BMC/UUP-SITE - Secure

Authentication can be triggered either by the user or by code. The existence of an authenticated logon session can be enforced by deriving your controller from one of the secure controllers (page or service). It is also possible to trigger logon from code.

Enable authentication support

Support for authentication can be installed using uup-site.sh. This installs the bmc/uup-auth package and creates a config/auth.inc file if it is missing.

uup-site.sh --auth

Configure

To enable authentication, uncomment auth related settings in config/defaults.site:

        ...
/**
 * The authentication options. Enables session and suggests config->tools->auth.
 */
'auth'  => array(
        'start'  => '/uup-site2/',              // Start page after successful logon
        'logon'  => '/uup-site2/auth/logon',    // The logon page
        'logoff' => '/uup-site2/auth/logoff',   // The logoff page
        'config' => __DIR__ . '/auth.inc',      // Config file for authenticators
        'sso'    => true                        // Enable SSO login
),
        ...
/**
 * The toolbox plugins to expose. Themes can choose whether to show them or not.
 */
'tools' => array(
        'home'      => false,    // Enable home navigation icon.
        'auth'      => true,     // Enable authentication box.
        'search'    => false,    // Enable Google search box.
        'translate' => false,    // Enable Google translate box.
        'edit'      => false     // Enable online page/site editor.
),
        ...

Then edit the file config/auth.inc to configure the logon methods. Both authenticators and access restrictors can be set up there.

Secure page

The simplest way to protect your page controller is to derive from the secure page class:

<?php

use UUP\Site\Page\Web\Security\SecurePage;

class MyPage extends SecurePage
{

        public function __construct()
        {
                // The secure base class enforces an authenticated logon
                // session before the page is rendered.
                parent::__construct("Page requiring logon session");
        }

        public function printContent()
        {
                // Only reached when a logon session exists.
                include("protected.inc");
        }

}

Secure service

Web services can be protected analogously to the page case. The difference is that you will probably override the onException() method to return a protocol specific error message instead of an HTML error page.

<?php

use UUP\Site\Page\Service\SecureService;

class MyService extends SecureService
{

        // Application specific request handler (not part of uup-site).
        private $_handler;

        public function __construct($config = null)
        {
                parent::__construct($config);
                $this->_handler = new ServiceApi($this->params);
        }

        public function onException($exception)
        {
                // Report errors (including missing logon session) in the
                // service protocol rather than as an HTML page.
                $this->_handler->sendError($exception);
        }

        public function render()
        {
                // Only reached when a logon session exists.
                $this->_handler->process();
                $this->_handler->sendSuccess("OK");
        }

}

Conditional logon

Sometimes you want to enforce authentication depending on the request. This can be handled by the authorize() method available inside all controller classes:

if ($this->params->hasParam("store")) {
        $this->authorize();     // Require logon session before saving
        $this->save($data);
}

Calling authorize() redirects the browser to the logon page if an authenticated session is missing and the controller is derived from the standard page class. If the controller is derived from the standard service class, an unauthorized exception is thrown instead when the request is not authenticated.

Conditional content

Page content can be conditionally hidden or shown depending on logon status. This is handled by the runtime class with support from the theme.

Your code can then decorate content with HTML attributes like auth="false" or auth="true" to let the web browser decide whether to display the content or not. Notice that the page content is only a hint: anyone can send the request directly, so the backend (i.e. an API) must do the proper access control.
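The following is an added example (not code from the uup-site documentation or package) that combines the conditional logon and conditional content sections: the page only hints with auth attributes, while the service calls authorize() before the store operation. Assumed names, not taken from the page: the StandardPage and StandardService base classes, getParam() on $this->params, the /uup-site2/notes URL, and the store()/listNotes() methods on the page's hypothetical ServiceApi handler.

```php
<?php
// Added example, not code from the uup-site docs or package. Assumed names:
// StandardPage/StandardService for the non-secure base classes, getParam() on
// $this->params, and store()/listNotes() on the hypothetical ServiceApi handler.

use UUP\Site\Page\Web\StandardPage;          // assumed class name
use UUP\Site\Page\Service\StandardService;   // assumed class name

class NotesPage extends StandardPage
{
        public function printContent()
        {
                // auth attributes only tell the theme what to display; they do
                // not stop anyone from posting store=1 directly to the service.
                echo '<p auth="false">Log on to add notes.</p>';
                echo '<form auth="true" method="post" action="/uup-site2/notes?store=1">';
                echo '<input name="note"><button>Save</button></form>';
        }
}

class NotesService extends StandardService
{
        private $_handler;

        public function __construct($config = null)
        {
                parent::__construct($config);
                $this->_handler = new ServiceApi($this->params);
        }

        public function render()
        {
                if ($this->params->hasParam("store")) {
                        // Service class: authorize() throws an unauthorized
                        // exception (no redirect) when no logon session exists,
                        // so store() is never reached for anonymous callers.
                        $this->authorize();
                        $this->_handler->store($this->params->getParam("note"));
                        $this->_handler->sendSuccess("Stored");
                } else {
                        // Listing notes is public, no logon session required.
                        $this->_handler->sendSuccess($this->_handler->listNotes());
                }
        }

        // Turn the exception into a protocol specific error response.
        public function onException($exception)
        {
                $this->_handler->sendError($exception);
        }
}
```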

Example