updated Zend_Auth proposal

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

updated Zend_Auth proposal

Darby Felton
Hi all,

The Zend_Auth (i.e., authentication) component proposal has been
approved for incubator development, and I have taken a first crack at
revising the proposal post-approval to reflect current status:

http://framework.zend.com/wiki/x/uAw

The class skeletons have been updated to reflect what is currently in
the incubator, a first commit of the classes to SVN.

As I continue working on a branch of Zend_Acl this week, the framework
access control list component, I would like interested people to have a
chance to review the proposal in its updated state and provide feedback,
as your comments and questions continue to be extremely valuable in this
phase of Zend_Auth development.

Some decision points in which I am currently interested include:

- Sorin's authentication code, which is attached to the proposal, I have
not yet reviewed, though I intend to do so. You can help me by reviewing
this code to get ideas for consideration with Zend_Auth.

- How does Zend_Auth persist authentication tokens in the session?
Obviously we would use Zend_Session to do this, but exactly how?
Consider that an authentication token is generated from a particular
authentication request, binding it to a particular adapter. I expect
that multiple Zend_Auth objects may be used in an application, perhaps
using different adapters, and in order to support this, the tokens must
be distinctly identifiable within the session.

- Applications will likely need to determine whether an authentication
token already exists for a given identity. If a valid token does not
already exist, the application may display a login form, for example. If
a valid token does exist, however, the application could simply continue
using the existing token. How exactly does the application ask this
question? Consider that the answer to the above question, how tokens are
persisted in the session, may be related to this question.

- How else can you help? We need concrete adapters for Zend_Auth to be
written, and you can write them. We already intend to complete the
Digest authentication adapter, which should be fairly simple, and there
is a PEAR counterpart to which a developer could refer. We also have
many votes for a database authentication adapter, as supported through
Zend_Db, and this could be an interesting component to develop, as well.

The Zend_Auth development is very much in its infancy, and this is an
excellent opportunity for you to get involved to help us make good
decisions on the development moving forward. After this week I will be
giving Zend_Auth more attention, and all comments and questions received
during this time will be reviewed next week.

Thank you for your support!

Best regards,
Darby

Reply | Threaded
Open this post in threaded view
|

Re: updated Zend_Auth proposal

Stanislav Malyshev
Hi!

> The class skeletons have been updated to reflect what is currently in
> the incubator, a first commit of the classes to SVN.

The code in the proposal now is:
     public function authenticate($useSession = true)
     {
         $args = func_get_args();
         $args = array_slice($args, 1);
         $token = call_user_func_array(array($this->_adapter,
__METHOD__), $args);


If I understand it correctly, this means that first parameter for the
method call is always useSession. I think it would be confusing to the
users. I would propose to do it like this:

1. authenticate() receives _only_ the parameters to pass to the adapter
2. useSession is a (protected) property for Zend_Auth object
3. useSession is set to true by default and is second argument to
Zend_Auth ctor
4. Method setSession() allows to change useSession (you are welcome to
choose better name for the method, of course :)

As discussed below, we need in Zend_Auth a method (tentatively named
isLoggedIn) to check if we are already logged in (i.e. session contains
valid token). This method would always return false if useSession is
false as above, and would return true (or even better - valid token) if
useSession is true and we have stored token that is valid. And a method
to "forget" session token of course.


> - How does Zend_Auth persist authentication tokens in the session?

I think Zend_Auth should have a namespace inside the session. The
namespace name would be stored in protected variable and can be changed
by setter method and maybe also be an optional ctor parameter (after
useSession, since if one doesn't use sessions one obviously needs not a
namespace for it). I.e. code like this:

// in class
protected $_session_space = "Zend_Auth";
protected $_session = null;

// in ctor
function __construct(Zend_Auth_Adapter $adapter, $use_session = true,
$session_name = null) {
// null means use default
...
   if($session_name) {
     $this->_session_space = $session_name;
   }
...
}

// in _initSession (protected)
if(!$this->_session) {
   $this->_session = new Zend_Session($this->_session_space);
}

// in isLoggedIn()
if($useSession) {
   $this->_initSession();
   $token = $this->_session->authToken;
   if($token && $token->isValid()) {
      return $token;
   } else {
      unset($this->_session->authToken);
      return false;
   }
} else {
   return false;
}

Note that we have to defer session initialization to give user the
chance to change the namespace (and probably more - see below) after
instantiating the Zend_Auth object.

> authentication request, binding it to a particular adapter. I expect
> that multiple Zend_Auth objects may be used in an application, perhaps
> using different adapters, and in order to support this, the tokens must
> be distinctly identifiable within the session.

Well, here we might use either different namespaces or different
variables inside a namespace. I think we should definitely use separate
namespace, and there should be a possibility to change namespace, but we
can also give possibility to change var name (authToken above) and use
different vars inside single namespace. I don't have yet any opinion on
which is better, what do you think?

> - Applications will likely need to determine whether an authentication
> token already exists for a given identity. If a valid token does not

That's isLoggedIn() above. Better name may be required :)
--
Stanislav Malyshev, Zend Products Engineer
[hidden email]  http://www.zend.com/

Reply | Threaded
Open this post in threaded view
|

Re: updated Zend_Auth proposal

Darby Felton
Thanks, Stas, for the helpful hints! I believe that I have included
most, if not all, of your suggestions in the latest version of
Zend_Auth, though there is more yet @todo.

Please let me know if you see that I have missed something.

Thanks again,
Darby

Stanislav Malyshev wrote:

> Hi!
>
>> The class skeletons have been updated to reflect what is currently in
>> the incubator, a first commit of the classes to SVN.
>
> The code in the proposal now is:
>     public function authenticate($useSession = true)
>     {
>         $args = func_get_args();
>         $args = array_slice($args, 1);
>         $token = call_user_func_array(array($this->_adapter,
> __METHOD__), $args);
>
>
> If I understand it correctly, this means that first parameter for the
> method call is always useSession. I think it would be confusing to the
> users. I would propose to do it like this:
>
> 1. authenticate() receives _only_ the parameters to pass to the adapter
> 2. useSession is a (protected) property for Zend_Auth object
> 3. useSession is set to true by default and is second argument to
> Zend_Auth ctor
> 4. Method setSession() allows to change useSession (you are welcome to
> choose better name for the method, of course :)
>
> As discussed below, we need in Zend_Auth a method (tentatively named
> isLoggedIn) to check if we are already logged in (i.e. session contains
> valid token). This method would always return false if useSession is
> false as above, and would return true (or even better - valid token) if
> useSession is true and we have stored token that is valid. And a method
> to "forget" session token of course.
>
>
>> - How does Zend_Auth persist authentication tokens in the session?
>
> I think Zend_Auth should have a namespace inside the session. The
> namespace name would be stored in protected variable and can be changed
> by setter method and maybe also be an optional ctor parameter (after
> useSession, since if one doesn't use sessions one obviously needs not a
> namespace for it). I.e. code like this:
>
> // in class
> protected $_session_space = "Zend_Auth";
> protected $_session = null;
>
> // in ctor
> function __construct(Zend_Auth_Adapter $adapter, $use_session = true,
> $session_name = null) {
> // null means use default
> ...
>   if($session_name) {
>     $this->_session_space = $session_name;
>   }
> ...
> }
>
> // in _initSession (protected)
> if(!$this->_session) {
>   $this->_session = new Zend_Session($this->_session_space);
> }
>
> // in isLoggedIn()
> if($useSession) {
>   $this->_initSession();
>   $token = $this->_session->authToken;
>   if($token && $token->isValid()) {
>      return $token;
>   } else {
>      unset($this->_session->authToken);
>      return false;
>   }
> } else {
>   return false;
> }
>
> Note that we have to defer session initialization to give user the
> chance to change the namespace (and probably more - see below) after
> instantiating the Zend_Auth object.
>
>> authentication request, binding it to a particular adapter. I expect
>> that multiple Zend_Auth objects may be used in an application, perhaps
>> using different adapters, and in order to support this, the tokens must
>> be distinctly identifiable within the session.
>
> Well, here we might use either different namespaces or different
> variables inside a namespace. I think we should definitely use separate
> namespace, and there should be a possibility to change namespace, but we
> can also give possibility to change var name (authToken above) and use
> different vars inside single namespace. I don't have yet any opinion on
> which is better, what do you think?
>
>> - Applications will likely need to determine whether an authentication
>> token already exists for a given identity. If a valid token does not
>
> That's isLoggedIn() above. Better name may be required :)
Reply | Threaded
Open this post in threaded view
|

Re: updated Zend_Auth proposal

Bugzilla from superbiji@gmail.com
In reply to this post by Darby Felton
In my auth class,

I use a filter to "inject" auth to controller, i don't know how Zend_Auth



I save these to session:
1. username who login
2. last active time() for detecting idle

snip:
        if ($user->isAuthenticated())
        {

            // check idle time
            if (time() - $user->getactivetime() > MAXIDLE)
            {
                                if ($controller instanceof WsController)
                                {
                                        throw new
SecurityException("Session expired");
                                }

                //$request->setAttribute("login_info", "Session expired.");
                $controller->forward("Default", "Logout");
                return;
            }

            // reset idle time
            $user->setactivetime();

            // the user is authenticated
            if ($credential === null || $user->hasCredential($credential))
            {
                // the user has access, continue
                $filterChain->execute();
            }





On 29/11/06, Darby Felton <[hidden email]> wrote:
> Hi all,
>
> The Zend_Auth (i.e., authentication) component proposal has been
> approved for incubator development, and I have taken a first crack at
> revising the proposal post-approval to reflect current status:
>
> http://framework.zend.com/wiki/x/uAw
>