The document discusses authentication and authorization in the Yii framework, including its core application components like authentication manager and access control, as well as authorization approaches like role-based access control and access control lists. Yii provides tools for user authentication, defining user roles and permissions, and controlling access to application functions and data.
Yii Framework Security
1. Application Security with Yii Framework
Authentication and Authorization
Ilko Kacharov | kachar136@gmail.com
2. Advantages of the framework
1. Very good documentation and many examples
2. Yii community is growing rapidly, has many free extensions
3. Easy approach to develop modules and components
4. Model, Controller, Module code generation tool may be used with custom code templates.
5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats');
6. Strong control over the code: a fully object-oriented framework with a push/pull MVC design
7. Fast, because classes are loaded lazily through autoloading
8. Easy configuration in php array, application may be started with different configs.
9. Easy to extend / customize, simple code structure
10. Yii Authentication API for multi-channel login, easy to extend, SOAP support
11. User Access Control using different schemes like RBAC, ACL
12. Web services and console applications can be built as easily as web apps.
13. Easy form creation and form validation (client and server side), built-in ajax support
14. Easy to setup database connections and database migrations. Query builder or plain queries
15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk()
16. Many ready to use web widgets and tools like menus, action tables, calendars, etc.
17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/)
18. Multiple plain PHP layouts, templates and partial templates.
19. Automatic javascript/css registering and including in the main layout from anywhere
20. Friendly with third-party code
21. Internationalisation and translations module by module in php arrays, string extraction tool
22. Error handling and logging
3. Performance
RPS (requests per second) means how many requests an application written in a framework can process per second. APC stands for Alternative PHP Cache, a caching component used to increase application performance (in comparison to the same measurement with this extension turned off).
http://www.yiiframework.com/performance/
4. Core Application Components
Yii predefines a set of core application components to provide features common among Web applications.
For example, the request component is used to resolve user requests and provide information such as URL, cookies.
By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect.
Below we list the core components that are pre-declared by CWebApplication.
assetManager: CAssetManager - manages the publishing of private asset files.
authManager: CAuthManager - manages role-based access control (RBAC).
cache: CCache - provides data caching functionality.
clientScript: CClientScript - manages client scripts (javascripts and CSS).
coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework.
db: CDbConnection - provides the database connection.
errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions.
messages: CPhpMessageSource - provides translated messages used by the Yii application.
request: CHttpRequest - provides information related to user requests.
securityManager: CSecurityManager - provides security-related services, such as hashing, encryption.
session: CHttpSession - provides session-related functionalities.
statePersister: CStatePersister - provides global state persistence method.
urlManager: CUrlManager - provides URL parsing and creation functionality.
user: CWebUser - represents the identity information of the current user.
themeManager: CThemeManager - manages themes.
and others...
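As an added illustration (not from the slides), here is how the security-relevant core components listed above are configured in the application configuration array (protected/config/main.php in the default skeleton). The key values are placeholders, and the cookie and session settings are assumptions about a deployment served over HTTPS:

```php
<?php
// Added example, not the slides' own code: a main.php fragment that configures
// the security-relevant core components of a Yii 1.x web application.
return array(
    'name' => 'Secured App',
    'components' => array(
        // CHttpRequest: validate the CSRF token on POST and sign cookies so they
        // cannot be tampered with on the client side.
        'request' => array(
            'enableCsrfValidation' => true,
            'enableCookieValidation' => true,
        ),
        // CSecurityManager: keys used for cookie validation (HMAC) and encryption.
        // Placeholders only: generate long random values and keep them out of
        // version control (e.g. load them from a file outside the web root).
        'securityManager' => array(
            'validationKey' => 'REPLACE_WITH_RANDOM_VALIDATION_KEY',
            'encryptionKey' => 'REPLACE_WITH_RANDOM_ENCRYPTION_KEY',
        ),
        // CHttpSession: the session cookie is not readable from JavaScript and is
        // only sent over HTTPS (assumes the site is served over TLS).
        'session' => array(
            'cookieParams' => array(
                'httponly' => true,
                'secure' => true,
            ),
        ),
        // CWebUser: enable cookie-based ("remember me") login and harden the
        // identity cookie the same way as the session cookie.
        'user' => array(
            'allowAutoLogin' => true,
            'loginUrl' => array('site/login'),
            'identityCookie' => array(
                'httpOnly' => true,
                'secure' => true,
            ),
        ),
        // CDbAuthManager: RBAC items and assignments stored in the database
        // (the default tables are created by framework/web/auth/schema-*.sql).
        'authManager' => array(
            'class' => 'CDbAuthManager',
            'connectionID' => 'db',
        ),
        'db' => array(
            'connectionString' => 'mysql:host=localhost;dbname=app',
            'username' => 'app',
            'password' => 'REPLACE_WITH_DB_PASSWORD',
            'charset' => 'utf8',
        ),
    ),
);
```

Cookie validation only protects cookies when validationKey is set to an unpredictable value; with the defaults Yii generates a key on first use and stores it under protected/runtime, which is why the key is best fixed explicitly in the configuration.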
5. Application life cycle
The following diagram shows the static structure of a Yii app, and the list below shows a typical workflow of a Yii application when it is handling a user request:
1. Pre-initializes the application with CApplication::preinit();
2. Set up class autoloader and error handling;
3. Register core application components;
4. Load application configuration;
5. Initialize the application with CApplication::init();
- Register application behaviors;
- Load static application components;
6. Raise onBeginRequest event;
7. Process the user request:
- Resolve the user request;
- Create controller;
- Run controller;
http://www.hooto.com/media/image/view/?id=919&style=full
6. Authentication
Authentication is the mechanism whereby systems may securely identify their users.
Authentication systems answer the questions:
Who is the user?
Is the user really who he/she represents himself to be?
7. Authorization
Authorization verifies that you have the permissions you need to access an object.
It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
● Is user X authorized to access resource R?
● Is user X authorized to perform operation P?
● Is user X authorized to perform operation P on resource R?
8. Access Control Lists
An access control list (ACL) is a list of permissions attached to an object.
An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
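In Yii 1.x the closest built-in counterpart to an ACL is the access control filter (step 4 of the deck), where each controller attaches a list of allow/deny rules to its actions. The following controller is an added example, not code from the slides; the controller, action names and the IP range are hypothetical, and the deniedCallback option assumes Yii 1.1.11 or later:

```php
<?php
// Added example (not from the slides): access rules as an ACL attached to a
// controller. Rules are evaluated top to bottom and the first matching rule
// decides; the final deny rule makes the list default-deny.
class PostController extends CController
{
    public function filters()
    {
        // Run the access control filter before every action of this controller
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            // Anyone ('*') may list and view posts
            array('allow',
                'actions' => array('index', 'view'),
                'users' => array('*'),
            ),
            // Only authenticated users ('@') may create posts
            array('allow',
                'actions' => array('create'),
                'users' => array('@'),
            ),
            // Update/delete require the 'editor' RBAC role (checked via authManager)
            array('allow',
                'actions' => array('update', 'delete'),
                'roles' => array('editor'),
            ),
            // Admin actions: 'admin' role, POST only, from a constructed office range
            array('allow',
                'actions' => array('admin'),
                'roles' => array('admin'),
                'ips' => array('10.0.0.*'),
                'verbs' => array('POST'),
            ),
            // Default-deny for everything not explicitly allowed above.
            // deniedCallback replaces the filter's default handling, so the
            // callback must itself refuse the request (see logDenied below).
            array('deny',
                'users' => array('*'),
                'deniedCallback' => array($this, 'logDenied'),
            ),
        );
    }

    // Handling the authorization result (step 5 of the deck): record the denial
    // for detection purposes, then do what the filter would have done by default.
    public function logDenied($rule)
    {
        $user = Yii::app()->user;
        Yii::log('Access denied for user ' . ($user->isGuest ? 'guest' : $user->id)
            . ' to route ' . $this->route, CLogger::LEVEL_WARNING, 'application.auth');
        if ($user->isGuest)
            $user->loginRequired();   // redirects to CWebUser::loginUrl
        else
            throw new CHttpException(403, 'You are not authorized to perform this action.');
    }
}
```

Without the closing deny rule the filter allows any action that no rule mentions, so a newly added action would be reachable by everyone until someone remembers to list it; the explicit default-deny is what makes the rule list behave like an ACL rather than a blacklist.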
9. Role-Based Access Control
Role-based access control (RBAC) is an approach to
restricting system access to authorized users.
Three primary rules are defined for RBAC:
1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
10. Role-Based Access Control
When defining an RBAC model, the following conventions are useful:
● Subject = A person or automated agent
● Role = Job function or title which defines an authority level
● Permissions = An approval of a mode of access to a resource
● Session = A mapping involving S, R and/or P
● Subject Assignment
● Permission Assignment
● Partially ordered Role Hierarchy
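As an added example (not from the slides), the RBAC conventions above map directly onto Yii 1.x's CAuthManager API: operations and tasks are permissions, roles form the partially ordered hierarchy, assign() is the subject assignment, and a business rule scopes a task to the current subject. This covers steps 6 to 9 of the deck (RBAC, configuring the authorization manager, defining the hierarchy, business rules). It assumes authManager is configured as CDbAuthManager; the item names, the Post model with its authorId attribute and the user IDs are hypothetical:

```php
<?php
// Added example (not from the slides): building an RBAC hierarchy with Yii 1.x's
// CAuthManager. Run once, e.g. from a console command, after configuring
// 'authManager' => array('class' => 'CDbAuthManager', 'connectionID' => 'db').
$auth = Yii::app()->authManager;

// Operations: the finest-grained permissions (a mode of access to a resource)
$auth->createOperation('createPost', 'create a post');
$auth->createOperation('readPost', 'read a post');
$auth->createOperation('updatePost', 'update a post');
$auth->createOperation('deletePost', 'delete a post');

// A task with a business rule. Yii evaluates this PHP string with eval() at
// checkAccess() time, so rules must come from code, never from user input.
$bizRule = 'return Yii::app()->user->id == $params["post"]->authorId;';
$task = $auth->createTask('updateOwnPost', 'update a post authored by oneself', $bizRule);
$task->addChild('updatePost');

// Roles: partially ordered hierarchy admin > editor > author > reader;
// each role inherits everything reachable through its children.
$role = $auth->createRole('reader');
$role->addChild('readPost');

$role = $auth->createRole('author');
$role->addChild('reader');
$role->addChild('createPost');
$role->addChild('updateOwnPost');   // may update posts, but only their own

$role = $auth->createRole('editor');
$role->addChild('author');
$role->addChild('updatePost');      // may update any post

$role = $auth->createRole('admin');
$role->addChild('editor');
$role->addChild('deletePost');

// Subject assignment (user IDs are constructed for the example)
$auth->assign('admin', 1);
$auth->assign('author', 2);
$auth->assign('reader', 3);

// Permission authorization check, as it would appear in a controller action.
// checkAccess() walks from 'updatePost' up the hierarchy: user 2 reaches it only
// through 'updateOwnPost', whose business rule needs $params['post'].
function canUpdatePost($post)
{
    return Yii::app()->user->checkAccess('updatePost', array('post' => $post));
}
// $post = Post::model()->findByPk($id);
// if (!canUpdatePost($post))
//     throw new CHttpException(403, 'You are not allowed to update this post.');
```

Because the business rule is stored in the database and executed with eval(), the AuthItem table deserves the same protection as application code: write access to it is equivalent to code execution in the application.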
11. Steps to secure a Yii Application
1. Defining Identity Class
2. Login and Logout
3. Cookie-based Login
4. Access Control Filter
5. Handling Authorization Result
6. Role-Based Access Control
7. Configuring Authorization Manager
8. Defining Authorization Hierarchy
9. Using Business Rules
12. Authenticate method in Yii Application
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        // Look up the account by the submitted username
        $record=User::model()->findByAttributes(array('username'=>$this->username));
        if($record===null)
            $this->errorCode=self::ERROR_USERNAME_INVALID;
        // crypt() with the stored hash as the salt re-hashes the submitted password
        // using the same algorithm and salt, so the strings match only for the
        // correct password (on PHP 5.6+, hash_equals() avoids the timing leak of !==)
        else if($record->password!==crypt($this->password,$record->password))
            $this->errorCode=self::ERROR_PASSWORD_INVALID;
        else
        {
            $this->_id=$record->id;                     // becomes Yii::app()->user->id
            $this->setState('title', $record->title);   // kept in the session as Yii::app()->user->title
            $this->errorCode=self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId()
    {
        return $this->_id;
    }
}
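The login and logout steps around the authenticate() method (steps 2 and 3 of the deck, including cookie-based login) look like this in a controller. The code is an added example, not the slides' own; the SiteController, LoginForm (a CFormModel with username, password and rememberMe attributes) and the view name are hypothetical, and cookie-based login assumes 'user' => array('allowAutoLogin' => true) in the configuration:

```php
<?php
// Added example (not from the slides): login/logout flow using CUserIdentity
// and CWebUser in Yii 1.x.
class SiteController extends CController
{
    public function actionLogin()
    {
        $model = new LoginForm;   // hypothetical CFormModel: username, password, rememberMe
        if (isset($_POST['LoginForm']))
        {
            $model->attributes = $_POST['LoginForm'];   // only attributes declared 'safe' are assigned
            $identity = new UserIdentity($model->username, $model->password);
            if ($identity->authenticate())
            {
                // A duration of 0 keeps the login for the browser session only; a
                // positive duration stores an identity cookie (signed by the
                // securityManager validation key) for cookie-based auto-login.
                $duration = $model->rememberMe ? 3600 * 24 * 30 : 0;
                Yii::app()->user->login($identity, $duration);
                $this->redirect(Yii::app()->user->returnUrl);
            }
            else
            {
                // Same message for unknown user and wrong password, so the response
                // does not reveal which usernames exist; the detail goes to the log.
                Yii::log('Failed login for "' . $model->username . '" (code ' . $identity->errorCode . ')',
                    CLogger::LEVEL_WARNING, 'application.auth');
                $model->addError('password', 'Incorrect username or password.');
            }
        }
        $this->render('login', array('model' => $model));
    }

    public function actionLogout()
    {
        // Destroys the session and removes the identity cookie, then returns home
        Yii::app()->user->logout();
        $this->redirect(Yii::app()->homeUrl);
    }
}
```

The states saved with setState() in authenticate() travel inside the identity cookie when a duration is given, so anything placed there is readable by the browser's owner; keep such states small and non-sensitive.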
13. API, documentation and community
The Definitive Guide to Yii http://www.yiiframework.com/doc/guide/
GitHub https://github.com/yiisoft/yii/commits/master
Forum http://www.yiiframework.com/forum/
Total Posts: 173,083
Total Members: 61,015
Active users at time of visit: 320
International threads: 20 Languages (incl. BG)
IRC Channel http://www.yiiframework.com/chat/
Active users at time of visit: 90
Yii Books http://www.seesawlabs.com/yii-book
http://yii.larryullman.com/toc.php
http://yiicookbook.org/
http://packtlib.packtpub.com/library/9781847199584
IDE integrations (code completion, templates, testing and debugging):
NetBeans
Eclipse
PhpStorm
Nusphere phpEd
14. Links
Official website http://www.yiiframework.com/
Definitive Guide to Yii En/Ru http://yiiframework.ru/
Yii API and Class Reference http://www.yiiframework.com/doc/api/
Extensions Library (over 1k) http://www.yiiframework.com/extensions/
Yii General Forum (60k users) http://www.yiiframework.com/forum/
Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf
Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/
15. References
D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32.
A.C. O'Connor and R.J. Loomis (December 2010). Economic Analysis of Role-Based Access Control (PDF). Research Triangle Institute.
John Mitchell. "Access Control and Operating System Security"
Michael Clarkson. "Access Control"
16. License and requirements
Yii is an open source project released under the terms of the BSD License.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
Requirement: PHP 5.1.0 or above
Clevertech are currently actively developing the next major version, 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and aims to become a state-of-the-art framework of the new generation of PHP frameworks.
They advise:
"If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality."
Installation:
Installation of Yii mainly involves the following three steps:
1. Download Yii Framework from yiiframework.com or github repo (newest)
2. Unpack the Yii release file to any directory. (ex. /opt/yii/)
3. Link your application with the framework source