KeithCraigo.com My site about RIA development

Build a better Login with Adobe Flex, Zend_Amf, Zend_Auth, and Zend_Acl – On The PHP Side

This is the server setup procedures for my tutorial Build a better Login with Flex, Zend_Amf, Zend_Auth, and Zend_Acl - On The Flex Side. Consult the first part of this tutorial for project requirements.

We previously created a folder under the MAMP installation called frameworks to serve as the home for the Zend library. Now we need to create a new folder to be the home for our applications server code.

Create a folder in the MAMP/htdocs dir named AccessControlExample.

Create a new folder in AccessControlExample dir and name it phplib, phplib will be the home of our applications main files.

In our main AccessControlExample dir, create a new file called index.php, this is known as the bootstrap file, if you need further clarification about the bootstrap file or any of the Zend Framework, please consult the Zend Framework Reference Guide.

Replace the contents of index.php with the following

<?php
// Error Reporting
error_reporting(E_ALL|E_STRICT);

// Turn to off when released to production
ini_set("display_errors","on");

// Modify include_path to include the
Zend library and the utils dir
ini_set("include_path", ini_get("include_path")
.PATH_SEPARATOR."../../frameworks/".
PATH_SEPARATOR."../../utils/");

// Zend Framework Includes
require_once 'Zend/Loader.php';
Zend_Loader::registerAutoload();

require_once 'Zend/Amf/Server.php';

require_once 'ConnectionHelper.php';
require_once 'phplib/LoginVO.php';
require_once 'phplib/LoginManager.php';

$server = new Zend_Amf_Server();
$server->setClass('LoginManager');
$server->setClass("LoginVO");

// Change this to true when released to production
$server->setProduction(false);

//Mapping the ActionScript VO to the PHP VO
//you don't have to add the package name
$server->setClassMap("LoginVO","LoginVO");

echo($server->handle());

Basically this file provides a path to the Zend framework and any custom libraries we build that our application will need to function. We also map our PHP value Objects with our Actionscript value Objects here as well. Transferring data as Objects is much more efficient than making multiple calls for every piece of data.

Create a new PHP class inside the MAMP/utils dir named ConnectionHelper.php with the following code

<?php
class ConnectionHelper
{
public function __construct() {

$this->host='localhost';
$this->dbname='AccessControlExample';
$this->username ='root';
$this->password = 'root';

}
}

Modify this file according to your particular needs.

Close ConnectionHelper.php.

Okay, we now need to create the 3 main php class files our application needs.

1. LoginManager.php - this is the brains of the server side code. This is where we pass our users credentials to in order to authenticate and authorize the user to use our application. Remember Authenticate (Zend_Auth) and Authorize (Zend_Acl) are two different things.
2. LoginVO.php - this is a value object, a very simple structure that describes our users login attributes.
3. AccessPrivsVO.php - this is a value object, a very simple structure that describes our users role privileges.

Inside LoginManager.php paste the following,

<?php

require_once 'ConnectionHelper.php';
require_once 'LoginVO.php';
require_once 'AccessPrivsVO.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Acl.php';

/*
* LoginManager
*
* Verify's the users login credentials and
checks the users role against the ACL for access rights.
*
* @return Access Privileges
*/
class LoginManager {

private $dbAdapter;
private $authAdapter;

/**
* @return mixed
*/
public function __construct() {

// Get a reference to the
singleton instance of Zend_Auth
$this->auth = Zend_Auth::getInstance();

// Create database connection
try {
$conn = new ConnectionHelper();
$this->dbAdapter =
Zend_Db::factory('Mysqli',array('host' => $conn->host,
'dbname' => $conn->dbname,
'username' => $conn->username,
'password' => $conn->password));
}
catch ( Zend_Db_Exception $e){
return "Caught exception: " . get_class($e) .
"\n Message: " . $e->getMessage() . "\n";
}
}

// test

/**
* @return void
*/
public function test() {
return "Success! Test Completed Normally";
}

/**
*
* Authenticates the user
*
* @todo add routine to verify using SSO
*
* @return mixed
*
*/
public function verifyUser(LoginVO $user) {

$userRole='';
// Configure the instance
with constructor parameters...
$authAdapter = new Zend_Auth_Adapter_DbTable(
$this->dbAdapter,
'admin',
'username',
'password');

$usr=htmlspecialchars($user->username);
$pwd=htmlspecialchars($user->password);
if($usr == ''){
$authAdapter
->setIdentity('guest')
->setCredential('guest');
}else{
$authAdapter
->setIdentity($usr)
->setCredential($pwd);
}
$result = $authAdapter->authenticate();

switch ($result->getCode()) {

case Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND:
$userRole = "guest";
break;

case Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID:
$userRole = "guest";
return "FAILURE_CREDENTIAL_INVALID";
break;

case Zend_Auth_Result::FAILURE:
$userRole = 'guest';
break;

case Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS:
$userRole = 'guest';
break;

case Zend_Auth_Result::FAILURE_UNCATEGORIZED:
$userRole = 'guest';
break;

case Zend_Auth_Result::SUCCESS:

$this->sessionid=$this->getSessionID(); //revised 2/22/2009
// We need to return the authenticated
users role, this will be passed into the Zend_Acl
// getResultRowObject returns a stdClass
object so we need to dereference the role in this manner.
$r=$authAdapter->getResultRowObject(array('role'));
$userRole = $r->role;
break;

default:
return "Internal Error! If this problem persist,
please contact your network administrator";
break;
}

// Set up the ACL (Access Control List)
$acl = new Zend_Acl();
// Add groups to the Role registry using Zend_Acl_Role
// Guest does not inherit access controls.
// Order matters here, we go from the most
restricted to the least restricted
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('manager'), 'guest');
$acl->addRole(new Zend_Acl_Role('admin'), 'manager');

// Administrator does not inherit access controls,
All access is granted
$acl->addRole(new Zend_Acl_Role('Super'));

// setup the resource privs
$acl->add(new Zend_Acl_Resource('viewPublicUI'));
$acl->add(new Zend_Acl_Resource('viewRestrictedUI'));
$acl->add(new Zend_Acl_Resource('viewLogs'));
$acl->add(new Zend_Acl_Resource('createManager'));

// Guest may only view the public interface
$acl->allow('guest', null, 'viewPublicUI');

// manager inherits viewPublicUI privilege from guest,
but also needs additional
// privileges
$acl->allow('manager', null, array('viewRestrictedUI'));

// admin inherits viewRestrictedUI privilege from
// manager, but also needs additional privileges
$acl->allow('admin', null, array('createManager'));

// Super inherits nothing, but is allowed all privileges
$acl->allow('Super');

// userRoleVO to Privs Map
$userRolePrivs = new AccessPrivsVO();
$userRolePrivs->userRole = $userRole;
$userRolePrivs->viewPublicUI =
$acl->isAllowed($userRole, null, 'viewPublicUI') ?
"allowed" : "denied";
$userRolePrivs->viewRestrictedUI =
$acl->isAllowed($userRole, null, 'viewRestrictedUI') ?
"allowed" : "denied";
$userRolePrivs->createManager =
$acl->isAllowed($userRole, null, 'createManager') ?
"allowed" : "denied";
$userRolePrivs->viewLogs =
$acl->isAllowed($userRole, null, 'viewLogs') ?
"allowed" : "denied";

return $userRolePrivs;

}
}

Inside LoginVO.php paste the following,

<?php
class LoginVO
{
//public $_explicitType = 'LoginVO';
public $userName='';
public $password='';
}

The variable $_explicitType is another way you could map the Actionscript VO to the PHP VO.

Inside AccessPrivsVO.php paste the following,

<?php
class AccessPrivsVO
{
public $userRole='';
public $viewPublicUI='';
public $createManager = '';
public $viewRestrictedUI = '';
public $viewLogs = '';

}

You may have noticed I purposely left off the php closing tag ?>, this is to avoid troublesome errors caused by extra white space.

That's it. You now have a robust login system that can be modified to meet your needs using Flex, PHP, Zend_Auth and Zend_Acl. Enjoy!