Within our Agavi-based application (Agavi 0.11.3/PHP 5.2.6), we have two ways to access secured routes.
* Client first POSTs to a login endpoint, providing username and password. The action behind this route relies on a model that uses a subclass of AgaviRbacSecurityUser to store authentication state and roles. The client then may access secured endpoints by supplying a cookie associated with the user's session.

* Client accesses the secured endpoint directly with a previously-issued remote key. The connection takes place over SSL and the key is submitted via an Authorization Basic HTTP header. A modification to index.php checks for this HTTPS/password situation, and if that is the case, an API context is instantiated. An Agavi global filter class calls the login method on the user class to complete the authentication.

These approaches work well for the most part, but we've run into an issue for which we haven't been able to come up with a good resolution. Some of our routes have different semantics based on the role of the caller. We have been enforcing this by creating subactions for each role and then using the source attribute on routing XML elements to determine which variety of subaction should be called:

    <route name="some.secured.route.name" pattern="^1$" source="user[credentials][Great and Powerful Oz]" module="Foo" action="Bar.GreatAndPowerfulOz" />

When the route is accessed by the first approach described above, things are fine. In the second case, any route that uses a user source does not match. This is because the global filter authentication executes after the route has been determined, and the sources are determined as part of the context initialization.

The best idea that we've been able to come up with so far is to move the authentication code into a custom subclass of AgaviWebRouting. Any thoughts on a Better Way (tm) to do this?

Thanks bunches!

--
P.J. Hinton
Senior Software Engineer
Compendium Blogware
[email protected]
_______________________________________________
users mailing list
[email protected]
http://lists.agavi.org/mailman/listinfo/users
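The following is an added example sketching the approach the post proposes (authenticating the remote key inside a custom AgaviWebRouting subclass so that the user's credentials exist before route matching runs). It is not code from the original post or from Agavi. The class name ApiAwareWebRouting, the key store, the key-to-role mapping and the helper names are hypothetical; the Agavi calls used (AgaviWebRouting::execute(), AgaviContext::getUser(), AgaviSecurityUser::setAuthenticated(), AgaviRbacSecurityUser::grantRole()) are assumed from the Agavi 0.11 API and should be checked against the installed version. The Basic-auth parsing and the constant-time key comparison are plain PHP 5.2.

```php
<?php
// Added example (not the original poster's or Agavi's code).
// Assumed Agavi 0.11 API: AgaviWebRouting::execute(), $this->context->getUser(),
// AgaviSecurityUser::setAuthenticated(), AgaviRbacSecurityUser::grantRole().
// Hypothetical: class name, key store, role mapping, helper names.
//
// Registered in factories.xml in place of the default routing class, e.g.
//   <routing class="ApiAwareWebRouting" />
class ApiAwareWebRouting extends AgaviWebRouting
{
    // Hypothetical store of issued remote keys => granted role.
    // A real deployment would load this from the application's model and
    // store a hash of each key rather than the key itself.
    private static $remoteKeys = array(
        'ff6e9c1a8d2b4f0e7c3a5b9d1e2f4a6c' => 'Great and Powerful Oz',
    );

    public function execute()
    {
        // Only honour a remote key on HTTPS, mirroring the index.php check.
        if($this->isHttps()) {
            $role = $this->authenticateRemoteKey();
            if($role !== null) {
                // Assumed: the user object is the AgaviRbacSecurityUser subclass,
                // so user[credentials][<role>] sources resolve against it.
                $user = $this->context->getUser();
                $user->setAuthenticated(true);
                $user->grantRole($role);
            }
        }
        // Credentials are now in place before the routes are matched.
        return parent::execute();
    }

    private function isHttps()
    {
        return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== '' && $_SERVER['HTTPS'] !== 'off';
    }

    // Returns the role for a valid remote key, or null when no valid key was sent.
    private function authenticateRemoteKey()
    {
        $key = $this->basicAuthPassword();
        if($key === null) {
            return null;
        }
        foreach(self::$remoteKeys as $issued => $role) {
            if(self::constantTimeEquals($issued, $key)) {
                return $role;
            }
        }
        return null;
    }

    // Extracts the password part of an Authorization: Basic header. Handles both
    // the mod_php PHP_AUTH_* variables and a raw HTTP_AUTHORIZATION value.
    private function basicAuthPassword()
    {
        if(isset($_SERVER['PHP_AUTH_PW'])) {
            return $_SERVER['PHP_AUTH_PW'];
        }
        if(!isset($_SERVER['HTTP_AUTHORIZATION'])) {
            return null;
        }
        $header = $_SERVER['HTTP_AUTHORIZATION'];
        if(strncasecmp($header, 'Basic ', 6) !== 0) {
            return null;
        }
        $decoded = base64_decode(substr($header, 6), true);
        if($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        list(, $password) = explode(':', $decoded, 2);
        return $password;
    }

    // PHP 5.2 has no hash_equals(); compare without leaking the match position.
    private static function constantTimeEquals($known, $given)
    {
        if(strlen($known) !== strlen($given)) {
            return false;
        }
        $diff = 0;
        for($i = 0, $n = strlen($known); $i < $n; $i++) {
            $diff |= ord($known[$i]) ^ ord($given[$i]);
        }
        return $diff === 0;
    }
}
```

Two caveats for anyone adopting this layout. First, AgaviSecurityUser keeps authentication state in the session, so a role granted for a single key-authenticated request must not leak into a cookie-backed session; the post's separate API context is the right place to ensure that key-based requests use non-persistent user storage. Second, once the key is validated in the routing class, the existing global filter login should become a no-op for that request rather than a second, independent authentication path.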
