Securing AMFPHP 1.9 via Authentication
3 June 2008
With the loss of the methodTable in AMFPHP 1.9 comes a loss of the easily defined 'roles.'
Background
Roles, for those of you who aren't familiar, let you 'protect' who can invoke your AMFPHP services. For example, you probably wouldn't want the following function accessible to everyone:
public function SetEmployeeSalary($amount)
Users are 'authenticated' in AMFPHP via a call to:
Authenticate::login($username,$roles);
where $roles is a comma-delimited list of the roles the user holds. If you open up \core\shared\util\Authenticate.php you'll find the login method:
function login($name, $roles) {
    // start a PHP session if one is not already active
    if(!session_id())
    {
        session_start();
    }
    // remember who the user is and which roles they hold for later checks
    $_SESSION['amfphp_username'] = $name;
    $_SESSION['amfphp_roles'] = $roles;
}
Authentication in AMFPHP 1.9
To use authentication in 1.9, create a function with the following signature in your service (class):
public function beforeFilter($function_called)
A quick peek at /core/shared/app/BasicActions.php shows that, if your service (class) defines this function, AMFPHP calls it before invoking the requested method. If beforeFilter returns true, the method is invoked; otherwise a security error is thrown.
Here's the simple approach I've taken:
public function beforeFilter($function_called)
{
    // look for a member named <function>Roles, e.g. SetEmployeeSalaryRoles
    $memberName = $function_called."Roles";
    // if it exists and is non-empty the caller must hold one of those roles;
    // otherwise the method is open to everyone
    return !empty($this->$memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
}
So to secure any function, I simply define a member variable with the roles it requires:
var $SetEmployeeSalaryRoles = "admin,hr";
public function SetEmployeeSalary($amount)
My beforeFilter function checks whether functionNameRoles exists. If it does, the user must hold a role listed in functionNameRoles; if functionNameRoles does not exist, no authentication is required.
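To show the whole mechanism end to end, here is an added example; it is not code from the original post or from the AMFPHP project. The Authenticate class is a stand-in written to the contract the post describes: only login() appears on the page, so the behaviour of isUserInRole() (accept the same comma-delimited role string, succeed if the session user holds any one of those roles) and of logout() is assumed. The dispatch() function is a stand-in for the dispatch step in BasicActions.php, and PayrollService is a hypothetical service. The example also assumes $function_called arrives exactly as the client sent it, which is why the lookup is made case-insensitive: PHP resolves method names regardless of case, but property names are case-sensitive, so a client asking for setEmployeeSalary would never match $SetEmployeeSalaryRoles and the check would silently fall through to "allowed" (the getData / $GetDataRoles mismatch in the last comment is the same trap). It runs with plain php on the command line; no session_start() is needed because $_SESSION is only used as an array here.

```php
<?php
// Added example, not from the post or from AMFPHP. Stand-ins for
// Authenticate (assumed contract) and for the BasicActions dispatch step.

class Authenticate
{
    public static function login($name, $roles)
    {
        // same shape as the login() shown in the post, minus session_start()
        $_SESSION['amfphp_username'] = $name;
        $_SESSION['amfphp_roles'] = $roles;
    }

    // Assumption: true when the logged-in user holds ANY of the listed roles.
    public static function isUserInRole($roles)
    {
        if (empty($_SESSION['amfphp_roles'])) {
            return false;                       // anonymous caller: deny
        }
        $have = array_map('trim', explode(',', $_SESSION['amfphp_roles']));
        $need = array_map('trim', explode(',', $roles));
        return count(array_intersect($have, $need)) > 0;
    }

    public static function logout()
    {
        unset($_SESSION['amfphp_username'], $_SESSION['amfphp_roles']);
    }
}

// Hypothetical service. Roles are declared per method as in the post.
class PayrollService
{
    public $SetEmployeeSalaryRoles = "admin,hr";
    public $GetOwnSalaryRoles = "employee,admin,hr";
    // GetPublicHolidays deliberately has no *Roles member: open to everyone.

    public function beforeFilter($function_called)
    {
        // Compare property names case-insensitively so "setEmployeeSalary"
        // still finds SetEmployeeSalaryRoles instead of falling open.
        $wanted = strtolower($function_called . "Roles");
        foreach (get_object_vars($this) as $name => $roles) {
            if (strtolower($name) === $wanted) {
                // an empty role list is treated as "nobody", not "everybody"
                return Authenticate::isUserInRole($roles);
            }
        }
        return true;                            // no roles declared: public
    }

    public function SetEmployeeSalary($amount) { return "salary set to $amount"; }
    public function GetOwnSalary() { return 50000; }
    public function GetPublicHolidays() { return "2008-12-25"; }
}

// Stand-in for the dispatch step in BasicActions.php. Stock AMFPHP 1.9 (per the
// BasicActions excerpt quoted in the comments) only blocks when beforeFilter
// returns false or '__amfphp_error', so a filter must return a strict boolean;
// this stand-in is stricter and blocks on anything other than true.
function dispatch($service, $method, $args = array())
{
    if (method_exists($service, 'beforeFilter')
        && $service->beforeFilter($method) !== true) {
        return "AMFPHP_AUTHENTICATE_ERROR: Method access blocked by beforeFilter";
    }
    return call_user_func_array(array($service, $method), $args);
}

$svc = new PayrollService();

Authenticate::logout();                                     // anonymous caller
echo dispatch($svc, 'GetPublicHolidays'), "\n";             // open method: 2008-12-25
echo dispatch($svc, 'setEmployeeSalary', array(1)), "\n";   // blocked, lower-case name too

Authenticate::login('alice', 'employee');
echo dispatch($svc, 'GetOwnSalary'), "\n";                  // 50000
echo dispatch($svc, 'SetEmployeeSalary', array(1)), "\n";   // blocked: needs admin or hr

Authenticate::login('bob', 'hr');
echo dispatch($svc, 'SetEmployeeSalary', array(90000)), "\n"; // salary set to 90000
```

Two design choices worth noting: the filter fails closed (an empty or malformed role list denies rather than allows, whereas a bare truthiness test on the member would treat an empty string as "no roles declared"), and the method-name lookup never trusts the client's casing. Under real AMFPHP the Authenticate stand-in is replaced by the shipped class and dispatch() by BasicActions.php, so only PayrollService carries over.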
on June 11th, 2008 at 3:39 pm
Very useful
TNX
on August 5th, 2008 at 10:53 pm
[…] thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on […]
on August 14th, 2008 at 6:31 pm
[…] basics; video integration tutorial; Authentication; as3corelib - library with classes […]
on September 3rd, 2008 at 5:05 pm
Good post. Do you know if it’s possible to return different values when beforeFilter fails? I want one failing state to return a message that says “This happened” and the other failing state to return a message that says “That happened”. The problem is that AMFPHP is the one sending the fault and it always comes back as:
faultCode String AMFPHP_AUTHENTICATE_ERROR
faultDetail String /amfphp/core/shared/app/BasicActions.php on line 121
faultString String Method access blocked by beforeFilter in PublisherService class
Any ideas?
on September 8th, 2008 at 7:22 am
Ben,
Take a look at line 120 of AMFPHP's core/shared/app/BasicActions.php. Here's the code:
if ($allow === '__amfphp_error' || $allow === false) {
    $ex = new MessageException(E_USER_ERROR, "Method access blocked by beforeFilter in " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR");
    MessageException::throwException($amfbody, $ex);
    return false;
}
You could do something along the lines of:
if ($allow !== true)
{
    if($allow === '__amfphp_error' || $allow === false)
        $ex = new MessageException(E_USER_ERROR, "Method access blocked by beforeFilter in " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR");
    else
        $ex = new MessageException(E_USER_ERROR, $allow . " " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR");
    MessageException::throwException($amfbody, $ex);
    return false;
}
where you return the error string (instead of false) from your beforeFilter. If you *do* return false from your beforeFilter, the legacy AMFPHP error is thrown.
Hope that helps!!
on September 12th, 2008 at 9:59 pm
Hi, how would you call the service from Flash to validate the authentication?
on September 18th, 2008 at 10:43 pm
cooljack,
Make a call to a PHP script that validates the login credentials. If successful you could call
Authenticate::login($user,$roles);
and to destroy the session (logout)
Authenticate::logout();
Let me know if you need further assistance.
on November 8th, 2008 at 10:47 pm
What about the json.php file? How do you secure that? So someone can't run www.mysite/json.php/PHPclass.function/var1/var2/var3 ???
on January 15th, 2009 at 2:01 am
Hi,
I'm having a bit of trouble understanding how to implement this and was hoping you could point me in the right direction.
I defined a class as follows, but when I call the getData method from Flex, it returns fine without any authentication occurring:
<?php
// (the opening lines up to "$this->" were lost in extraction and are restored
//  here from the beforeFilter shown in the post; the class name is taken from
//  the constructor below)
class SecuredClass
{
    public function beforeFilter($function_called)
    {
        $memberName = $function_called."Roles";
        return (@$this->$memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
    }
    var $SecuredClassRoles = "admin";
    var $GetDataRoles = "admin";
    public function SecuredClass() {
    }
    public function GetData() {
        return "You Got In";
    }
}
?>
Also, I noticed you posted on Wade’s site asking whether this is the ‘best’ way to implement auth - did he give you an answer or have you an updated opinion?
Cheers!