Authentication Best Practices?


Authentication Best Practices?

Jamie Krasnoo
Hi All,

Before I dive headfirst into creating the authentication for a site I'm
building, I thought I'd ask a few questions and get your opinion on the
best thing to do as far as security and authentication on a ZF2 site. I'm
trying to make the Admin area as secure as possible. I've read opinions on
securing the admin area, one of which is making admins separate from
members: tables, user type and entity, authentication and all. If a regular
user happens to stumble upon the admin area, make sure the login for it
pops up and, if they try to log in, that they won't be able to. Is it worth
it at all to separate the users and authentication services for the areas,
or is it overkill and an over-complication?

Jamie

Re: Authentication Best Practices?

Richie Bartlett
Jamie,
   That depends heavily upon your internal policies and application type. If you are building something that operates on an isolated LAN, then it may not be necessary to separate the admin login.
    However, for my web app, I am building a completely different app that is specifically for admins. It resides on an isolated server that has access to the user DB. The admin UI has its own authentication, provided by LDAP instead of another user DB. This completely separates web users from admins with no possibility of overlap. In other words, users have no way of accessing the admin UI. This also gives me the freedom of using different teams to develop the UIs in parallel. Plus, I can customize the internal interface with modules that should not be made available to public users, e.g., Splunk and SOLR can be installed for data mining and business intel.

Sent from my iPad
バートレット理路
#⃣090-6493-1691

On 2014/06/01 at 11:25, Jamie Krasnoo <[hidden email]> wrote:


--
List: [hidden email]
Info: http://framework.zend.com/archives
Unsubscribe: [hidden email]



Re: Authentication Best Practices?

jeremiah
There could be use cases for a separate module or even a separate app for admin. If you are doing a private app, e.g. one that requires users to be on a VPN, or if the app is going to value development efficiency and user convenience highly, I'd say you're in good company making the admin role and interface part of the same app.

I'm very happy with bjyauthorize. The app I'm currently working on uses it and has passed some strict corporate security audits. Resources are a powerful way to segregate roles from whole areas of the app.

If you're not going to use an external identity provider, such as LDAP, you'll need to build user management, and I'd recommend giving zfc_user a serious look rather than rolling your own.

Jeremiah

> On May 31, 2014, at 7:25 PM, Jamie Krasnoo <[hidden email]> wrote:

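As an added illustration of the "same app, segregated roles" option Jeremiah describes (this is example configuration written for this thread, not code from the thread, from BjyAuthorize or from ZfcUser), the following BjyAuthorize config keeps admins in the same application and user table but defines `admin` as a role that is not a child of `user`, so no member inherits into the admin area, and route guards deny the whole admin area to anyone without that role. The route names `member` and `admin` (and any child routes under them) are assumed for the sake of the example; BjyAuthorize denies any route that is not listed in the guard.

```php
<?php
// config/autoload/bjyauthorize.global.php (added example, not the thread's own code)
return [
    'bjyauthorize' => [
        // Role assigned to an unauthenticated visitor.
        'default_role' => 'guest',
        // Role assigned to an authenticated identity that has no explicit role.
        'authenticated_role' => 'user',
        // Identity and roles come from ZfcUser's database-backed user table.
        'identity_provider' => 'BjyAuthorize\Provider\Identity\ZfcUserZendDb',

        'role_providers' => [
            'BjyAuthorize\Provider\Role\Config' => [
                'guest' => [],
                'user'  => [],
                // Deliberately NOT nested under 'user': an admin is a separate
                // principal, so nothing granted to members reaches admin by inheritance.
                'admin' => [],
            ],
        ],

        'guards' => [
            // Route guard: a route that is not listed here is denied outright,
            // so a newly added admin route is closed until it is explicitly opened.
            'BjyAuthorize\Guard\Route' => [
                ['route' => 'home',           'roles' => ['guest', 'user', 'admin']],
                ['route' => 'zfcuser',        'roles' => ['guest', 'user', 'admin']],
                ['route' => 'zfcuser/login',  'roles' => ['guest']],
                ['route' => 'zfcuser/logout', 'roles' => ['user', 'admin']],
                // Member area (assumed route name): ordinary users only.
                ['route' => 'member',         'roles' => ['user']],
                // Admin area (assumed route name): only the 'admin' role reaches it.
                // Assumption: each child route (e.g. 'admin/users') needs its own entry.
                ['route' => 'admin',          'roles' => ['admin']],
                ['route' => 'admin/users',    'roles' => ['admin']],
            ],
        ],
    ],
];
```

A member who stumbles onto `/admin` is matched to the `admin` route, fails the guard, and gets the unauthorized response instead of the page; promoting someone to admin is then a role assignment, not a second login system.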