Using Zend_Auth to secure all controllers


Question

How would I globally secure all my controllers (except for my Login controller) to ensure my application is secure at all points (no hidden backdoor to ajax calls, etc.)? I thought that I might put it in my bootstrap file, but this doesn't feel right. I'm trying to avoid adding any code to each controller.

Suggestions?

Recommended answer

edit: this is a complement to @singles' response.

You must understand there are 2 different things: Auth and Acl. Auth tells you who the user is, and you can for example redirect a user having no Auth to your login controller, and set an auth identity after login. Then the Acl system takes yes/no decisions based on the Auth data (could be the user id or its role, stored in the Auth storage).

One nice solution is to have 2 controller plugins (registered in the right order on the bootstrap, Auth then Acl). If you do not use controller plugins you'll have to call the Acl check in each controller, when needed. If you always need it, then use plugins.

Implement preDispatch() in your Auth plugin to set, for example, an anonymous identity if you have no identity returned from Zend_Auth. This is a code snippet of a real one:

// Auth front-controller plugin (class name assumed; the original shows only the method)
class My_Plugin_Auth extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $module     = $request->getModuleName();
        $controller = $request->getControllerName();
        $action     = $request->getActionName();
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity()) {
            // set a default anonymous identity so the Acl plugin always has a role to check
            $auth->getStorage()->write(array('name' => 'anonymous', 'role' => 1));
        }
        // (...)
    }
}

And for the Acl controller plugin the task is also in preDispatch(). You can launch an acl check for each requested url (so for each user request, even ajax). Here's a partial snippet, so this is just an example of how you could handle things:

// Acl front-controller plugin (class name assumed; the original shows only the method)
class My_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $_acl;

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $controller = $request->getControllerName();
        $module     = $request->getModuleName();
        $action     = $request->getActionName();
        // here you should code something nice retrieving your Zend_Acl object
        // with some caching options maybe, building roles, resources, etc.
        $this->_acl = $this->getAcl();
        if (!$this->_acl->isCurrentUserAllowed($module, 'see')) {
            $auth     = Zend_Auth::getInstance();
            $identity = $auth->hasIdentity() ? $auth->getIdentity() : null;
            if (isset($identity)) {
                if ($identity['name'] == 'anonymous') {
                    // WARNING: avoid infinite redirect loops on login page
                    if (!($request->getControllerName() == 'login'
                        && $request->getActionName() == 'login'
                        && $request->getModuleName() == 'default')) {
                        // forward the request to the login action instead of dispatching it
                        $request->setControllerName('login')
                                ->setActionName('login')
                                ->setModuleName('default');
                        return;
                    }
                }
                // (...)
            }
        }
    }
}

And in this system the last important part is the LoginController, where in case of successful login you should initiate the identity record:

// (...) inside LoginController, once $authAdapter has authenticated the user
$auth = Zend_Auth::getInstance();
// new session id at the privilege change, so a session id chosen before login is not kept
Zend_Session::regenerateId();
$storage = $auth->getStorage();
// store the user row in the identity, omitting the password column
$rowobject = $authAdapter->getResultRowObject(null, 'passwd');
$storage->write((array)$rowobject);
// (...)
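As an added example (not the answer's own code), here is a complete Acl plugin built on Zend_Acl that denies every module:controller not explicitly registered, uses the action name as the privilege, and answers ajax requests with a 403 instead of forwarding them to the login form. The class, role, resource and error-controller names are assumptions, as is the Auth plugin writing role names (rather than the numeric role shown above) into the identity.

```php
<?php
// Added example, not from the original answer. Class, role, resource and error-controller names are assumed.
class My_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $_acl;
    public function __construct()
    {
        $acl = new Zend_Acl();
        $acl->addRole(new Zend_Acl_Role('anonymous'));
        $acl->addRole(new Zend_Acl_Role('member'), 'anonymous');   // member inherits anonymous rules
        $acl->addRole(new Zend_Acl_Role('admin'), 'member');
        // One resource per "module:controller". Anything not listed here is denied.
        foreach (array('default:login', 'default:error', 'default:index',
                       'default:account', 'admin:users') as $res) {
            $acl->addResource(new Zend_Acl_Resource($res));
        }
        $acl->allow(null, 'default:login');                   // every role, or forwarding loops
        $acl->allow(null, 'default:error');                   // the denied page must be reachable
        $acl->allow('anonymous', 'default:index', 'index');   // only this action
        $acl->allow('member', 'default:account');
        $acl->allow('admin');                                 // admin: every resource
        $this->_acl = $acl;
    }
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $resource  = $request->getModuleName() . ':' . $request->getControllerName();
        $privilege = $request->getActionName();
        // The Auth plugin registered before this one wrote at least an anonymous identity.
        $identity = Zend_Auth::getInstance()->getIdentity();
        $role     = isset($identity['role']) ? $identity['role'] : 'anonymous';
        // Deny by default: isAllowed() throws on unknown resources, so check has() first.
        if ($this->_acl->has($resource)
            && $this->_acl->isAllowed($role, $resource, $privilege)) {
            return;
        }
        $isAjax = $request instanceof Zend_Controller_Request_Http
            && $request->isXmlHttpRequest();
        if ($isAjax || $role !== 'anonymous') {
            // Ajax callers and logged-in users get a 403 page, never the login form.
            $this->getResponse()->setHttpResponseCode(403);
            $request->setModuleName('default')->setControllerName('error')
                    ->setActionName('denied');
        } else {
            $request->setModuleName('default')->setControllerName('login')
                    ->setActionName('login');
        }
    }
}
```

Register it after the Auth plugin in the bootstrap, e.g. `Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_Auth())->registerPlugin(new My_Plugin_Acl());`, since plugins run in registration order and this one expects an identity to already exist.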
