Securing AMFPHP 1.9 via Authentication
3 June 2008
With the loss of the methodTable in AMFPHP 1.9 comes a loss of the easily defined ‘roles.’
Background
Roles, for those of you who aren’t familiar, let you restrict who can invoke your AMFPHP services. For example, you probably wouldn’t want the following function accessible to everyone:
    public function SetEmployeeSalary($amount)
Users are ‘authenticated’ in AMFPHP via a call to
    Authenticate::login($username,$roles);
where $roles is a comma-delimited set of roles for the user. If you open up \core\shared\util\Authenticate.php you’ll find the login method:
    function login($name, $roles) {
        if(!session_id())
        {
            session_start();
        }
        $_SESSION['amfphp_username'] = $name;
        $_SESSION['amfphp_roles'] = $roles;
    }
Authentication in AMFPHP 1.9
To utilize authentication in 1.9, create a function with the following signature in your service (class).
public function beforeFilter($function_called)
Take a quick peek in /core/shared/app/BasicActions.php and you’ll see that, should your service (class) define this function, AMFPHP will call it before invoking your function. If beforeFilter returns true, the function is invoked; otherwise a security error is thrown.
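Here’s the simple approach I’ve taken:
    public function beforeFilter($function_called)
    {
        // Look for a member named <function>Roles, e.g. SetEmployeeSalaryRoles.
        $memberName = $function_called."Roles";
        // Member defined: require one of its roles. Not defined: allow the call.
        return (@$this->$memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
    }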
So to secure any function, I simply define a member variable with the roles required:
    var $SetEmployeeSalaryRoles = "admin,hr";
    public function SetEmployeeSalary($amount)
My beforeFilter function looks to see if functionNameRoles exists. If it does, then the user must have a role found in functionNameRoles. If functionNameRoles does not exist, no authentication is required.
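Because the filter above allows any function that has no functionNameRoles member, a function added without one is open to every caller. The following is an added example, not code from the original post or from AMFPHP, of a deny-by-default variant that keeps the same beforeFilter hook. The Authenticate class here is a stand-in written for the example, and EmployeeService, GetOfficeHours, PurgeRecords, the '*' marker and the user 'pat' are hypothetical.

```php
<?php
// Stand-in for AMFPHP's Authenticate so the example runs offline; assumes
// roles are the comma-delimited string that login() stores in the session.
class Authenticate
{
    public static function login($name, $roles)
    {
        $_SESSION['amfphp_username'] = $name;
        $_SESSION['amfphp_roles'] = $roles;
    }
    public static function isUserInRole($required)
    {
        $held = isset($_SESSION['amfphp_roles']) ? $_SESSION['amfphp_roles'] : '';
        $held = array_map('trim', explode(',', $held));
        $need = array_map('trim', explode(',', $required));
        return count(array_intersect($need, $held)) > 0;
    }
}

class EmployeeService // hypothetical service
{
    // Every remotely callable method must be listed; '*' means no login needed.
    private $roles = array(
        'setemployeesalary' => 'admin,hr',
        'getofficehours'    => '*',
    );

    public function beforeFilter($function_called)
    {
        // PHP matches method names case-insensitively, so normalise the key.
        $key = strtolower($function_called);
        if (!isset($this->roles[$key])) {
            return false; // unlisted method: deny by default
        }
        return $this->roles[$key] === '*'
            || Authenticate::isUserInRole($this->roles[$key]);
    }

    public function SetEmployeeSalary($amount) { return $amount; }
    public function GetOfficeHours() { return '9-17'; }
    public function PurgeRecords() { return true; } // never added to $roles
}

// Constructed sessions: an anonymous caller, then a user holding the "hr" role.
$_SESSION = array();
$svc = new EmployeeService();
$calls = array('SetEmployeeSalary', 'GetOfficeHours', 'PurgeRecords');
$anonymous = array_map(array($svc, 'beforeFilter'), $calls);
Authenticate::login('pat', 'hr');
var_dump($anonymous, array_map(array($svc, 'beforeFilter'), $calls));
```

Run it from the PHP command line. PurgeRecords is refused for both callers because it was never listed, whereas the original filter would have allowed it.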










on June 11th, 2008 at 3:39 pm
Very useful
TNX
on August 5th, 2008 at 10:53 pm
[…] thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on […]
on August 14th, 2008 at 6:31 pm
[…] basic; Video integration tutorial; Authentication; as3corelib - library with classes […]