The biggest problem that I can spot at a quick glance is the "exit 1"
inside the event listener.
That's a big no-no, because it nukes the whole application life cycle
abruptly, and needlessly: it's sufficient to return the 403 response from
the listener to short-circuit the dispatch event and let the application
complete it gracefully.
Other than that, I can't recommend enough to test your authentication and
authorization modules thoroughly.
On Fri, 26 Feb 2016 at 16:00, David Mintz <[hidden email]>
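
The short-circuit described in the reply above, as an added example that is not part of the original message or of any framework's code. It assumes PHP 8 and uses a minimal stand-in dispatcher; `App`, `Response`, `onDispatch`, `onFinish` and the sample requests are hypothetical names and constructed data.

```php
<?php
// Added illustration: a minimal, framework-free dispatcher (hypothetical names).
final class Response {
    public function __construct(public int $status, public string $body = '') {}
}

final class App {
    /** @var callable[] */
    private array $dispatchListeners = [];
    /** @var callable[] */
    private array $finishListeners = [];

    public function onDispatch(callable $l): void { $this->dispatchListeners[] = $l; }
    public function onFinish(callable $l): void { $this->finishListeners[] = $l; }

    public function run(array $request): Response {
        $response = null;
        foreach ($this->dispatchListeners as $listener) {
            $result = $listener($request);
            if ($result instanceof Response) {   // a listener answered: stop dispatching
                $response = $result;
                break;
            }
        }
        $response ??= new Response(500, 'no listener produced a response');
        foreach ($this->finishListeners as $listener) {
            $listener($request, $response);      // runs for every outcome, 403 included
        }
        return $response;
    }
}

$audit = [];   // stands in for an audit log written at the end of every request
$app = new App();
// Authorization guard: returning the 403 short-circuits dispatch. Calling
// exit(1) here instead would end the process before the finish listener runs.
$app->onDispatch(function (array $req): ?Response {
    $allowed = ($req['role'] ?? null) === 'admin';   // constructed rule, fails closed
    return $allowed ? null : new Response(403, 'Forbidden');
});
$app->onDispatch(fn (array $req): Response => new Response(200, 'admin page'));
$app->onFinish(function (array $req, Response $res) use (&$audit): void {
    $audit[] = sprintf('%s -> %d', $req['user'] ?? 'anonymous', $res->status);
});
// Constructed requests: an admin, a guest, and one carrying no identity at all.
foreach ([['user' => 'alice', 'role' => 'admin'], ['user' => 'bob', 'role' => 'guest'], []] as $req) {
    $res = $app->run($req);
    echo $res->status, ' ', $res->body, PHP_EOL;
}
echo implode(PHP_EOL, $audit), PHP_EOL;
```

The denied requests still reach the finish listener, so they appear in the audit trail; this is also the shape to assert on when testing the authorization module.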