Kevin Schroeder has a new post to his blog today showing how you can use the Zend_Amf component in your Flex+PHP application to authenticate users with the same authentication structure the rest of the application uses.

I forget why, but a few days ago I started doing some digging around with authentication in Zend_Amf_Server. I had figured that I would add an adapter to the Zend_Amf_Server::setAuth() method and that would be it. But I was wrong.

Zend_Auth is used to validate the login information that's passed along and the Zend_Acl checks to see if they have access. To make this work for a connection from Flex, you need to make an authentication adapter and add it (as well as a basic ACL) into your Zend_Amf_Server call.

In this new post to his blog talks about authentication strategies in Zend Framework applications with the combination of Zend_Acl and Zend_Auth.

I'm going to talk more about ACLs than Auth. Auth is simple, it's the ACL that will trip you up. Since both concepts are coupled together when you're making a login system, I feel it's appropriate to at least touch on Auth. What I want to cover is the ways we can create the ACL object to suit needs based on the scale of the project. I'm going to assume that readers have a passing familiarity with using the Auth and Acl objects and may have even implemented them into projects.

He talks about two things you'd need to consider - scalability (how to define your ACLS: hardcoded, in the navigation object and defined in a database) and working with ACLs in multiple projects.

Rob Allen has a new post to his blog today about the update he's made to his Zend_Auth tutorial, introducing the authentication component of the Zend Framework.

After too many months of neglect, I have completely rewritten my Zend_Auth tutorial so that it is compatible with Zend Framework 1.10! As an experiment, I have written it directly in HTML, rather than PDF as before and cover the login form along with the login controller code required to authenticate a user using a database table. For good measure, I've included logging out and a view helper to show how to access the logged in user's details.

The tutorial walks you through the creation of a users table, an auth controller/form and the code needed to validate the user against in information in the table (as well as how to log them out). You can also download the code as a zip file.

On his blog today Chris Hartjes has a new post about testing your Zend Framework application's functionality that lives behind a Zend_Auth authentication.

The initial problem though was how do I simulate logging in a user so I can see this page, which was protected by authentication using Zend_Auth. So I started my scouring the internet for answers.

I found quite a few examples on how to test a controller, using the $this->dispatch('/path/to/action') method but found that I wasn't getting redirected properly to the post-login page. I was passing proper credentials in and everything. Then finally after deciding to go back to basics and read up on just how to test Zend_Auth. After some swearing a few face-palms, I realized what I had been doing wrong.

He includes the ultimately successful code for the test that uses a "loginUser" method to handle the authentication and ensure that the user is correctly logged in.

On the Zend Developer Zone there's a new tutorial for those using the Zend Framework (and more specifically the Zend_Auth component) on a way that you can prevent identity theft in validating your users.

As I am building my applications, I always try to improve the code I write in some way. Today I thought about the security issues of any PHP application that uses an authenticating system. [...] There is one particular issue that bugged me for some time. The Identity theft - Broken account and session management issue. Why can one so easily still my session id cookie and suddenly gain access to my account in one particular web application?

He shares a class he's developed as a guideline to help your application automatically test to ensure that the information being given by the user is valid. It checks a security level and validates against the user agent and remote IP of the user to ensure they match. These two criteria might not always be the best choices, but it gives you a push in the right direction.

Code is also included to show how to integrate it into your Zend Framework application by loading it into your base controller and using the "hasIdentity" and "hasSecureIdentity" methods to check the user's credentials.

The next ZendCast in the user authentication with the Zend Framework's Zend_Auth has been posted to the ZendCasts.com site today. In this new screencast, they look at how to integrate it with Doctrine to automatically validate users against the information in your databases (following up on this first part of the series).

Here's the second part of my Doctrine / Zend_Auth example. In 15 minutes, we create a logout, login and protected area that's reliant on the ZC_Auth_Adapter adapter we created in last week's video. Notice how there's no code in the IndexController exposing the authentication implementation,

You can grab the code to follow along or build it as he goes. You'll need a copy of Doctrine up and working to keep up, though.

New from the ZendCasts.com site today there's this new screencast looking at the integration of the Zend_Auth_Adapter component of the Zend Framework and the Doctrine ORM library to split out the authentication from the persistence layer.

I've been using Doctrine a lot in my own work, and recently found myself itching to have tighter integration between Zend and Doctrine when it comes to user logins. Luckily, Zend provides a very simple interface with regards to Zend_Auth. This way, it's easy to decouple your persistence layer (in my case Doctrine) from the authentication layer.

He also recommends checking out Palo Verede's look at the same topic. You can watch the screencast here and grab the code for it here.

In a new tutorial posted on his blog today Giorgio Sironi looks at the Zend_Auth component of the Zend Framework and how to create a simple login authentication method with it.

Zend_Auth is the component of the Zend Framework which provides a standard authentication mechanism for web applications users. It has few dependencies (on Zend_Loader and on Zend_Session for default persistence of the authentication) and, as other framework components, will let you concentrate on the user experience instead of worrying about boilerplate code.

He talks about how Zend_Auth handles properties internally and how it can make it easier to build out those redundant bits of so many applications you've worked with. He also includes a custom adapter that can directly use PDO to connect to the database and grab the login information it needs (to remove a dependency on Zend_Db).

Christian Stocker has posted an adapter he's created to hook the Zend_Auth component of the Zend Framework into Twitter's authentication system.

From time to time I write some little scripts for my own needs or just to test out new stuff. And I realised, that I blog about it way too little. So here I start with my latest addition: Zend_Auth_Adapter_Twitter. [...] I came up with a Zend_Auth Adapter for Twitter. The integration was pretty easy, but the code is very basic and rough. Nevertheless, it does the job and alongside the Openid Adapter I can offer a federated login for many people already.

You can grab the code and an example of it in action from their SVN server (as well as this library) or just check out the live demo.

Adam Jensen has written up a new article today on how you can use the Zend_Auth component of the Zend Framework to authenticate your users in a few different ways based on a strategy selected.

For this example, we're going to allow our users to authenticate in one of multiple ways: e.g., against a database table, against an LDAP server, or by OpenID [1]. Zend_Auth already provides the necessary authentication adapters, so what we'll be concerned with here is how to implement all three systems without ending up in an FSUC situation.

He defines the code for the basic controller and a simple view that allows the user to select how they want to log in - email/password, username/password or OpenID. The model does all of the heavy lifting by letting the controller set the authentication type (strategy) and pulling in the correct Zend_Form instance along with its validation rules. Code is also included for the model and each of these.