Comments on: Securing AMFPHP 1.9 via Authentication http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/ RIA, embedded programming, what else! Fri, 09 Jul 2010 15:43:56 +0000 hourly 1 http://wordpress.org/?v=3.0 By: merdj http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-475 merdj Tue, 15 Jun 2010 18:06:16 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-475 Hello Josh, if it is ok with you, kindly post a working sample of this authentication thing? I could hardly, and sorry for that. I am just beginning with AMFPHP. thanks for caring. Hello Josh,

if it is ok with you, kindly post a working sample of this authentication thing? I could hardly, and sorry for that. I am just beginning with AMFPHP.

thanks for caring.

]]> By: Joshua http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-470 Joshua Wed, 09 Jun 2010 14:54:54 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-470 Enrique, You'd want to create a login function. The normal workflow would be to pass a username/password from Flex to your login function. This function would validate the username / password. (Database lookup, LDAP, etc). *If* it's a valid username/password, you'd then call Authenticate::login($username,$roles) which provides the needed authentication for the subsequent AMFPHP calls. AMFPHP stores the authentication info in session vars so normal session rules apply. Josh Enrique,
You’d want to create a login function. The normal workflow would be to pass a username/password from Flex to your login function. This function would validate the username / password. (Database lookup, LDAP, etc).

*If* it’s a valid username/password, you’d then call Authenticate::login($username,$roles) which provides the needed authentication for the subsequent AMFPHP calls.

AMFPHP stores the authentication info in session vars so normal session rules apply.

Josh

]]> By: Enrique http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-467 Enrique Mon, 24 May 2010 20:00:35 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-467 I'm having troubles understanding it too... Can you post a full example? (I mean, the AS3 and PHP side). Where and when must we call Authenticate::login($username,$roles);? And what happens if the user doesn't have cookies enabled? Thanks!! I’m having troubles understanding it too…
Can you post a full example? (I mean, the AS3 and PHP side).

Where and when must we call Authenticate::login($username,$roles);?

And what happens if the user doesn’t have cookies enabled?

Thanks!!

]]> By: Decidirse entre Zend AMF, AMFPHP, WebORB, … | Blog de Daniel Zegarra http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-463 Decidirse entre Zend AMF, AMFPHP, WebORB, … | Blog de Daniel Zegarra Fri, 21 May 2010 12:14:03 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-463 [...] y Zend AMF lo hace como objetos) y basaba casi toda la implementacion de seguridad en el metodo beforeFilter de cada clase/servicio. [...] [...] y Zend AMF lo hace como objetos) y basaba casi toda la implementacion de seguridad en el metodo beforeFilter de cada clase/servicio. [...]

]]> By: kevin http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-242 kevin Thu, 15 Jan 2009 07:01:26 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-242 Hi, I'm having a bit of trouble understanding how to implement this and was hoping you could point me in the right direction.. I defined a class as follows but when I call the getData method from Flex, it returns fine without any authentication occuring: memberName) ? Authenticate::isUserInRole($this->$memberName) : true; } var $SecuredClassRoles = "admin"; var $GetDataRoles = "admin"; public function SecuredClass() { } public function GetData() { return "You Got In"; } } ?> Also, I noticed you posted on Wade's site asking whether this is the 'best' way to implement auth - did he give you an answer or have you an updated opinion? cheers! Hi,

I’m having a bit of trouble understanding how to implement this and was hoping you could point me in the right direction..

I defined a class as follows but when I call the getData method from Flex, it returns fine without any authentication occuring:

memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
}

var $SecuredClassRoles = “admin”;
var $GetDataRoles = “admin”;

public function SecuredClass() {

}

public function GetData() {

return “You Got In”;

}

}

?>

Also, I noticed you posted on Wade’s site asking whether this is the ‘best’ way to implement auth – did he give you an answer or have you an updated opinion?

cheers!

]]> By: steve http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-226 steve Sun, 09 Nov 2008 03:47:45 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-226 what about the json.php file? How do you secure that? So someone can't run www.mysite/json.php/PHPclass.function/var1/var2/var3 ??? what about the json.php file? How do you secure that? So someone can’t run http://www.mysite/json.php/PHPclass.function/var1/var2/var3 ???

]]> By: Joshua http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-205 Joshua Fri, 19 Sep 2008 03:43:49 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-205 cooljack Make a call to a php script that validates the login credentials. If successful you could call Authenticate::login($usrer,$roles); and to destroy the session (logout) Authenticate::logout(); Let me know if you need further assistance. cooljack

Make a call to a php script that validates the login credentials. If successful you could call

Authenticate::login($usrer,$roles);

and to destroy the session (logout)

Authenticate::logout();

Let me know if you need further assistance.

]]> By: cooljackd http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-203 cooljackd Sat, 13 Sep 2008 02:59:56 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-203 hi how would you call the service from flash to validate the Authentication. hi how would you call the service from flash to validate the Authentication.

]]> By: Joshua http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-200 Joshua Mon, 08 Sep 2008 12:22:49 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-200 Ben, Take a look at line 120 of AMFPHP's core/shared/app/BasicActions.php. Here's the code if ($allow === '__amfphp_error' || $allow === false) { $ex = new MessageException(E_USER_ERROR, "Method access blocked by beforeFilter in " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR"); MessageException::throwException($amfbody, $ex); return false; } You could do something along the lines of if ($allow !== true) { if($allow === '__amfphp_error' || $allow === false) $ex = new MessageException(E_USER_ERROR, "Method access blocked by beforeFilter in " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR"); else $ex = new MessageException(E_USER_ERROR, $allow . " " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR"); MessageException::throwException($amfbody, $ex); return false; } Where you return the error string (instead of false) from your before filter. If you *do* return false from your before filter, the legacy AMFPHP error is thrown. Hope that helps!! Ben,
Take a look at line 120 of AMFPHP’s core/shared/app/BasicActions.php. Here’s the code

if ($allow === ‘__amfphp_error’ || $allow === false) {
$ex = new MessageException(E_USER_ERROR, “Method access blocked by beforeFilter in ” . $className . ” class”, __FILE__, __LINE__, “AMFPHP_AUTHENTICATE_ERROR”);
MessageException::throwException($amfbody, $ex);
return false;
}

You could do something along the lines of

if ($allow !== true)
{

if($allow === ‘__amfphp_error’ || $allow === false)
$ex = new MessageException(E_USER_ERROR, “Method access blocked by beforeFilter in ” . $className . ” class”, __FILE__, __LINE__, “AMFPHP_AUTHENTICATE_ERROR”);
else
$ex = new MessageException(E_USER_ERROR, $allow . ” ” . $className . ” class”, __FILE__, __LINE__, “AMFPHP_AUTHENTICATE_ERROR”);

MessageException::throwException($amfbody, $ex);
return false;
}

Where you return the error string (instead of false) from your before filter. If you *do* return false from your before filter, the legacy AMFPHP error is thrown.

Hope that helps!!

]]> By: Ben Throop http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-198 Ben Throop Wed, 03 Sep 2008 22:05:32 +0000 http://www.joshuaostrom.com/2008/06/03/securing-amfphp-19-via-authentication/#comment-198 Good post. Do you know if it's possible to return different values when beforeFilter fails? I want one failing state to return a message that says "This happened" and the other failing state to return a message that says "That happened". The problem is that AMFPHP is the one sending the fault and it always comes back as: faultCode String AMFPHP_AUTHENTICATE_ERROR faultDetail String /amfphp/core/shared/app/BasicActions.php on line 121 faultString String Method access blocked by beforeFilter in PublisherService class Any ideas? Good post. Do you know if it’s possible to return different values when beforeFilter fails? I want one failing state to return a message that says “This happened” and the other failing state to return a message that says “That happened”. The problem is that AMFPHP is the one sending the fault and it always comes back as:

faultCode String AMFPHP_AUTHENTICATE_ERROR
faultDetail String /amfphp/core/shared/app/BasicActions.php on line 121
faultString String Method access blocked by beforeFilter in PublisherService class

Any ideas?

]]>