Application Security with Yii Framework: Authentication and Authorization
Ilko Kacharov | email@example.com
Performance
RPS (requests per second) means how many requests an application written in a framework can process per second, and APC stands for Alternative PHP Cache, a caching component used to increase application performance (in comparison to the same metering with this extension turned off).
http://www.yiiframework.com/performance/
Application life cycle
The following diagram shows the static structure of a Yii app.
The following diagram shows a typical workflow of a Yii application when it is handling a user request:
1. Pre-initializes the application with CApplication::preinit();
2. Set up class autoloader and error handling;
3. Register core application components;
4. Load application configuration;
5. Initialize the application with CApplication::init():
   - Register application behaviors;
   - Load static application components;
6. Raise onBeginRequest event;
7. Process the user request:
   - Resolve the user request;
   - Create controller;
   - Run controller;
http://www.hooto.com/media/image/view/?id=919&style=full
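As an added example that is not part of the slides, here is a minimal protected/config/main.php of the kind that steps 3 to 7 above consume: core components get their settings from it (step 3 and 4), behaviors and preloaded components are set up in init() (step 5), and the onBeginRequest handler fires in step 6 before the controller is created. The component names and property names are those of Yii 1.1; the log category, the application name and the handler body are made up for the example, and the closure handler needs PHP 5.3 or later.

```php
<?php
// protected/config/main.php (added example, not from the slides).
// Hypothetical configuration consumed during the application life cycle:
// core components read their settings here (steps 3-4), behaviors and
// preloaded components are set up in CApplication::init() (step 5), and
// onBeginRequest is raised (step 6) before the controller runs (step 7).
return array(
    'basePath' => dirname(__FILE__) . DIRECTORY_SEPARATOR . '..',
    'name' => 'Secure Demo', // constructed value

    // Static components instantiated during CApplication::init() (step 5).
    'preload' => array('log'),

    // Application behaviors would be listed under 'behaviors' and are attached
    // in step 5, before the static components are loaded.
    'behaviors' => array(),

    'components' => array(
        'user' => array(
            'class' => 'CWebUser',
            'allowAutoLogin' => true,          // required for cookie-based login
            'loginUrl' => array('site/login'),
        ),
        'request' => array(
            'enableCsrfValidation' => true,    // reject POSTs that lack the CSRF token
            'enableCookieValidation' => true,  // HMAC-sign cookies so tampered ones are dropped
        ),
        'session' => array(
            'cookieParams' => array('httponly' => true), // keep the session id away from JavaScript
        ),
        'errorHandler' => array('errorAction' => 'site/error'), // renders 403/404 responses
        'log' => array(
            'class' => 'CLogRouter',
            'routes' => array(
                array('class' => 'CFileLogRoute', 'levels' => 'error, warning, info'),
            ),
        ),
    ),

    // Handler attached to the onBeginRequest event raised in step 6.
    // 'lifecycle' is a made-up log category.
    'onBeginRequest' => function ($event) {
        Yii::log('request from ' . Yii::app()->request->userHostAddress,
                 CLogger::LEVEL_INFO, 'lifecycle');
    },
);
```

The request and session settings are the ones a reviewer would expect to see in any Yii 1.1 configuration: cookie validation makes the auto-login cookie described later tamper-evident, and CSRF validation protects the login and logout actions from cross-site requests.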
Authentication
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:
● Who is the user?
● Is the user really who he/she represents himself to be?
Authorization
Authorization verifies that you have the permissions you need to access an object. It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
● Is user X authorized to access resource R?
● Is user X authorized to perform operation P?
● Is user X authorized to perform operation P on resource R?
Access Control Lists
An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
Role-Based Access Control
Role-based access control (RBAC) is an approach to restricting system access to authorized users. Three primary rules are defined for RBAC:
1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
Role-Based Access Control
When defining an RBAC model, the following conventions are useful:
● Subject = A person or automated agent
● Role = Job function or title which defines an authority level
● Permissions = An approval of a mode of access to a resource
● Session = A mapping involving S, R and/or P
● Subject Assignment
● Permission Assignment
● Partially ordered Role Hierarchy
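The three RBAC rules and the conventions above map directly onto Yii 1.1's authorization manager. The following added example (not code from the slides or from the Yii project) builds a partially ordered role hierarchy with CDbAuthManager, assigns roles to subjects, and attaches a business rule to a task so that a permission is granted only for the caller's own resource. It assumes an 'authManager' component configured as CDbAuthManager over the tables from framework/web/auth/schema.sql, and a Post model with an authorId attribute; the item names, descriptions and user ids are constructed for the example.

```php
<?php
// Added example, not from the slides: an RBAC hierarchy in Yii 1.1.
// Assumes 'authManager' => array('class' => 'CDbAuthManager') with the
// schema from framework/web/auth/schema.sql, and a Post model whose
// authorId attribute holds the owner's user id (hypothetical).
class RbacSetupCommand extends CConsoleCommand
{
    public function run($args)
    {
        $auth = Yii::app()->authManager;
        $auth->clearAll(); // start from an empty hierarchy (development only)

        // Permissions: approvals of a mode of access to the Post resource.
        $auth->createOperation('readPost',   'read a post');
        $auth->createOperation('createPost', 'create a post');
        $auth->createOperation('deletePost', 'delete any post');

        // Business rule: the task is granted only when the post passed in
        // $params was written by the current user.
        $bizRule = 'return isset($params["post"]) '
                 . '&& $params["post"]->authorId == Yii::app()->user->id;';
        $task = $auth->createTask('updateOwnPost', 'update a post you authored', $bizRule);
        $task->addChild('readPost');

        // Partially ordered role hierarchy: admin > author > reader.
        $reader = $auth->createRole('reader');
        $reader->addChild('readPost');

        $author = $auth->createRole('author');
        $author->addChild('reader');        // inherits everything a reader may do
        $author->addChild('createPost');
        $author->addChild('updateOwnPost');

        $admin = $auth->createRole('admin');
        $admin->addChild('author');
        $admin->addChild('deletePost');

        // Rule 1 (role assignment): subjects receive roles, never operations directly.
        // Rule 2 (role authorization): checkAccess() only follows assignments made here,
        // so a user cannot activate a role that was not assigned.
        $auth->assign('reader', 1001); // constructed user ids
        $auth->assign('author', 1002);
        $auth->assign('admin',  1);
        $auth->save();
    }
}

// Rule 3 (permission authorization), evaluated at request time: checkAccess()
// walks down from the user's assigned roles and evaluates each business rule
// on the path, so an author gets 'updateOwnPost' only for his own posts.
function canUpdatePost($post)
{
    return Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post));
}
```

Run the command once (for example `./yiic rbacsetup`) to populate the tables; every later checkAccess() call reads the hierarchy from the database, so role changes take effect without redeploying code.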
Steps to secure a Yii Application
1. Defining Identity Class
2. Login and Logout
3. Cookie-based Login
4. Access Control Filter
5. Handling Authorization Result
6. Role-Based Access Control
7. Configuring Authorization Manager
8. Defining Authorization Hierarchy
9. Using Business Rules
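Steps 1 to 5 of this list fit in one piece of code. The following added example (not code from the slides or from the Yii project) shows an identity class that answers the two authentication questions, a login action that issues the cookie-based login only when the user asks for it, a logout action, and an access control filter whose result is a 403 rendered by the errorHandler component. It assumes a User ActiveRecord model with id, username, passwordHash and role attributes, the LoginForm model generated by the Yii application skeleton, and a 'user' component configured with allowAutoLogin set to true; CPasswordHelper requires Yii 1.1.14 or later.

```php
<?php
// Added example, not from the slides. Steps 1-5: identity class, login and
// logout, cookie-based login, access control filter, handling the result.
// Assumes a User model (id, username, passwordHash, role) and the skeleton's
// LoginForm (username, password, rememberMe); both are hypothetical here.

// Step 1: identity class. authenticate() decides who the user is and whether
// the presented credentials prove it.
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        // Only a salted hash is stored; verifyPassword compares in constant time.
        if ($user === null
            || !CPasswordHelper::verifyPassword($this->password, $user->passwordHash)) {
            // One error code for both failures so the response does not reveal
            // whether the username exists.
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }
        $this->_id = $user->id;
        $this->setState('role', $user->role); // readable as Yii::app()->user->role
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}

// Steps 2-3: login (with optional persistent cookie) and logout.
class SiteController extends CController
{
    public function actionLogin()
    {
        $form = new LoginForm;
        if (isset($_POST['LoginForm'])) {
            $form->attributes = $_POST['LoginForm'];
            $identity = new UserIdentity($form->username, $form->password);
            if ($form->validate() && $identity->authenticate()) {
                // 0 = session-only login; 30 days only when "remember me" is ticked.
                $duration = $form->rememberMe ? 3600 * 24 * 30 : 0;
                Yii::app()->user->login($identity, $duration);
                $this->redirect(Yii::app()->user->returnUrl);
            }
            $form->addError('password', 'Incorrect username or password.');
        }
        $this->render('login', array('model' => $form));
    }

    public function actionLogout()
    {
        Yii::app()->user->logout(); // drops the session and the auto-login cookie
        $this->redirect(Yii::app()->homeUrl);
    }
}

// Steps 4-5: access control filter. Rules are checked top-down and the first
// match wins; a denied guest is sent to loginUrl, a denied user gets a
// CHttpException(403) that the errorHandler's errorAction renders.
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('index', 'view'), 'users' => array('*')),     // everyone
            array('allow', 'actions' => array('create'), 'users' => array('@')),            // authenticated
            array('allow', 'actions' => array('update', 'delete'), 'roles' => array('admin')), // RBAC role
            array('deny', 'users' => array('*')), // default deny for anything not listed
        );
    }
}
```

The closing deny rule is the part most often forgotten: without it, any action not named in an earlier rule is allowed to everyone, so the filter should always end with an explicit default deny.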
API, documentation and community
The Definitive Guide to Yii: http://www.yiiframework.com/doc/guide/
GitHub: https://github.com/yiisoft/yii/commits/master
Forum: http://www.yiiframework.com/forum/ (Total Posts: 173,083; Total Members: 61,015; Active users at time of visit: 320; International threads: 20 languages, incl. BG)
IRC Channel: http://www.yiiframework.com/chat/ (Active users at time of visit: 90)
Yii Books:
● http://www.seesawlabs.com/yii-book
● http://yii.larryullman.com/toc.php
● http://yiicookbook.org/
● http://packtlib.packtpub.com/library/9781847199584
IDE integrations (code completion, templates, testing and debugging): NetBeans, Eclipse, PhpStorm, Nusphere phpEd
Links
● Official website: http://www.yiiframework.com/
● Definitive Guide to Yii (En/Ru): http://yiiframework.ru/
● Yii API and Class Reference: http://www.yiiframework.com/doc/api/
● Extensions Library (over 1k): http://www.yiiframework.com/extensions/
● Yii General Forum (60k users): http://www.yiiframework.com/forum/
● Yii Cheat sheet (quick reference): http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf
● Yii Related Sites: http://www.yiiframework.com/wiki/98/yii-related-sites/
License and requirements
Yii is an open source project released under the terms of the BSD License. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
Requirement: PHP 5.1.0 or above
Clevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality."
Installation:
Installation of Yii mainly involves the following three steps:
1. Download Yii Framework from yiiframework.com or the GitHub repo (newest)
2. Unpack the Yii release file to any directory (e.g. /opt/yii/)
3. Link your application with the framework source