Authentication layer

Overview

Being a low-level framework, Phoebius provides a strong, stratified architecture that encourages developers to extend the existing functionality.

The current implementation of MVC does not provide an authorization layer, but it can easily be extended to meet the requirements of the project.

This document shows how transparently the MVC stack can be overloaded.

Authentication

The authentication layer is a layer that intercepts the application flow and checks whether the client has permission to access the requested page. If permission is granted, the application flow continues; otherwise another action is executed (redirection to an authorization page, or displaying an error message saying that access is denied).

The ActionBasedController class provides a set of protected methods that can be overloaded to change the normal application flow. Among them is ActionBasedController::processAction(), which accepts the action taken from the request (by the router) and the method found for that action. Normally, ActionBasedController::processAction() just invokes the method and returns the result of its execution.

The method can be overloaded in a descendant class to prevent unauthorized access to the methods of the controller:

AccessCheckController.class.php

abstract class AccessCheckController extends ActionBasedController {

	function showAccessDenied()
	{
		// ...
	}

	protected function processAction($action, ReflectionMethod $method) {

		/* check credentials here; isAuthorized() is supplied by the application */
		if (!isAuthorized($this->getTrace()->getRequest())) {
			return $this->showAccessDenied();

			// also possible to redirect a client:
			// a "login" route should be defined in a route table
			//return $this->redirect("login");
		}

		// the check passed: continue with the normal application flow
		return parent::processAction($action, $method);
	}
}

After that, you can use this class as the base for any controller that serves a restricted area of a web service (e.g., an administration panel). In the following example, action_showIndex won't be executed unless AccessCheckController::processAction allows it:

AdminController.class.php

class AdminController extends AccessCheckController {
	function action_showIndex()
	{
		// ...
	}
}
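
The flow described above can be tried without the framework. The following script is an added example, not Phoebius code: the Demo* classes are simplified stand-ins for ActionBasedController and its descendants, and the session array and the "admin" role rule are assumptions made for the illustration.

```php
<?php
// Simplified stand-in for ActionBasedController (not Phoebius code):
// resolves "action_<name>" and passes it through processAction().
abstract class DemoActionController {
	protected $session = array();

	function handle($action, array $session) {
		$this->session = $session;
		$name = 'action_' . $action;
		if (!method_exists($this, $name)) {
			return '404 no such action';
		}
		return $this->processAction($action, new ReflectionMethod($this, $name));
	}

	protected function processAction($action, ReflectionMethod $method) {
		return $method->invoke($this);
	}
}

// The access check lives in one place and denies by default.
abstract class DemoAccessCheckController extends DemoActionController {
	protected function isAuthorized() {
		// constructed rule: a logged-in user whose role is exactly "admin"
		return isset($this->session['user_id'], $this->session['role'])
			&& $this->session['role'] === 'admin';
	}

	protected function processAction($action, ReflectionMethod $method) {
		if (!$this->isAuthorized()) {
			return '403 access denied';
		}
		return parent::processAction($action, $method);
	}
}

class DemoAdminController extends DemoAccessCheckController {
	function action_showIndex() { return '200 admin index'; }
	// added later, with no check of its own: still guarded by the base class
	function action_deleteUser() { return '200 user deleted'; }
}

// Constructed sample requests: anonymous, wrong role, admin.
$c = new DemoAdminController();
echo $c->handle('showIndex', array()), "\n";
echo $c->handle('deleteUser', array('user_id' => 7, 'role' => 'user')), "\n";
echo $c->handle('deleteUser', array('user_id' => 7, 'role' => 'admin')), "\n";
```

Because the check sits in processAction(), an action added to the controller later is covered without any code of its own. A login action reached through the "login" redirect has to live in a controller that does not extend the checking class, otherwise the redirect never resolves.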

Conclusion

As you can see, Phoebius provides good interfaces for extending and overloading the existing functionality easily. An authorization layer can be added by reusing an existing method of a controller, which leaves you to decide how to implement the actual authorization and session management.

A real-world example

Download a basic application - a simple directory browser - with background AJAX requests and authentication to provide administration features.