I have the following scenario in zend framework:
Data
Table of students
Table of classes, which contain many students each.
Table of assignments, each of which is assigned to a class and given a password
I want students to be able to access an assignment given that assignment's id and shared password, but for the application to note which student signed in to the assignment. Zend_Auth however expects one table to contain both the username and the password, but in my situation the username is in the students table, and the password is in the assignments table.
Can anyone suggest a good way of handling the student login where they can all share one password. A way to authenticate with just a username and no password would work, as then I could do the password check in a separate conditional.
I think your best bet would really be to just write your own adapter. Something like this would most likely work:
class MyAuthAdapter implements Zend_Auth_Adapter_Interface
{
protected $_username;
protected $_password;
protected $_assignment_id;
/**
* Sets username, password, and assignemnt ID for authentication
*
* #return void
*/
public function __construct($username,$password,$assignment_id)
{
$this->_username = $username;
$this->_password = $password;
$this->_assignment_id = $assignment_id;
}
/**
* Performs an authentication attempt
*
* #throws Zend_Auth_Adapter_Exception If authentication cannot
* be performed
* #return Zend_Auth_Result
*/
public function authenticate()
{
// logic here to check everything out and erturn a new Zend_Auth_Result
}
}
Shared passwords are a really bad idea. If you share the password, then another student need only learn an id -- typically not a highly secured piece of information -- to access the resource as the other student. A better solution would be to use a role to control access to assignments and put the students who need access to the assignment in the role. This way each student can still have access to the assignment and retain their own id/password pair. See the Zend documentation for information on roles and how to use them.
Related
Currently Artemis the has ActiveMQSecurityManager4. It gives a lot of control when using the following method:
/**
* Determine whether the given user is valid and whether they have
* the correct role for the given destination address.
*
* This method is called instead of
* {#link ActiveMQSecurityManager#validateUserAndRole(String, String, Set, CheckType)}.
*
* #param user the user
* #param password the user's password
* #param roles the user's roles
* #param checkType which permission to validate
* #param address the address for which to perform authorization
* #param remotingConnection the user's connection
* #param securityDomain the name of the JAAS security domain to use (can be null)
* #return the name of the validated user or null if the user isn't validated
*/
String validateUserAndRole(String user,
String password,
Set<Role> roles,
CheckType checkType,
String address,
RemotingConnection remotingConnection,
String securityDomain);
When a client connects and tries to create a subscription is there a way to know what is his ClientID/Subscription Name? (CheckType=CREATE_DURABLE_QUEUE over address="org.activemq.premium.news" )
I want to have control who is allowed to subscribe a given address (TOPIC) and guarantee that a subscription belongs to the initial (authenticated) subscriber.
EDIT 1:
The caller method has the queue (clientID+subs name) but I don't think It can be extended.
/**
* The ActiveMQ Artemis SecurityStore implementation
*/
public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryChangeListener {
...
#Override
public void check(final SimpleString address,
final SimpleString queue, //exactly what I was looking for
final CheckType checkType,
final SecurityAuth session) throws Exception {
...
EDIT 2:
Scenario
I have Bob (user:bob, pass: bob) and Alice (user:Alice, pass:Alice) and each one will create their connection to the broker to subscribe let's say address="org.activemq.premium.news". So far I can block one of them from reaching the address, which is not bad. Now I want both to subscribe (each one will have a queue) but I want to make sure the Bob's subscription is named "bob" and Alice's subscription is named "alice". I don't want that if Alice subscribes first it uses "bob" as subscription name. Also not sure if the spec guaranties that after the initial subscription from Bob, if he is not connected Alice cannot use his subscription name to consume his messages - i.e. subscription queue is bound to that user.
I think what you want to do was already addressed via ARTEMIS-592. You just need to concatenate the address and queue name with a . character in your related security-setting in broker.xml. Be sure to put the users which should be isolated in different groups.
To be clear, you don't need to implement a security manager or plugin or anything like that. You should be able to take care of everything you need just with configuration.
My initial requirement is now possible due to https://issues.apache.org/jira/browse/ARTEMIS-2886 changes.
I have a concept question when it comes to roles. Im not very familiar with database design or access control. Let's say i have 4 collections.
Users
Companies
Equipment
Locations
A user can register.
A user will be added to a company.
User gets access to all equipment and locations with the company ID.
What would be a good way to verify that a registered user belongs to a company? I'm thinking manual verification, as not everybody in the company should have access. But any clever thoughts are appreciated.
Collections equipment and locations holds documents belonging to different companies. These collections can get pretty big. Is it wise to have an "Equipment collection" for each company?
Should i create a group for each company and add user to the correct group?
What is the best way to link collections/documents to user/company?
Any other thoughts?
Thank you.
Have you tried using : https://github.com/alanning/meteor-roles
I have used that to verify roles in meteor. There would be an entry in "Companies" Collection thus you can have a Company ID. With the usage of meteor roles , I think it would be easy to do your task. In Example.
User Collection would have :
_id:
Name:
Role : [ //owner , employee ]
Company ID:
it is up to you if you would make roles and company ids an array to handle multiple companies for a single user record thus making it alot more flexible in the long run.
Next would be make a helper in your user collection to easily track the roles. IE.
isAdmin(companyId) {
if(isValidRolesData(this.roles,'default-group'))
return this.roles['default-group'].indexOf(`${companyId}-admin`) > -1;
},
/**
* Check if a user is Staff
*
* #param {any} facilityid
* #returns
*/
isStaff(companyId) {
if(isValidRolesData(this.roles,'default-group'))
return this.roles['default-group'].indexOf(`${companyId}-staff`) > -1;
},
/**
* Check if a user is Receptionist
*
* #param {any} facilityid
* #returns
*/
isReceptionist(companyId) {
if(isValidRolesData(this.roles,'default-group'))
return this.roles['default-group'].indexOf(`${companyId}-receptionist`) > -1;
},
With that kind of flow I guess you can achieve the exact thing you needed :)
I use Doctrine and MongoDB ODM modules at my zf2 application. ZfcUser is used for authorization.
Is there a way to use two collections, say users and clients to authenticate via zfcuser+doctrine? I am curious, if there is a way to combine two mongo collections into one to use combined for authentication?
You do not need to merge the users into one collection as you can have multiple 'authentication adapters' (see ZfcUser\Authentication\Adapter\Db for an example)
These are defined within global config file: zfcuser.global.php
Each of my adapters are run in order of priority until one returns a successful authentication result.
For example; I have the following configuration for Users and Candidates entities.
/**
* Authentication Adapters
*
* Specify the adapters that will be used to try and authenticate the user
*
* Default value: array containing 'ZfcUser\Authentication\Adapter\Db' with priority 100
* Accepted values: array containing services that implement 'ZfcUser\Authentication\Adapter\ChainableAdapter'
*/
'auth_adapters' => array(
50 => 'JobboardCandidate\Authentication\Adapter\CandidateDatabaseAdapter',
75 => 'JobboardUser\Authentication\Adapter\UserDatabaseAdapter',
//100 => 'ZfcUser\Authentication\Adapter\Db', [this is the default]
),
As I understand from your question you want to get one collection with two different document types so that you can use this collection for authentication.
If you use doctrine Inheritance mapping you can have two different classes and resolve them in one collection.
In this case your Client class would extend your User class. If you would use the findAll method in your UserRepository you would get both the clients and the users in one Collection
This will help you achieve what you want:
<?php
namespace MyProject\Model;
/**
* #Document
* #InheritanceType("SINGLE_COLLECTION")
* #DiscriminatorField(name="discriminator", type="string")
* #DiscriminatorMap({"user" = "User", "client" = "Client"})
*/
class User
{
// ...
}
/**
* #Document
*/
class Client extends User
{
// ...
}
And then
$userRepository->findAll();
Read more on inheritance mapping here in the Doctrine documentation
I need little help :). Here is the situation. I am using symfony2 + FOSUserBundle, I made my forms custom, so far so good. I have User registration with user information in the custom registration form (like first name, last name, birth date etc). Now I decided that it will be more practical to make the user info to be stored in mongodb as document (as I probably will add more information to users later). I built the user info form, and successfully embedded it to the user form. Now the problem is that I cannot set Document object inside Entity object - symfony tells me that the object must be an Entity.
/**
* Acme\UserBundle\Entity\User
*
* #ORM\Table(name="user")
* #ORM\Entity
*/
class User extends BaseUser
{
/**
* #Assert\Type(type="Acme\UserBundle\Document\UserInfo")
*/
protected $userinfo;
I want to ask, what is the proper way to do this ? Sure I can get the needed information form the request as an array and fill in the user info object ... but it looks ugly and wrong :) so how it must be done ? Thanks.
I assume you extends the entity class
FOS\UserBundle\Entity\User
there is a document class provided by the bundle
FOS\UserBundle\Document\User
You could extends this one
i'm doing a registration system for my site and want to prevent duplicate registrations with the same email address.
the declaration of the user class looks like this:
/**
* #Document
*/
class User extends BaseEntity
{
private
/**
* #Id
*/
$id,
/**
* #String #Index(unique=true)
*/
$email
;
}
but whenever i save a user with the same email, no exception is raised and i get a duplicate.
i found somewhere that i need to do $documentManager->flush(array('safe'=>true)); but that doesn't help.
How can I achieve what i need? Thanks
I had a similar problem. The index is not being created by Doctrine as you can see by typing the following in the mongo console:
db.system.indexes.find()
I had to create my index directly in mongo per these instructions. After that duplicates won't be created.
However Symfony2/Doctrine doesn't seem to throw any exceptions, the insert just fails silently. Mongodb DOES alert you of the failed insert if you do it directly in the console.
--edit: An exception is thrown when array('safe'=>true) is used as a parameter to flush() as per the original post.