Download the PHP package webiny/security without Composer

On this page you can find all versions of the php package webiny/security. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package security

Security Component

The security component is a layer that takes care of the authentication and authorization processes for you.

Install the component

The best way to install the component is using Composer.

For additional versions of the package, visit the Packagist page.

About

Before we go into details, is important that you are familiar with the terms of authorization, authentication and access control, if you are not, please read the following articles:

If you what to know more:

Usage

NOTE: There are 2 ways of accessing your firewalls.

The long way:

And the short way:

The usage of the component is fairly simple:

First you process the user login:

Then you can play around with the authorization methods:

If you wish to logout the user:

Example configuration

This is an example configuration. The next few topics will describe every part of the configuration.

Components

The security layer is actually a set of several components that work and communicate together. The next few sections will go through the components and explain what they do.

Tokens (Security.Tokens)

Tokens are used to encrypt user data and save it into the session or cookie. Using tokens, once the user is authorized, we can do all future authorizations over the token, no need to use any authentication providers, check the database and things like that. Tokens save a lot of processing time.

Every token has two configuration parameters:

Example token definition:

The built-in token driver is using the Crypt component, which is probably satisfying for the most cases. You can also have multiple tokens defined, with different drivers or security key, but you can only use one token per firewall.

By default, you don't need to define a Token, an internal token is automatically set for you. In case of the default token, you just need to define the TokenKey under your firewall:

Encoders (Security.Encoders)

Encoders are services that are responsible for two things, creating a password hash from the provided string and verifying if the submitted password matches the given hash. Encoders do the similar thing like tokens, but tokens do encryption of user data, which can be decrypted, while encoders create hashes, which is not a reversible process, so you cannot get the original string.

The encoder component comes with a default Crypt driver, that uses the built in Crypt component, for hashing and verifying passwords.

The driver requires that you have Crypt service defined. Just provide the name of the service under Params and your encoder is ready.

Example encoder configuration:

To create a custom encoder driver, you need to create a class that implements \Webiny\Component\Security\Encoder\EncoderDriverInterface.

The component also comes with a Plain driver, which doesn't encode passwords, it keeps them in their plain format. You can also set Encoder: false under the Firewall. That will use the Plain driver.

By default you don't need to define an Encoder, an internal encoder is automatically defined for you.

User Providers (Security.UserProviders)

User providers are like a databases from where the Security component queries the users. Each provider consists of 2 parts, a user provider, and the user class itself. The provider part is responsible for loading users based on submitted login credentials, while the user object is responsible for verifying the submitted credentials against the loaded object from the provider.

There are four built-in user providers:

Memory provider

The Memory provider gives you the option to define users directly inside your configuration file, and it looks like this:

As you see, you can have multiple memory providers defined. Which one you wish to use, depends on how you define your firewall. You can use both of them, but we'll see more about that later.

NOTE: Make sure that you set Encoder to false on firewalls that are using Memory or some other provider that contains passwords in raw format, that is, where passwords are not encrypted. (NOTE: do not ever do that for production code).

OAuth2 provider

The OAuth2 provider depends on the OAuth2 component and it must be wrapped together with the authentication provider, described in the later topics. Basically, this provider gives you the option to do user authentication using any OAuth2 server, like Facebook, Google, LinkedIn, and many more.

To configure the OAuth2 user provider you just need to set the path to the built-in driver:

TwitterOAuth provider

Unfortunately Twitter doesn't support the version 2 of OAuth protocol, just version 1, so we created a special TwitterOAuth provider. Its configuration is very similar to the OAuth2 user provider.

Entity provider

This provider uses the Entity component which is tied to your database.

Entity parameter points your entity class. Username defines the field name in the collection that holds the username. Password same as the username, just points to the password field. Role points either to the collection field holding the users role, or will be used as the role name, if the field doesn't exist.

Custom user providers

To implement a custom user provider you need to create a class that implements \Webiny\Component\Security\User\UserProviderInterface. And you need to create a user class that extends \Webiny\Component\Security\User\AbstractUser. And that's it, all other details are described inside the interface and the abstract class.

Combining multiple user providers

Each firewall can use one or more user providers. You can combine them how it best fits your needs. We will discuss that in the later topics.

Authentication providers (Security.AuthenticationProviders)

Authentication providers are ways of authenticating users.

This is an example configuration for an authentication provider:

The configuration must have two parameters, the Driver param that defines which class to use to process the authentication, and an optional Params that forwards the different parameters to the driver constructor.

Additional parameters might be required for some other auth providers.

There are also four built-in auth providers:

Http auth provider

This is the basic Http authentication. Driver: \Webiny\Component\Security\Authentication\Providers\Http\Http

Form auth provider

Use this provider when you have a HTML login form for authenticating your users. Driver: \Webiny\Component\Security\Authentication\Providers\Form\Form.

Your HTML form must have these fields:

OAuth2 auth provider

This provider uses the OAuth2 protocol and the OAuth2 component. The supported OAuth2 servers are defined the by the OAuth2 component. Driver: \Webiny\Component\Security\Authentication\Providers\OAuth2\OAuth2

This provider requires a bit more configuration, so here is an example:

Notice the two attributes inside the params section, the Server attribute points to the defined OAuth2 configuration, while Rolesparam defines which roles will be assigned to users that are authenticated by this provider.

TwitterOAuth auth provider

This auth provider is very similar to the OAuth2 auth provider, just this one is designed to work with Twitter OAuth server.

Here is an example configuration:

Firewall (Security.Firewalls)

Firewall is the central component that controls the authentication layer.

You can have multiple sets of firewall. Each firewall consists of following parameters:

Access control

Access control is the central part that handles the authorization. Inside access control you define a set of rules, where each rule consist of a Path and a list of Roles that are required for accessing that path.

If a rule is not matched, the built-in, ROLE_ANONYMOUS, will be returned as the required role to access that path.

Voters

Access control also has internal mechanism called Voters. These are like a jury that can either vote

There are two built-in voters, the AuthenticationVoter that votes based on if user is authenticated or not, and there is a RoleVoter that votes based on if user has the necessary role to access the current area.

The logic behind voters is created so you can extend it and add your own voters. For example you can create a voter that either allows or denies access based on users IP address, like a black-list filter.

To create a custom voter you need to create a class that implements \Webiny\Component\Security\Authorization\Voters\VoterInterface. After that, you need to create a service and tag it with Security.Voter tag.

Decision strategy

Decision strategy is the property that defines how the system will make its ruling, either to allow or deny access, based on the votes for the voters.

There are three different strategies that can be applied:

Role hierarchy (Security.RoleHierarchy)

This component is mostly self-explanatory, it defines the list of available roles and their hierarchy.

Here is an example:

ROLE_USER will have access to all areas that require ROLE_USER, ROLE_EDITOR or ROLE_ANONYMOUS. ROLE_ADMIN will have access to all areas that require ROLE_ADMIN, ROLE_USER, ROLE_EDITOR or ROLE_ANONYMOUS.

Events

The component fires several events that you can subscribe to:

All these events pass an instance of \Webiny\Component\Security\SecurityEvent.

There are also some, user provider specific, events: OAuth2 user provider event:

TwitterOAuth user provider event:

Each of those two events, returns a different class, for OAuth2 it's Webiny\Component\Security\User\Providers\OAuth2\OAuth2Event and for Twitter it's Webiny\Component\Security\User\Providers\TwitterOAuth. Both classes have two methods, one returns an object, containing different user information we manged to get from the OAuth(2) server. The other method returns an instance of the OAuth class, either TwitterOAuth or OAuth2, giving you direct access to the API and the access key.

Using provider short codes

If you only need one instance of user or authentication provider, you can use short codes. With short codes you don't need to define the Driver parameter, and in cases of authentication provider, you don't need to define the auth provider under Security.AuthenticationProviders.

For example, this config can we written in a shorter version:

short version:

The key is that the name of the UserProvider or AuthenticationProvider matches the internal driver name. This is valid only for the internal providers, for custom provider you always need to define the Driver.

Resources

To run unit tests, you need to use the following command:

$ cd path/to/Webiny/Component/Security/
$ composer.phar install
$ phpunit

All versions of security with dependencies

PHP Build Version
Package Version
Requires php Version ^7
webiny/http Version ~1.6
webiny/crypt Version ~1.6
webiny/oauth2 Version ~1.6
webiny/config Version ~1.6
webiny/std-lib Version ~1.6
webiny/event-manager Version ~1.6
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package webiny/security contains the following files

Loading the files please wait ....