Geek Answers Handbook

PHP: Access Control Engine Architecture

I have a PHP application that has an access control mechanism based on a navigation identifier for individual pages. Thus, the user can have access to pages 1, 4, 5, for example. The navigation identifier is not static, new pages (and therefore new identifiers) can be generated by the administrator. And I have some kind of service oriented architecture. Thus, I have services that are called from the JSON client, but also from the server side by PHP classes (controllers) directly. I have a problem, I need an access control mechanism for services. And I would like it to be separated from the services themselves.

Services return business objects. All of this BO has some kind of β€œconnection” with an object that has a navigation identifier. for example, service returns images: Image.page β†’ Page.navID or service returns dimensions (nn): Dimension β†’ DimImageConnector β†’ Image.page β†’ Page.navID.

I cannot imagine a clean access control solution. Finding a navigation identifier in business objects does not seem to be a very good and easy solution.

It would be nice to have some input for my access control architecture.

Thanks!

BTW: I use the annotation structure, so one of the possibilities is to provide some access information directly using the service method.

+4
source share
2 answers

My idea is a bit complicated to implement, but I think it solves the problem. You have one problem with your request, and it does not share services as such.

Imagine this idea. You have a base class of service with an IsCallable method return if the current user can call the service.

From this service class that you inherit, NonAuthenticatedService and AuthenticatedService. After that, you need to create a factory service to retrieve the services and call them.

Here I leave a graphic representation of my stiffnesses. Sorry for the graphics, this is just Power Point, because I'm not a fan of CASE Tools. :)

Sample hierarchy

Hope I can help!

+1
source

If the changes and permissions of nav-ids are based on nav identifiers, you will have to reassign all navigation identifiers when they change.

Probably the easiest method would be to have a table that matches the users on the pages (rather than nav-ids). You can change what you have or create a new table. Then enter another table that maps the pages to their current identifier. To check if a user has access, you join two tables.

Then all you have to do is update the map whenever the nav-ids changes.

I would recommend exploring a method by which nav identifiers will not change. Alternatively, add a static identifier that will be used with the nav identifier. That way, you can just reference static identifiers and let nav-ids change as much as they want.

0
source

More articles:


All Articles