Yii Framework Security

Application Security with Yii Framework

Authentication and Authorization

Ilko Kacharov | [email protected]

1. Very good documentation and many examples2. Yii community is growing rapidly, has many free extensions3. Easy approach to develop modules and components4. Model, Controller, Module code generation tool may be used with custom code templates.5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats');

6. It gives great power with strong code controlling, 100% true OOP framework, push-pull MVC7. It is super fast because of the usage of autoloading functions8. Easy configuration in php array, application may be started with different configs.9. Easy to extend / customize, simple code structure

10. Yii Authentication API for multi-channel login, easy to extend, SOAP support11. User Access Control using different schemes like RBAC, ACL12. Web services and console applications can be build as easy as web apps.13. Easy form creation and form validation (client and server side), built-in ajax support14. Easy to setup database connections and database migrations. Query builder or plain queries15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk()

16. Many ready to use web widgets and tools like menus, action tables, calendars, etc.17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/)

18. Multiple plain PHP layouts, templates and partial templates.19. Automatic javascript/css registering and including in the main layout from anywhere20. Friendly with third-party code21. Internationalisation and translations module by module in php arrays, string extraction tool22. Error handling and logging

Advantages of the framework

RPS (requests per second) means how many requests an application written in a framework can process per second and APC stands for Alternative PHP Cache, a caching component used for increase of application performance (in comparison to the same metering with this extension turned off).http://www.yiiframework.com/performance/

Performance

Core Application ComponentsYii predefines a set of core application components to provide features common among Web applications. For example, the request component is used to resolve user requests and provide information such as URL, cookies. By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect.

Below we list the core components that are pre-declared by CWebApplication.

assetManager: CAssetManager - manages the publishing of private asset files.authManager: CAuthManager - manages role-based access control (RBAC).cache: CCache - provides data caching functionality. clientScript: CClientScript - manages client scripts (javascripts and CSS).coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework.db: CDbConnection - provides the database connection. errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions.messages: CPhpMessageSource - provides translated messaged used by Yii application.request: CHttpRequest - provides information related with user requests.securityManager: CSecurityManager - provides security-related services, such as hashing, encryption.session: CHttpSession - provides session-related functionalities.statePersister: CStatePersister - provides global state persistence method.urlManager: CUrlManager - provides URL parsing and creation functionality.user: CWebUser - represents the identity information of the current user.themeManager: CThemeManager - manages themes.

and others...

Application life cycle

The following diagram shows a typical workflow of an Yii application when it is handling a user request:

1. Pre-initializes the application with CApplication::preinit();2. Set up class autoloader and error handling;3. Register core application components;4. Load application configuration;5. Initialize the application with CApplication::init() - Register application behaviors; - Load static application components;6. Raise onBeginRequest event;7. Process the user request: - Resolve the user request; - Create controller; - Run controller;http://www.hooto.com/media/image/view/?id=919&style=full

The following diagram shows the static structure of an Yii app:

Authentication

Authentication is the mechanism whereby systems may securely identify their users.

Authentication systems provide an answers to the questions:

Who is the user?

Is the user really who he/she represents himself to be?

Authorization

Authorization verifies what you have the permissions you need to access an object.

It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the

system.

● Is user X authorized to access resource R?● Is user X authorized to perform operation P?● Is user X authorized to perform operation P on resource R?

Access Control Lists

An access control list (ACL) is a list of permissions attached to an object.

An ACL specifies which users or system processes are granted access to objects, as well as what

operations are allowed on given objects

Role-Based Access Control

Role-based access control (RBAC) is an approach to restricting system access to authorized users.

Three primary rules are defined for RBAC:1. Role assignment: A subject can exercise a permission only if the

subject has selected or been assigned a role.2. Role authorization: A subject's active role must be authorized for the

subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.

3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.

Role-Based Access Control

When defining an RBAC model, the following conventions are useful:● Subject = A person or automated agent● Role = Job function or title which defines an authority level● Permissions = An approval of a mode of access to a resource● Session = A mapping involving S, R and/or P● Subject Assignment● Permission Assignment● Partially ordered Role Hierarchy

Steps to secure an Yii Application

1. Defining Identity Class2. Login and Logout3. Cookie-based Login4. Access Control Filter5. Handling Authorization Result6. Role-Based Access Control7. Configuring Authorization

Manager8. Defining Authorization Hierarchy9. Using Business Rules

Authenticate method in Yii Application

public function authenticate() { $record=User::model()->findByAttributes(array('username'=>$this->username)); if($record===null) $this->errorCode=self::ERROR_USERNAME_INVALID; else if($record->password!==crypt($this->password,$record->password)) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->_id=$record->id; $this->setState('title', $record->title); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }

API, documentation and community

The Definitive Guide to Yii

http://www.yiiframework.com/doc/guide/

GitHub https://github.com/yiisoft/yii/commits/master

Forum http://www.yiiframework.com/forum/

Total Posts: 173,083Total Members: 61,015Active users at time of visit: 320International treads: 20 Languages (incl. BG)

IRC Channel http://www.yiiframework.com/chat/Active users at time of visit: 90

Yii Books http://www.seesawlabs.com/yii-bookhttp://yii.larryullman.com/toc.phphttp://yiicookbook.org/http://packtlib.packtpub.com/library/9781847199584

IDE integrations Integrations with code completion, templates testing and debugging:NetBeansEclipsePhpStormNusphere phpEd

Links

Official website http://www.yiiframework.com/

Definitive Guide to Yii En/Ru http://yiiframework.ru/

Yii API and Class Reference http://www.yiiframework.com/doc/api/

Extensions Library (over 1k) http://www.yiiframework.com/extensions/

Yii General Forum (60k users) http://www.yiiframework.com/forum/

Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf

Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/

References

D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32.

A.C. O'Connor and R.J. Loomis (December 2010) (PDF). Economic Analysis of Role-Based Access Control. Research Triangle Institute.

John Mitchell. "Access Control and Operating System Security"

Michael Clarkson. "Access Control"

Yii is an open source project released under the terms of the BSD License.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this

software without specific prior written permission.

Requirement: PHP 5.1.0 or aboveClevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality."

Installation:Installation of Yii mainly involves the following three steps:

1. Download Yii Framework from yiiframework.com or github repo (newest)2. Unpack the Yii release file to any directory. (ex. /opt/yii/)3. Link your application with the framework source

License and requirements