Message from discussion Help : Use a TRUE web services (external from interface app) as a user provider ?!

Date: Fri, 9 Nov 2012 14:31:47 -0800 (PST)
From: djoos <david.j...@gmail.com>
To: symfony2@googlegroups.com
Subject: Re: Help : Use a TRUE web services (external from interface app) as
 a user provider ?!

Hi Shadowalker,

no worries - thanks for having a glance over the code and for getting back 
to me as well. I probably didn't elaborate our setup enough earlier today...

*"From your code what you're doing seems to be Server 1 and 2 are one and 
only." + "And my first note is this is definitely not what I meant by 
TRUE Web services. Your api is calling an "sso service", true ! But this 
service is actually a bundle that you would import in your client api you 
cannot separate them (or I didn't get your code at all)"*
The SSO API client bundle is just a Symfony2 bundle to facilitate firing 
API requests to the completely decoupled SSO itself (the actual SSO 
application runs on a separate server and is not even a Symfony application 
at the moment!). The SSO API bundle uses cURL (requestcore library, a great 
one for these kinds of purposes) to fire (REST) calls to the SSO, but all 
the rest in the SSO API client bundle is there to facilitate calls to the 
SSO and make it easy for us to fire the calls from our different Symfony 
applications: the functions you can see in the REST/Request.php class, are 
made available to the Symfony2 application via a service, but are nothing 
else but REST calls (verb/subject/body) used to talk to a pure web service.

So, we've got exactly the setup you mentioned:
*"Server 1 holds the Client API"* - yep, Symfony2 application X, using the 
SSO API bundle to facilitate communication (cURL) with the SSO application
*"Server 2 holds the service"* - the SSO application itself

"As for a run through the code, unfortunately the project I'm working on is 
a closed source (at least for now) I can only talk freely about the 
architecture.
Not the content per se."
No problem, I actually meant to run through our code, so to give you a 
better understanding of how we tackled this (imo exactly the same) issue.

Have a great weekend!

Kind regards,
David

On Friday, 9 November 2012 20:02:31 UTC, Shadowalker wrote:
>
> Me again,
> Just took a look at the links you provided.
> And my first note is this is definitely not what I meant by TRUE Web 
> services.
> Your api is calling an "sso service", true ! But this service is actually 
> a bundle that you would import in your client api you cannot separate them 
> (or I didn't get your code at all)
>
> What I meant by TRUE Web service is :
>
> Server 1 holds the Client API
>
> Server 2 holds the service
>
> Call from Server 1 to Server 2 is done through an HTTP request (using CURL 
> most likely) to identify / verify user credentials and return whether it is 
> valid or not. 
> Then, if valid, I would have to jump through some kind of hoops to make 
> that work with the security layer and create my session in the memcache 
> server so that multiple client API could use it.
>
> From your code what you're doing seems to be Server 1 and 2 are one and 
> only.
> And Client API "imports" the service code in order to use its 
> functionalities.
>
> Please don't hesitate to correct me if there's something I didn't get 
> right.
>
> Regards,
> Shadowalker
>
> On Friday, November 9, 2012 12:25:12 PM UTC+1, djoos wrote:
>>
>> Hi Shadowalker,
>>
>> I'm struggling to write it in a short e-mail :-)
>>
>> > However I do not really get how you would configure the "local user" to 
>> only have an id
>> I only persist the SSO id, but merge local and SSO user via a postload 
>> eventlistener. The LocalUser extends the SSOUser class, implementing the 
>> UserInterface (like in the doc) and a custom SSO userinterface (forcing a 
>> setId-method, that's it). All remote data is then also available to the 
>> LocalUser and works quite well - we are still in development phase for this 
>> application - our former symfony 1 application would actually pull down all 
>> data from the SSO locally, but this time round we wanted to do things a lot 
>> cleaner...
>>
>> > *do the real checking of the existence of user on the Web Service side 
>> (SSO)*
>> This is the authentication provider's task:
>> 1) authentication provider
>> In the authentication provider, we check against the SSO and see whether 
>> we can authenticate username/password. Once we got this working, we could 
>> authenticate - but the user wouldn't actually exist in the Symfony2 app as 
>> we don't store the needed user's details locally - this is where a custom 
>> user provider came into play.
>>
>> > *"and also load users in our Symfony2 application" >> not sure I get 
>> what you're saying here... : if the authentication is made on WS side then 
>> users are also on the WS and can't be in the SF2 side*
>> 2) user provider
>> In the user provider we look up the SSO user by username/e-mail address 
>> via the SSO service (API) and then check whether we have a local user with 
>> this SSO id. If not, we create a new local user, which basically "pulls 
>> down"/persists the remote SSO user to the local application.
>>
>> It's quite difficult not to go off on a tangent as there are a lot of 
>> things to keep in mind/watch out for. I think that at some point I need to 
>> make some time to properly clean up the code and create a blog post and 
>> post it on the Symfony docs...
>>
>> Some helpful bundles we put together:
>> https://github.com/escapestudios/EscapeSSOAPIClientBundle (custom API 
>> service - actual working code is not publicly available, we override the 
>> Request.php temporarily)
>> https://github.com/escapestudios/EscapeSSOAuthenticationBundle (custom 
>> authentication provider)
>> https://github.com/escapestudios/EscapeSSOUserBundle (custom user 
>> provider)
>> ...the project I'm working on hasn't been finished yet, but this user 
>> part of the project is for now in "beta"-stage as far as I'm concerned.
>>
>> Where are you based exactly? Perhaps a chat/run through the code might be 
>> helpful for both you and me (questioning of code/fresh ideas/refactoring)!
>>
>> Kind regards,
>> David
>>
>> On Friday, 9 November 2012 10:38:08 UTC, Shadowalker wrote:
>>>
>>> Hi David,
>>> Thanks for the quick reply.
>>>
>>> As for both links you provided, I've already read those in every way 
>>> possible to mankind and there are only examples of a SF2 "service" (not 
>>> really a Web Service)
>>>
>>> Now based on what you're saying the idea you used was basically to do 
>>> the real checking of the existence of user on the Web Service side (SSO) 
>>> which is what I want. However I do not really get how you would configure 
>>> the "local user" to only have an id :
>>>
>>> "and also load users in our Symfony2 application" >> not sure I get what 
>>> you're saying here... : if the authentication is made on WS side then users 
>>> are also on the WS and can't be in the SF2 side...
>>>
>>> As for the "linking", I don't get how you could do this ... Do you still 
>>> use the UserInterface as in the symfony doc : 
>>>
>>> WebserviceUser implements UserInterface
>>>
>>>
>>> Or do you use another way ?
>>>
>>> Cheers.
>>> On Friday, November 9, 2012 11:25:13 AM UTC+1, djoos wrote:
>>>>
>>>> Hi Shadowalker,
>>>>
>>>> we might have been doing something similar to this a couple of months 
>>>> ago...
>>>>
>>>> Good starting points are...
>>>> Custom authentication provider
>>>>
>>>> http://symfony.com/doc/2.0/cookbook/security/custom_authentication_provider.html
>>>>
>>>> Custom user provider
>>>> http://symfony.com/doc/2.0/cookbook/security/custom_provider.html
>>>>
>>>> In our case, we created a service that lets us easily use the API to 
>>>> our (completely external!) single sign-on, while relying on that SSO to 
>>>> authenticate and also load users in our Symfony2 application. Once found we 
>>>> do create a link between our "local user" (=Symfony2 user - the Symfony2 
>>>> user table doesn't contain any SSO data, except for an SSO user id to link 
>>>> things up) and a "SSO user" (=non-Symfony2 SSO application).
>>>>
>>>> Hope this helps!
>>>>
>>>> Kind regards,
>>>> David
>>>>
>>>> On Friday, 9 November 2012 09:54:35 UTC, Shadowalker wrote:
>>>>>
>>>>> Hi all,
>>>>> I'm trying to find a way to use a real web services (not a "service" 
>>>>> that would reside in the same projects / app / server as my interfaces but 
>>>>> on a completely different environment and acts only as an intermediate 
>>>>> between the interface API and the DB) and I can't find anything even 
>>>>> remotely useful on a specific aspect on the whole authentication & 
>>>>> authorization process :
>>>>> How do you configure the security layer to use a web service as the 
>>>>> user provider ?
>>>>>
>>>>> Thanks for any help / leads you could provide.
>>>>>
>>>>> Cheers,
>>>>> Shadowalker.
>>>>>
>>>>
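
The two steps described in this thread (credentials checked by the external SSO, then a local user linked to it only by SSO id), as an added example in plain PHP that is not code from the thread or from the EscapeSSO bundles. It does not use the Symfony interfaces; every class, method and sample account below is hypothetical or constructed, and `FakeSsoClient` stands in for the remote service that a real client would reach over HTTPS.

```php
<?php
// Added example: all names are hypothetical; FakeSsoClient stands in for the remote SSO.
final class SsoUnavailable extends RuntimeException {}

interface SsoClient {
    /** SSO user id when the credentials are valid, null otherwise. */
    public function verify(string $username, string $password): ?int;
    /** Remote profile (with an 'id' key), or null when the user is unknown. */
    public function findByUsername(string $username): ?array;
}

final class FakeSsoClient implements SsoClient {
    public bool $down = false;
    private array $users;
    public function __construct() {
        // Constructed sample account; the password hash never leaves the SSO side.
        $this->users = ['alice' => ['id' => 42, 'email' => 'alice@example.test',
            'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    public function verify(string $username, string $password): ?int {
        $u = $this->lookup($username);
        return ($u !== null && password_verify($password, $u['hash'])) ? $u['id'] : null;
    }
    public function findByUsername(string $username): ?array {
        $u = $this->lookup($username);
        if ($u !== null) { unset($u['hash']); }
        return $u;
    }
    private function lookup(string $username): ?array {
        if ($this->down) { throw new SsoUnavailable('SSO unreachable'); }
        return $this->users[$username] ?? null;
    }
}

/** Local table: one row per SSO id, holding no password and no SSO profile data. */
final class LocalUserStore {
    public array $rows = [];
    public function findOrCreate(int $ssoId): array {
        return $this->rows[$ssoId] ??= ['localId' => count($this->rows) + 1, 'ssoId' => $ssoId];
    }
}

function login(SsoClient $sso, LocalUserStore $store, string $username, string $password): ?array {
    try {
        // 1) authentication provider: the SSO decides whether the credentials are valid
        $ssoId = $sso->verify($username, $password);
        // 2) user provider: fetch the SSO user that the local row will be linked to
        $remote = $ssoId === null ? null : $sso->findByUsername($username);
    } catch (SsoUnavailable $e) {
        return null; // fail closed: no answer from the SSO means no login
    }
    if ($remote === null || $remote['id'] !== $ssoId) {
        return null; // unknown user, wrong password and id mismatch look the same
    }
    return $store->findOrCreate($ssoId) + $remote; // merged view; only the local row is stored
}

$sso = new FakeSsoClient();
$store = new LocalUserStore();
var_dump(login($sso, $store, 'alice', 'correct horse'));
var_dump(login($sso, $store, 'alice', 'wrong password'));
$sso->down = true;
var_dump(login($sso, $store, 'alice', 'correct horse'));
```

In a Symfony2 application the two numbered steps would live in a custom authentication provider and a custom user provider, as in the cookbook pages linked in the thread.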