Slide 1

Slide 1 text

REST APIs made easy with Symfony2 Samuel Gordalina @sgordalina

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

REST Roy Fielding’s PHD - 2000

Slide 4

Slide 4 text

REST http://example.com/sgordalina

Slide 5

Slide 5 text

REST http://example.com/sgordalina http://example.com/sgordalina/tweets

Slide 6

Slide 6 text

REST http://example.com/sgordalina http://example.com/sgordalina/tweets http://example.com/sgordalina/tweets/42

Slide 7

Slide 7 text

What is needed •symfony/framework-standard-edition •friendsofsymfony/rest-bundle •jms/serializer-bundle •nelmio/api-doc-bundle

Slide 8

Slide 8 text

CRUD

Slide 9

Slide 9 text

Create HTTP POST

Slide 10

Slide 10 text

Request POST /sgordalina/tweets HTTP/1.1 Host: example.com Content-Type: application/json { "body": "the quick brown fox jumped" }

Slide 11

Slide 11 text

Response HTTP/1.1 201 Created Location: http://example.com/sgordalina/tweets/1 Content-Type: application/json { "tweet": { "id": 1, "body": "the quick brown fox jumped" } }

Slide 12

Slide 12 text

// src/Twitter/ApiBundle/Controller/TweetController.php use FOS\RestBundle\View\View; public function postAction(Request $request) { $tweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($tweet instanceof Tweet === false) { return View::create(array('errors' => $tweet), 400); } $em = $this->getEntityManager(); $em->persist($tweet); $em->flush(); $url = $this->generateUrl( 'tweet_get', array('id' => $tweet->getId()), true ); $response = new Response(); $response->setStatusCode(201); $response->headers->set('Location', $url); return $response; }

Slide 13

Slide 13 text

// src/Twitter/ApiBundle/Controller/TweetController.php use FOS\RestBundle\View\View; public function postAction(Request $request) { $tweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($tweet instanceof Tweet === false) { return View::create(array('errors' => $tweet), 400); } $em = $this->getEntityManager(); $em->persist($tweet); $em->flush(); $url = $this->generateUrl( 'tweet_get', array('id' => $tweet->getId()), true ); $response = new Response(); $response->setStatusCode(201); $response->headers->set('Location', $url); return $response; }

Slide 14

Slide 14 text

// src/Twitter/ApiBundle/Controller/TweetController.php use FOS\RestBundle\View\View; public function postAction(Request $request) { $tweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($tweet instanceof Tweet === false) { return View::create(array('errors' => $tweet), 400); } $em = $this->getEntityManager(); $em->persist($tweet); $em->flush(); $url = $this->generateUrl( 'tweet_get', array('id' => $tweet->getId()), true ); $response = new Response(); $response->setStatusCode(201); $response->headers->set('Location', $url); return $response; }

Slide 15

Slide 15 text

// src/Twitter/ApiBundle/Controller/TweetController.php use FOS\RestBundle\View\View; public function postAction(Request $request) { $tweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($tweet instanceof Tweet === false) { return View::create(array('errors' => $tweet), 400); } $em = $this->getEntityManager(); $em->persist($tweet); $em->flush(); $url = $this->generateUrl( 'tweet_get', array('id' => $tweet->getId()), true ); $response = new Response(); $response->setStatusCode(201); $response->headers->set('Location', $url); return $response; }

Slide 16

Slide 16 text

// src/Twitter/ApiBundle/Controller/TweetController.php use FOS\RestBundle\View\View; public function postAction(Request $request) { $tweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($tweet instanceof Tweet === false) { return View::create(array('errors' => $tweet), 400); } $em = $this->getEntityManager(); $em->persist($tweet); $em->flush(); $url = $this->generateUrl( 'tweet_get', array('id' => $tweet->getId()), true ); $response = new Response(); $response->setStatusCode(201); $response->headers->set('Location', $url); return $response; }

Slide 17

Slide 17 text

// src/Twitter/ApiBundle/Controller/TweetController.php use FOS\RestBundle\View\View; public function postAction(Request $request) { $tweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($tweet instanceof Tweet === false) { return View::create(array('errors' => $tweet), 400); } $em = $this->getEntityManager(); $em->persist($tweet); $em->flush(); $url = $this->generateUrl( 'tweet_get', array('id' => $tweet->getId()), true ); $response = new Response(); $response->setStatusCode(201); $response->headers->set('Location', $url); return $response; }

Slide 18

Slide 18 text

// src/Twitter/ApiBundle/Controller/TweetController.php use FOS\RestBundle\View\View; public function postAction(Request $request) { $tweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($tweet instanceof Tweet === false) { return View::create(array('errors' => $tweet), 400); } $em = $this->getEntityManager(); $em->persist($tweet); $em->flush(); $url = $this->generateUrl( 'tweet_get', array('id' => $tweet->getId()), true ); $response = new Response(); $response->setStatusCode(201); $response->headers->set('Location', $url); return $response; }

Slide 19

Slide 19 text

# src/Twitter/ApiBundle/Resources/config/routing.yml tweet_post: pattern: /tweets defaults: { _controller: TwitterApiBundle:Tweet:post, _format: json } methods: POST

Slide 20

Slide 20 text

Read HTTP GET

Slide 21

Slide 21 text

Request GET /sgordalina/tweets/1 HTTP/1.1 Host: example.com

Slide 22

Slide 22 text

Response HTTP/1.1 200 OK Content-Type: application/json { "tweet": { "id": 1, "body": "the quick brown fox jumped" } }

Slide 23

Slide 23 text

Implementation public function getAction(Tweet $tweet) { return array('tweet' => $tweet); }

Slide 24

Slide 24 text

Update HTTP PUT

Slide 25

Slide 25 text

Request PUT /sgordalina/tweets/1 HTTP/1.1 Host: example.com Content-Type: application/json { "body": "the quick brown fox died" }

Slide 26

Slide 26 text

Response HTTP/1.1 200 OK Content-Type: application/json { "tweet": { "id": 1, "body": "the quick brown fox died" } }

Slide 27

Slide 27 text

// TweetController.php public function putAction( Tweet $tweet, Request $request ) { $newTweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($newTweet instanceof Tweet === false) { return View::create(array( 'errors' => $newTweet ), 400); } $tweet->merge($newTweet); $this->getEntityManager()->flush(); return array('tweet' => $tweet); }

Slide 28

Slide 28 text

// TweetController.php public function putAction( Tweet $tweet, Request $request ) { $newTweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($newTweet instanceof Tweet === false) { return View::create(array( 'errors' => $newTweet ), 400); } $tweet->merge($newTweet); $this->getEntityManager()->flush(); return array('tweet' => $tweet); }

Slide 29

Slide 29 text

// TweetController.php public function putAction( Tweet $tweet, Request $request ) { $newTweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($newTweet instanceof Tweet === false) { return View::create(array( 'errors' => $newTweet ), 400); } $tweet->merge($newTweet); $this->getEntityManager()->flush(); return array('tweet' => $tweet); }

Slide 30

Slide 30 text

// TweetController.php public function putAction( Tweet $tweet, Request $request ) { $newTweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($newTweet instanceof Tweet === false) { return View::create(array( 'errors' => $newTweet ), 400); } $tweet->merge($newTweet); $this->getEntityManager()->flush(); return array('tweet' => $tweet); }

Slide 31

Slide 31 text

// TweetController.php public function putAction( Tweet $tweet, Request $request ) { $newTweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($newTweet instanceof Tweet === false) { return View::create(array( 'errors' => $newTweet ), 400); } $tweet->merge($newTweet); $this->getEntityManager()->flush(); return array('tweet' => $tweet); }

Slide 32

Slide 32 text

// TweetController.php public function putAction( Tweet $tweet, Request $request ) { $newTweet = $this->deserialize( 'Twitter\DomainBundle\Entity\Tweet', $request ); if ($newTweet instanceof Tweet === false) { return View::create(array( 'errors' => $newTweet ), 400); } $tweet->merge($newTweet); $this->getEntityManager()->flush(); return array('tweet' => $tweet); }

Slide 33

Slide 33 text

Delete HTTP DELETE

Slide 34

Slide 34 text

Request DELETE /sgordalina/tweets/1 HTTP/1.1 Host: example.com

Slide 35

Slide 35 text

Response HTTP/1.1 204 No Content

Slide 36

Slide 36 text

use FOS\RestBundle\Controller\Annotations\View as RestView; /** * Delete a Tweet * * @RestView(statusCode=204) */ public function deleteAction(Tweet $tweet) { $em = $this->getDoctrine()->getManager(); $em->remove($tweet); $em->flush(); }

Slide 37

Slide 37 text

use FOS\RestBundle\Controller\Annotations\View as RestView; /** * Delete a Tweet * * @RestView(statusCode=204) */ public function deleteAction(Tweet $tweet) { $em = $this->getDoctrine()->getManager(); $em->remove($tweet); $em->flush(); }

Slide 38

Slide 38 text

use FOS\RestBundle\Controller\Annotations\View as RestView; /** * Delete a Tweet * * @RestView(statusCode=204) */ public function deleteAction(Tweet $tweet) { $em = $this->getDoctrine()->getManager(); $em->remove($tweet); $em->flush(); }

Slide 39

Slide 39 text

Serialization Because everyone loves JSON

Slide 40

Slide 40 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") */ class Tweet { /** * @Serializer\Expose * @Serializer\Type("integer") */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") */ private $body; }

Slide 41

Slide 41 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") */ class Tweet { /** * @Serializer\Expose * @Serializer\Type("integer") */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") */ private $body; }

Slide 42

Slide 42 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") */ class Tweet { /** * @Serializer\Expose * @Serializer\Type("integer") */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") */ private $body; }

Slide 43

Slide 43 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") */ class Tweet { /** * @Serializer\Expose * @Serializer\Type("integer") */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") */ private $body; }

Slide 44

Slide 44 text

Serialization Because someone still uses XML

Slide 45

Slide 45 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") * @Serializer\XmlRoot("tweet") */ class Tweet { /** * @var integer * * @Serializer\Expose * @Serializer\Type("integer") * @Serializer\XmlAttribute */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") * @Serializer\Value */ private $body; }

Slide 46

Slide 46 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") * @Serializer\XmlRoot("tweet") */ class Tweet { /** * @var integer * * @Serializer\Expose * @Serializer\Type("integer") * @Serializer\XmlAttribute */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") * @Serializer\Value */ private $body; }

Slide 47

Slide 47 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") * @Serializer\XmlRoot("tweet") */ class Tweet { /** * @var integer * * @Serializer\Expose * @Serializer\Type("integer") * @Serializer\XmlAttribute */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") * @Serializer\Value */ private $body; }

Slide 48

Slide 48 text

use Symfony\Component\Validator\Constraints as Assert; use JMS\Serializer\Annotation as Serializer; /** * @Serializer\ExclusionPolicy("all") * @Serializer\XmlRoot("tweet") */ class Tweet { /** * @var integer * * @Serializer\Expose * @Serializer\Type("integer") * @Serializer\XmlAttribute */ private $id; /** * @Assert\NotBlank() * @Serializer\Expose * @Serializer\Type("string") * @Serializer\Value */ private $body; }

Slide 49

Slide 49 text

Output

Slide 50

Slide 50 text

Deserialization With zero effort *

Slide 51

Slide 51 text

protected function deserialize( $class, Request $request, $format = 'json' ) { $serializer = $this->get('serializer'); $validator = $this->get('validator'); try { $entity = $serializer->deserialize( $request->getContent(), $class, $format ); } catch (RuntimeException $e) { throw new HttpException(400, $e->getMessage()); } if (count($errors = $validator->validate($entity))) { return $errors; } return $entity; }

Slide 52

Slide 52 text

protected function deserialize( $class, Request $request, $format = 'json' ) { $serializer = $this->get('serializer'); $validator = $this->get('validator'); try { $entity = $serializer->deserialize( $request->getContent(), $class, $format ); } catch (RuntimeException $e) { throw new HttpException(400, $e->getMessage()); } if (count($errors = $validator->validate($entity))) { return $errors; } return $entity; }

Slide 53

Slide 53 text

protected function deserialize( $class, Request $request, $format = 'json' ) { $serializer = $this->get('serializer'); $validator = $this->get('validator'); try { $entity = $serializer->deserialize( $request->getContent(), $class, $format ); } catch (RuntimeException $e) { throw new HttpException(400, $e->getMessage()); } if (count($errors = $validator->validate($entity))) { return $errors; } return $entity; }

Slide 54

Slide 54 text

protected function deserialize( $class, Request $request, $format = 'json' ) { $serializer = $this->get('serializer'); $validator = $this->get('validator'); try { $entity = $serializer->deserialize( $request->getContent(), $class, $format ); } catch (RuntimeException $e) { throw new HttpException(400, $e->getMessage()); } if (count($errors = $validator->validate($entity))) { return $errors; } return $entity; }

Slide 55

Slide 55 text

protected function deserialize( $class, Request $request, $format = 'json' ) { $serializer = $this->get('serializer'); $validator = $this->get('validator'); try { $entity = $serializer->deserialize( $request->getContent(), $class, $format ); } catch (RuntimeException $e) { throw new HttpException(400, $e->getMessage()); } if (count($errors = $validator->validate($entity))) { return $errors; } return $entity; }

Slide 56

Slide 56 text

protected function deserialize( $class, Request $request, $format = 'json' ) { $serializer = $this->get('serializer'); $validator = $this->get('validator'); try { $entity = $serializer->deserialize( $request->getContent(), $class, $format ); } catch (RuntimeException $e) { throw new HttpException(400, $e->getMessage()); } if (count($errors = $validator->validate($entity))) { return $errors; } return $entity; }

Slide 57

Slide 57 text

Errors Consumers will thank you

Slide 58

Slide 58 text

Verbosity Matters

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

Resource Linking The web is built on links

Slide 61

Slide 61 text

LINK & UNLINK On HTTP 1.0

Slide 62

Slide 62 text

Request LINK /sgordalina/following HTTP/1.1 Host: example.com Link: ; rel=”friend”

Slide 63

Slide 63 text

Response HTTP 204 No Content

Slide 64

Slide 64 text

public function followAction(Request $request) { if (false === $request->attributes->has('link')) { throw new HttpException(400, 'Link not provided'); } $me = $this->getUser(); foreach ($request->attributes->get('link') as $user) { if (false === $user instanceof User) { throw new HttpException(404, 'User not found'); } if (false === $me->isFollowing($user)) { $me->followUser($user); } } $this->getDoctrine() ->getManager() ->flush(); }

Slide 65

Slide 65 text

public function followAction(Request $request) { if (false === $request->attributes->has('link')) { throw new HttpException(400, 'Link not provided'); } $me = $this->getUser(); foreach ($request->attributes->get('link') as $user) { if (false === $user instanceof User) { throw new HttpException(404, 'User not found'); } if (false === $me->isFollowing($user)) { $me->followUser($user); } } $this->getDoctrine() ->getManager() ->flush(); }

Slide 66

Slide 66 text

public function followAction(Request $request) { if (false === $request->attributes->has('link')) { throw new HttpException(400, 'Link not provided'); } $me = $this->getUser(); foreach ($request->attributes->get('link') as $user) { if (false === $user instanceof User) { throw new HttpException(404, 'User not found'); } if (false === $me->isFollowing($user)) { $me->followUser($user); } } $this->getDoctrine() ->getManager() ->flush(); }

Slide 67

Slide 67 text

public function followAction(Request $request) { if (false === $request->attributes->has('link')) { throw new HttpException(400, 'Link not provided'); } $me = $this->getUser(); foreach ($request->attributes->get('link') as $user) { if (false === $user instanceof User) { throw new HttpException(404, 'User not found'); } if (false === $me->isFollowing($user)) { $me->followUser($user); } } $this->getDoctrine() ->getManager() ->flush(); }

Slide 68

Slide 68 text

public function followAction(Request $request) { if (false === $request->attributes->has('link')) { throw new HttpException(400, 'Link not provided'); } $me = $this->getUser(); foreach ($request->attributes->get('link') as $user) { if (false === $user instanceof User) { throw new HttpException(404, 'User not found'); } if (false === $me->isFollowing($user)) { $me->followUser($user); } } $this->getDoctrine() ->getManager() ->flush(); }

Slide 69

Slide 69 text

public function followAction(Request $request) { if (false === $request->attributes->has('link')) { throw new HttpException(400, 'Link not provided'); } $me = $this->getUser(); foreach ($request->attributes->get('link') as $user) { if (false === $user instanceof User) { throw new HttpException(404, 'User not found'); } if (false === $me->isFollowing($user)) { $me->followUser($user); } } $this->getDoctrine() ->getManager() ->flush(); }

Slide 70

Slide 70 text

public function followAction(Request $request) { if (false === $request->attributes->has('link')) { throw new HttpException(400, 'Link not provided'); } $me = $this->getUser(); foreach ($request->attributes->get('link') as $user) { if (false === $user instanceof User) { throw new HttpException(404, 'User not found'); } if (false === $me->isFollowing($user)) { $me->followUser($user); } } $this->getDoctrine() ->getManager() ->flush(); }

Slide 71

Slide 71 text

API Versioning Developer’s aspirin

Slide 72

Slide 72 text

API Versioning •URL Versioning •HTTP Header •HATEOAS

Slide 73

Slide 73 text

URL Versioning •http://example.com/v1/sgordalina/tweets •http://v1.example.com/sgordalina/tweets

Slide 74

Slide 74 text

HTTP Header

Slide 75

Slide 75 text

HTTP Header GET /sgordalina/tweets/1 HTTP/1.1 Host: example.com API-Version: 1.0

Slide 76

Slide 76 text

HATEOAS GET /sgordalina/tweets/1 HTTP/1.1 Host: example.com Accept: application/vnd.example.tweet-v1+json

Slide 77

Slide 77 text

Authentication

Slide 78

Slide 78 text

Authentication •HTTP Basic •WS-Security •Secret API Key •OAuth

Slide 79

Slide 79 text

HTTP Basic Natively supported by Symfony2

Slide 80

Slide 80 text

HTTP Basic # app/config/security.yml security: providers: in_memory: memory: users: admin: { password: password } firewalls: rest_api: pattern: /api/.* stateless: true http_basic: provider: in_memory

Slide 81

Slide 81 text

Secret API Key A common implementation

Slide 82

Slide 82 text

Secret API Key POST /sgordalina/tweets HTTP/1.1 Host: example.com Api-Secret-Key: kUYbs72gf83034 { "body": "the quick brown fox jumped over the espresso" }

Slide 83

Slide 83 text

WS-Security Web Services Security

Slide 84

Slide 84 text

WS-Security •Authentication is sent as an header •Credentials are hashed in a digest with a nonce and creation time •Example cookbook on Symfony 2 documentation (custom authentication provider)

Slide 85

Slide 85 text

OAuth Standardized third party authentication

Slide 86

Slide 86 text

OAuth •Delegate authentication to other services •HWIOAuthBundle •Supports many providers •Integrates with FOSUserBundle

Slide 87

Slide 87 text

Authorization

Slide 88

Slide 88 text

Authorization •Role based authorization •ACL based authorization

Slide 89

Slide 89 text

Roles # app/config/security.yml security: providers: in_memory: memory: users: admin: password: password roles: [ 'ROLE_ADMIN' ] writer: password: password roles: [ 'ROLE_WRITER' ] reader: password: password roles: [ 'ROLE_READER' ] role_hierarchy: ROLE_READER: ~ ROLE_WRITER: ROLE_READER ROLE_ADMIN: ROLE_WRITER

Slide 90

Slide 90 text

Roles use JMS\SecurityExtraBundle\Annotation\PreAuthorize; /** * @PreAuthorize("hasRole('ROLE_WRITER')") */ public function postBlogPostAction() { // application specific logic }

Slide 91

Slide 91 text

Roles public function postBlogPostAction() { if (false === $this->get('security.context')- >isGranted('ROLE_ADMIN')) { throw new HttpException(403, 'Forbidden'); } // application specific logic }

Slide 92

Slide 92 text

ACL public function postBlogPostAction() { $blogPost = // application specific logic $aclProvider = $this->get('security.acl.provider'); $objectIdentity = ObjectIdentity::fromDomainObject($blogPost); $userSecurityIdentity = UserSecurityIdentity::fromAccount($this->getUser); $acl = $aclProvider->createAcl($objectIdentity); $acl->insertObjectAce($userSecurityIdentity, MaskBuilder::MASK_OWNER); $aclProvider->updateAcl($acl); }

Slide 93

Slide 93 text

ACL public function postBlogPostAction() { $blogPost = // application specific logic $aclProvider = $this->get('security.acl.provider'); $objectIdentity = ObjectIdentity::fromDomainObject($blogPost); $userSecurityIdentity = UserSecurityIdentity::fromAccount($this->getUser); $acl = $aclProvider->createAcl($objectIdentity); $acl->insertObjectAce($userSecurityIdentity, MaskBuilder::MASK_OWNER); $aclProvider->updateAcl($acl); }

Slide 94

Slide 94 text

ACL public function postBlogPostAction() { $blogPost = // application specific logic $aclProvider = $this->get('security.acl.provider'); $objectIdentity = ObjectIdentity::fromDomainObject($blogPost); $userSecurityIdentity = UserSecurityIdentity::fromAccount($this->getUser); $acl = $aclProvider->createAcl($objectIdentity); $acl->insertObjectAce($userSecurityIdentity, MaskBuilder::MASK_OWNER); $aclProvider->updateAcl($acl); }

Slide 95

Slide 95 text

ACL public function postBlogPostAction() { $blogPost = // application specific logic $aclProvider = $this->get('security.acl.provider'); $objectIdentity = ObjectIdentity::fromDomainObject($blogPost); $userSecurityIdentity = UserSecurityIdentity::fromAccount($this->getUser); $acl = $aclProvider->createAcl($objectIdentity); $acl->insertObjectAce($userSecurityIdentity, MaskBuilder::MASK_OWNER); $aclProvider->updateAcl($acl); }

Slide 96

Slide 96 text

ACL use JMS\SecurityExtraBundle\Annotation\PreAuthorize; /** * @PreAuthorize("hasPermission(#blogPost, 'VIEW')") */ public function getBlogPostAction(Post $blogPost) { // application specific logic }

Slide 97

Slide 97 text

ACL public function getBlogPostAction(Post $blogPost) { if (false === $this->get('security.context')- >isGranted('VIEW', $blogPost)) { throw new HttpException(403, 'Forbidden'); } // application specific logic }

Slide 98

Slide 98 text

Documentation It is painful

Slide 99

Slide 99 text

Nelmio ApiDocBundle

Slide 100

Slide 100 text

Inline Documentation use Nelmio\ApiDocBundle\Annotation\ApiDoc; /** * Get a Tweet * * **Response Format** * * { * "tweet": { * "id": 1, * "body": "the quick brown fox died", * } * } * * @ApiDoc( * section="Tweets", * resource=true, * statusCodes={ * 200="OK" * } * ) */ public function getAction(Tweet $tweet) { return array('tweet' => $tweet); }

Slide 101

Slide 101 text

Inline Documentation /** * Get a Tweet * * **Response Format** * * { * "tweet": { * "id": 1, * "body": "the quick brown fox died", * } * } * * @ApiDoc( * section="Tweets", * resource=true, * statusCodes={ * 200="OK" * } * ) */

Slide 102

Slide 102 text

Inline Documentation /** * Get a Tweet * * **Response Format** * * { * "tweet": { * "id": 1, * "body": "the quick brown fox died", * } * } * * @ApiDoc( * section="Tweets", * resource=true, * statusCodes={ * 200="OK" * } * ) */

Slide 103

Slide 103 text

Inline Documentation /** * Get a Tweet * * **Response Format** * * { * "tweet": { * "id": 1, * "body": "the quick brown fox died", * } * } * * @ApiDoc( * section="Tweets", * resource=true, * statusCodes={ * 200="OK" * } * ) */

Slide 104

Slide 104 text

Documentation

Slide 105

Slide 105 text

Sandbox

Slide 106

Slide 106 text

Additional Resources • LinkRequest Listener • https://gist.github.com/gordalina/5597794 • WSS Authentication Provider • http://symfony.com/doc/current/cookbook/security/ custom_authentication_provider.html • Bundles • https://github.com/FriendsOfSymfony/FOSRestBundle • https://github.com/nelmio/NelmioApiDocBundle • https://github.com/schmittjoh/JMSSerializerBundle

Slide 107

Slide 107 text

Thank you! Samuel Gordalina @sgordalina #phpday 2013