Zend_Auth chained adapters and ownership role acl

Posted 2024-12-03 16:16:48

I set up a Zend_Acl and Zend_Auth scheme where the user is authenticated using Zend_Auth_Adapter_Ldap and stored in the session. I use a controller plugin that checks $auth->hasIdentity() and $acl->isAllowed() and displays the login form if needed.

What I want to do is to add login cookies (my implementation of best practices), and API keys in addition to the session check in Zend_Auth. I also need to switch the role to 'owner', on content created by the user.

My concerns:

  • Login cookie should only be used as fallback if regular session auth fails, and thus the session should be authenticated
  • API keys should be used as fallback if both the login cookie and the session cookie fail
  • I don't want to store the password anywhere, it should only reside in LDAP
  • I need persistent storage of the identity, as looking it up in LDAP is not possible without full username and password
  • The role is dependent both on LDAP group membership (which needs to be persistently stored), and if the identity should be considered owner of the content (meaning it's changing in between requests, unless admin)

What's a good pattern / approach to solve this using Zend Framework MVC and Zend_Auth + Zend_Acl ?
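As an added example (not code from the question or the answer on this page), here is one way to express the fallback order listed above as a single Zend_Auth adapter: the controller plugin only runs the chain when the session has no identity yet, so the session stays the primary source and the login cookie and API key are tried, in that order, only as fallbacks. It assumes Zend Framework 1 on the include path; My_Auth_Adapter_Chain and My_Auth_Adapter_ApiKey are names chosen here, the API-key table is constructed, and My_Auth_Adapter_LoginCookie stands in for a hypothetical persistent-login cookie adapter of your own.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumes Zend Framework 1 is on the include path.
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/Interface.php';
require_once 'Zend/Auth/Result.php';

/** Tries each inner adapter in order; the first valid Zend_Auth_Result wins. */
class My_Auth_Adapter_Chain implements Zend_Auth_Adapter_Interface
{
    private $adapters = array();   // name => Zend_Auth_Adapter_Interface, in fallback order
    private $messages = array();   // name => failure messages of the adapters that were tried
    private $successfulSource;     // name of the adapter that produced the valid result

    public function __construct(array $adapters)
    {
        foreach ($adapters as $name => $adapter) {
            if (!$adapter instanceof Zend_Auth_Adapter_Interface) {
                throw new InvalidArgumentException("Adapter '$name' must implement Zend_Auth_Adapter_Interface");
            }
            $this->adapters[$name] = $adapter;
        }
    }

    public function authenticate()
    {
        $this->messages = array();
        $this->successfulSource = null;
        foreach ($this->adapters as $name => $adapter) {
            $result = $adapter->authenticate();
            if ($result->isValid()) {
                // Remember which source succeeded: an API-key request should not be
                // granted the same privileges as an interactive LDAP login.
                $this->successfulSource = $name;
                return $result;
            }
            $this->messages[$name] = $result->getMessages();
        }
        return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null,
                                    array('No credential source accepted the request'));
    }

    public function getSuccessfulSource() { return $this->successfulSource; }
    public function getMessages() { return $this->messages; }
}

/** API-key adapter over a table of SHA-256 key hashes, so no plaintext key is stored. */
class My_Auth_Adapter_ApiKey implements Zend_Auth_Adapter_Interface
{
    private $presentedKey;
    private $table;   // hex sha256(key) => identity recorded when the key was issued

    public function __construct($presentedKey, array $table)
    {
        $this->presentedKey = $presentedKey;
        $this->table = $table;
    }

    public function authenticate()
    {
        if ($this->presentedKey === null || $this->presentedKey === '') {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null,
                                        array('No API key presented'));
        }
        // The presented key is hashed before lookup; the table never holds plaintext keys.
        $hash = hash('sha256', $this->presentedKey);
        if (!isset($this->table[$hash])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null,
                                        array('Unknown API key'));
        }
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->table[$hash]);
    }
}

// Wiring inside the controller plugin: fallbacks run only when the session has no identity.
$auth = Zend_Auth::getInstance();
if (!$auth->hasIdentity()) {
    // Constructed key table; in a real deployment it is loaded from the key store.
    $apiKeys = array(hash('sha256', 'constructed-example-key') => 'alice');
    $apiKeyHeader = isset($_SERVER['HTTP_X_API_KEY']) ? $_SERVER['HTTP_X_API_KEY'] : null;

    $sources = array();
    if (class_exists('My_Auth_Adapter_LoginCookie')) {   // hypothetical: your own cookie adapter
        $sources['cookie'] = new My_Auth_Adapter_LoginCookie($_COOKIE);
    }
    $sources['apikey'] = new My_Auth_Adapter_ApiKey($apiKeyHeader, $apiKeys);

    // Zend_Auth::authenticate() writes a valid identity into the session storage, which is
    // what "the session should be authenticated" after a cookie fallback amounts to.
    $chain  = new My_Auth_Adapter_Chain($sources);
    $result = $auth->authenticate($chain);
}
```

One design choice worth noting: because Zend_Auth::authenticate() persists any valid identity to the session, an API key used once will also create a logged-in session. If API clients should stay stateless, call $chain->authenticate() directly for the 'apikey' source instead of going through Zend_Auth, and use getSuccessfulSource() to decide which rules apply to the request.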

Comments (1)

独孤求败 2024-12-10 16:16:48

You can create your own adapter/storage classes by implementing Zend_Auth_Adapter_Interface and Zend_Auth_Storage_Interface.

In these classes, you can re-use original adapters (like LDAP) or storages, and only write the code that implements your auth rules.

For example, using multiple sources for the Zend_Auth_Adapter:

<?php
class My_Auth_Adapter implements Zend_Auth_Adapter_Interface
{
    private $ldapAdapter;
    private $cookieAdapter;
    private $apiKeyAdapter;

    public function __construct($ldapAdapter, $cookieAdapter, $apiKeyAdapter)
    {
        $this->ldapAdapter = $ldapAdapter;
        $this->cookieAdapter = $cookieAdapter;
        $this->apiKeyAdapter = $apiKeyAdapter;
    }

    public function authenticate()
    {
        // Each inner adapter returns a Zend_Auth_Result; the first valid one wins
        $result = $this->ldapAdapter->authenticate();
        if ($result->isValid()) {
            return $result;
        }
        $result = $this->cookieAdapter->authenticate();
        if ($result->isValid()) {
            return $result;
        }
        $result = $this->apiKeyAdapter->authenticate();
        if ($result->isValid()) {
            return $result;
        }
        // Create and return a Zend_Auth_Result which prevents logging in
        return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null, array('All credential sources failed'));
    }
}

I am not sure I understand your login rules, but the concept remains the same for the Storage class:

<?php
class My_Auth_Storage implements Zend_Auth_Storage_Interface
{
    private $sessionStorage;
    private $cookieStorage;
    private $apiStorage;

    public function __construct(Zend_Auth_Storage_Interface $session, Zend_Auth_Storage_Interface $cookie, Zend_Auth_Storage_Interface $api)
    {
        $this->sessionStorage = $session;
        $this->cookieStorage = $cookie;
        $this->apiStorage = $api;
    }

    public function read()
    {
        if (!$this->sessionStorage->isEmpty()) {
            return $this->sessionStorage->read();
        } elseif (!$this->cookieStorage->isEmpty()) {
            return $this->cookieStorage->read();
        } elseif (!$this->apiStorage->isEmpty()) {
            return $this->apiStorage->read();
        }
        return null;
    }

    // And so on; do not forget to implement all the interface's methods
    public function isEmpty() { return $this->read() === null; }
    public function write($contents) { $this->sessionStorage->write($contents); }
    public function clear() { $this->sessionStorage->clear(); $this->cookieStorage->clear(); $this->apiStorage->clear(); }
}

With this implementation, you can have multiple credential sources, and multiple session storage engines (cookie, session, db, or whatever you want to use).

For your acl concerns, you can fetch the LDAP group in your controller plugin and store it wherever you need, after authentication. You can then use a second plugin that checks ACLs on each request.
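The "owner" role that changes between requests, as an added example that is not part of the answer above: rather than switching the role, keep the LDAP-derived role fixed and attach a Zend_Acl assertion that compares the current identity with the owner recorded on the resource, so the per-request part lives in the assertion and the persisted part (uid and group list) lives in the session. It assumes Zend Framework 1 on the include path; My_Acl_Resource_Post, My_Acl_Assert_IsOwner, buildAcl, the 'admins' group name and the identity object are all constructed for this example.

```php
<?php
// Added example, not code from the answer above. Assumes Zend Framework 1 on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';

/** A post resource that carries its owner's uid so the assertion can inspect it. */
class My_Acl_Resource_Post extends Zend_Acl_Resource
{
    public $ownerUid;

    public function __construct($resourceId, $ownerUid)
    {
        parent::__construct($resourceId);
        $this->ownerUid = $ownerUid;
    }
}

/** Passes only when the authenticated identity's uid equals the resource's owner. */
class My_Acl_Assert_IsOwner implements Zend_Acl_Assert_Interface
{
    private $identity;   // object with a 'uid' property, or null when not logged in

    public function __construct($identity)
    {
        $this->identity = $identity;
    }

    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Zend_Acl hands the originally passed resource object to the assertion,
        // so the owner set on the post instance is available here.
        if (!$resource instanceof My_Acl_Resource_Post || !isset($this->identity->uid)) {
            return false;
        }
        return $resource->ownerUid === $this->identity->uid;
    }
}

/** Builds the ACL once per request with the current identity bound to the owner assertion. */
function buildAcl($identity)
{
    $acl = new Zend_Acl();
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('user'), 'guest');
    $acl->addRole(new Zend_Acl_Role('admin'), 'user');
    $acl->add(new Zend_Acl_Resource('post'));

    $acl->allow('guest', 'post', 'view');
    $acl->allow('user', 'post', 'create');
    // A user may edit or delete a post only when the assertion confirms ownership.
    $acl->allow('user', 'post', array('edit', 'delete'), new My_Acl_Assert_IsOwner($identity));
    // Admins (from LDAP group membership) get every privilege without the ownership check.
    $acl->allow('admin', 'post');
    return $acl;
}

// Constructed identity, shaped like what the plugin persists after LDAP auth: uid plus groups.
$identity = (object) array('uid' => 'alice', 'groups' => array('staff'));
$role = in_array('admins', $identity->groups, true) ? 'admin' : 'user';
$acl  = buildAcl($identity);

// Constructed posts; both share the registered resource id 'post' but carry different owners.
$ownPost   = new My_Acl_Resource_Post('post', 'alice');
$otherPost = new My_Acl_Resource_Post('post', 'bob');

$canEditOwn   = $acl->isAllowed($role, $ownPost, 'edit');
$canEditOther = $acl->isAllowed($role, $otherPost, 'edit');
$adminCanEdit = $acl->isAllowed('admin', $otherPost, 'edit');
```

With the constructed identity, $canEditOwn is true, $canEditOther is false, and $adminCanEdit is true: the role derived from the persisted LDAP groups never changes between requests, while ownership is evaluated per request against the resource in hand. Building the ACL inside the per-request plugin (or binding a fresh identity to the assertion each time) is what keeps the owner check tied to the currently authenticated user rather than to whoever built the ACL first.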
