
Securing AMFPHP 1.9 via Authentication

3 June 2008

With the loss of the methodTable in AMFPHP 1.9 comes the loss of the easily defined ‘roles.’

Background

Roles, for those of you who aren’t familiar, allow you to ‘protect’ who can invoke your AMFPHP services. For example, you probably wouldn’t want the following function accessible to everyone:


public function SetEmployeeSalary($amount)

Users are ‘authenticated’ in AMFPHP via a call to


Authenticate::login($username,$roles);

Where $roles is a comma-delimited set of roles for the user. If you open up \core\shared\util\Authenticate.php you’ll find the login method:


function login($name, $roles) {
    // Start a PHP session if one is not already running.
    if(!session_id())
    {
        session_start();
    }
    // The "authenticated" state is nothing more than these two session keys;
    // isUserInRole() later reads amfphp_roles back out of the session.
    $_SESSION['amfphp_username'] = $name;
    $_SESSION['amfphp_roles'] = $roles;
}

Authentication in AMFPHP 1.9

To utilize authentication in 1.9, create a function with the following signature in your service (class).


public function beforeFilter($function_called)

A quick peek in /core/shared/app/BasicActions.php and you’ll see that, should your service (class) define this function, AMFPHP will call it before invoking your function. If beforeFilter returns true, the function is invoked, otherwise a security error is thrown.

Here’s the simple approach I’ve taken:


public function beforeFilter($function_called)
{
    // Look for a member named <functionName>Roles, e.g. SetEmployeeSalaryRoles.
    $memberName = $function_called."Roles";
    // If the member exists, the caller must hold one of its roles; otherwise the
    // method is open. (!empty() is the warning-free equivalent of @$this->$memberName.)
    return !empty($this->$memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
}

So to secure any function, I simply define a member variable with the roles required.


var $SetEmployeeSalaryRoles = "admin,hr";
public function SetEmployeeSalary($amount)

My beforeFilter function checks whether functionNameRoles exists; if it does, the user must hold one of the roles listed in functionNameRoles. If functionNameRoles does not exist, no authentication is required.
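The convention above is fail-open: a method whose author forgets to add a Roles member is callable by anyone. As an added example (not code from the post or from AMFPHP), here is a service written to the same convention but with beforeFilter turned around to fail closed: methods are refused unless they either carry a Roles member or are explicitly listed as public. The Authenticate class is a simplified stand-in for AMFPHP's core/shared/util/Authenticate.php, written against the two session keys the post shows; its isUserInRole semantics (the caller holds at least one of the listed roles) are an assumption to verify against the real class, and dispatch() only imitates what BasicActions does for the sake of a stand-alone run.

```php
<?php
// Added example, not the post's or AMFPHP's code. Authenticate below is a
// stand-in for AMFPHP's class, limited to the session keys the post documents.

class Authenticate
{
    public static function login($name, $roles)
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION['amfphp_username'] = $name;
        $_SESSION['amfphp_roles']    = $roles;
    }

    // Assumed semantics: true if the session user holds any of the
    // comma-delimited roles. Check AMFPHP's own implementation before relying on it.
    public static function isUserInRole($roles)
    {
        if (session_status() !== PHP_SESSION_ACTIVE || empty($_SESSION['amfphp_roles'])) {
            return false;
        }
        $required = array_map('trim', explode(',', $roles));
        $held     = array_map('trim', explode(',', $_SESSION['amfphp_roles']));
        return count(array_intersect($required, $held)) > 0;
    }
}

class EmployeeService
{
    // Methods callable without any session. Everything else needs a *Roles member.
    private $publicMethods = array('GetCompanyName');

    // Same "<method>Roles" convention as the post (public instead of the old var).
    public $SetEmployeeSalaryRoles = 'admin,hr';
    public $GetEmployeeSalaryRoles = 'admin,hr,manager';

    public function beforeFilter($function_called)
    {
        if (in_array($function_called, $this->publicMethods, true)) {
            return true;
        }
        $memberName = $function_called . 'Roles';
        if (empty($this->$memberName)) {
            return false; // fail closed: no role list means not exposed
        }
        return Authenticate::isUserInRole($this->$memberName);
    }

    public function GetCompanyName()                { return 'Example Corp'; }
    public function GetEmployeeSalary($id)          { return 50000; }
    public function SetEmployeeSalary($id, $amount) { return "salary of $id set to $amount"; }
    public function DeleteEmployee($id)             { return "deleted $id"; } // no Roles member
}

// Imitates BasicActions: consult beforeFilter, then invoke the method.
function dispatch($service, $method, array $args)
{
    if (!method_exists($service, $method) || $method === 'beforeFilter') {
        return 'ERROR: no such method';
    }
    if ($service->beforeFilter($method) !== true) {
        return 'ERROR: AMFPHP_AUTHENTICATE_ERROR';
    }
    return call_user_func_array(array($service, $method), $args);
}

$svc = new EmployeeService();
echo dispatch($svc, 'GetCompanyName', array()), "\n";         // allowed: listed public
echo dispatch($svc, 'SetEmployeeSalary', array(7, 1)), "\n";  // denied: no session yet
Authenticate::login('alice', 'manager');
echo dispatch($svc, 'GetEmployeeSalary', array(7)), "\n";     // allowed: manager listed
echo dispatch($svc, 'SetEmployeeSalary', array(7, 1)), "\n";  // denied: admin,hr only
Authenticate::login('bob', 'hr');
echo dispatch($svc, 'SetEmployeeSalary', array(7, 1)), "\n";  // allowed
echo dispatch($svc, 'DeleteEmployee', array(7)), "\n";        // denied: no Roles member, fails closed
```

With this shape, reviewing a service's exposure is a matter of reading its Roles members and the one public allowlist, rather than auditing every method for a member that might be missing.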


8 Responses to ‘Securing AMFPHP 1.9 via Authentication’


  1. Omid said,

    on June 11th, 2008 at 3:39 pm

    Very useful
    TNX


  2. on August 5th, 2008 at 10:53 pm

    […] thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on […]


  3. on August 14th, 2008 at 6:31 pm

    […] basics; video integration tutorial; authentication; as3corelib - library with classes […]

  4. Ben Throop said,

    on September 3rd, 2008 at 5:05 pm

    Good post. Do you know if it’s possible to return different values when beforeFilter fails? I want one failing state to return a message that says “This happened” and the other failing state to return a message that says “That happened”. The problem is that AMFPHP is the one sending the fault and it always comes back as:

    faultCode String AMFPHP_AUTHENTICATE_ERROR
    faultDetail String /amfphp/core/shared/app/BasicActions.php on line 121
    faultString String Method access blocked by beforeFilter in PublisherService class

    Any ideas?

  5. Joshua said,

    on September 8th, 2008 at 7:22 am

    Ben,
    Take a look at line 120 of AMFPHP’s core/shared/app/BasicActions.php. Here’s the code:

    if ($allow === '__amfphp_error' || $allow === false) {
        $ex = new MessageException(E_USER_ERROR, "Method access blocked by beforeFilter in " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR");
        MessageException::throwException($amfbody, $ex);
        return false;
    }

    You could do something along the lines of:

    if ($allow !== true)
    {
        if ($allow === '__amfphp_error' || $allow === false)
            $ex = new MessageException(E_USER_ERROR, "Method access blocked by beforeFilter in " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR");
        else
            $ex = new MessageException(E_USER_ERROR, $allow . " " . $className . " class", __FILE__, __LINE__, "AMFPHP_AUTHENTICATE_ERROR");

        MessageException::throwException($amfbody, $ex);
        return false;
    }

    Where you return the error string (instead of false) from your before filter. If you *do* return false from your before filter, the legacy AMFPHP error is thrown.

    Hope that helps!!

  6. cooljackd said,

    on September 12th, 2008 at 9:59 pm

    Hi, how would you call the service from Flash to validate the authentication?

  7. Joshua said,

    on September 18th, 2008 at 10:43 pm

    cooljack,

    Make a call to a PHP script that validates the login credentials. If successful, you could call:

    Authenticate::login($user,$roles);

    and to destroy the session (logout):

    Authenticate::logout();

    Let me know if you need further assistance.
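The reply above leaves the login script itself to the reader. As an added example (not from the post, the comment, or AMFPHP), here is a login/logout service of that kind: credentials are verified on the server, the role string handed to Authenticate::login comes from the server-side user record and never from the client, and the session id is regenerated at login. The Authenticate class is a simplified stand-in for AMFPHP's login/logout using the session keys the post shows; the user table and passwords are constructed for the example, and password_hash/password_verify (PHP 5.5+) are used in place of whatever a 2008 deployment would have had.

```php
<?php
// Added example, not the post's or AMFPHP's code. Authenticate is a stand-in
// for AMFPHP's class; the user table below is constructed for the example.

class Authenticate
{
    public static function login($name, $roles)
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION['amfphp_username'] = $name;
        $_SESSION['amfphp_roles']    = $roles;
    }

    public static function logout()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION = array();
        session_destroy();
    }
}

class LoginService
{
    private $users;

    public function __construct()
    {
        // Constructed records; real code reads these from a database. Hashes
        // would normally be produced once, at account creation.
        $this->users = array(
            'alice' => array('hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'roles' => 'admin,hr'),
            'carol' => array('hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'roles' => 'manager'),
        );
    }

    // login and logout must stay reachable without a session, so they are the
    // only methods this service lets through.
    public function beforeFilter($function_called)
    {
        return in_array($function_called, array('login', 'logout'), true);
    }

    public function login($username, $password)
    {
        // One answer for unknown user and wrong password: no username enumeration.
        if (!isset($this->users[$username])
            || !password_verify($password, $this->users[$username]['hash'])) {
            return array('ok' => false, 'message' => 'invalid credentials');
        }
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        session_regenerate_id(true); // fresh id on privilege change (fixation defense)

        // Roles are taken from the server-side record, never from the request.
        Authenticate::login($username, $this->users[$username]['roles']);
        return array('ok' => true, 'roles' => $this->users[$username]['roles']);
    }

    public function logout()
    {
        Authenticate::logout();
        return array('ok' => true);
    }
}

$svc = new LoginService();
$bad     = $svc->login('alice', 'wrong');
$unknown = $svc->login('mallory', 'whatever');
$good    = $svc->login('alice', 'correct horse');
$roles   = $_SESSION['amfphp_roles'];
$out     = $svc->logout();
$state   = (session_status() === PHP_SESSION_ACTIVE) ? 'active' : 'none';

print_r(array('bad password' => $bad, 'unknown user' => $unknown, 'good login' => $good,
              'session roles after login' => $roles, 'logout' => $out,
              'session after logout' => $state));
```

The Flash side then calls login first and, on an ok result, proceeds to the protected services; the role string returned is informational only, since every later call is checked server-side against the session.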

  8. steve said,

    on November 8th, 2008 at 10:47 pm

    What about the json.php file? How do you secure that, so someone can’t run www.mysite/json.php/PHPclass.function/var1/var2/var3?
