Planet Drupal

Drupal.org - aggregated feeds in category Planet Drupal

Acquia: Security in the Cloud: Why Open Source is the Best Choice

Thu, 07/05/2015 - 16:37


This is the first of a series of security-related postings, which Acquia will compile into a free ebook. In this entry, we’ll look at the perennial question: Is Open Source software inherently more secure than commercial closed-source software?

Securing applications is an ongoing process. It’s a continuum that requires vigilance.

Application security begins during the requirements analysis stage of the Software Development Lifecycle, and must be nurtured throughout the life of the application to be successful.

With Drupal properly configured and managed, it is as secure and reliable as any enterprise content management tool available. However, a Drupal application must be maintained and enhanced over the course of its existence. Acquia Cloud eases this management and maintenance burden on customers, and substantially reduces the risk that software vulnerabilities, external actors, or poor human choices will compromise the integrity of the application or the organization.

As requirements are gathered for a new project, and both open and closed systems are considered, evaluators often ask, Which solution is more secure?

This is frequently cast as a contest between the ideologies of open and closed source software.

It’s the wrong question. All software is susceptible to errors at every step of the lifecycle: from first release, through patches, and on through end-of-life support, when the provider no longer supports the code.

Repeated professional and academic assessments have demonstrated that coding errors are simply part of software development. The professionalism of closed-source commercial software development, which has continually improved its security reviews and practices, is matched by the professional commitment of open source engineers. The main difference between the two is the visibility of source code to all users.

Because most malicious users take the same approach to probing for and exploiting known vulnerabilities, by trying to enter systems on the Web, source code availability seldom plays an important role in discovering flaws in mistakenly unprotected servers, services, or protocols. Open source code, however, enjoys a greater flexibility and speed-to-solution when a vulnerability is discovered, which we will look at later.

Writing, testing, and shipping perfect code is the impossible dream that falsely creates the impression that some software is inherently more secure than others. All non-trivial software is imperfect, and the hardware it runs on can also carry vulnerabilities. In fact, the likelihood of security vulnerabilities is inherent in any application, because people often make mistakes in development or configuration of an application.

So, when we talk about “computer security,” we must recognize that we’re really talking about human security practices that can fail at any number of user-controlled points. Open source software makes those potential flaws a discussion among a group of coders, reviewers, and security professionals. In closed source software, a potential flaw is often regarded as a secret -- one that may impede the resolution time or increase the risk of a discovered vulnerability.

A race with intruders

At the time a vulnerability is discovered, the clock starts counting down to an increase in attacks against that vulnerability. The closed-source software world depends on “security through obscurity,” the assumption that hiding source code makes it harder to discover vulnerabilities. This means that a newly discovered vulnerability sets off a race between the developer and malicious users: who’s going to patch or exploit that vulnerability first?

The same race happens in the open-source software field, but there are many more people familiar with the open source code, so the dynamics are very different. Sometimes projects even collaborate with each other to increase the number of developers working on the same fix, as was the case in August, 2014 for the XML-RPC Denial of Service affecting both WordPress and Drupal.

By comparison, in proprietary software only the commercial software company’s employees can work to fix an error in the closed code.

Indeed, many commercial software security vulnerabilities are discovered by outside consultants and security professionals, who inform the company that built the application. These outside discoverers may bring a solution to the problem along with their vulnerability report, but ultimately the vulnerability will only be patched when the company decides to respond, when it is able.

In some situations, this vulnerability becomes an open secret held closely by an ever-expanding circle of people in the know, all hoping the Bad Guys don’t find out before they deliver a patch. By contrast, commercial companies with a vested interest in the security and capabilities of certain open source systems are now frequently joining together to fund development or security remediations out in the open. Thus, open source actually adds another dimension of security through this community approach to development: it provides a constructive outlet for coders whose passion is searching for vulnerabilities.

Open source software allows many hands to work towards the mission of identifying and fixing vulnerabilities. The same race to patch a vulnerability exists, but the open source community has a more distributed approach to responding to a known issue. This is generally understood to be an advantage. In a 2009 University of Washington paper, Is Open Source Software More Secure?, researchers, including a Microsoft contributor, concluded:

“...Open source does not pose any significant barriers to security, but rather reinforces sound security practices by involving many people that expose bugs quickly, and offers side-effects that provide customers and the community with concrete examples of reusable, secure, and working code.”

It’s worth mentioning, by the way, that in late 2014 Microsoft itself, once the paragon of the closed software model, announced that it will make its server-side .NET stack and core runtime frameworks available as open source code. Acquia’s Christopher Stone said it was the software equivalent of the falling of the Berlin Wall.

So the real operational security challenges come after a vulnerability is discovered, in the time between a patch becoming available and the time that customers patch their software. Most successful attacks occur in that window. Any system left unpatched is likely to be targeted at some point.

This is why Acquia Cloud's managed platform includes patching and maintaining of all server components, prepares security updates for their customers with Remote Administration, and recommends security best practices and configuration hardening for Drupal applications.

With Acquia, customers can count on rapid responses to vulnerabilities and a quick delivery of patches when available.

The intractable problems in computer security remain: open or closed, people write imperfect code; many are lazy about patching or upgrading to the latest version to close newly discovered vulnerabilities.

The challenge is bigger than open source versus closed software.

That’s why we’re confident that the Acquia approach is the best hybrid response to the threat of imperfect software. We leverage professional practice, the open source community, and a tightly managed continuous-deployment workflow to quickly patch vulnerabilities on our platform, while providing the tools to customers to stay up to date with regards to patching their Drupal applications.

We’ll get into the details of Acquia’s approach to patch management in one of our next posts.

Tags:  acquia drupal planet
Categories: Elsewhere

Forum One: To the Pattern Lab! Collaboration Using Modular Design Principles

Thu, 07/05/2015 - 16:15

Come check out our presentation at Drupalcon 2015 in Los Angeles about modular design on Thursday, May 14, 2015 at 1:00 – 2:00pm PST.

You’ll learn how to use styleguide/prototyping tools like Pattern Lab to increase collaboration between designers, themers, developers, and clients on Drupal projects. A focus on modular design early on in a Drupal project improves workflow and efficiency for the whole team!

After applying modular design principles into your design workflow you will have, guaranteed *:

  • Shinier, more polished sites: You’ll improve collaboration between themers and designers without relying so much on static Photoshop comps, dramatically improving the end product’s quality at a higher detail level.
  • Happier clients: Clients will be able to see functional visual designs earlier in the project and be able to play with the site in an easy to use interface.
  • Happier developers: Developers can concentrate on the hard work of building the site while themers and designers concentrate on the visual design.
  • Project managers overcome with joy: Sites will be more easily themed, front-end bugs will be caught earlier, clients can see progress sooner, designers will be less bogged down in Photoshop iterations, and projects will be more successful.

We hope to see you there. It should be a lot of fun and we are genuinely interested in hearing your thoughts. If you are impatient and want to learn more about Pattern Lab and design patterns in general, take a look at this blog post by Brad Frost on designing pattern flexibility.

* not an actual guarantee. Results may vary. Consult your doctor if your clients remain happy for over 4 hours

Categories: Elsewhere

ThinkShout: Meet the ThinkShout Team at DrupalCon LA!

Thu, 07/05/2015 - 15:00

It’s that time of year again - that’s right, DrupalCon! We’re excited to visit sunny (and warm, and apparently very dry) Los Angeles this year for DrupalCon 2015. We might have to dust off our shorts for this one.

The location for this year’s conference holds a special place in our hearts, as we have a handful of awesome clients and partners (and some friends, too) that we can’t wait to see while we geek out about all things Drupal. As always, we’ll all be running around during this four day event, but here are all the specific places where you can catch up with us:

Exhibit Hall

We’re partnering with our friends MailChimp at booth 800. Stop by for some cool swag, to talk shop, and learn about the exciting work we’re doing porting the MailChimp module to Drupal 8. We’re also hiring for several positions, so if you’d like to meet face to face and get a better feel for what it would be like to join the ThinkShout team, come chat with us.

Official Sessions

Scaling Your Business Starts with the Right Spreadsheets: Performance Metrics

Join ThinkShout’s Sean Larkin and Forum One’s Chris Wolz as they discuss tools and techniques for collaboration and management that will help you make better long-term decisions for your business.

Tuesday May 12th, 10:45-11:45am

Room: 502B - Lullabot

If I Only Had a Frame(work): Crafting Experiences Across 3rd-Party Systems

Lev Tsypin and Brett Meyer will discuss creating and developing a cohesive experience across multiple platforms even when they aren’t all open source.

Wednesday May 13th, 1-2pm

Room: 515A - Phase 2

Building Your Drupal-Based Business, Or, What Keeps You Up at Night

This facilitated panel session will include ThinkShout’s own Sean Larkin, and will cover insights from agency owners on lessons learned, areas of focus, and what NOT to worry about. All that and some guidance on best practices, and ideas to sustain and support growth - with an active audience Q&A to boot.

Wednesday May 13th, 2:15-3:15pm

Room: Petree C - Acquia

Ballin' on a Budget: How to Create Great Design Without Breaking the Bank

Our Lead User Experience Designer, Josh Riggs, will give us the low-down on creating kick-ass designs for any budget by utilizing solid design fundamentals, great communication, and maybe a few tricks up the sleeve.

Thursday May 14th, 10:45-11:45am

Room: TBD

MailChimp and Drupal, The Anatomy of a Successful Partnership

In this Lightning Talk, ThinkShout CTO Lev Tsypin and MailChimp API guru Nathan Ranson will cover the evolution of MailChimp's support for Drupal, the basics of how the integration works, and hint at what's to come for Drupal 8.

Thursday May 14th, 1:15pm

Room: TBD

Birds of a Feather (BoF)

ThinkShout team members will also be leading a couple of great BoF sessions. We hope to see you there!

Design and Prototyping Methods for Responsive Drupal Sites with Josh Riggs (@joshriggs)

Tuesday May 12th, 10:45-11:45am

Room: 410 - The Cherry Hill Company

Integrating Drupal with Salesforce with Tauno Hogue

Wednesday May 13th, 10:45-11:45am

Room: 505 - Chromatic

And finally, as we mentioned earlier, we’re excited about visiting LA this year because we’ll get a bit of face time with some of the great west coast clients and partners we’ve been working with over the last few years. We will be hosting a special happy hour reception celebrating these LA organizations and honoring one of our long-time clients and partners, the Los Angeles Conservancy, with a donation from our team.

We hope to see you at DrupalCon this year. If you can’t make it, get in touch with us and we’ll fill you in on what you missed! You can also follow along on all the social networks: Twitter, Facebook, and Instagram - we’ll keep you posted!

To those of you heading down to LA, California or BUST!

Categories: Elsewhere

ERPAL: Relaunch erpal.info

Thu, 07/05/2015 - 09:45

Finally: we're done overhauling our internet presence and proudly present you our new website! Our main goal in re-launching erpal.info was to better inform you, our web visitor, in a more targeted way about ERPAL. We've completely restructured the site, reducing it to the bare essentials.

We provide an overview of our two Drupal distributions, ERPAL Platform and ERPAL for Service Providers, and outline their main functions. At first glance you should be able to tell whether ERPAL could be of use to you, and, if so, how you'd benefit from it. If you need it, on the individual subpages you'll find more detailed information about these two distributions. Screenshots and graphical representations of the functions illuminate the explanations.

In addition, you'll find all the most important links on the topic of ERPAL. Whether you need access to documentation, downloads or the Issue Queue, it's all just a click away.
We also present additional products and services that could be of interest to you. For example, how Drop Guard can automate the application of your Drupal security updates, or how the ERPAL Time Tracker app could greatly simplify your time keeping.

Within the context of the website re-launch, we also take the opportunity to introduce our brand-new ERPAL Partner Program. On the website you'll learn how, as a Drupal agency, you could profit from this program. Joint sales and marketing activities, as well as comprehensive support, are just a few of the benefits.

Now we hope that you enjoy our new website and that you can quickly find all the information you're looking for. We look forward to your feedback!

Categories: Elsewhere

Drupal.org frontpage posts for the Drupal planet: Drupal 7.37 released

Thu, 07/05/2015 - 06:24

Drupal 7.37, a maintenance release with numerous bug fixes (no security fixes), is now available for download. See the Drupal 7.37 release notes for a full listing.

Download Drupal 7.37

Upgrading your existing Drupal 7 sites is recommended. There are no major, non-backwards-compatible features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

There are no security fixes in this release of Drupal core.

Bug reports

Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.37 contains bug fixes and small API/feature improvements only. The full list of changes between the 7.36 and 7.37 releases can be found by reading the 7.37 release notes. A complete list of all changes in the stable 7.x branch can be found in the git commit log.

Update notes

See the 7.37 release notes for details on important changes in this release.

Known issues

None.

Front page news: Planet Drupal
Drupal version: Drupal 7.x
Categories: Elsewhere

Drupal core announcements: Drupal 8 Question-and-Answer Core Conversation at DrupalCon Los Angeles

Thu, 07/05/2015 - 01:05

Do you have questions about the upcoming Drupal 8 release (or Drupal 8.1.x or 9 and beyond)? On Thursday, May 14 at DrupalCon Los Angeles, I'll be moderating a question-and-answer core conversation with a panel of the Drupal 8 core committers. Questions can be submitted in advance online, and anyone can submit a question (or more than one). I will curate the submissions to ask the panel the most interesting and relevant questions.

Some suggested topics:

  • Drupal core's newly refined structure and decision-making process (see my earlier post for background information).
  • Contributing as a core subsystem or topic maintainer
  • The upcoming Drupal 8.0.0 release: what to expect and how we're going to get there
  • Any questions you have for core committers
  • Or anything else on your mind!

This is a rare opportunity for the community to communicate directly with the Drupal 8 committer team. Help us make the most of it -- submit your questions now!

Categories: Elsewhere

Gizra.com: How we could monitor Twitter (if we had to)

Wed, 06/05/2015 - 23:00

Monitoring your live site is a pretty good idea - that's generally agreed. Same goes for visual regression testing. Doing it, however, is hard. Enough so that very few companies actually do visual regression testing/monitoring, so don't feel bad if you haven't either until now. But after reading this post you should seriously consider doing it. Or at least give it a try.

For example, here's an overview of how we could monitor Twitter, if someone would actually ask us to (as always you can jump right into the repository):

Visual regression on a Twitter page. So much functionality has been asserted in this simple screenshot

Continue reading…

Categories: Elsewhere

Drupal core announcements: Drupal core updates for May 6th, 2015

Wed, 06/05/2015 - 20:42

Congratulations to Alex "effulgentsia" Bronstein and Jess "xjm", who became core committers as part of the Evolving and documenting Drupal core's structure, responsibilities, and decision-making policy (which could still use your review)!

What's new with Drupal 8?

Since the last Drupal Core Update, the minimum version of MySQL needed to run D8 was raised to 5.5.3, and Drupal 8.0.0-beta10 was released in time for DrupalCon Los Angeles (which is next week).

Some other highlights of the month were:

How can I help get Drupal 8 done?

See Help get Drupal 8 released! for updated information on the current state of the release and more information on how you can help.

We're also looking for more contributors to help compile these posts. Contact mparker17 if you'd like to help!

Drupal 8 In Real Life

Whew! That's a wrap!

Do you follow Drupal Planet with devotion, or keep a close eye on the Drupal event calendar, or git pull origin 8.0.x every morning without fail before your coffee? We're looking for more contributors to help compile these posts. You could either take a few hours once every six weeks or so to put together a whole post, or help with one section more regularly. If you'd like to volunteer for helping to draft these posts, please follow the steps here!

Categories: Elsewhere

Jim Birch: No more usernames! Setting up Drupal 7 for Email Login

Wed, 06/05/2015 - 19:00

Sorry, the user name 'Super Incredibly Good Looking Jim' is already taken...

I don't need another username.  I really don't need another username on a site that I am not going to have a public profile.  There are sites where having a username makes perfect sense, and then there are those that don't.

Reasons you may need to have a Username:
  • If the site offers a public profile
  • For use in internal commenting
  • For use in internal forum
  • For use in internal messaging

Even in some of these cases, we could get away with using a display name.  We will explore how to set up a Display Name that is separate from core's login functionality below.

I am not building Twitter.  Nor am I building Ello, Reddit, Pinterest, or Periscope. In most cases, I only have administrators and content creators accessing the site.  Trying to keep the login process as painless as I can for my users, I will use an email address field as the unique identifier.  I would venture to guess that everyone online has at least one of those.

Read more

Categories: Elsewhere

Promet Source: Melding AngularJS With Drupal Sites: Retrospective

Wed, 06/05/2015 - 18:28

Let's start with the template file.

A brief tour of the template file

If you pull up the template file, you will see something similar to the following:

Categories: Elsewhere

Drupal Watchdog: VIDEO: DrupalCon Amsterdam Interview: Tom Erickson

Wed, 06/05/2015 - 18:17

In Drupal Watchdog’s proprietary corner, we have a lively chat with TOM ERICKSON (CEO, Acquia), who reveals himself as a pop-music maven, Napa oenophile, and passionate proponent of diversity in the technology field, particularly among women and millennials.

Tags:  DrupalCon Amsterdam DrupalCon Video
Categories: Elsewhere

Annertech: Let the world know: #DrupalOpenDays Ireland is fast approaching (and we're sponsoring)

Wed, 06/05/2015 - 14:37

Drupal Open Days - the largest meeting of Drupal developers, users, and enthusiasts in Ireland - is fast approaching. This year is looking like it's going to be the biggest and best one yet.

Biggest - check out who is coming

Best - check out the great line up of speakers

Categories: Elsewhere

LevelTen Interactive: Five Drupal Modules That Will Save You from Mobilegeddon

Wed, 06/05/2015 - 07:00

Mobilegeddon has arrived. I hope your site was one of the survivors.... Read more

Categories: Elsewhere

flink: Take your Maps to the Max

Wed, 06/05/2015 - 05:40

We’ve always loved maps. Google, Openlayers, Leaflet... bring them on!

To date, those three are the most popular engines to fetch and assemble the tiles that make up your maps and deliver them to the browser.

We love all three, and through IP Geolocation Views & Maps, we support all three.

We have a penchant for Leaflet because its code is open-sourced, well-written and from the ground up made to suit mobile. It is also extended easily. This is witnessed by the great number of handy map widgets and plugins that float about on GitHub and as module add-ons on drupal.org.

With all of these rapidly gaining popularity, we thought it might inspire if we'd show-case a number of these goodies on a single interactive map page for you to play with.

As you hover and click around we hope you become just as convinced as we are, that maps not merely constitute stylish page elements, but also enhance content navigation and reporting, in ways that cannot be achieved through menus, search boxes and spreadsheets.

The best news is that you can now click all of this together in Drupal without any coding whatsoever. To make it totally easy for you to produce a map like the one below, we've made screenshots of the complete map configuration.

And that's enough from us. Time for you to PLAY !

Produced in collaboration with RegionBound.


File under: Planet Drupal
Categories: Elsewhere

DrupalCon News: Developer Contest at DrupalCon!

Tue, 05/05/2015 - 22:10

Are you ready to create a great shopping experience and possibly win some fun prizes? Sphere.io’s Developer Contest at DrupalCon Los Angeles is your chance. Build a working Webshop (responsive, of course!) by developing a Drupal extension that integrates Drupal 8 and SPHERE.IO. Submissions are due Monday, May 11th at 9:00pm PST!

About the Mission:

Categories: Elsewhere

DrupalCon News: Build Lasting Connections at Women in Drupal Event

Tue, 05/05/2015 - 20:55

At my first Women in Drupal event, there were approximately fifteen women gathered in the corner of a temporarily-unused DrupalCon room. We turned on the lights, circled the chairs, and talked comfortably about our work. At the time, I was a backend developer and almost always the only woman on my teams.

Categories: Elsewhere

Lullabot: Lullabot's 7th Annual DrupalCon Party

Tue, 05/05/2015 - 20:33

Lullabot's annual party has become a DrupalCon tradition – fun friendly people hanging out and having a good time. If you're new to DrupalCon, it's a great place to meet people. If you're an old-timer like most of us, it's a great place to see old friends and make new ones.

Categories: Elsewhere

Acquia: Four Final Questions You Should Ask Your Drupal Cloud Host

Tue, 05/05/2015 - 18:48

You know how when you're buying a car, and the questions just keep on coming? And the salesperson keeps making roundtrips to the manager's desk?

It's kind of like that when you're considering where to host your website. There's always time for more questions. It's one less surprise later on.

That's why I keep adding to my list.

It started, you may recall, with just five questions. A week later, I added five more. Now, before closing out this series, I've got a final four.

Ask now, avoid unpleasant surprises later. That's my motto, and it should be yours.

1. What is your level of Drupal expertise?

Acquia offers the industry's highest level of technical Drupal expertise. Our support organization is larger than most hosting companies––over 60 professionals worldwide with over 250 years of combined experience. And Acquia’s overall level of in-house Drupal expertise is unparalleled with over 150 Drupalists, including core owners, security team members, and module contributors. Furthermore, Acquia’s wealth of Drupal knowledge is being expanded continuously. Closed loop processes between our support and engineering organizations help to drive new tools and add to our Help Center, which we then share with the Drupal community.

2. If my site turns into a volcano of errors, will you proactively notify me?

Acquia monitors the health of customers’ servers, and we proactively notify customers of the nature of any issues we detect. When the problem is server-side, we mitigate it, and when the issue is caused by something on the application side, we provide recommended steps to resolve the issue (though we do not usually implement them ourselves unless the customer cannot for some reason).

Acquia also gives customers access to advanced monitoring at the application level, via partners like New Relic or features like our Uptime Monitoring tool—both of which can be used to alert customers in a self-service fashion whenever the application is suffering. If the root cause is server-related, we will notify the customer proactively, but some issues are application-only (meaning they do not trigger server health alerts on our end), so that is why we recommend that customers utilize application-level monitoring whenever possible.

3. Do you offer advanced platform analysis tools to help ensure that my application is running at its best?

Every Acquia Cloud Subscription comes with a suite of tools that make managing your Drupal sites easier than ever before. Drupal site developers, administrators, and site owners can quickly identify problems, eliminate costly mistakes, simplify processes, and improve overall site performance. Acquia’s monitoring tools analyze and measure the quality of your site based on security and performance parameters. Dozens of tests ensure your site’s conformance with best practices for security, performance, and general Drupal and web application development. Monitoring over 50 settings, these tools provide real-time analysis and proactive alerts for issues with your Drupal code and configuration. You can identify code issues and modifications fast, easily download patch files, and view needed updates at-a-glance. You’ll receive a site score to help you improve the quality of your site. You’ll get clear, actionable recommendations to help solve problems and expand your Drupal knowledge.

Acquia provides several additional tools that help you quickly troubleshoot problems with your application. The Uptime Monitoring tool monitors your site’s uptime and responsiveness. It checks your site every minute to see if it’s online and serving pages. For a developer looking to quickly and easily get visibility into a problem, log streaming is a solution that allows for easy access to information without having to download a full day’s log file. It provides real-time access to server logs from within the UI—making troubleshooting more efficient.

4. What is your uptime Service Level Agreement (SLA), and how do you ensure that you meet it?

Acquia commits to 99.95 percent platform, infrastructure, and application uptime. To ensure this, we operate monitoring services 24x7. Acquia uses the Nagios monitoring platform to provide instant access to over 50 vital real-time and historical metrics. We also maintain robust home-grown monitoring tools to ensure performance. Our team of Cloud Operations professionals is always standing by—proactively monitoring your environment and responding to critical issue alerts. With coverage in all time zones and fluency in five languages, the team is available 24x7 for critical, site-impacting issue response.

Tags:  acquia drupal planet
Categories: Elsewhere

Drupal Watchdog: VIDEO: DrupalCon Amsterdam Interview: Cathy Theys

Tue, 05/05/2015 - 18:09

CATHY THEYS (Drupal Community Liaison, Blackmesh) runs sprints. She also mentors young Drupal sprinters. Go, Cathy!

Tags:  DrupalCon Amsterdam DrupalCon Video
Categories: Elsewhere

Drupal Watchdog: Protecting Your Drupal 8 Resources

Tue, 05/05/2015 - 16:05

Drupal 8 incorporates a Modular Authentication System which, given a request, attempts to identify a Drupal user by inspecting the HTTP request headers.

Authentication comes in handy when we want to restrict access to a resource in Drupal. It can be applied to any route, although the method to implement it may differ. It is most commonly used to identify requests when we are exposing data through an API from our Drupal site.

Authentication and Authorization

Imagine you are going through airport security. The security agent asks to see your ID – a passport or driver’s license, say. The act of showing your ID is what we call Authentication. In Drupal – as in almost all websites – your authentication credentials are your username and password.

Next, the security agent checks your boarding pass to verify that you are in the right place and have clearance to get on a plane. That’s called Authorization. In Drupal your role (and therefore the permissions assigned to that role) are your Authorization credentials.

To summarize: authentication means "who are you?"; authorization means "may you proceed?"

Enjoy your flight!

Authentication in Drupal 8

In Drupal 8, Authorization is handled by the Access System and won't be covered in this article; there is an internal system to handle Authentication, so let's start with the following statement:

Thanks to the Modular Authentication System, different Authentication Providers may extract a $user out of a given $request object.

There are a few keywords in that statement. Let's dissect them briefly:

Categories: Elsewhere
