Zend Framework 3 Tutorial – Chapter 8: Authentication and Authorization

✅ Introduction

Authentication and authorization are crucial for any secure web application. In Zend Framework 3, authentication is typically handled with the Zend\Authentication component, while authorization (permissions and roles) can be managed with custom logic or libraries like Zend\Permissions\Acl.

✅ Key Concepts

  • Authentication: Verifies user identity (login process).
  • Authorization: Controls what authenticated users can do.
  • Zend\Authentication\Adapter\DbTable: Used for verifying users against a database.
  • Zend\Permissions\Acl: Provides a flexible access control list system.

✅ Setting up Authentication

First, create the users table (the role column is what the ACL rules below are keyed on):


CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL,
    role VARCHAR(20) DEFAULT 'user'
);

🔹 Hashing Passwords


// Store $passwordHash in users.password; the plaintext is never written anywhere.
$passwordHash = password_hash('mypassword', PASSWORD_BCRYPT);

✅ Implementing Login with Zend\Authentication


use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Adapter\DbTable\CallbackCheckAdapter as AuthAdapter;

// $dbAdapter is a configured Zend\Db\Adapter\Adapter; $username and
// $password are the values submitted by the login form.
// The callback receives the stored hash first, then the submitted password.
$adapter = new AuthAdapter(
    $dbAdapter,
    'users',
    'username',
    'password',
    function ($hash, $password) {
        return password_verify($password, $hash);
    }
);

$adapter->setIdentity($username);
$adapter->setCredential($password);

$authService = new AuthenticationService();
$result = $authService->authenticate($adapter);

if ($result->isValid()) {
    // Store the user row in the session, omitting the password hash.
    $storage = $authService->getStorage();
    $storage->write($adapter->getResultRowObject(null, 'password'));
    echo "Login successful!";
} else {
    echo "Invalid credentials!";
}
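The login above verifies against whatever hash is in the row, which means hashes created years ago with an older algorithm or a lower bcrypt cost keep working forever. The following is an added example, not part of the tutorial, that extends the same CallbackCheckAdapter flow so that a successful login is also the moment the stored hash is upgraded to the current default (Argon2id where the PHP build has it, bcrypt otherwise). It assumes, as the tutorial does, that $dbAdapter, $username and $password already exist, and it uses Zend\Db\TableGateway\TableGateway to write the new hash back to the users table.

```php
<?php
// Added example (not from the tutorial): verify with CallbackCheckAdapter and
// re-hash the stored credential on login when it predates the current
// password_hash() defaults. Assumes $dbAdapter (Zend\Db\Adapter\Adapter),
// $username and $password are already defined, as in the tutorial.

use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Adapter\DbTable\CallbackCheckAdapter as AuthAdapter;
use Zend\Db\TableGateway\TableGateway;

// Algorithm for new hashes. PASSWORD_ARGON2ID exists on PHP >= 7.3 built
// with libargon2; bcrypt is always available as the fallback.
$algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;

$needsRehash = false;

$adapter = new AuthAdapter(
    $dbAdapter,
    'users',
    'username',
    'password',
    // First argument is the hash from the database, second the submitted
    // password. The closure records whether the hash should be upgraded.
    function ($hash, $password) use ($algo, &$needsRehash) {
        if (!password_verify($password, $hash)) {
            return false;
        }
        // Valid, but hashed with an older algorithm or cost factor?
        $needsRehash = password_needs_rehash($hash, $algo);
        return true;
    }
);

$adapter->setIdentity($username);
$adapter->setCredential($password);

$authService = new AuthenticationService();
$result = $authService->authenticate($adapter);

if ($result->isValid()) {
    if ($needsRehash) {
        // The plaintext is only available right now, so this is the one
        // place the stored hash can be replaced.
        $users = new TableGateway('users', $dbAdapter);
        $users->update(
            ['password' => password_hash($password, $algo)],
            ['username' => $username]
        );
    }
    // Keep the hash out of the session, as in the tutorial.
    $authService->getStorage()->write(
        $adapter->getResultRowObject(null, 'password')
    );
    echo "Login successful!";
} else {
    // Record the failure code (Result::FAILURE_IDENTITY_NOT_FOUND,
    // FAILURE_CREDENTIAL_INVALID, ...) for monitoring, but show the user a
    // single generic message so the response does not reveal which part
    // was wrong.
    error_log('login failure, code ' . $result->getCode());
    echo "Invalid credentials!";
}
```

The closure captures $needsRehash by reference because CallbackCheckAdapter only gives the callback the two credential strings; the update itself is done after authenticate() so that the row is touched only for a login that actually succeeded.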

✅ Checking Authentication Status


if ($authService->hasIdentity()) {
    $user = $authService->getIdentity();
    echo "Logged in as: " . $user->username;
}

✅ Logging Out


$authService->clearIdentity();

✅ Implementing Authorization with ACL


use Zend\Permissions\Acl\Acl;

$acl = new Acl();

// Add roles
$acl->addRole('guest');
$acl->addRole('user', 'guest');
$acl->addRole('admin', 'user');

// Add resources
$acl->addResource('blog');
$acl->addResource('admin');

// Allow/deny rules
$acl->allow('guest', 'blog', 'view');
$acl->allow('user', 'blog', ['view', 'comment']);
$acl->allow('admin');           // admin may do anything, on every resource
$acl->deny('user', 'admin');
// Rules bound to a specific resource are resolved before the global allow
// above, and 'admin' inherits from 'user', so grant admin on this resource
// explicitly; otherwise isAllowed('admin', 'admin') would return false.
$acl->allow('admin', 'admin');

// Checking access
if ($acl->isAllowed('user', 'blog', 'comment')) {
    echo "User can comment!";
}
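An ACL is only useful once every request is checked against it. The following is an added example, not code from the tutorial, showing the ZF3 pattern for that: a listener on MvcEvent::EVENT_DISPATCH in the module class that maps the matched controller to an ACL resource and the action to a privilege, derives the role from the identity written at login (the users.role column, 'guest' when nobody is logged in) and short-circuits dispatch with a 302 or 403 when the check fails. The controller class names, the 'auth' resource for the login controller, the 'login' route name and the fact that AuthenticationService is registered in the service manager under its class name are assumptions. The ACL rules are the ones from this chapter plus an explicit allow for admin on the admin resource, which is needed because resource-specific rules are resolved before the global allow and admin inherits user's deny.

```php
<?php
// Added example (not from the tutorial): a dispatch listener that enforces
// the chapter's ACL for every matched route. Controller class names, the
// 'auth' resource, the 'login' route name and the AuthenticationService
// service key are assumptions for this example.
namespace Application;

use Zend\Authentication\AuthenticationService;
use Zend\Mvc\MvcEvent;
use Zend\Permissions\Acl\Acl;

class Module
{
    public function onBootstrap(MvcEvent $e)
    {
        // Priority 100 runs before the default DispatchListener (priority 1),
        // so the controller is never reached when access is denied.
        $e->getApplication()->getEventManager()
            ->attach(MvcEvent::EVENT_DISPATCH, [$this, 'checkAcl'], 100);
    }

    protected function buildAcl()
    {
        $acl = new Acl();
        $acl->addRole('guest');
        $acl->addRole('user', 'guest');
        $acl->addRole('admin', 'user');
        $acl->addResource('blog');
        $acl->addResource('admin');
        $acl->addResource('auth');          // assumed: login/logout pages

        $acl->allow('guest', 'auth');       // everyone may reach the login form
        $acl->allow('guest', 'blog', 'view');
        $acl->allow('user', 'blog', ['view', 'comment']);
        $acl->allow('admin');
        $acl->deny('user', 'admin');
        // Resource-specific rules win over the global allow above and admin
        // inherits from user, so admin needs its own rule on this resource.
        $acl->allow('admin', 'admin');
        return $acl;
    }

    public function checkAcl(MvcEvent $e)
    {
        $routeMatch = $e->getRouteMatch();
        if (!$routeMatch) {
            return;                         // no route: the 404 path handles it
        }

        // Assumed controller -> resource map. Controllers missing from it are
        // denied to every role (fail closed).
        $resources = [
            'Application\Controller\AuthController'  => 'auth',
            'Application\Controller\BlogController'  => 'blog',
            'Application\Controller\AdminController' => 'admin',
        ];
        $controller = $routeMatch->getParam('controller');
        $privilege  = $routeMatch->getParam('action', 'index');

        // Role comes from the identity stored at login (users.role);
        // anonymous visitors are 'guest'.
        $auth = $e->getApplication()->getServiceManager()
            ->get(AuthenticationService::class);
        $role = $auth->hasIdentity() ? $auth->getIdentity()->role : 'guest';

        $acl = $this->buildAcl();
        if (isset($resources[$controller])
            && $acl->isAllowed($role, $resources[$controller], $privilege)
        ) {
            return;                         // allowed: continue to the controller
        }

        // Denied: returning a Response from a dispatch listener stops
        // dispatch and sends that response.
        $response = $e->getResponse();
        if ($role === 'guest') {
            // Not logged in: redirect to the (assumed) 'login' route.
            $url = $e->getRouter()->assemble([], ['name' => 'login']);
            $response->getHeaders()->addHeaderLine('Location', $url);
            $response->setStatusCode(302);
        } else {
            // Logged in but not permitted: a plain 403, no redirect loop.
            $response->setStatusCode(403);
            $response->setContent('Forbidden');
        }
        return $response;
    }
}
```

Guests are redirected while authenticated users get a 403; collapsing both into a redirect would send a logged-in 'user' who hits /admin back to the login page they have already passed. Building the ACL on every request is fine at this size; for a larger rule set, register it as a service so it is constructed once.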

✅ Best Practices

  • Always hash passwords with BCRYPT or Argon2.
  • Never store plain text passwords.
  • Restrict sensitive routes with middleware or controller guards.
  • Use role-based or permission-based access depending on project needs.

✅ Exercise

  • Create a login form using UserForm with fields: username and password.
  • Integrate Zend\Authentication for login/logout functionality.
  • Add ACL rules for roles: guest, user, admin.
  • Restrict admin dashboard route to only admin users.
