eZ Components - Authentication, Design
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:Author:   Alexandru Stanoi
:Revision: $Revision: $
:Date:     $Date: $


Introduction
============

Description
-----------

The purpose of the Authentication component is to provide support for different
means of identification and authentication of users using different providers and
protocols.


Design
======

Base classes
------------

ezcAuthentication
  Container for authentication filters. Runs all the specified filters in
  sequence to check if all succeed or if any filter fails.

ezcAuthenticationFilter
  Abstract class which is a base class for all authentication filters. It can
  be extended to create new filters.

ezcAuthenticationCredentials
  A structure which holds basic information to authenticate the user.
  Developers can extend this class to include additional credentials.

ezcAuthenticationSession
  Support for storing authentication information in the session.


Authentication filters
----------------------

A list of supported authentication filters (plug-ins). This list can be
extended by developers or by us in future releases:

ezcAuthenticationGroupFilter
  Container filter for 2 or more filters. Depending on configuration, at least
  one filter needs to succeed in order for the group to succeed, or all filters
  need to succeed in order for the group to succeed.

ezcAuthenticationHtpasswdFilter
  Handles authentication using a htpasswd file. Basic filter and not too secure
  as the htpasswd file can be accessible to someone who has access to the
  server. Should not be employed on critical application. It is used mostly as
  an example.

ezcAuthenticationTokenFilter
  Handles authentication based on a server generated code. Similar to the
  Ticket filter, but the code is not saved in a database, but it is generated
  on every request. One use of such a filter is for CAPTCHA tests, or for
  challenge responses to a server code with a user code (usually banks require
  users to use code calculators).

ezcAuthenticationLdapFilter
  Handles authentication using an LDAP directory.

ezcAuthenticationOpenidFilter
  Handles authentication using the OpenID protocol.

ezcAuthenticationTypekeyFilter
  Handles authentication using the TypeKey protocol.


Extended filters
----------------

A list of supported authentication filters (plug-ins). These filters will be
implemented in a tie-in component as they depend on other components:

ezcAuthenticationDatabaseFilter
  Handles authentication using a database, by specifying the database name,
  user and password to use the database, table name, fields to check and
  whether to use encryption for each field or not.

ezcAuthenticationTicketFilter
  Handles authentication using a token (server generated code). It is basically
  a database filter with only one field, and with deletion of the record after
  authentication. One use of such a filter is for sending confirmation emails
  to the user.


Implementation
==============

ezcAuthentication
-----------------

Container for AuthenticationFilters. Contains these methods:

run()
  Runs through all the filters in their sequence. If all filters succeed, then
  it will return true, otherwise returns false, and the $status property of the
  authentication object will contain the statuses of all filters until that
  moment.

addFilter()
  Adds a filter to the list of authentication filters.

Contains these properties:

status
  A list of the error codes until the current moment (for example
  ezcAuthenticationLdapFilter::STATUS_PASSWORD_INCORRECT).


ezcAuthenticationSession
------------------------

Support for storing authentication information in the session. Uses a specified
key in the session to store if the user is authenticated or not. Cases:

Login by starting a new session
  Authentication will accept the new session and initiate authentication using
  the other defined filters.

Login by using an existing session
  Authentication will check if the existing session is within the expiring
  period (defined by the developer of the application using the session
  options). If the session expired, then it will create a new session (new
  session ID) and initiate authentication using the other defined filters. If
  the session did not expire, then it will grant access bypassing the other
  defined filters.

Login by using another session ID than the one stored
  Probably an attack. It will warn about the conflict, generate a new ID and
  initiate the authentication using the other defined filters.


ezcAuthenticationFilter
-----------------------

Abstract class which is a base class for all authentication filters. It can
be extended to create new filters. It contains these abstract methods:

run()
  Executes the filter authentication. Can return different statuses which are
  used by the ezcAuthentication object to decide if the next filter is needed
  to run or if the authentication process failed at the current filter.


ezcAuthenticationDatabaseFilter
-------------------------------

Implemented in a tie-in component as it depends on the DatabaseSchema and
Database components. Works on an instance of ezcDbInstance. Options to specify
include the table name and the user and password fields names.


ezcAuthenticationTicketFilter
-----------------------------

Extends the ezcAuthenticationDatabaseFilter class. Implemented in a tie-in
component as it depends on the Database and DatabaseSchema components.


ezcAuthenticationTokenFilter
----------------------------

The token will be generated by a random function that the developer specifies.
This filter just compares this token with the token entered by the user, using
a specified function.


Examples
========

Htpasswd authentication
-----------------------

The following example shows how to authenticate against an htpasswd file: ::

    // get $user and $password from POST variables
    $credentials = new ezcAuthenticationPasswordCredentials( $user, $password );
    $authentication = new ezcAuthentication( $credentials );

    $authentication->addFilter( new ezcAuthenticationHtpasswdFilter(
        '/home/root/.htpasswd' ) );

    if ( !$authentication->run() )
    {
        // return the status of the authentication,
        // for example ezcAuthenticationHtpasswdFilter::STATUS_PASSWORD_INCORRECT
        $status = $authentication->getStatus();
    
        // use the returned status to provide the user with a friendly error
        // message, such as "The password you entered is incorect. Please try
        // again.", and don't allow the user to see the protected content.
    }
    else
    {
        // allow the user to see the protected content
    }


Database authentication
-----------------------

The following example shows how to authenticate using a database, and using the
session to cache the authentication between requests: ::

    // get $user and $password from POST variables or from session
    $credentials = new ezcAuthenticationPasswordCredentials( $user, $password );
    $authentication = new ezcAuthentication( $credentials );
    $authentication->session = new ezcAuthenticationSession();

    $db = new ezcAuthenticationDatabaseInfo( ezcDbInstance::get(),
        'users', array( 'user', 'password' ) );
    $authentication->addFilter( new ezcAuthenticationDatabaseFilter( $db ) );

    if ( !$authentication->run() )
    {
        // return the status of the authentication,
        // for example ezcAuthenticationDatabaseFilter::STATUS_PASSWORD_INCORRECT
        $status = $authentication->getStatus();
    
        // use the returned status to provide the user with a friendly error
        // message, such as "The password you entered is incorect. Please try
        // again.", and don't allow the user to see the protected content.
    }
    else
    {
        // allow the user to see the protected content
    }



..
   Local Variables:
   mode: rst
   fill-column: 79
   End:
   vim: et syn=rst tw=79 nocin
