views:

47

answers:

3

I'm not sure how to proceed. I have an idea for a web application(s) but I'm not sure which part to do first. If my application has an authorization and authentication need, do I create that first and then the rest of the program or do I do the other (to me more fun) stuff first and then plug in the user authentication later?

I'm not sure how I plug it in at all. Do I just have an IsRole function (homegrown function) at the top of every page or just above my page module?

if (isRole($user, 'some_role')) {
    // they can see this
}

I am using PHP and CodeIgniter. I know there are several user modules out there, I'm just not sure when to plug them in.

Also, not all use the same methods. One app is an Intranet app, so I will use AD and LDAP. One is personal and will use Facebook and CodeIgniter (I guess Facebook becomes the security monitor, but again, I don't know how or when to put that in my code):

if (isFacebookUser()) {
    // you can play this game
}

Thank you for any help.

+2  A: 

You probably want to start with the program so you can test it out, make sure it works correctly. Then afterwards, design the Authentication system or use someone else's.

To implement the Authentication system, probably the best way is yes, an isRole() function that simply returns true or false whether the user is currently that role. It is simple, straightforward, and if you need multiple isRole() functions like isAdmin(), isMod(), isLogged(), etc., it is very easy to implement.

Another solution would be to make a checkPermissions($permission), where the User has a set of IDs that represent permissions, and then that checks for the specific ID. There are many, many ways to design an Authentication System.

Expanded

Let's say you have a list of IDs. (Add = 1, Edit = 2, Delete = 3). You could store these variables in a string and save it somewhere. (The $_SESSION Variable?) Later on, when you want to see a permission, you just grab the string, and explode it by a delimiter. Then simply check if the permission is in the resulting array. Example:

// User permissions are in a string, delimited by '|'
function has_permission($permission_string, $check_permission)
{
    $permissions = explode("|", $permission_string);

    // Strict comparison: "1" matches only "1", not "1.0" or similar
    return in_array((string) $check_permission, $permissions, true);
}

$string = "1|2";

// This will return false
has_permission($string, "3");

// This will return true
has_permission($string, "1");


For where to place the security, probably the best and most straightforward solution is to put it at the top of the script.

if (is_logged()) {
    echo "Logged In";
} else {
    die("Denied");
}
Chacha102
Thanks. I'm not sure I follow on the last paragraph, though. Do you have a link or could you elaborate?
johnny
I'll expand. Just give me a second.
Chacha102
There you go. I expanded on the last paragraph about an ID based Auth system.
Chacha102
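Taking the answer's ID-based scheme a step further, here is an added example (it is not Chacha102's code) that keeps the "1|2" string in the session exactly as described, but parses it once into a set keyed by permission ID. The lookup then cannot be confused by PHP's loose comparison, malformed tokens are dropped instead of being treated as grants, and a single requirePermission() guard at the top of a page denies by default. The constant names, the session key and the function names are assumptions for the example.

```php
<?php
// Added example, not code from the answer. Permission IDs follow the
// answer's scheme: Add = 1, Edit = 2, Delete = 3 (constant names assumed).
const PERM_ADD    = 1;
const PERM_EDIT   = 2;
const PERM_DELETE = 3;

/**
 * Parse the "1|2" string the answer keeps in $_SESSION into a set of ints.
 * Anything that is not a plain decimal number is ignored, so a corrupted or
 * tampered token can never become a permission.
 */
function parsePermissions(string $stored): array
{
    $set = [];
    foreach (explode('|', $stored) as $token) {
        $token = trim($token);
        if ($token !== '' && preg_match('/^\d+$/', $token) === 1) {
            $set[(int) $token] = true;
        }
    }
    return $set;
}

/** Default deny: only an explicitly granted ID returns true. */
function hasPermission(array $permissionSet, int $permission): bool
{
    return isset($permissionSet[$permission]);
}

/**
 * Guard for the top of a page or controller action. On denial it sends a
 * 403 and stops the script, so nothing below it runs for that user.
 */
function requirePermission(array $permissionSet, int $permission): void
{
    if (!hasPermission($permissionSet, $permission)) {
        http_response_code(403);
        exit('Denied');
    }
}

// Constructed sample session: the user may Add and Edit, but not Delete.
$session = ['permissions' => '1|2|not-a-number|'];
$perms   = parsePermissions($session['permissions']);

assert(hasPermission($perms, PERM_ADD) === true);
assert(hasPermission($perms, PERM_EDIT) === true);
assert(hasPermission($perms, PERM_DELETE) === false);

// Typical use at the top of a delete page: everything after this line is
// only reached by a user who holds PERM_DELETE.
requirePermission($perms, PERM_EDIT);
echo "Edit form goes here\n";
```

The set lookup with isset() is the important difference from an in_array() call without its third argument: in_array() compares loosely unless you pass true, while an integer array key is either present or it is not. Parsing once and passing the resulting set around also keeps the session format (the string) in one place, so changing how permissions are stored later does not touch every page.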
+1  A: 

I would try to centralize this as much as possible, otherwise it could turn out to be spaghetti code real quick. You don't want to have to put code in every page; instead put it in the header file that gets included (you may want to look at the MVC design pattern for ideas there).

The method: validateAccess($user, $page)

Then your unit tests:

test(validateAccess('joe', 'game1'));
test(validateAccess('joe', 'game2'));
test(validateAccess('jill', 'game1'));

validateAccess() could call: validateLDAPAccess(), validateDBAccess(), ...

For that the strategy pattern would work well.

NW Architect
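The centralized validateAccess($user, $page) this answer sketches, with the LDAP and database checks as interchangeable strategies, written out as an added example (not NW Architect's code). The user names, page names and the two in-memory "directories" are constructed sample data standing in for an AD/LDAP query and an ACL table; the interface and class names are assumptions.

```php
<?php
// Added example, not code from the answer. validateAccess() is the single
// entry point a front controller calls before dispatching a page; which
// backend answers the question is a strategy object chosen at configuration
// time, so the call site never changes when the backend does.

interface AccessValidator
{
    /** True only when this source explicitly grants $user access to $page. */
    public function validate(string $user, string $page): bool;
}

/** Intranet case: group membership, as an LDAP/AD memberOf lookup would return it. */
final class LdapAccessValidator implements AccessValidator
{
    // Constructed sample data: page => groups allowed to see it
    private const PAGE_GROUPS = [
        'game1' => ['staff', 'admins'],
        'game2' => ['admins'],
    ];

    // Constructed sample data: user => groups the directory reports
    private const USER_GROUPS = [
        'joe'  => ['staff'],
        'jill' => ['staff', 'admins'],
    ];

    public function validate(string $user, string $page): bool
    {
        // Unknown page or unknown user both fall through to "no groups",
        // which means denied rather than an error path that might be skipped.
        $allowed = self::PAGE_GROUPS[$page] ?? [];
        $groups  = self::USER_GROUPS[$user] ?? [];
        return count(array_intersect($allowed, $groups)) > 0;
    }
}

/** Database case: explicit (user, page) rows in an ACL table. */
final class DbAccessValidator implements AccessValidator
{
    // Constructed sample data standing in for a SELECT on the ACL table
    private const ACL = [
        ['joe', 'game1'],
    ];

    public function validate(string $user, string $page): bool
    {
        // Strict comparison on the whole (user, page) pair
        return in_array([$user, $page], self::ACL, true);
    }
}

/**
 * The one place access decisions are made. Default deny: a validator that
 * throws or a page nobody configured both result in false, never in access.
 */
function validateAccess(string $user, string $page, AccessValidator $validator): bool
{
    try {
        return $validator->validate($user, $page) === true;
    } catch (Throwable $e) {
        return false;
    }
}

// The answer's three "unit tests", run against the LDAP strategy.
$ldap = new LdapAccessValidator();
assert(validateAccess('joe', 'game1', $ldap) === true);
assert(validateAccess('joe', 'game2', $ldap) === false);
assert(validateAccess('jill', 'game1', $ldap) === true);

// Swapping the strategy changes where the answer comes from, not the call site.
$db = new DbAccessValidator();
assert(validateAccess('joe', 'game1', $db) === true);
assert(validateAccess('joe', 'game2', $db) === false);
assert(validateAccess('nobody', 'game1', $db) === false);

echo "all access checks behaved as expected\n";
```

In a CodeIgniter-style layout the front controller (or a hook that runs before every controller) would call validateAccess() once with the current user and the requested route, and only dispatch when it returns true; the Intranet app would be configured with the LDAP strategy and the personal app with whatever wraps its Facebook login, without either app's pages knowing the difference.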
+1  A: 

My advice, FWIW, is to think about it now and do it later. Decide what kind of security restrictions you're likely to need. If most of the restrictions boil down to something simple like "If the user isn't logged in, he can't see any of the pages", don't bother to implement it now at all. When you get closer to deployment you can add the check at the top of every page.

If, however, you need to make a lot of fine-grained decisions about who can see and do what based on whether they're signed in and who they are, then invent a simple predicate system ( isAdmin, isSignedIn, etc. as above) and mock it all out.

+1 ... first, write the actual business logic ... and when you're done, look at your structure, and implement it where it's the most simple ... that way it will be nicely centralized, and maintainable ... whether you'll put it right down into your model, or into your front-end controller, or wherever ... but first you should have an application with its own flow, and then think about how to put access control into that flow ...
back2dos