
Saturday 1 August 2015

Security


1. Authentication

Authentication is the act of verifying who a user is, and is the basis of the login process. Typically, authentication uses the combination of an identifier (a username or email address) and a password. The user submits these values through a form, and the application then compares the submitted information against that previously stored (e.g., upon registration).


2. Authorization


Authorization is the process of verifying that a user has enough permission to do something.

Yii provides two authorization methods:

    Access Control Filter (ACF) and
    Role-Based Access Control (RBAC).

Yii2 global filter/behavior to force user to authenticate first



You can add a global behavior to your application config.

Add the following code below 'components' => [...]

(Example file to edit: backend\config\main.php)

This globally redirects guest users to the login page in every controller:


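 'as beforeRequest' => [
    'class' => 'yii\filters\AccessControl',
    'rules' => [
        // rules are checked in order; the first match decides
        [
            // login and error actions stay reachable for guests
            'actions' => ['login', 'error'],
            'allow' => true,
        ],
        [
            // everything else requires an authenticated user ('@')
            'allow' => true,
            'roles' => ['@'],
        ],
    ],
],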
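
The rule order above matters, and the first rule carries no 'controllers' key, so it matches a login or error action in any controller. The following is an added example, not code from the original post: a simplified stand-alone model of the filter's first-match, default-deny evaluation (only 'controllers', 'actions' and the '@' / '?' roles are modelled), comparing the rules above with a variant pinned to an assumed 'site' controller; the 'report' controller is hypothetical.

```php
<?php
// Simplified model of how yii\filters\AccessControl walks its rules:
// the first rule whose conditions all match decides; no match means deny.

function ruleMatches(array $rule, string $controller, string $action, bool $isGuest): bool
{
    if (!empty($rule['controllers']) && !in_array($controller, $rule['controllers'], true)) {
        return false;
    }
    if (!empty($rule['actions']) && !in_array($action, $rule['actions'], true)) {
        return false;
    }
    if (empty($rule['roles'])) {
        return true; // no 'roles' key: applies to guests and logged-in users alike
    }
    foreach ($rule['roles'] as $role) {
        if (($role === '@' && !$isGuest) || ($role === '?' && $isGuest)) {
            return true;
        }
    }
    return false;
}

function isAllowed(array $rules, string $controller, string $action, bool $isGuest): bool
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $controller, $action, $isGuest)) {
            return $rule['allow'];
        }
    }
    return false; // default deny when no rule matches
}

// Rules exactly as in the config above.
$pageRules = [
    ['actions' => ['login', 'error'], 'allow' => true],
    ['allow' => true, 'roles' => ['@']],
];
// Variant with the public rule pinned to one controller ('site' is an assumed ID).
$pinnedRules = $pageRules;
$pinnedRules[0]['controllers'] = ['site'];

// Constructed guest requests; 'report' is a hypothetical controller.
foreach ([['site', 'login'], ['site', 'index'], ['report', 'error']] as [$c, $a]) {
    printf("guest %-13s page=%-5s pinned=%s\n", "$c/$a",
        isAllowed($pageRules, $c, $a, true) ? 'allow' : 'deny',
        isAllowed($pinnedRules, $c, $a, true) ? 'allow' : 'deny');
}
```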



Redirect to login for guest users in every controller


   // Yii 1.1 API (Yii::app()); in Yii2 the same check is Yii::$app->user->isGuest
   if (Yii::app()->user->isGuest) {
       // guest (not logged in)
   } else {
       // logged-in user
   }


Examples

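protected function beforeAction($action)
{
       // Yii 1.1: send guests to the login page before any action runs.
       // A controller that serves user/login itself must skip this check,
       // otherwise guests are redirected in a loop.
       if (Yii::app()->user->isGuest)
            $this->redirect(Yii::app()->createUrl('user/login'));

       // code for authenticated users goes here

       // the action runs only if beforeAction() returns true
       return parent::beforeAction($action);
}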



// Inside a controller action: guests are redirected, everyone else sees the index view.
{
       if (Yii::app()->user->isGuest)
            $this->redirect(Yii::app()->createUrl('site/login'));
       else
            $this->render('index');
}



