage;
        public function __construct($sessionStorage, $cookieStorage, $apiStorage)
        {
            $this->sessionStorage = $sessionStorage;
            $this->cookieStorage  = $cookieStorage;
            $this->apiStorage     = $apiStorage;
        }
        // Session first, then login cookie, then API key, as in the question
        public function read()
        {
            if (!$this->sessionStorage->isEmpty()) {
                return $this->sessionStorage->read();
            } elseif (!$this->cookieStorage->isEmpty()) {
                return $this->cookieStorage->read();
            } elseif (!$this->apiStorage->isEmpty()) {
                return $this->apiStorage->read();
            }
            return null;
        }
        // And so on: do not forget to implement all the interface's methods
        public function isEmpty() { return null === $this->read(); }
        public function write($contents) { $this->sessionStorage->write($contents); }
        public function clear() { $this->sessionStorage->clear(); $this->cookieStorage->clear(); $this->apiStorage->clear(); }
    }


    With this implementation, you can have multiple credential sources, and multiple session storage engines (cookie, session, db, or whatever you want to use).

    For your ACL concerns, you can fetch the LDAP group in your controller plugin and store it wherever you need, after authentication. You can then use a second plugin that checks ACLs on each request.

    This answer was selected by the asker as the best answer.
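As an added example (not code from the answer above or from Zend Framework), one way to cover the asker's "owner" concern without swapping the stored role between requests: the role stays the LDAP-derived one, and a Zend_Acl assertion grants edit/delete on a content resource only when its owner matches the identity held by Zend_Auth. The `My_Acl_Resource_Content` class, its `getOwnerUid()` method, and the identity being an object with a `uid` property are all assumptions.

```php
<?php
// Added example (not part of the original answer). Assumes ZF1 Zend_Acl/Zend_Auth.

// Assumption: content resources carry their owner's uid from the LDAP identity.
class My_Acl_Resource_Content implements Zend_Acl_Resource_Interface
{
    private $id;
    private $ownerUid;

    public function __construct($id, $ownerUid)
    {
        $this->id       = $id;
        $this->ownerUid = $ownerUid;
    }

    public function getResourceId() { return 'content'; } // shared ACL resource id
    public function getOwnerUid()   { return $this->ownerUid; }
}

// Assertion: true only when the authenticated identity owns this concrete resource.
class My_Acl_Assert_IsOwner implements Zend_Acl_Assert_Interface
{
    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity() || !$resource instanceof My_Acl_Resource_Content) {
            return false; // no identity, or a bare resource id with no owner to compare
        }
        $identity = $auth->getIdentity(); // assumption: object with a 'uid' property
        return isset($identity->uid) && $identity->uid === $resource->getOwnerUid();
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('user'), 'guest')   // role derived from LDAP group
    ->addRole(new Zend_Acl_Role('admin'), 'user');
$acl->addResource(new Zend_Acl_Resource('content'));

$acl->allow('guest', 'content', 'view');
$acl->allow('user',  'content', 'create');
// edit/delete only when the assertion passes; admin is allowed everything unconditionally.
$acl->allow('user',  'content', array('edit', 'delete'), new My_Acl_Assert_IsOwner());
$acl->allow('admin', 'content');

// In the ACL controller plugin: pass the concrete resource object, not just 'content',
// so isAllowed() hands it to the assertion. Constructed sample values below.
$role     = 'user'; // the stored LDAP-derived role of the current identity
$resource = new My_Acl_Resource_Content(42, 'dongyong9224');
$canEdit  = $acl->isAllowed($role, $resource, 'edit');
```

Because the owner check runs per call, the identity in storage never needs rewriting between requests, and an admin still passes without any assertion.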
