eZ Components - AuthenticationDatabaseTiein
Table of Contents
Introduction
Description
The purpose of the Authentication component is to provide support for different means of identification and authentication of users using different providers and protocols.
AuthenticationDatabaseTiein provides a Database filter for the Authentication component by using the Database component, and an implementation of a database store (backend) for OpenID authentication.
Class overview
An overview of the most important classes in the Authentication component and this component.
Base classes
- ezcAuthentication
- Main class of Authentication. It is a container for authentication filters, which will be run in sequence. The method run() returns true or false depending on the success of the authentication filters. Implemented in Authentication.
- ezcAuthenticationCredentials
- Structure which holds user credentials. Types are id credentials (ezcAuthenticationIdCredentials) and id + password credentials (ezcAuthenticationPasswordCredentials). Implemented in Authentication.
Authentication filters
- ezcAuthenticationDatabaseFilter
- Filter to authenticate against a database. Uses a database instance provided by the Database component (via the ezcDbInstance::get() function).
Stores
OpenID uses a store to hold the generated nonces and the associations (in "smart" mode). If there is no store specified, then nonces are not checked.
- ezcAuthenticationOpenidStore
- Abstract class from which the different stores inherit. Implemented in Authentication.
- ezcAuthenticationOpenidFileStore
- Uses file storage. Nonces are stored in files named after the nonce itself, and associations are stored in files named after the OpenID provider with which the association is made. Implemented in Authentication.
- ezcAuthenticationOpenidDbStore
- Database storage. Nonces and associations are stored in two tables, with names defined as options in ezcAuthenticationOpenidDbStoreOptions.
Authentication filters
Database
The following example shows how to authenticate against a database.
- <?php
- require_once 'tutorial_autoload.php';
- $credentials = new ezcAuthenticationPasswordCredentials( 'jan.modaal', 'b1b3773a05c0ed0176787a4f1574ff0075f7521e' );
- $database = new ezcAuthenticationDatabaseInfo( ezcDbInstance::get(), 'users', array( 'user', 'password' ) );
- $authentication = new ezcAuthentication( $credentials );
- $authentication->addFilter( new ezcAuthenticationDatabaseFilter( $database ) );
- if ( !$authentication->run() )
- {
- // authentication did not succeed, so inform the user
- $status = $authentication->getStatus();
- $err = array(
- 'ezcAuthenticationDatabaseFilter' => array(
- ezcAuthenticationDatabaseFilter::STATUS_USERNAME_INCORRECT => 'Incorrect username',
- ezcAuthenticationDatabaseFilter::STATUS_PASSWORD_INCORRECT => 'Incorrect password'
- )
- );
- foreach ( $status as $line )
- {
- list( $key, $value ) = each( $line );
- echo $err[$key][$value] . "\n";
- }
- }
- else
- {
- // authentication succeeded, so allow the user to see his content
- }
- ?>
First, a credentials object is created with username jan.modaal and password 'b1b3773a05c0ed0176787a4f1574ff0075f7521e' (sha1() hash).
An authentication object is created using the credentials object, and a Database filter is added to it. The $database structure specifies the database instance (ezcDbInstance::get()), the table name ('users') and the username and password fields in the table ('user', 'password').
After running the authentication (line 8), if the username and the password do not pass through the Database filter, then the credentials are incorrect and the user must be informed. The getStatus() method is used for this. The values in the status returned must be cycled through and for each value a response is created for the user ("Username incorrect", "Password incorrect").
If run() returned true (line 24) then the user is logged-in and he can see his content.
Fetch extra data during Database authentication
Any value from the table which holds the users can be fetched. The exact column names must be specified. Example:
// $filter is an ezcAuthenticationDatabaseFilter object
$filter->registerFetchData( array( 'name', 'country' ) );
After the authentication process is finished (after run()), retrieve the extra data:
// $filter is an ezcAuthenticationDatabaseFilter object
$data = $filter->fetchData();
For the previous example, the $data array will be something like this:
array( 'name' => array( 'John Doe' ),
'country' => array( 'US' )
);
OpenID
OpenID "smart" (stateful) mode
The following example shows how to authenticate against OpenID in "smart" (stateful) mode, using a database store.
- <?php
- require_once 'tutorial_autoload.php';
- // no headers should be sent before calling $session->start()
- $session = new ezcAuthenticationSession();
- $session->start();
- $url = isset( $_GET['openid_identifier'] ) ? $_GET['openid_identifier'] : $session->load();
- $action = isset( $_GET['action'] ) ? strtolower( $_GET['action'] ) : null;
- $credentials = new ezcAuthenticationIdCredentials( $url );
- $authentication = new ezcAuthentication( $credentials );
- $authentication->session = $session;
- if ( $action === 'logout' )
- {
- $session->destroy();
- }
- else
- {
- $options = new ezcAuthenticationOpenidOptions();
- $options->mode = ezcAuthenticationOpenidFilter::MODE_SMART;
- // define a database store by specifying a database instance
- $options->store = new ezcAuthenticationOpenidDbStore( ezcDbInstance::get() );
- $filter = new ezcAuthenticationOpenidFilter( $options );
- $authentication->addFilter( $filter );
- }
- if ( !$authentication->run() )
- {
- // authentication did not succeed, so inform the user
- $status = $authentication->getStatus();
- $err = array(
- 'ezcAuthenticationOpenidFilter' => array(
- ezcAuthenticationOpenidFilter::STATUS_SIGNATURE_INCORRECT => 'OpenID said the provided identifier was incorrect',
- ezcAuthenticationOpenidFilter::STATUS_CANCELLED => 'The OpenID authentication was cancelled',
- ezcAuthenticationOpenidFilter::STATUS_URL_INCORRECT => 'The identifier you provided is invalid'
- ),
- 'ezcAuthenticationSession' => array(
- ezcAuthenticationSession::STATUS_EMPTY => '',
- ezcAuthenticationSession::STATUS_EXPIRED => 'Session expired'
- )
- );
- foreach ( $status as $line )
- {
- list( $key, $value ) = each( $line );
- echo $err[$key][$value] . "\n";
- }
- ?>
- Please login with your OpenID identifier (an URL, eg. www.example.com or http://www.example.com):
- <form method="GET" action="">
- <input type="hidden" name="action" value="login" />
- <img src="http://openid.net/login-bg.gif" /> <input type="text" name="openid_identifier" />
- <input type="submit" value="Login" />
- </form>
- <?php
- }
- else
- {
- ?>
- You are logged-in as <b><?php echo $url; ?></b> | <a href="?action=logout">Logout</a>
- <?php
- }
- ?>
A database store is defined at line 25. This store will also hold the nonces which are used to prevent replay attacks.
The database store requires that certain tables are present in the database. To load the .dba definition for these tables into your database you must have the DatabaseSchema component installed. Use the following code to load the schema:
- <?php
- require_once 'tutorial_autoload.php';
- $db = ezcDbInstance::get(); // replace if you get your database instance differently
- $schema = ezcDbSchema::createFromFile( 'array', 'openid_db_store_schema.dba' );
- $schema->writeToDb( $db );
- ?>
Securing applications
Securing applications - A guide to improve the security of online applications. It is not exhaustive, but it provides solutions against common attacks.