Authentication using Zend_Amf

Kevin Schroeder writes; I forget why, but a few days ago I started doing some digging around with authentication in Zend_Amf_Server. I had figured that I would add an adapter to the Zend_Amf_Server::setAuth() method and that would be it.

But I was wrong.

AMF allows for multiple request bodies to be sent at the same time. Of those there are several “special” types of commands. One of those commands is logging in. What this means is that you don’t need a method that logs someone in for you. Zend_Amf_Server handles authentication separately from your service classes.

Authentication for Zend_Amf_Server will generally use a combination of Zend_Auth and Zend_Acl components. Zend_Auth is used to provide the credential verification while Zend_Acl is used to validate that the current user can access the requested service method. It is actually a relatively trivial task to restrict access to non-logged-in users using the method that I will describe here.

The first step in the process is to create an authentication adapter. It really doesn’t matter what you’re using. What matters is that the adapter returns an identity object with a property called “role”. The built-in ACL handler expects this to be part of the identity object.


class Auth extends Zend_Amf_Auth_Abstract
{
    const LOGGEDIN_ROLE = 'loggedin';

    public function authenticate()
    {
        $identity = new stdClass();
        $result = Zend_Auth_Result::FAILURE;

        // Do a proper login, y'all
        // (strict comparison so non-string credentials are never type-juggled into a match)
        if ($this->_username === 'test' && $this->_password === 'test') {
            $identity->role = self::LOGGEDIN_ROLE;
            $result = Zend_Auth_Result::SUCCESS;
        } else {
            $identity->role = Zend_Amf_Constants::GUEST_ROLE;
        }

        return new Zend_Auth_Result($result, $identity);
    }
}

The Auth class extends Zend_Amf_Auth_Abstract because Flex seems to require username and passwords as being the only mechanism for passing credentials. The abstract class defines a method that hooks in with the special commands and passes the special credentials to the special adapter. Clearly your authentication mechanism should be better than the one that I put in here, but you’ll get the idea. The most important part is adding the role property to the identity object and passing it to the Zend_Auth_Result object.

Then in your gateway you need to add this adapter as well as create a simple ACL.


$server = new Zend_Amf_Server();
$server->addDirectory(realpath(__DIR__.'/../services'));

$acl = new Zend_Acl();
$acl->addRole(Auth::LOGGEDIN_ROLE);
$acl->allow(Auth::LOGGEDIN_ROLE);
$server->setAcl($acl);

$auth = new Auth();
$server->setAuth($auth);

echo $server->handle();

This adds the new Auth role to the ACL and says that it has access to everything. Since there is no place where I allow guest access (denoted by Zend_Amf_Constants::GUEST_ROLE in the adapter) guest requests will be denied.

With just this little bit of code you now have a mechanism that will provide restricted access to all of your service objects.

via Kevin Schroeder’s blog – Zend Technologies.
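A fuller version of the adapter and ACL described above, as an added example that is not Kevin Schroeder's code: it checks credentials against password_hash() values and grants the logged-in role a single service method instead of everything. It assumes Zend Framework 1 with its autoloader and PHP 7 or later; HashedAuth, OrderService, listOrders and the user table are hypothetical names, and the password is constructed sample data.

```php
<?php
// Added example: HashedAuth, OrderService and the user table are hypothetical.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

class HashedAuth extends Zend_Amf_Auth_Abstract
{
    const LOGGEDIN_ROLE = 'loggedin';
    private $users; // username => password_hash() output
    private $dummy; // hash verified when the username is unknown
    public function __construct(array $users)
    {
        $this->users = $users;
        $this->dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function authenticate()
    {
        $identity = new stdClass();
        $identity->role = Zend_Amf_Constants::GUEST_ROLE;
        $fail = new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, $identity);
        // AMF values are typed: accept strings only so nothing is coerced.
        if (!is_string($this->_username) || !is_string($this->_password)) {
            return $fail;
        }
        $known = isset($this->users[$this->_username]);
        // Always verify one hash so timing does not reveal valid usernames.
        $hash = $known ? $this->users[$this->_username] : $this->dummy;
        if (!password_verify($this->_password, $hash) || !$known) {
            return $fail;
        }
        $identity->role = self::LOGGEDIN_ROLE;
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
    }
}

$acl = new Zend_Acl();
$acl->addRole(HashedAuth::LOGGEDIN_ROLE);
$acl->addResource('OrderService');
// Zend_Amf_Server calls isAllowed(role, service class, method name): allow one
// method, and every other OrderService method stays denied by default.
$acl->allow(HashedAuth::LOGGEDIN_ROLE, 'OrderService', 'listOrders');
$server = new Zend_Amf_Server();
$server->addDirectory(realpath(__DIR__ . '/../services')); // holds OrderService
$server->setAcl($acl);
$server->setAuth(new HashedAuth(array(
    'alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
)));
echo $server->handle();
```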

SkinnableTextBase focusManager runtime error popup

writes something that will save you quite a bit of time if you get caught with this runtime error; When you show a popup in Flex in a mobile environment, defined as the style “interactionMode” being set to InteractionMode.TOUCH in this context, that is based on a component that does not implement the mx.managers.IFocusManagerContainer interface, you will receive a runtime error when the user taps the control that is to receive focus.

via Flex 4 Examples.

Flex mobile in the browser

Since Flex 4.5, you have had the ability to develop and export your projects as Android, iOS and PlayBook mobile applications that behave as native ones.

You can also export your Flex mobile project as AIR desktop apps. Just open Flash Builder, open your project and choose Project > Export release build. You can then export a “Signed AIR package for installation on desktop”, which means a classic .air file. Yesterday, a customer wanted to know how to run a Flex mobile application in a desktop web browser. Of course, I answered “Why would you do this?”, and he gave me some good reasons.

His mobile application is connected to a CMS on the backend. Administrators of the application will be able to edit the content of the mobile apps in a web application. Wouldn’t it be nice to get a live preview in the browser? When you think of it, a Flex mobile project exports a SWF, so we should be able to run it as a web app. Of course, all the AIR APIs such as the accelerometer, or the SQLite access would be disabled, but we could have a live preview.

And it’s always a challenge for a mobile developer to demonstrate their work. Usually, they just record and publish a video of their app.

We’ll see in this tutorial how to create a Flex mobile project with Flash Builder 4.5.1, and how to publish it as a classic web application. Just follow these steps:

via Flex mobile in the browser | RIAgora.

File uploads with Adobe Flex and Zend AMF

Leonardo França writes; Zend AMF is an implementation done in PHP to work with the binary communication protocol AMF (Action Message Format) and is part of Zend Framework. I had to implement a system to upload files that was a little different from what is typically used in Flash, and this feature had to be integrated into Zend AMF.
Researching a little on the net, I found a solution that was simpler than I thought, based on that article with a few adjustments.
We begin with our gateway, to be used as the endpoint in Adobe Flex.

<?php
require_once 'Zend/Amf/Server.php';
require_once 'Zend/Amf/Exception.php';
require_once 'br/com/leonardofranca/vo/FileVO.php';
require_once 'br/com/leonardofranca/UploadZendAMF.php';

$server = new Zend_Amf_Server();
// Non-production mode returns exception details to the client; keep it for testing only.
$server->setProduction(false);

$server->setClass('UploadZendAMF');
$server->setClassMap('FileVO',"br.com.leonardofranca.vo.FileVO");

echo($server->handle());
?>

Read more at; File uploads with Adobe Flex and Zend AMF – Workflow: Flash.

Shine MP3 Encoder on Alchemy

Shine (formerly 8hz-MP3) is a simple lightweight C-based MP3 encoder made by LAME developer Gabriel Bouvigne.

Description of Shine on his website:

The goal of this encoder was not quality, but simplicity. I tried to simplify the encoding process as much as possible. So Shine is then a good starting point when a programmer needs a very simple MP3 encoder.

This Alchemy port features:

  • MP3 encoding of mono and stereo WAVs (no time limit)
  • non-blocking encoding for progress status in flash
  • errors automatically sent to flash for easy log/debug

via flash-kikko.

WAVWriter.as

Helper class to write WAV formatted audio files. The class expects audio input data in a byte array with samples represented as floats.

The default compressed code is set to PCM. The class resamples and formats the audio samples according to the class properties. The resampling is geared for performance and not quality; for best quality use sampling rates that divide/multiply into the desired output samplingRate.

For more information about the WAVE file format see: http://ccrma.stanford.edu/courses/422/projects/WaveFormat/

via WAVWriter.as – ghostcat – AS3 library of generic tools

Flex Builder 4.5.x Test Drive for Mobile Tutorials

Here is a very good multi-part tutorial on the ins and outs of mobile client / server development, that adds some quite useful functionality on Android, Apple iOS and BlackBerry mobile devices.

In this Test Drive, you are going to create a Flex mobile application that retrieves, displays, and modifies database records (see Figure 1). A Flex application does not connect directly to a remote database. Instead, you connect it to a data service written in your favorite web language (PHP, ColdFusion, Java, or any other server-side technology). You will build the front-end Flex mobile application; the database and the server-side code to manipulate database records is provided for you as a PHP class, a ColdFusion component, or Java classes.

Figure 1. The Mobile Test Drive application running on a mobile device.

via Adobe Developer Connection.

Data paging with Flex and PHP using Flash Builder 4.5.x

Flash Builder 4.5 has a built-in data paging feature that generates ActionScript code to retrieve data from the database incrementally on demand. For example, suppose your database has thousands of records and you want to fetch only 20 rows at a time and display them in a data grid. When you enable paging for an operation and bind the operation result to a DataGrid control, the first 20 records will be retrieved initially and the next page of records is fetched only when the user requests them—that is, when he or she scrolls the vertical scroll bar of the DataGrid control.

Flash Builder 4.5 lets you enable paging for any type of data service operation including operations on a Remoting service, web service, or HTTP service. This article explains how to enable data paging for a PHP-based Remoting service. After you set up the server environment required for the sample application, you’ll use Flash Builder 4.5 to generate ActionScript service classes and build a Flex application that incrementally retrieves data sets from a database table using the PHP class on the server.

via Adobe Developer Connection.

Encrypt session data in PHP

Zimuel writes; As promised in my last post I present an example of strong cryptography in PHP to secure session data.
This is a very simple implementation that can be used to improve the security of PHP applications, especially in shared environments where different users have access to the same resources. As you know, PHP session data is managed by default using temporary files. In a shared environment a malicious user who is able to access these temporary files can easily read the session data because it is stored in plaintext (the data in a session file is the serialization of the array $_SESSION).
In theory, the session data should be stored in folders that are accessible only by the owner of the web site, but never say never (btw, you can manage the location of the session data using the session_save_path function or changing the session.save_path in the php.ini).

To secure the session data I used strong cryptography to encrypt the content using the mcrypt extension of PHP. I chose the symmetric cipher AES (Rijndael-256) to encrypt the session data and the openssl_random_pseudo_bytes() function to generate a random key of 256 bits.
The idea is to use a cookie variable to store the key that will be used to encrypt the session data. In this way the key is stored only in the client (the browser) and only the client is able to decrypt the session data on the server. Each time we encrypt the session data we regenerate the IV vector in a random way using the mcrypt_create_iv() function. It is very important to generate a unique IV in each encryption. This best practice increases the security of the encryption algorithm.
It’s important to note that this implementation is not secure against session hijacking attacks. If someone is able to capture the cookie variable of a client and has access to the temporary session files on the server, he/she will be able to decrypt the session data. Our goal is to protect session data against attacks on shared environments.

The idea to encrypt the session data is not new, for instance Chris Shiflett proposed an implementation in his book “Essential PHP Security” (O’Reilly, 2006). Shiflett used a $_SERVER variable to store the key used to encrypt the session data. Kevin Schroeder, my colleague at Zend Technologies, implemented a very similar session encryption algorithm extending the Zend_Session class of Zend Framework (you can find it here). In my solution, I used some of the best practices related to strong cryptography to implement a secure session handler.

Below the source code of my implementation:

Full class @ Zimuel’s blog.
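The scheme described above (key held only in a client cookie, fresh random IV on every write), as an added example that is not Zimuel's class: it uses ext/openssl AES-256-CBC in place of mcrypt, which was removed in PHP 7.2, and adds an HMAC-SHA256 check that the post does not mention. The class name, the KEY_ cookie prefix and the HTTPS-only cookie are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Added example: CookieKeySessionHandler and the KEY_ cookie name are hypothetical.
class CookieKeySessionHandler extends SessionHandler
{
    private $encKey;
    private $macKey;

    public function open($path, $name): bool
    {
        // The key material lives only in the client's cookie, never on disk.
        $cookie = 'KEY_' . $name;
        $keys = base64_decode($_COOKIE[$cookie] ?? '', true);
        if ($keys === false || strlen($keys) !== 64) {
            $keys = random_bytes(64); // 256 bits for AES + 256 bits for HMAC
            setcookie($cookie, base64_encode($keys),
                ['path' => '/', 'secure' => true, 'httponly' => true]);
        }
        $this->encKey = substr($keys, 0, 32);
        $this->macKey = substr($keys, 32);
        return parent::open($path, $name);
    }

    public function read($id): string
    {
        $raw = base64_decode((string) parent::read($id), true);
        if ($raw === false || strlen($raw) < 64) { // 32 MAC + 16 IV + 16 data
            return '';
        }
        list($mac, $iv, $ct) = [substr($raw, 0, 32), substr($raw, 32, 16), substr($raw, 48)];
        $expected = hash_hmac('sha256', $iv . $ct, $this->macKey, true);
        if (!hash_equals($expected, $mac)) {
            return ''; // wrong key or modified file: start with an empty session
        }
        $plain = openssl_decrypt($ct, 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, $iv);
        return $plain === false ? '' : $plain;
    }

    public function write($id, $data): bool
    {
        $iv = random_bytes(16); // fresh random IV on every write
        $ct = openssl_encrypt($data, 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, $iv);
        $mac = hash_hmac('sha256', $iv . $ct, $this->macKey, true);
        return parent::write($id, base64_encode($mac . $iv . $ct));
    }
}

session_set_save_handler(new CookieKeySessionHandler(), true);
session_start();
```

A session file read with a missing or different cookie key fails the HMAC check and yields an empty session rather than garbage, so losing the cookie costs the user the session contents but nothing is decrypted with the wrong key.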

XML to JSON in PHP

Zimuel writes; Last Friday, on the occasion of the April Zend Framework Bug-Hunt, I started to look at this bug: ZF-3257. This is an issue related to the Zend_Json class that occurs during the conversion from XML to JSON for some specific XML documents, like this one:

$xml = '<a><b id="foo"/>bar</a>';

The result using Zend_Json::fromXml($xml, false), where false indicated the usage of XML attributes, was:

{"a":{"b":{"@attributes":{"id":"foo"}}}}

As you can see the bar value, of the a element, is not represented in JSON. This issue comes also with other XML documents, and in general when an XML node has a single character data child, any attributes are lost.

For instance, the following code:

$xml = '<a><b id="foo">bar</b></a>';
echo Zend_Json::fromXml($xml, false);

Produced the output:

{"a":{"b":"bar"}}

In this case the attribute id and the value foo are lost.
Find a solution @ Zimuel’s blog.