SlideShare a Scribd company logo

Yii Framework Security

Ilko Kacharov
Ilko Kacharov

The document discusses authentication and authorization in the Yii framework, including its core application components like authentication manager and access control, as well as authorization approaches like role-based access control and access control lists. Yii provides tools for user authentication, defining user roles and permissions, and controlling access to application functions and data.

Technology
1 of 16
Download to read offline
Application Security with Yii Framework Authentication and Authorization Ilko Kacharov | kachar136@gmail.com
Advantages of the framework 1. Very good documentation and many examples 2. Yii community is growing rapidly, has many free extensions 3. Easy approach to develop modules and components 4. Model, Controller, Module code generation tool may be used with custom code templates. 5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats'); 6. It gives great power with strong code controlling, 100% true OOP framework, push-pull MVC 7. It is super fast because of the usage of autoloading functions 8. Easy configuration in php array, application may be started with different configs. 9. Easy to extend / customize, simple code structure 10. Yii Authentication API for multi-channel login, easy to extend, SOAP support 11. User Access Control using different schemes like RBAC, ACL 12. Web services and console applications can be build as easy as web apps. 13. Easy form creation and form validation (client and server side), built-in ajax support 14. Easy to setup database connections and database migrations. Query builder or plain queries 15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk() 16. Many ready to use web widgets and tools like menus, action tables, calendars, etc. 17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/) 18. Multiple plain PHP layouts, templates and partial templates. 19. Automatic javascript/css registering and including in the main layout from anywhere 20. Friendly with third-party code 21. Internationalisation and translations module by module in php arrays, string extraction tool 22. Error handling and logging
Performance RPS (requests per second) means how many requests an application written in a framework can process per second and APC stands for Alternative PHP Cache, a caching component used for increase of application performance (in comparison to the same metering with this extension turned off). http://www.yiiframework.com/performance/
Core Application Components Yii predefines a set of core application components to provide features common among Web applications. For example, the request component is used to resolve user requests and provide information such as URL, cookies. By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect. Below we list the core components that are pre-declared by CWebApplication. assetManager: CAssetManager - manages the publishing of private asset files. authManager: CAuthManager - manages role-based access control (RBAC). cache: CCache - provides data caching functionality. clientScript: CClientScript - manages client scripts (javascripts and CSS). coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework. db: CDbConnection - provides the database connection. errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions. messages: CPhpMessageSource - provides translated messaged used by Yii application. request: CHttpRequest - provides information related with user requests. securityManager: CSecurityManager - provides security-related services, such as hashing, encryption. session: CHttpSession - provides session-related functionalities. statePersister: CStatePersister - provides global state persistence method. urlManager: CUrlManager - provides URL parsing and creation functionality. user: CWebUser - represents the identity information of the current user. themeManager: CThemeManager - manages themes. and others...
Application life cycle The following diagram shows a typical workflow of The following diagram shows the static structure of an Yii an Yii application when it is handling a user app: request: 1. Pre-initializes the application with CApplication::preinit(); 2. Set up class autoloader and error handling; 3. Register core application components; 4. Load application configuration; 5. Initialize the application with CApplication::init() - Register application behaviors; - Load static application components; 6. Raise onBeginRequest event; 7. Process the user request: - Resolve the user request; - Create controller; - Run controller; http://www.hooto.com/media/image/view/?id=919&style=full
Authentication Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be?
Authorization Authorization verifies what you have the permissions you need to access an object. It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. ● Is user X authorized to access resource R? ● Is user X authorized to perform operation P? ● Is user X authorized to perform operation P on resource R?
Access Control Lists An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects
Role-Based Access Control Role-based access control (RBAC) is an approach to restricting system access to authorized users. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
Role-Based Access Control When defining an RBAC model, the following conventions are useful: ● Subject = A person or automated agent ● Role = Job function or title which defines an authority level ● Permissions = An approval of a mode of access to a resource ● Session = A mapping involving S, R and/or P ● Subject Assignment ● Permission Assignment ● Partially ordered Role Hierarchy
Steps to secure an Yii Application 1. Defining Identity Class 2. Login and Logout 3. Cookie-based Login 4. Access Control Filter 5. Handling Authorization Result 6. Role-Based Access Control 7. Configuring Authorization Manager 8. Defining Authorization Hierarchy 9. Using Business Rules
Authenticate method in Yii Application public function authenticate() { $record=User::model()->findByAttributes(array('username'=>$this->username)); if($record===null) $this->errorCode=self::ERROR_USERNAME_INVALID; else if($record->password!==crypt($this->password,$record->password)) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->_id=$record->id; $this->setState('title', $record->title); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }
API, documentation and community The Definitive http://www.yiiframework.com/doc/guide/ Guide to Yii GitHub https://github.com/yiisoft/yii/commits/master Forum http://www.yiiframework.com/forum/ Total Posts: 173,083 Total Members: 61,015 Active users at time of visit: 320 International treads: 20 Languages (incl. BG) IRC Channel http://www.yiiframework.com/chat/ Active users at time of visit: 90 Yii Books http://www.seesawlabs.com/yii-book http://yii.larryullman.com/toc.php http://yiicookbook.org/ http://packtlib.packtpub.com/library/9781847199584 IDE integrations Integrations with code completion, templates testing and debugging: NetBeans Eclipse PhpStorm Nusphere phpEd
Links Official website http://www.yiiframework.com/ Definitive Guide to Yii En/Ru http://yiiframework.ru/ Yii API and Class Reference http://www.yiiframework.com/doc/api/ Extensions Library (over 1k) http://www.yiiframework.com/extensions/ Yii General Forum (60k users) http://www.yiiframework.com/forum/ Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/
References D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32. A.C. O'Connor and R.J. Loomis (December 2010) (PDF). Economic Analysis of Role-Based Access Control. Research Triangle Institute. John Mitchell. "Access Control and Operating System Security" Michael Clarkson. "Access Control"
License and requirements Yii is an open source project released under the terms of the BSD License. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: ● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. ● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. ● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Requirement: PHP 5.1.0 or above Clevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality." Installation: Installation of Yii mainly involves the following three steps: 1. Download Yii Framework from yiiframework.com or github repo (newest) 2. Unpack the Yii release file to any directory. (ex. /opt/yii/) 3. Link your application with the framework source

Recommended

Introduction to php
Introduction to phpIntroduction to php
Introduction to phpshanmukhareddy dasi
 
Yii2
Yii2Yii2
Yii2Rajat Gupta
 
Local Apache NiFi Processor Debug
Local Apache NiFi Processor DebugLocal Apache NiFi Processor Debug
Local Apache NiFi Processor DebugDeon Huang
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUDPrem Sanil
 
JavaScript JQUERY AJAX
JavaScript JQUERY AJAXJavaScript JQUERY AJAX
JavaScript JQUERY AJAXMakarand Bhatambarekar
 
Node ppt
Node pptNode ppt
Node pptTamil Selvan R S
 
Introduction to APIs (Application Programming Interface)
Introduction to APIs (Application Programming Interface) Introduction to APIs (Application Programming Interface)
Introduction to APIs (Application Programming Interface) Vibhawa Nirmal
 

Recommended

Introduction to php
Introduction to phpIntroduction to php
Introduction to phpshanmukhareddy dasi
 
Yii2
Yii2Yii2
Yii2Rajat Gupta
 
Local Apache NiFi Processor Debug
Local Apache NiFi Processor DebugLocal Apache NiFi Processor Debug
Local Apache NiFi Processor DebugDeon Huang
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUDPrem Sanil
 
JavaScript JQUERY AJAX
JavaScript JQUERY AJAXJavaScript JQUERY AJAX
JavaScript JQUERY AJAXMakarand Bhatambarekar
 
Node ppt
Node pptNode ppt
Node pptTamil Selvan R S
 
Introduction to APIs (Application Programming Interface)
Introduction to APIs (Application Programming Interface) Introduction to APIs (Application Programming Interface)
Introduction to APIs (Application Programming Interface) Vibhawa Nirmal
 
Node.js Express
Node.js ExpressNode.js Express
Node.js ExpressEyal Vardi
 
Enforcing Your Organization's API Design Standards with SwaggerHub
Enforcing Your Organization's API Design Standards with SwaggerHubEnforcing Your Organization's API Design Standards with SwaggerHub
Enforcing Your Organization's API Design Standards with SwaggerHubSmartBear
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
SmartChat WhatsApp-clone using AWS Amplify AppSync
SmartChat WhatsApp-clone using AWS Amplify AppSyncSmartChat WhatsApp-clone using AWS Amplify AppSync
SmartChat WhatsApp-clone using AWS Amplify AppSyncThanh Nguyen
 
JavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScriptJavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScriptLaurence Svekis ✔
 
Clean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionClean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionKent Huang
 
Chat application in java using swing and socket programming.
Chat application in java using swing and socket programming.Chat application in java using swing and socket programming.
Chat application in java using swing and socket programming.Kuldeep Jain
 
What is an API
What is an APIWhat is an API
What is an APIElliott Richmond
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Rest API
Rest APIRest API
Rest APIRohana K Amarakoon
 
Spring Boot
Spring BootSpring Boot
Spring BootAdolfo Sanz De Diego
 
JDBC - JPA - Spring Data
JDBC - JPA - Spring DataJDBC - JPA - Spring Data
JDBC - JPA - Spring DataArturs Drozdovs
 
JSON: The Basics
JSON: The BasicsJSON: The Basics
JSON: The BasicsJeff Fox
 
Hibernate
Hibernate Hibernate
Hibernate Sunil OS
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web ServicesHalil Burak Cetinkaya
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
Kotlin Coroutines - the new async
Kotlin Coroutines - the new asyncKotlin Coroutines - the new async
Kotlin Coroutines - the new asyncBartłomiej Osmałek
 
MySQL Database with phpMyAdmin
MySQL Database with phpMyAdminMySQL Database with phpMyAdmin
MySQL Database with phpMyAdminKarwan Mustafa Kareem
 
Nuxtjs cheat-sheet
Nuxtjs cheat-sheetNuxtjs cheat-sheet
Nuxtjs cheat-sheetValeriaCastillo71
 
Hibernate I
Hibernate IHibernate I
Hibernate IPeople Strategists
 
Introduction to YII framework
Introduction to YII frameworkIntroduction to YII framework
Introduction to YII frameworkNaincy Gupta
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software ConceptsJITENDRA LENKA
 

More Related Content

What's hot

Node.js Express
Node.js ExpressNode.js Express
Node.js ExpressEyal Vardi
 
Enforcing Your Organization's API Design Standards with SwaggerHub
Enforcing Your Organization's API Design Standards with SwaggerHubEnforcing Your Organization's API Design Standards with SwaggerHub
Enforcing Your Organization's API Design Standards with SwaggerHubSmartBear
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
SmartChat WhatsApp-clone using AWS Amplify AppSync
SmartChat WhatsApp-clone using AWS Amplify AppSyncSmartChat WhatsApp-clone using AWS Amplify AppSync
SmartChat WhatsApp-clone using AWS Amplify AppSyncThanh Nguyen
 
JavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScriptJavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScriptLaurence Svekis ✔
 
Clean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionClean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionKent Huang
 
Chat application in java using swing and socket programming.
Chat application in java using swing and socket programming.Chat application in java using swing and socket programming.
Chat application in java using swing and socket programming.Kuldeep Jain
 
JDBC - JPA - Spring Data
JDBC - JPA - Spring DataJDBC - JPA - Spring Data
JDBC - JPA - Spring DataArturs Drozdovs
 
JSON: The Basics
JSON: The BasicsJSON: The Basics
JSON: The BasicsJeff Fox
 
Hibernate
Hibernate Hibernate
Hibernate Sunil OS
 

What's hot (20)

Node.js Express
Node.js ExpressNode.js Express
Node.js Express
 
Enforcing Your Organization's API Design Standards with SwaggerHub
Enforcing Your Organization's API Design Standards with SwaggerHubEnforcing Your Organization's API Design Standards with SwaggerHub
Enforcing Your Organization's API Design Standards with SwaggerHub
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
SmartChat WhatsApp-clone using AWS Amplify AppSync
SmartChat WhatsApp-clone using AWS Amplify AppSyncSmartChat WhatsApp-clone using AWS Amplify AppSync
SmartChat WhatsApp-clone using AWS Amplify AppSync
 
JavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScriptJavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScript
 
Clean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionClean Code: Chapter 3 Function
Clean Code: Chapter 3 Function
 
Chat application in java using swing and socket programming.
Chat application in java using swing and socket programming.Chat application in java using swing and socket programming.
Chat application in java using swing and socket programming.
 
What is an API
What is an APIWhat is an API
What is an API
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
Rest API
Rest APIRest API
Rest API
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
JDBC - JPA - Spring Data
JDBC - JPA - Spring DataJDBC - JPA - Spring Data
JDBC - JPA - Spring Data
 
JSON: The Basics
JSON: The BasicsJSON: The Basics
JSON: The Basics
 
Hibernate
Hibernate Hibernate
Hibernate
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Kotlin Coroutines - the new async
Kotlin Coroutines - the new asyncKotlin Coroutines - the new async
Kotlin Coroutines - the new async
 
MySQL Database with phpMyAdmin
MySQL Database with phpMyAdminMySQL Database with phpMyAdmin
MySQL Database with phpMyAdmin
 
Nuxtjs cheat-sheet
Nuxtjs cheat-sheetNuxtjs cheat-sheet
Nuxtjs cheat-sheet
 
Hibernate I
Hibernate IHibernate I
Hibernate I
 

Viewers also liked

Introduction to YII framework
Introduction to YII frameworkIntroduction to YII framework
Introduction to YII frameworkNaincy Gupta
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software ConceptsJITENDRA LENKA
 
Collapse of angolan banking system copy
Collapse of angolan banking system copyCollapse of angolan banking system copy
Collapse of angolan banking system copyEduardo Cambinda
 
Network Security July 1
Network Security July 1Network Security July 1
Network Security July 1Jd Mercado
 
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
Informatics Practices Chapter 2 Open Source Software Concepts Class 12thHarsh Mathur
 
heliodisplay
heliodisplayheliodisplay
heliodisplayRashid VM
 
What's behind facebook
What's behind facebookWhat's behind facebook
What's behind facebookAjen 陳
 
Cybersquatting
CybersquattingCybersquatting
Cybersquattinglizzielith
 
Z force touch screen technology
Z force touch screen technologyZ force touch screen technology
Z force touch screen technologylokesh naidu
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Neonode's zForce Air Technology
Neonode's zForce Air TechnologyNeonode's zForce Air Technology
Neonode's zForce Air TechnologyAshish Kumar
 

Viewers also liked (20)

Introduction to YII framework
Introduction to YII frameworkIntroduction to YII framework
Introduction to YII framework
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software Concepts
 
Collapse of angolan banking system copy
Collapse of angolan banking system copyCollapse of angolan banking system copy
Collapse of angolan banking system copy
 
Network Security July 1
Network Security July 1Network Security July 1
Network Security July 1
 
Cyberpunk
CyberpunkCyberpunk
Cyberpunk
 
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
 
CyberPunk
CyberPunkCyberPunk
CyberPunk
 
Yii framework
Yii frameworkYii framework
Yii framework
 
Intrusion in computing
Intrusion in computingIntrusion in computing
Intrusion in computing
 
Heliodisplay
HeliodisplayHeliodisplay
Heliodisplay
 
Spoof Text
Spoof TextSpoof Text
Spoof Text
 
AirBar Sensor
AirBar SensorAirBar Sensor
AirBar Sensor
 
heliodisplay
heliodisplayheliodisplay
heliodisplay
 
What's behind facebook
What's behind facebookWhat's behind facebook
What's behind facebook
 
Heliodisplay
HeliodisplayHeliodisplay
Heliodisplay
 
Cybersquatting
CybersquattingCybersquatting
Cybersquatting
 
Z force touch screen technology
Z force touch screen technologyZ force touch screen technology
Z force touch screen technology
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Neonode's zForce Air Technology
Neonode's zForce Air TechnologyNeonode's zForce Air Technology
Neonode's zForce Air Technology
 
Netbeans IDE & Platform
Netbeans IDE & PlatformNetbeans IDE & Platform
Netbeans IDE & Platform
 

Similar to Yii Framework Security

Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Abdelmonaim Remani
 
Get things done with Yii - quickly build webapplications
Get things done with Yii - quickly build webapplicationsGet things done with Yii - quickly build webapplications
Get things done with Yii - quickly build webapplicationsGiuliano Iacobelli
 
Opendelight reference-guide
Opendelight reference-guideOpendelight reference-guide
Opendelight reference-guideAshwini Rath
 
Introduction To CodeIgniter
Introduction To CodeIgniterIntroduction To CodeIgniter
Introduction To CodeIgniterschwebbie
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigilityChristian Varela
 
Asp interview Question and Answer
Asp interview Question and Answer Asp interview Question and Answer
Asp interview Question and Answer home
 
Code igniter - A brief introduction
Code igniter - A brief introductionCode igniter - A brief introduction
Code igniter - A brief introductionCommit University
 
PHP Frameworks and CodeIgniter
PHP Frameworks and CodeIgniterPHP Frameworks and CodeIgniter
PHP Frameworks and CodeIgniterKHALID C
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudRevelation Technologies
 
Hibernate interview questions
Hibernate interview questionsHibernate interview questions
Hibernate interview questionsvenkata52
 
IRJET- Lightweight MVC Framework in PHP
IRJET- Lightweight MVC Framework in PHPIRJET- Lightweight MVC Framework in PHP
IRJET- Lightweight MVC Framework in PHPIRJET Journal
 
Introduction Yii Framework
Introduction Yii FrameworkIntroduction Yii Framework
Introduction Yii FrameworkTuan Nguyen
 
Enterprise Level Application Architecture with Web APIs using Entity Framewor...
Enterprise Level Application Architecture with Web APIs using Entity Framewor...Enterprise Level Application Architecture with Web APIs using Entity Framewor...
Enterprise Level Application Architecture with Web APIs using Entity Framewor...Akhil Mittal
 

Similar to Yii Framework Security (20)

Yii php framework_honey
Yii php framework_honeyYii php framework_honey
Yii php framework_honey
 
Fwdtechseminars
FwdtechseminarsFwdtechseminars
Fwdtechseminars
 
Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
 
Introduce Yii
Introduce YiiIntroduce Yii
Introduce Yii
 
Get things done with Yii - quickly build webapplications
Get things done with Yii - quickly build webapplicationsGet things done with Yii - quickly build webapplications
Get things done with Yii - quickly build webapplications
 
P H P Framework
P H P FrameworkP H P Framework
P H P Framework
 
Opendelight reference-guide
Opendelight reference-guideOpendelight reference-guide
Opendelight reference-guide
 
Introduction To CodeIgniter
Introduction To CodeIgniterIntroduction To CodeIgniter
Introduction To CodeIgniter
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigility
 
Asp interview Question and Answer
Asp interview Question and Answer Asp interview Question and Answer
Asp interview Question and Answer
 
Code igniter - A brief introduction
Code igniter - A brief introductionCode igniter - A brief introduction
Code igniter - A brief introduction
 
Codeigniter
CodeigniterCodeigniter
Codeigniter
 
PHP Frameworks and CodeIgniter
PHP Frameworks and CodeIgniterPHP Frameworks and CodeIgniter
PHP Frameworks and CodeIgniter
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
 
Asp
AspAsp
Asp
 
Hibernate interview questions
Hibernate interview questionsHibernate interview questions
Hibernate interview questions
 
IRJET- Lightweight MVC Framework in PHP
IRJET- Lightweight MVC Framework in PHPIRJET- Lightweight MVC Framework in PHP
IRJET- Lightweight MVC Framework in PHP
 
Cache Security- The Basics
Cache Security- The BasicsCache Security- The Basics
Cache Security- The Basics
 
Introduction Yii Framework
Introduction Yii FrameworkIntroduction Yii Framework
Introduction Yii Framework
 
Enterprise Level Application Architecture with Web APIs using Entity Framewor...
Enterprise Level Application Architecture with Web APIs using Entity Framewor...Enterprise Level Application Architecture with Web APIs using Entity Framewor...
Enterprise Level Application Architecture with Web APIs using Entity Framewor...
 

Recently uploaded

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 

Recently uploaded (20)

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 

Yii Framework Security

  • 1. Application Security with Yii Framework Authentication and Authorization Ilko Kacharov | kachar136@gmail.com
  • 2. Advantages of the framework 1. Very good documentation and many examples 2. Yii community is growing rapidly, has many free extensions 3. Easy approach to develop modules and components 4. Model, Controller, Module code generation tool may be used with custom code templates. 5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats'); 6. It gives great power with strong code controlling, 100% true OOP framework, push-pull MVC 7. It is super fast because of the usage of autoloading functions 8. Easy configuration in php array, application may be started with different configs. 9. Easy to extend / customize, simple code structure 10. Yii Authentication API for multi-channel login, easy to extend, SOAP support 11. User Access Control using different schemes like RBAC, ACL 12. Web services and console applications can be build as easy as web apps. 13. Easy form creation and form validation (client and server side), built-in ajax support 14. Easy to setup database connections and database migrations. Query builder or plain queries 15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk() 16. Many ready to use web widgets and tools like menus, action tables, calendars, etc. 17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/) 18. Multiple plain PHP layouts, templates and partial templates. 19. Automatic javascript/css registering and including in the main layout from anywhere 20. Friendly with third-party code 21. Internationalisation and translations module by module in php arrays, string extraction tool 22. Error handling and logging
  • 3. Performance RPS (requests per second) means how many requests an application written in a framework can process per second and APC stands for Alternative PHP Cache, a caching component used for increase of application performance (in comparison to the same metering with this extension turned off). http://www.yiiframework.com/performance/
  • 4. Core Application Components Yii predefines a set of core application components to provide features common among Web applications. For example, the request component is used to resolve user requests and provide information such as URL, cookies. By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect. Below we list the core components that are pre-declared by CWebApplication. assetManager: CAssetManager - manages the publishing of private asset files. authManager: CAuthManager - manages role-based access control (RBAC). cache: CCache - provides data caching functionality. clientScript: CClientScript - manages client scripts (javascripts and CSS). coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework. db: CDbConnection - provides the database connection. errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions. messages: CPhpMessageSource - provides translated messaged used by Yii application. request: CHttpRequest - provides information related with user requests. securityManager: CSecurityManager - provides security-related services, such as hashing, encryption. session: CHttpSession - provides session-related functionalities. statePersister: CStatePersister - provides global state persistence method. urlManager: CUrlManager - provides URL parsing and creation functionality. user: CWebUser - represents the identity information of the current user. themeManager: CThemeManager - manages themes. and others...
  • 5. Application life cycle The following diagram shows a typical workflow of The following diagram shows the static structure of an Yii an Yii application when it is handling a user app: request: 1. Pre-initializes the application with CApplication::preinit(); 2. Set up class autoloader and error handling; 3. Register core application components; 4. Load application configuration; 5. Initialize the application with CApplication::init() - Register application behaviors; - Load static application components; 6. Raise onBeginRequest event; 7. Process the user request: - Resolve the user request; - Create controller; - Run controller; http://www.hooto.com/media/image/view/?id=919&style=full
  • 6. Authentication Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be?
  • 7. Authorization Authorization verifies what you have the permissions you need to access an object. It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. ● Is user X authorized to access resource R? ● Is user X authorized to perform operation P? ● Is user X authorized to perform operation P on resource R?
  • 8. Access Control Lists An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects
  • 9. Role-Based Access Control Role-based access control (RBAC) is an approach to restricting system access to authorized users. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
  • 10. Role-Based Access Control When defining an RBAC model, the following conventions are useful: ● Subject = A person or automated agent ● Role = Job function or title which defines an authority level ● Permissions = An approval of a mode of access to a resource ● Session = A mapping involving S, R and/or P ● Subject Assignment ● Permission Assignment ● Partially ordered Role Hierarchy
  • 11. Steps to secure an Yii Application 1. Defining Identity Class 2. Login and Logout 3. Cookie-based Login 4. Access Control Filter 5. Handling Authorization Result 6. Role-Based Access Control 7. Configuring Authorization Manager 8. Defining Authorization Hierarchy 9. Using Business Rules
  • 12. Authenticate method in Yii Application public function authenticate() { $record=User::model()->findByAttributes(array('username'=>$this->username)); if($record===null) $this->errorCode=self::ERROR_USERNAME_INVALID; else if($record->password!==crypt($this->password,$record->password)) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->_id=$record->id; $this->setState('title', $record->title); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }
  • 13. API, documentation and community The Definitive http://www.yiiframework.com/doc/guide/ Guide to Yii GitHub https://github.com/yiisoft/yii/commits/master Forum http://www.yiiframework.com/forum/ Total Posts: 173,083 Total Members: 61,015 Active users at time of visit: 320 International treads: 20 Languages (incl. BG) IRC Channel http://www.yiiframework.com/chat/ Active users at time of visit: 90 Yii Books http://www.seesawlabs.com/yii-book http://yii.larryullman.com/toc.php http://yiicookbook.org/ http://packtlib.packtpub.com/library/9781847199584 IDE integrations Integrations with code completion, templates testing and debugging: NetBeans Eclipse PhpStorm Nusphere phpEd
  • 14. Links Official website http://www.yiiframework.com/ Definitive Guide to Yii En/Ru http://yiiframework.ru/ Yii API and Class Reference http://www.yiiframework.com/doc/api/ Extensions Library (over 1k) http://www.yiiframework.com/extensions/ Yii General Forum (60k users) http://www.yiiframework.com/forum/ Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/
  • 15. References D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32. A.C. O'Connor and R.J. Loomis (December 2010) (PDF). Economic Analysis of Role-Based Access Control. Research Triangle Institute. John Mitchell. "Access Control and Operating System Security" Michael Clarkson. "Access Control"
  • 16. License and requirements Yii is an open source project released under the terms of the BSD License. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: ● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. ● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. ● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Requirement: PHP 5.1.0 or above Clevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality." Installation: Installation of Yii mainly involves the following three steps: 1. Download Yii Framework from yiiframework.com or github repo (newest) 2. Unpack the Yii release file to any directory. (ex. /opt/yii/) 3. Link your application with the framework source