jonathonwalz/shibboleth-bundle
最新稳定版本:v1.1.1
Composer 安装命令:
composer require jonathonwalz/shibboleth-bundle
包简介
Symfony2 authentication provider for Shibboleth
README 文档
README
This bundle adds a shibboleth authentication provider for your Symfony2 project.
Requirements
- [PHP][@php] 5.3.3 and up.
- [Symfony 2.1][@symfony]
Installation
ShibbolethBundle is composer-friendly.
1. Add ShibbolethBundle in your composer.json
"require": { ... "kuleuven/shibboleth-bundle": "dev-master" ... }, "repositories": [ { "type": "vcs", "url": "git@github.com:rmoreas/ShibbolethBundle.git" } ],
Now tell composer to download the bundle by running the command:
php composer.phar update kuleuven/shibboleth-bundle
Composer will install the bundle to your project's vendor/kuleuven directory..
2. Enable the bundle
Instantiate the bundle in your kernel:
// app/AppKernel.php <?php // ... public function registerBundles() { $bundles = array( // ... new KULeuven\ShibbolethBundle\ShibbolethBundle(), ); }
Configuration
1. Enable lazy shibboleth autentication in Apache
Add following lines to the .htaccess file in your projects web folder
# web/.htaccess AuthType shibboleth ShibRequireSession Off ShibUseHeaders On require shibboleth
2. Setup authentication firewall
# app/config/security.yml security: firewalls: secured_area: pattern: ^/secured shibboleth: ~ logout: path: /secured/logout target: / success_handler: security.logout.handler.shibboleth
3. Shibboleth configuration
Possible configuration parameters are:
# app/config/config.yml shibboleth: handler_path: /Shibboleth.sso secured_handler: true session_initiator_path: /Login username_attribute: Shib-Person-uid use_headers: true
The above listed configuration values are the default values. To use the defaults, simply use the following line in your config:
# app/config/config.yml shibboleth: ~
Available Shibboleth attributes
By default, the bundle exposes several Shibboleth attributes through the user token, ShibbolethUserToken. The token provides specific accessors for most of the attributes, as well as the generic accessors getAttribute, getArrayAttribute and hasAttributeValue. Each attribute is internally identified by an alias, which serves as argument to the aforementioned methods. The following table lists the Shibboleth attributes available (when provided) through the user token:
| Attribute | Alias |
|---|---|
| Shib-Person-uid | uid |
| Shib-Person-commonName | cn |
| Shib-Person-surname | sn |
| Shib-Person-givenName | givenName |
| Shib-Person-mail | |
| Shib-Person-ou | ou |
| Shib-Person-telephoneNumber | telephoneNumber |
| Shib-Person-facsimileTelephoneNumber | facsimileTelephoneNumber |
| Shib-Person-mobile | mobile |
| Shib-Person-postalAddress | postalAddress |
| Shib-EP-UnscopedAffiliation | affiliation |
| Shib-EP-Scopedaffiliation | scopedAffiliation |
| Shib-EP-OrgunitDN | orgUnitDN |
| Shib-EP-OrgDN | orgDN |
| Shib-logoutURL | logoutURL |
| Shib-Identity-Provider | identityProvider |
| Shib-Origin-Site | originSite |
| Shib-Authentication-Instant | authenticationInstant |
| Shib-KUL-employeeType | employeeType |
| Shib-KUL-studentType | studentType |
| Shib-KUL-primouNumber | primouNumber |
| Shib-KUL-ouNumber | ouNumber |
| Shib-KUL-dipl | dipl |
| Shib-KUL-opl | opl |
| Shib-KUL-campus | campus |
If for some reason you want to pass additional attributes (for example custom attributes), you can configure them this way:
# app/config/config.yml shibboleth: # ... attribute_definitions: foo: # the attribute alias header: shib-acme-foo # the attribute name bar: header: shib-acme-bar multivalue: true # attribute contains multiple values (default is false, i.e. attribute is scalar)
The key containing the configuration of each attribute will be its alias. That means the value(s) of the shib-acme-foo and shib-acme-bar attributes can be retrieved with:
$foo = $token->getAttribute('foo'); $bars = $token->getArrayAttribute('bar'); // returns an array containing the multiple values
User Provider
This bundle doesn't include any User Provider, but you can implement your own.
If you store users in a database, they can be created on the fly when a users logs on for the first time on your application. Your UserProvider needs to implement the KULeuven\ShibbolethBundle\Security\ShibbolethUserProviderInterface interface.
Example
This example uses Propel ORM to store users.
<?php namespace YourProjectNamespace\Security; use YourProjectNamespace\Model\User; use YourProjectNamespace\Model\UserQuery; use KULeuven\ShibbolethBundle\Security\ShibbolethUserProviderInterface; use KULeuven\ShibbolethBundle\Security\ShibbolethUserToken; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\User\UserProviderInterface; use Symfony\Component\Security\Core\User\UserInterface; use Symfony\Component\Security\Core\Exception\UsernameNotFoundException; use Symfony\Component\Security\Core\Exception\UnsupportedUserException; class UserProvider implements ShibbolethUserProviderInterface { public function loadUserByUsername($username) { $user = UserQuery::create()->findOneByUsername($username); if($user){ return $user; } else{ throw new UsernameNotFoundException("User ".$username. " not found."); } } public function createUser(ShibbolethUserToken $token){ // Create user object using shibboleth attributes stored in the token. // $user = new User(); $user->setUid($token->getUsername()); $user->setSurname($token->getSurname()); $user->setGivenName($token->getGivenName()); $user->setMail($token->getMail()); // If you like, you can also add default roles to the user based on shibboleth attributes. E.g.: if ($token->isStudent()) $user->addRole('ROLE_STUDENT'); elseif ($token->isStaff()) $user->addRole('ROLE_STAFF'); else $user->addRole('ROLE_GUEST'); $user->save(); return $user; } public function refreshUser(UserInterface $user) { if (!$user instanceof User) { throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user))); } return $this->loadUserByUsername($user->getUsername()); } public function supportsClass($class) { return $class === 'YourProjectNamespace\Model\User'; } }
jonathonwalz/shibboleth-bundle 适用场景与选型建议
jonathonwalz/shibboleth-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.09k 次下载、GitHub Stars 达 1, 最近一次更新时间为 2015 年 02 月 26 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「Authentication」 「shibboleth」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 jonathonwalz/shibboleth-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 jonathonwalz/shibboleth-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 jonathonwalz/shibboleth-bundle 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)
GraphQL authentication for your headless Craft CMS applications.
Provide a way to secure accesses to all routes of an symfony application.
Laravel middleware to restrict a site or specific routes using HTTP basic authentication
It's a barebone security class written on PHP
Email Toolkit Plugin for CakePHP
统计信息
- 总下载量: 1.09k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 14
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: LGPL-3.0
- 更新时间: 2015-02-26