REST APIs made easy with Symfony2

Samuel Gordalina

May 17, 2013

23k

REST APIs made easy with Symfony2

Samuel Gordalina
https://twitter.com/sgordalina
https://github.com/gordalina
https://gordalina.com

Symfony2 Application for this presentation
https://github.com/gordalina/sample-twitter-api-symfony2

REST is an architecture style for designing networked applications which has gained much traction lately, mainly due to its simplicity and for only requiring HTTP as the communication protocol.

This talk will leverage the extensibility and configurability of Symfony2 to easily create a reusable and testable REST API in minutes. Watch as we cover some real world examples and fill the gap where the abstraction layer falls short in providing the implementation for specific requirements.

We will dive into how data can be serialized & deserialized with little effort as possible whilst supporting different formats, namely JSON & XML. Authentication and Authorization will be visited in order to exemplify the security aspects of a real world API.

Sam will talk about how to document the API without effort and have that documentation generated automatically for end user consumption. Also we will fiddle with a web sandbox for instant access to the API.

Overall, Sam will talk about the different components that are necessary to build an API with ease.

Samuel Gordalina

May 17, 2013

Tweet

More Decks by Samuel Gordalina

See All by Samuel Gordalina

Object Calisthenics - A fresh look on OO Programming

Other Decks in Programming

See All in Programming

#phperkaigi【実録】「PHP_CodeSniffer」で始める快適コードレビューライフ/codereviewlife

Honoの3+1のルーターとそこにつながるPRがプロジェクトにもたらしたもの

Réinventer le composant Console de Symfony

Compose で手に入れた UI の Unit test

実録レガシー Rails アプリ改善ジャーニー / Legacy Rails app improvement journey

Taming a Large Android Project

Babylon.js書籍出版の裏側。ツイートから始まった奇跡の1年を振り返る

積もってく会議メモをどうにかしたかった

Amplify Boostup #2 monorepo 運用による複数プロジェクト開発

prototype大全 / YAPC::Kyoto 2023

NOT A HOTEL AIコンシェルジュ「Kevin」の開発秘話

Elevate User Experience with Background Isolate

Featured

See All Featured

Atom: Resistance is Futile

Robots, Beer and Maslow

Teambox: Starting and Learning

Six Lessons from altMBA

Streamline your AJAX requests with AmplifyJS and jQuery

A designer walks into a library…

pauljervisheath

WebSockets: Embracing the real-time Web

Documentation Writing (for coders)

Practical Orchestrator

Building a Scalable Design System with Sketch

Transcript

REST APIs made
easy with Symfony2
Samuel Gordalina
@sgordalina

View Slide
View Slide
REST
Roy Fielding’s PHD - 2000

View Slide
REST
http://example.com/sgordalina

View Slide
REST
http://example.com/sgordalina
http://example.com/sgordalina/tweets

View Slide
REST
http://example.com/sgordalina
http://example.com/sgordalina/tweets
http://example.com/sgordalina/tweets/42

View Slide
What is needed
•symfony/framework-standard-edition
•friendsofsymfony/rest-bundle
•jms/serializer-bundle
•nelmio/api-doc-bundle

View Slide
CRUD

View Slide
Create
HTTP POST

View Slide
Request
POST /sgordalina/tweets HTTP/1.1
Host: example.com
Content-Type: application/json
{
"body": "the quick brown fox jumped"
}

View Slide
Response
HTTP/1.1 201 Created
Location: http://example.com/sgordalina/tweets/1
Content-Type: application/json
{
"tweet": {
"id": 1,
"body": "the quick brown fox jumped"
}
}

View Slide
// src/Twitter/ApiBundle/Controller/TweetController.php
use FOS\RestBundle\View\View;
public function postAction(Request $request)
{
$tweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($tweet instanceof Tweet === false) {
return View::create(array('errors' => $tweet), 400);
}
$em = $this->getEntityManager();
$em->persist($tweet);
$em->flush();
$url = $this->generateUrl(
'tweet_get',
array('id' => $tweet->getId()),
true
);
$response = new Response();
$response->setStatusCode(201);
$response->headers->set('Location', $url);
return $response;
}

View Slide
// src/Twitter/ApiBundle/Controller/TweetController.php
use FOS\RestBundle\View\View;
public function postAction(Request $request)
{
$tweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($tweet instanceof Tweet === false) {
return View::create(array('errors' => $tweet), 400);
}
$em = $this->getEntityManager();
$em->persist($tweet);
$em->flush();
$url = $this->generateUrl(
'tweet_get',
array('id' => $tweet->getId()),
true
);
$response = new Response();
$response->setStatusCode(201);
$response->headers->set('Location', $url);
return $response;
}

View Slide
// src/Twitter/ApiBundle/Controller/TweetController.php
use FOS\RestBundle\View\View;
public function postAction(Request $request)
{
$tweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($tweet instanceof Tweet === false) {
return View::create(array('errors' => $tweet), 400);
}
$em = $this->getEntityManager();
$em->persist($tweet);
$em->flush();
$url = $this->generateUrl(
'tweet_get',
array('id' => $tweet->getId()),
true
);
$response = new Response();
$response->setStatusCode(201);
$response->headers->set('Location', $url);
return $response;
}

View Slide
// src/Twitter/ApiBundle/Controller/TweetController.php
use FOS\RestBundle\View\View;
public function postAction(Request $request)
{
$tweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($tweet instanceof Tweet === false) {
return View::create(array('errors' => $tweet), 400);
}
$em = $this->getEntityManager();
$em->persist($tweet);
$em->flush();
$url = $this->generateUrl(
'tweet_get',
array('id' => $tweet->getId()),
true
);
$response = new Response();
$response->setStatusCode(201);
$response->headers->set('Location', $url);
return $response;
}

View Slide
// src/Twitter/ApiBundle/Controller/TweetController.php
use FOS\RestBundle\View\View;
public function postAction(Request $request)
{
$tweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($tweet instanceof Tweet === false) {
return View::create(array('errors' => $tweet), 400);
}
$em = $this->getEntityManager();
$em->persist($tweet);
$em->flush();
$url = $this->generateUrl(
'tweet_get',
array('id' => $tweet->getId()),
true
);
$response = new Response();
$response->setStatusCode(201);
$response->headers->set('Location', $url);
return $response;
}

View Slide
// src/Twitter/ApiBundle/Controller/TweetController.php
use FOS\RestBundle\View\View;
public function postAction(Request $request)
{
$tweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($tweet instanceof Tweet === false) {
return View::create(array('errors' => $tweet), 400);
}
$em = $this->getEntityManager();
$em->persist($tweet);
$em->flush();
$url = $this->generateUrl(
'tweet_get',
array('id' => $tweet->getId()),
true
);
$response = new Response();
$response->setStatusCode(201);
$response->headers->set('Location', $url);
return $response;
}

View Slide
// src/Twitter/ApiBundle/Controller/TweetController.php
use FOS\RestBundle\View\View;
public function postAction(Request $request)
{
$tweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($tweet instanceof Tweet === false) {
return View::create(array('errors' => $tweet), 400);
}
$em = $this->getEntityManager();
$em->persist($tweet);
$em->flush();
$url = $this->generateUrl(
'tweet_get',
array('id' => $tweet->getId()),
true
);
$response = new Response();
$response->setStatusCode(201);
$response->headers->set('Location', $url);
return $response;
}

View Slide
# src/Twitter/ApiBundle/Resources/config/routing.yml
tweet_post:
pattern: /tweets
defaults: { _controller:
TwitterApiBundle:Tweet:post, _format: json }
methods: POST

View Slide
Read
HTTP GET

View Slide
Request
GET /sgordalina/tweets/1 HTTP/1.1
Host: example.com

View Slide
Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"tweet": {
"id": 1,
"body": "the quick brown fox jumped"
}
}

View Slide
Implementation
public function getAction(Tweet $tweet)
{
return array('tweet' => $tweet);
}

View Slide
Update
HTTP PUT

View Slide
Request
PUT /sgordalina/tweets/1 HTTP/1.1
Host: example.com
Content-Type: application/json
{
"body": "the quick brown fox died"
}

View Slide
Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"tweet": {
"id": 1,
"body": "the quick brown fox died"
}
}

View Slide
// TweetController.php
public function putAction(
Tweet $tweet,
Request $request
) {
$newTweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($newTweet instanceof Tweet === false) {
return View::create(array(
'errors' => $newTweet
), 400);
}
$tweet->merge($newTweet);
$this->getEntityManager()->flush();
return array('tweet' => $tweet);
}

View Slide
// TweetController.php
public function putAction(
Tweet $tweet,
Request $request
) {
$newTweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($newTweet instanceof Tweet === false) {
return View::create(array(
'errors' => $newTweet
), 400);
}
$tweet->merge($newTweet);
$this->getEntityManager()->flush();
return array('tweet' => $tweet);
}

View Slide
// TweetController.php
public function putAction(
Tweet $tweet,
Request $request
) {
$newTweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($newTweet instanceof Tweet === false) {
return View::create(array(
'errors' => $newTweet
), 400);
}
$tweet->merge($newTweet);
$this->getEntityManager()->flush();
return array('tweet' => $tweet);
}

View Slide
// TweetController.php
public function putAction(
Tweet $tweet,
Request $request
) {
$newTweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($newTweet instanceof Tweet === false) {
return View::create(array(
'errors' => $newTweet
), 400);
}
$tweet->merge($newTweet);
$this->getEntityManager()->flush();
return array('tweet' => $tweet);
}

View Slide
// TweetController.php
public function putAction(
Tweet $tweet,
Request $request
) {
$newTweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($newTweet instanceof Tweet === false) {
return View::create(array(
'errors' => $newTweet
), 400);
}
$tweet->merge($newTweet);
$this->getEntityManager()->flush();
return array('tweet' => $tweet);
}

View Slide
// TweetController.php
public function putAction(
Tweet $tweet,
Request $request
) {
$newTweet = $this->deserialize(
'Twitter\DomainBundle\Entity\Tweet',
$request
);
if ($newTweet instanceof Tweet === false) {
return View::create(array(
'errors' => $newTweet
), 400);
}
$tweet->merge($newTweet);
$this->getEntityManager()->flush();
return array('tweet' => $tweet);
}

View Slide
Delete
HTTP DELETE

View Slide
Request
DELETE /sgordalina/tweets/1 HTTP/1.1
Host: example.com

View Slide
Response
HTTP/1.1 204 No Content

View Slide
use FOS\RestBundle\Controller\Annotations\View as
RestView;
/**
* Delete a Tweet
*
* @RestView(statusCode=204)
*/
public function deleteAction(Tweet $tweet)
{
$em = $this->getDoctrine()->getManager();
$em->remove($tweet);
$em->flush();
}

View Slide
use FOS\RestBundle\Controller\Annotations\View as
RestView;
/**
* Delete a Tweet
*
* @RestView(statusCode=204)
*/
public function deleteAction(Tweet $tweet)
{
$em = $this->getDoctrine()->getManager();
$em->remove($tweet);
$em->flush();
}

View Slide
use FOS\RestBundle\Controller\Annotations\View as
RestView;
/**
* Delete a Tweet
*
* @RestView(statusCode=204)
*/
public function deleteAction(Tweet $tweet)
{
$em = $this->getDoctrine()->getManager();
$em->remove($tweet);
$em->flush();
}

View Slide
Serialization
Because everyone loves JSON

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
*/
class Tweet
{
/**
* @Serializer\Expose
* @Serializer\Type("integer")
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
*/
private $body;
}

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
*/
class Tweet
{
/**
* @Serializer\Expose
* @Serializer\Type("integer")
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
*/
private $body;
}

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
*/
class Tweet
{
/**
* @Serializer\Expose
* @Serializer\Type("integer")
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
*/
private $body;
}

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
*/
class Tweet
{
/**
* @Serializer\Expose
* @Serializer\Type("integer")
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
*/
private $body;
}

View Slide
Serialization
Because someone still uses XML

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
* @Serializer\XmlRoot("tweet")
*/
class Tweet
{
/**
* @var integer
*
* @Serializer\Expose
* @Serializer\Type("integer")
* @Serializer\XmlAttribute
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
* @Serializer\Value
*/
private $body;
}

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
* @Serializer\XmlRoot("tweet")
*/
class Tweet
{
/**
* @var integer
*
* @Serializer\Expose
* @Serializer\Type("integer")
* @Serializer\XmlAttribute
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
* @Serializer\Value
*/
private $body;
}

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
* @Serializer\XmlRoot("tweet")
*/
class Tweet
{
/**
* @var integer
*
* @Serializer\Expose
* @Serializer\Type("integer")
* @Serializer\XmlAttribute
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
* @Serializer\Value
*/
private $body;
}

View Slide
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;
/**
* @Serializer\ExclusionPolicy("all")
* @Serializer\XmlRoot("tweet")
*/
class Tweet
{
/**
* @var integer
*
* @Serializer\Expose
* @Serializer\Type("integer")
* @Serializer\XmlAttribute
*/
private $id;
/**
* @Assert\NotBlank()
* @Serializer\Expose
* @Serializer\Type("string")
* @Serializer\Value
*/
private $body;
}

View Slide
Output

View Slide
Deserialization
With zero effort *

View Slide
protected function deserialize(
$class,
Request $request,
$format = 'json'
) {
$serializer = $this->get('serializer');
$validator = $this->get('validator');
try {
$entity = $serializer->deserialize(
$request->getContent(),
$class,
$format
);
} catch (RuntimeException $e) {
throw new HttpException(400, $e->getMessage());
}
if (count($errors = $validator->validate($entity))) {
return $errors;
}
return $entity;
}

View Slide
protected function deserialize(
$class,
Request $request,
$format = 'json'
) {
$serializer = $this->get('serializer');
$validator = $this->get('validator');
try {
$entity = $serializer->deserialize(
$request->getContent(),
$class,
$format
);
} catch (RuntimeException $e) {
throw new HttpException(400, $e->getMessage());
}
if (count($errors = $validator->validate($entity))) {
return $errors;
}
return $entity;
}

View Slide
protected function deserialize(
$class,
Request $request,
$format = 'json'
) {
$serializer = $this->get('serializer');
$validator = $this->get('validator');
try {
$entity = $serializer->deserialize(
$request->getContent(),
$class,
$format
);
} catch (RuntimeException $e) {
throw new HttpException(400, $e->getMessage());
}
if (count($errors = $validator->validate($entity))) {
return $errors;
}
return $entity;
}

View Slide
protected function deserialize(
$class,
Request $request,
$format = 'json'
) {
$serializer = $this->get('serializer');
$validator = $this->get('validator');
try {
$entity = $serializer->deserialize(
$request->getContent(),
$class,
$format
);
} catch (RuntimeException $e) {
throw new HttpException(400, $e->getMessage());
}
if (count($errors = $validator->validate($entity))) {
return $errors;
}
return $entity;
}

View Slide
protected function deserialize(
$class,
Request $request,
$format = 'json'
) {
$serializer = $this->get('serializer');
$validator = $this->get('validator');
try {
$entity = $serializer->deserialize(
$request->getContent(),
$class,
$format
);
} catch (RuntimeException $e) {
throw new HttpException(400, $e->getMessage());
}
if (count($errors = $validator->validate($entity))) {
return $errors;
}
return $entity;
}

View Slide
protected function deserialize(
$class,
Request $request,
$format = 'json'
) {
$serializer = $this->get('serializer');
$validator = $this->get('validator');
try {
$entity = $serializer->deserialize(
$request->getContent(),
$class,
$format
);
} catch (RuntimeException $e) {
throw new HttpException(400, $e->getMessage());
}
if (count($errors = $validator->validate($entity))) {
return $errors;
}
return $entity;
}

View Slide
Errors
Consumers will thank you

View Slide
Verbosity Matters

View Slide
View Slide
Resource Linking
The web is built on links

View Slide
LINK & UNLINK
On HTTP 1.0

View Slide
Request
LINK /sgordalina/following HTTP/1.1
Host: example.com
Link: ; rel=”friend”

View Slide
Response
HTTP 204 No Content

View Slide
public function followAction(Request $request)
{
if (false === $request->attributes->has('link')) {
throw new HttpException(400, 'Link not provided');
}
$me = $this->getUser();
foreach ($request->attributes->get('link') as $user) {
if (false === $user instanceof User) {
throw new HttpException(404, 'User not found');
}
if (false === $me->isFollowing($user)) {
$me->followUser($user);
}
}
$this->getDoctrine()
->getManager()
->flush();
}

View Slide
public function followAction(Request $request)
{
if (false === $request->attributes->has('link')) {
throw new HttpException(400, 'Link not provided');
}
$me = $this->getUser();
foreach ($request->attributes->get('link') as $user) {
if (false === $user instanceof User) {
throw new HttpException(404, 'User not found');
}
if (false === $me->isFollowing($user)) {
$me->followUser($user);
}
}
$this->getDoctrine()
->getManager()
->flush();
}

View Slide
public function followAction(Request $request)
{
if (false === $request->attributes->has('link')) {
throw new HttpException(400, 'Link not provided');
}
$me = $this->getUser();
foreach ($request->attributes->get('link') as $user) {
if (false === $user instanceof User) {
throw new HttpException(404, 'User not found');
}
if (false === $me->isFollowing($user)) {
$me->followUser($user);
}
}
$this->getDoctrine()
->getManager()
->flush();
}

View Slide
public function followAction(Request $request)
{
if (false === $request->attributes->has('link')) {
throw new HttpException(400, 'Link not provided');
}
$me = $this->getUser();
foreach ($request->attributes->get('link') as $user) {
if (false === $user instanceof User) {
throw new HttpException(404, 'User not found');
}
if (false === $me->isFollowing($user)) {
$me->followUser($user);
}
}
$this->getDoctrine()
->getManager()
->flush();
}

View Slide
public function followAction(Request $request)
{
if (false === $request->attributes->has('link')) {
throw new HttpException(400, 'Link not provided');
}
$me = $this->getUser();
foreach ($request->attributes->get('link') as $user) {
if (false === $user instanceof User) {
throw new HttpException(404, 'User not found');
}
if (false === $me->isFollowing($user)) {
$me->followUser($user);
}
}
$this->getDoctrine()
->getManager()
->flush();
}

View Slide
public function followAction(Request $request)
{
if (false === $request->attributes->has('link')) {
throw new HttpException(400, 'Link not provided');
}
$me = $this->getUser();
foreach ($request->attributes->get('link') as $user) {
if (false === $user instanceof User) {
throw new HttpException(404, 'User not found');
}
if (false === $me->isFollowing($user)) {
$me->followUser($user);
}
}
$this->getDoctrine()
->getManager()
->flush();
}

View Slide
public function followAction(Request $request)
{
if (false === $request->attributes->has('link')) {
throw new HttpException(400, 'Link not provided');
}
$me = $this->getUser();
foreach ($request->attributes->get('link') as $user) {
if (false === $user instanceof User) {
throw new HttpException(404, 'User not found');
}
if (false === $me->isFollowing($user)) {
$me->followUser($user);
}
}
$this->getDoctrine()
->getManager()
->flush();
}

View Slide
API Versioning
Developer’s aspirin

View Slide
API Versioning
•URL Versioning
•HTTP Header
•HATEOAS

View Slide
URL Versioning
•http://example.com/v1/sgordalina/tweets
•http://v1.example.com/sgordalina/tweets

View Slide
HTTP Header

View Slide
HTTP Header
GET /sgordalina/tweets/1 HTTP/1.1
Host: example.com
API-Version: 1.0

View Slide
HATEOAS
GET /sgordalina/tweets/1 HTTP/1.1
Host: example.com
Accept: application/vnd.example.tweet-v1+json

View Slide
Authentication

View Slide
Authentication
•HTTP Basic
•WS-Security
•Secret API Key
•OAuth

View Slide
HTTP Basic
Natively supported by Symfony2

View Slide
HTTP Basic
# app/config/security.yml
security:
providers:
in_memory:
memory:
users:
admin: { password: password }
firewalls:
rest_api:
pattern: /api/.*
stateless: true
http_basic:
provider: in_memory

View Slide
Secret API Key
A common implementation

View Slide
Secret API Key
POST /sgordalina/tweets HTTP/1.1
Host: example.com
Api-Secret-Key: kUYbs72gf83034
{
"body": "the quick brown fox jumped over the espresso"
}

View Slide
WS-Security
Web Services Security

View Slide
WS-Security
•Authentication is sent as an header
•Credentials are hashed in a digest with a
nonce and creation time
•Example cookbook on Symfony 2
documentation (custom authentication
provider)

View Slide
OAuth
Standardized third party authentication

View Slide
OAuth
•Delegate authentication to other services
•HWIOAuthBundle
•Supports many providers
•Integrates with FOSUserBundle

View Slide
Authorization

View Slide
Authorization
•Role based authorization
•ACL based authorization

View Slide
Roles
# app/config/security.yml
security:
providers:
in_memory:
memory:
users:
admin:
password: password
roles: [ 'ROLE_ADMIN' ]
writer:
password: password
roles: [ 'ROLE_WRITER' ]
reader:
password: password
roles: [ 'ROLE_READER' ]
role_hierarchy:
ROLE_READER: ~
ROLE_WRITER: ROLE_READER
ROLE_ADMIN: ROLE_WRITER

View Slide
Roles
use JMS\SecurityExtraBundle\Annotation\PreAuthorize;
/**
* @PreAuthorize("hasRole('ROLE_WRITER')")
*/
public function postBlogPostAction()
{
// application specific logic
}

View Slide
Roles
public function postBlogPostAction()
{
if (false === $this->get('security.context')-
>isGranted('ROLE_ADMIN')) {
throw new HttpException(403, 'Forbidden');
}
// application specific logic
}

View Slide
ACL
public function postBlogPostAction()
{
$blogPost = // application specific logic
$aclProvider = $this->get('security.acl.provider');
$objectIdentity =
ObjectIdentity::fromDomainObject($blogPost);
$userSecurityIdentity =
UserSecurityIdentity::fromAccount($this->getUser);
$acl = $aclProvider->createAcl($objectIdentity);
$acl->insertObjectAce($userSecurityIdentity,
MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
}

View Slide
ACL
public function postBlogPostAction()
{
$blogPost = // application specific logic
$aclProvider = $this->get('security.acl.provider');
$objectIdentity =
ObjectIdentity::fromDomainObject($blogPost);
$userSecurityIdentity =
UserSecurityIdentity::fromAccount($this->getUser);
$acl = $aclProvider->createAcl($objectIdentity);
$acl->insertObjectAce($userSecurityIdentity,
MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
}

View Slide
ACL
public function postBlogPostAction()
{
$blogPost = // application specific logic
$aclProvider = $this->get('security.acl.provider');
$objectIdentity =
ObjectIdentity::fromDomainObject($blogPost);
$userSecurityIdentity =
UserSecurityIdentity::fromAccount($this->getUser);
$acl = $aclProvider->createAcl($objectIdentity);
$acl->insertObjectAce($userSecurityIdentity,
MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
}

View Slide
ACL
public function postBlogPostAction()
{
$blogPost = // application specific logic
$aclProvider = $this->get('security.acl.provider');
$objectIdentity =
ObjectIdentity::fromDomainObject($blogPost);
$userSecurityIdentity =
UserSecurityIdentity::fromAccount($this->getUser);
$acl = $aclProvider->createAcl($objectIdentity);
$acl->insertObjectAce($userSecurityIdentity,
MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
}

View Slide
ACL
use JMS\SecurityExtraBundle\Annotation\PreAuthorize;
/**
* @PreAuthorize("hasPermission(#blogPost, 'VIEW')")
*/
public function getBlogPostAction(Post $blogPost)
{
// application specific logic
}

View Slide
ACL
public function getBlogPostAction(Post $blogPost)
{
if (false === $this->get('security.context')-
>isGranted('VIEW', $blogPost)) {
throw new HttpException(403, 'Forbidden');
}
// application specific logic
}

View Slide
Documentation
It is painful

View Slide
Nelmio ApiDocBundle

View Slide
Inline Documentation
use Nelmio\ApiDocBundle\Annotation\ApiDoc;
/**
* Get a Tweet
*
* **Response Format**
*
* {
* "tweet": {
* "id": 1,
* "body": "the quick brown fox died",
* }
* }
*
* @ApiDoc(
* section="Tweets",
* resource=true,
* statusCodes={
* 200="OK"
* }
* )
*/
public function getAction(Tweet $tweet)
{
return array('tweet' => $tweet);
}

View Slide
Inline Documentation
/**
* Get a Tweet
*
* **Response Format**
*
* {
* "tweet": {
* "id": 1,
* "body": "the quick brown fox died",
* }
* }
*
* @ApiDoc(
* section="Tweets",
* resource=true,
* statusCodes={
* 200="OK"
* }
* )
*/

View Slide
Inline Documentation
/**
* Get a Tweet
*
* **Response Format**
*
* {
* "tweet": {
* "id": 1,
* "body": "the quick brown fox died",
* }
* }
*
* @ApiDoc(
* section="Tweets",
* resource=true,
* statusCodes={
* 200="OK"
* }
* )
*/

View Slide
Inline Documentation
/**
* Get a Tweet
*
* **Response Format**
*
* {
* "tweet": {
* "id": 1,
* "body": "the quick brown fox died",
* }
* }
*
* @ApiDoc(
* section="Tweets",
* resource=true,
* statusCodes={
* 200="OK"
* }
* )
*/

View Slide
Documentation

View Slide
Sandbox

View Slide
Additional Resources
• LinkRequest Listener
• https://gist.github.com/gordalina/5597794
• WSS Authentication Provider
• http://symfony.com/doc/current/cookbook/security/
custom_authentication_provider.html
• Bundles
• https://github.com/FriendsOfSymfony/FOSRestBundle
• https://github.com/nelmio/NelmioApiDocBundle
• https://github.com/schmittjoh/JMSSerializerBundle

View Slide
Thank you!
Samuel Gordalina
@sgordalina
#phpday 2013

View Slide