Zend_Amf_Server allows you to specify authentication and
authorization hooks to control access to the services. It uses the infrastructure
provided by the Zend_Auth and
Zend_Acl components.
In order to define authentication, the user provides an authentication adapter extending the
Zend_Amf_Auth_Abstract abstract class. The adapter should
implement the authenticate() method just like a regular
authentication adapter.
The adapter should use the properties _username and
_password from the parent
Zend_Amf_Auth_Abstract class in order to authenticate. These
values are set by the server using the setCredentials() method
before the call to authenticate(), if the credentials are received
in the AMF request headers.
The identity returned by the adapter should be an object containing a role property for the ACL access control to work.
If the authentication result is not successful, the request is not processed further and a failure message is returned, with the reasons for failure taken from the result.
The adapter is connected to the server using the setAuth() method:
<?php
$server->setAuth(new My_Amf_Auth());
Access control is performed using a Zend_Acl object set by the
setAcl() method:
<?php
$acl = new Zend_Acl();
createPermissions($acl); // create permission structure
$server->setAcl($acl);
If the ACL object is set, and the class being called defines an
initAcl() method, this method will be called with the
ACL object as an argument. The class can then create additional
ACL rules and return TRUE, or return
FALSE if no access control is required for this class.
After the ACL has been set up, the server checks whether access is
allowed, with the role set by the authentication, the resource being the class name (or
NULL for
function calls) and the privilege being the function name. If no authentication was
provided and the anonymous role was defined, that role is used;
otherwise access is denied.
<?php
// $role comes from the authenticated identity (or the anonymous role),
// $class is the service class name (NULL for plain functions),
// $function is the method being invoked.
if ($this->_acl->isAllowed($role, $class, $function)) {
    return true;
} else {
    require_once 'Zend/Amf/Server/Exception.php';
    throw new Zend_Amf_Server_Exception("Access not allowed");
}
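The following is an added example, not code from the Zend Framework manual, showing both halves of the mechanism described above wired together: an adapter extending Zend_Amf_Auth_Abstract that authenticates from the _username and _password properties and returns an identity with a role property, a service class whose initAcl() adds its own rules, and a Zend_Acl with an anonymous role that is granted nothing. The class names My_Amf_Auth and My_Report_Service, the role names viewer and editor, the user table, and the use of password_hash()/password_verify() (PHP 5.5+) are assumptions for this illustration.

```php
<?php
// Added example (not from the Zend Framework manual). Names prefixed My_,
// the role names and the user table are assumptions for this illustration.
require_once 'Zend/Amf/Auth/Abstract.php';
require_once 'Zend/Auth/Result.php';
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Amf/Server.php';

class My_Amf_Auth extends Zend_Amf_Auth_Abstract
{
    // Constructed user table: password hashes (never plaintext) and a role.
    protected $_users;

    public function __construct(array $users)
    {
        $this->_users = $users;
    }

    // $this->_username and $this->_password were filled in by the server via
    // setCredentials() from the AMF request headers before this is called.
    public function authenticate()
    {
        if (!isset($this->_users[$this->_username])) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null, array('Unknown user'));
        }
        $record = $this->_users[$this->_username];
        // password_verify() requires PHP 5.5+ (assumption for this example).
        if (!password_verify((string) $this->_password, $record['hash'])) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null, array('Invalid credentials'));
        }
        // The identity must expose a "role" property; the server reads it
        // when it calls $acl->isAllowed($role, $class, $function).
        $identity = new stdClass();
        $identity->name = $this->_username;
        $identity->role = $record['role'];
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
    }
}

// A service whose initAcl() adds per-class rules when the server has an ACL.
class My_Report_Service
{
    public function initAcl(Zend_Acl $acl)
    {
        // The server registers the class name as a resource before calling
        // initAcl(); guard the add() so a duplicate resource does not throw.
        if (!$acl->has(__CLASS__)) {
            $acl->add(new Zend_Acl_Resource(__CLASS__));
        }
        $acl->allow('viewer', __CLASS__, 'listReports');
        $acl->allow('editor', __CLASS__, array('listReports', 'deleteReport'));
        return true; // rules apply; returning false would skip the ACL check
    }

    public function listReports()
    {
        return array('q1', 'q2');
    }

    public function deleteReport($id)
    {
        return true;
    }
}

$acl = new Zend_Acl();
// 'anonymous' exists so unauthenticated calls reach the ACL check, but it is
// granted nothing, so they are denied; editor inherits viewer's privileges.
$acl->addRole(new Zend_Acl_Role('anonymous'));
$acl->addRole(new Zend_Acl_Role('viewer'));
$acl->addRole(new Zend_Acl_Role('editor'), 'viewer');

// Constructed user table; the hash is computed here only for the example.
$users = array(
    'alice' => array('hash' => password_hash('example-only', PASSWORD_DEFAULT),
                     'role' => 'editor'),
);

$server = new Zend_Amf_Server();
$server->setAuth(new My_Amf_Auth($users));
$server->setAcl($acl);
$server->setClass('My_Report_Service');
echo $server->handle();
```

With this wiring, a request carrying valid credentials for alice may call either method, a viewer may only call listReports(), and a request without credentials is denied because the anonymous role has no allow() rule. Omitting the anonymous role entirely would instead make the server reject unauthenticated requests before the ACL lookup.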