How would i globally secure all my controllers (except for my Login controller) to ensure my application is secure at all points (no hidden backdoor to ajax calls, etc). I thought that I might put it in my bootstrap file, but this doesn't feel right? I'm trying to avoid adding any code to each controller.
Suggestions?
The way I did it in one implementation was to create a file called Auth.php in my application path. Then I opened up every controller I wanted to be protected and added the line
to the init() method before calling parent::init().
As for the Auth.php file itself, it basically uses Zend_Auth to authenticate. On success I would save the identity of the user for later use in the application
On failure I would redirect to the login page and pass some params so that the login page knows where to send me once I'm logged in.
This is not an elegant solution but it's reliable and relatively quick and easy to implement.
You should write ACL plugin for that and register it in front controller. If you implement such functionality as a plugin you will have flexibility to use it in your next application - without need to extend each controller from your custom controller.
Resources:
1. Front Controller Plugins in Zend Framework - how plugins work in ZF
2. Zend_Acl / Zend_Auth example scenario - one of many possible implementations of ACL plugin.
3. Google - and lot of another resources
Well, you need to have an entry point to your system :)
This can be achieved by extending Zend_Controller_Action, let's say:
And now each of your controllers only needs to extend MyController and you're secure.
edit: this is a complement of @singles response.
You must understand there are 2 different things. Auth and Acl. Auth tells you who is the user, and you can for example redirect user having no Auth to you login controller, and set an auth identity after login. then the Acl system take yes/no decisions based on the Auth data (could be the user id or is role, stored in the Auth storage.
On nice solution is to have 2 controllers plugins (registered in the good order on the bootstrap, Auth then Acl). If you do not use Controller plugins you'll have to call the Acl check in each controller, when needed. If you always need it, then use plugins.
Implement the
preDispatch()
in you Auth plugin to set for example an anonymous identity if you have no identity return from Zend_Auth. This is a code snippet of a real one:And for the Acl controller plugin the task is as well in
preDispatch()
. You can launch an acl check for each requested url (so for each user request, even ajax). Here's a partial snippet, so this just an example of how you could handle things:and in this system the last important part is the LoginController where in case of succesful login you should initate the identity record: