* @link http://www.pradosoft.com/
* @copyright Copyright © 2005-2014 PradoSoft
* @license http://www.pradosoft.com/license/
* @package Prado\Security
*/
namespace Prado\Security;
/**
* Using IUserManager interface
*/
Prado::using('System.Security.IUserManager');
/**
* TAuthManager class
*
* TAuthManager performs user authentication and authorization for a Prado application.
* TAuthManager works together with a {@link IUserManager} module that can be
* specified via the {@link setUserManager UserManager} property.
* If an authorization fails, TAuthManager will try to redirect the client
* browser to a login page that is specified via the {@link setLoginPage LoginPage}.
* To login or logout a user, call {@link login} or {@link logout}, respectively.
*
* The {@link setAuthExpire AuthExpire} property can be used to define the time
* in seconds after which the authentication should expire.
* {@link setAllowAutoLogin AllowAutoLogin} specifies if the login information
* should be stored in a cookie to perform automatic login. Enabling this
* feature will cause that {@link setAuthExpire AuthExpire} has no effect
* since the user will be logged in again on authentication expiration.
*
* To load TAuthManager, configure it in application configuration as follows,
*
*
*
* @author Qiang Xue
* @package Prado\Security
* @since 3.0
*/
class TAuthManager extends TModule
{
/**
* GET variable name for return url
*/
const RETURN_URL_VAR='ReturnUrl';
/**
* @var boolean if the module has been initialized
*/
private $_initialized=false;
/**
* @var IUserManager user manager instance
*/
private $_userManager;
/**
* @var string login page
*/
private $_loginPage;
/**
* @var boolean whether authorization should be skipped
*/
private $_skipAuthorization=false;
/**
* @var string the session var name for storing return URL
*/
private $_returnUrlVarName;
/**
* @var boolean whether to allow auto login (using cookie)
*/
private $_allowAutoLogin=false;
/**
* @var string variable name used to store user session or cookie
*/
private $_userKey;
/**
* @var integer authentication expiration time in seconds. Defaults to zero (no expiration)
*/
private $_authExpire=0;
/**
* Initializes this module.
* This method is required by the IModule interface.
* @param TXmlElement configuration for this module, can be null
* @throws TConfigurationException if user manager does not exist or is not IUserManager
*/
public function init($config)
{
if($this->_userManager===null)
throw new TConfigurationException('authmanager_usermanager_required');
if($this->_returnUrlVarName===null)
$this->_returnUrlVarName=$this->getApplication()->getID().':'.self::RETURN_URL_VAR;
$application=$this->getApplication();
if(is_string($this->_userManager))
{
if(($users=$application->getModule($this->_userManager))===null)
throw new TConfigurationException('authmanager_usermanager_inexistent',$this->_userManager);
if(!($users instanceof IUserManager))
throw new TConfigurationException('authmanager_usermanager_invalid',$this->_userManager);
$this->_userManager=$users;
}
$application->attachEventHandler('OnAuthentication',array($this,'doAuthentication'));
$application->attachEventHandler('OnEndRequest',array($this,'leave'));
$application->attachEventHandler('OnAuthorization',array($this,'doAuthorization'));
$this->_initialized=true;
}
/**
* @return IUserManager user manager instance
*/
public function getUserManager()
{
return $this->_userManager;
}
/**
* @param string|IUserManager the user manager module ID or the user manager object
* @throws TInvalidOperationException if the module has been initialized or the user manager object is not IUserManager
*/
public function setUserManager($provider)
{
if($this->_initialized)
throw new TInvalidOperationException('authmanager_usermanager_unchangeable');
if(!is_string($provider) && !($provider instanceof IUserManager))
throw new TConfigurationException('authmanager_usermanager_invalid',$this->_userManager);
$this->_userManager=$provider;
}
/**
* @return string path of login page should login is required
*/
public function getLoginPage()
{
return $this->_loginPage;
}
/**
* Sets the login page that the client browser will be redirected to if login is needed.
* Login page should be specified in the format of page path.
* @param string path of login page should login is required
* @see TPageService
*/
public function setLoginPage($pagePath)
{
$this->_loginPage=$pagePath;
}
/**
* Performs authentication.
* This is the event handler attached to application's Authentication event.
* Do not call this method directly.
* @param mixed sender of the Authentication event
* @param mixed event parameter
*/
public function doAuthentication($sender,$param)
{
$this->onAuthenticate($param);
$service=$this->getService();
if(($service instanceof TPageService) && $service->getRequestedPagePath()===$this->getLoginPage())
$this->_skipAuthorization=true;
}
/**
* Performs authorization.
* This is the event handler attached to application's Authorization event.
* Do not call this method directly.
* @param mixed sender of the Authorization event
* @param mixed event parameter
*/
public function doAuthorization($sender,$param)
{
if(!$this->_skipAuthorization)
{
$this->onAuthorize($param);
}
}
/**
* Performs login redirect if authorization fails.
* This is the event handler attached to application's EndRequest event.
* Do not call this method directly.
* @param mixed sender of the event
* @param mixed event parameter
*/
public function leave($sender,$param)
{
$application=$this->getApplication();
if($application->getResponse()->getStatusCode()===401)
{
$service=$application->getService();
if($service instanceof TPageService)
{
$returnUrl=$application->getRequest()->getRequestUri();
$this->setReturnUrl($returnUrl);
$url=$service->constructUrl($this->getLoginPage());
$application->getResponse()->redirect($url);
}
}
}
/**
* @return string the name of the session variable storing return URL. It defaults to 'AppID:ReturnUrl'
*/
public function getReturnUrlVarName()
{
return $this->_returnUrlVarName;
}
/**
* @param string the name of the session variable storing return URL.
*/
public function setReturnUrlVarName($value)
{
$this->_returnUrlVarName=$value;
}
/**
* @return string URL that the browser should be redirected to when login succeeds.
*/
public function getReturnUrl()
{
return $this->getSession()->itemAt($this->getReturnUrlVarName());
}
/**
* Sets the URL that the browser should be redirected to when login succeeds.
* @param string the URL to be redirected to.
*/
public function setReturnUrl($value)
{
$this->getSession()->add($this->getReturnUrlVarName(),$value);
}
/**
* @return boolean whether to allow remembering login so that the user logs on automatically next time. Defaults to false.
* @since 3.1.1
*/
public function getAllowAutoLogin()
{
return $this->_allowAutoLogin;
}
/**
* @param boolean whether to allow remembering login so that the user logs on automatically next time. Users have to enable cookie to make use of this feature.
* @since 3.1.1
*/
public function setAllowAutoLogin($value)
{
$this->_allowAutoLogin=TPropertyValue::ensureBoolean($value);
}
/**
* @return integer authentication expiration time in seconds. Defaults to zero (no expiration).
* @since 3.1.3
*/
public function getAuthExpire()
{
return $this->_authExpire;
}
/**
* @param integer authentication expiration time in seconds. Defaults to zero (no expiration).
* @since 3.1.3
*/
public function setAuthExpire($value)
{
$this->_authExpire=TPropertyValue::ensureInteger($value);
}
/**
* Performs the real authentication work.
* An OnAuthenticate event will be raised if there is any handler attached to it.
* If the application already has a non-null user, it will return without further authentication.
* Otherwise, user information will be restored from session data.
* @param mixed parameter to be passed to OnAuthenticate event
* @throws TConfigurationException if session module does not exist.
*/
public function onAuthenticate($param)
{
$application=$this->getApplication();
// restoring user info from session
if(($session=$application->getSession())===null)
throw new TConfigurationException('authmanager_session_required');
$session->open();
$sessionInfo=$session->itemAt($this->getUserKey());
$user=$this->_userManager->getUser(null)->loadFromString($sessionInfo);
// check for authentication expiration
$isAuthExpired = $this->_authExpire>0 && !$user->getIsGuest() &&
($expiretime=$session->itemAt('AuthExpireTime')) && $expiretime