Symfony, Joomla, and user authorization
- June 9th, 2008
I’ve been having this migraine of a headache lately. It’s the result of trying to get a symfony-based web service that requires authentication to hook up with a Joomla web site. I’ve tried using COil’s suggestions, but it still didn’t quite work.
UPDATE 6/10/08: I think I’ve nailed a solution down.
The service was originally designed with its own user table and handled its own authentication. As we developed the application we decided to use Joomla to ease our development load. The problem popped up when the client, not surprisingly, wanted the Joomla site to allow access to the symfony service with Single Sign On. cURL doesn’t quite fit for this, or at least I haven’t had much luck crowbarring it into place. It created its own session cookie jar within the app that I couldn’t effectively pass along to the service.
Right now the plan is to use Joomla’s user authentication mechanisms and its use of database session tracking. When a user authenticates in Joomla I’ll be able to pass a user id to the service that will then connect to the Joomla database and check if the user id is a valid session. If the row exists, the user was correctly authenticated.
Symfony allows me to connect to two databases simultaneously. So I have the service database and a slimmed down model of the Joomla database interface. For the Joomla interface I only used the session table, the users table, and the user_types table in my schema.yml.
I will run everything over SSL and I should be in decent shape.
UPDATE 6/10/08:
I’ve created the connections between my application database and the Joomla database in the databases.yml. That worked out pretty easily.
After logging into the Joomla site, I use the current userid and send that along in the query string to my symfony application. Something like this:
http://example.com/symfony?uid=42
This symfony application resides on the same server, so I could have just used a relative path above. Symfony then queries the jos_sessions table in the Joomla database for the userid of 42. If the entry exists, then the user must be logged in and it’s okay to continue.
There is the potential for a cross-session query: if two users are logged in at the same time and one of them guesses the other’s userid, they could then access that user’s symfony data rather easily. To avoid this I’m considering passing the current Joomla session id to the symfony application. The symfony app can then verify the session id (which is also stored in the jos_sessions table) along with the uid.
Both symfony and the Joomla site are set up to clean up the session on browser exit.
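The uid-only lookup and the session-bound check described in the update above, side by side in PHP. This is an added example, not code from the original post: it uses an in-memory SQLite table in place of the Joomla database, and the column names, the 32-character hex session id format, the guest row with userid 0, and both function names are assumptions.

```php
<?php
// Constructed stand-in for the Joomla session table (in-memory SQLite).
// Table name is from the post; column names and the id format are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jos_sessions (session_id TEXT PRIMARY KEY, userid INTEGER)');
$db->exec("INSERT INTO jos_sessions VALUES
    ('a3f1c09e5b7d4e2288c6d1f0b9a47e35', 42),
    ('0d9e8c7b6a5f4e3d2c1b0a9988776655', 57),
    ('ffeeddccbbaa99887766554433221100', 0)"); // assumed guest row

// Check from the first update: any uid with a session row is accepted,
// so the caller only needs to know or guess a number.
function uidOnlyCheck(PDO $db, $uid): bool
{
    $stmt = $db->prepare('SELECT 1 FROM jos_sessions WHERE userid = :uid');
    $stmt->execute([':uid' => (int) $uid]);
    return $stmt->fetchColumn() !== false;
}

// Session-bound check: look the row up by session id, then require that
// the uid stored in that row is the uid the request claims.
function sessionBoundCheck(PDO $db, $uid, $sessionId): bool
{
    // Reject values that are not shaped like a uid or a session id.
    if (!is_string($sessionId) || !preg_match('/^[a-f0-9]{32}$/', $sessionId)) {
        return false;
    }
    if (!ctype_digit((string) $uid) || (int) $uid === 0) {
        return false; // uid 0 is treated as a guest, never as a login
    }
    $stmt = $db->prepare('SELECT userid FROM jos_sessions WHERE session_id = :sid');
    $stmt->execute([':sid' => $sessionId]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && (int) $stored === (int) $uid;
}

// Constructed requests.
$sessionOf42 = 'a3f1c09e5b7d4e2288c6d1f0b9a47e35';
$sessionOf57 = '0d9e8c7b6a5f4e3d2c1b0a9988776655';
var_dump(uidOnlyCheck($db, '42'));                    // user 57 supplies uid 42, uid-only check
var_dump(sessionBoundCheck($db, '42', $sessionOf57)); // same request with user 57's own session
var_dump(sessionBoundCheck($db, '42', $sessionOf42)); // user 42 with their own session
var_dump(uidOnlyCheck($db, '0'));                     // guest uid against the uid-only check
var_dump(sessionBoundCheck($db, '0', 'ffeeddccbbaa99887766554433221100')); // guest session
```

A session id sent in the query string is also written to web server access logs and browser history, so those need the same protection as the session table.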
Hi Chris
It’s nice to see that someone is writing about this subject, although your site is the only one with anything of any substance.
I wondered, have you considered authenticating symfony users using the Joomla api? I feel this would give a more robust result, and would also probably be easier to implement, than querying the Joomla database directly. In particular, I think the Joomla JAuthentication and JUser classes will be the ones to look at.
http://api.joomla.org/Joomla-Framework/User/JAuthentication.html
http://api.joomla.org/Joomla-Framework/User/JUser.html
I’d be interested to hear your views
Cheers
Hal
I really should revisit this. My work to come up with a solution used Joomla 1.0. The newer 1.5 likely has some advanced features that would allow for easier authentication.