Keep It Simple Security (Symfony cafe 28-01-2016)
-
Upload
oleg-zinchenko -
Category
Technology
-
view
385 -
download
0
Transcript of Keep It Simple Security (Symfony cafe 28-01-2016)
![Page 1: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/1.jpg)
![Page 2: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/2.jpg)
cystbearErlanger
Symfony expert
MongoDB adept
OSS doerhttps://twitter.com/1cdecoderhttps://github.com/cystbearhttp://trinity.ck.ua/
![Page 3: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/3.jpg)
![Page 4: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/4.jpg)
![Page 5: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/5.jpg)
![Page 6: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/6.jpg)
![Page 7: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/7.jpg)
+ = ❤
![Page 8: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/8.jpg)
![Page 9: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/9.jpg)
security.ymlsecurity: firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: pattern: ^/ form_login: login_path: /login check_path: /login_check provider: fos_userbundle logout: true anonymous: true
access_control: - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/user, role: ROLE_USER } - { path: ^/admin/, role: ROLE_ADMIN }
![Page 10: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/10.jpg)
http://www.xml.com/pub/a/2003/12/17/dive.htmlhttp://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html
![Page 11: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/11.jpg)
Good Parts
TokenListenerAuthentication Manager/ProviderFactory
![Page 12: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/12.jpg)
Token<?phpnamespace AppBundle\Security\Authentication\Token;use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
class WsseUserToken extends AbstractToken{ public $created; public $digest; public $nonce; public function __construct(array $roles = array()) { parent::__construct($roles); // If the user has roles, consider it authenticated $this->setAuthenticated(count($roles) > 0); } public function getCredentials() { return ''; }}
![Page 13: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/13.jpg)
Listener<?php
namespace AppBundle\Security\Firewall;
use AppBundle\Security\Authentication\Token\WsseUserToken;
class WsseListener implements ListenerInterface
{
protected $tokenStorage;
protected $authenticationManager;
public function handle(GetResponseEvent $event)
{
$request = $event->getRequest();
$wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
return;
}
$token = new WsseUserToken(); $token->setUser($matches[1]); ...
try {
$authToken = $this->authenticationManager->authenticate($token);
$this->tokenStorage->setToken($authToken);
return;
} catch (AuthenticationException $failed) { ... }
$response = new Response();
$response->setStatusCode(Response::HTTP_FORBIDDEN);
$event->setResponse($response);
}
}
![Page 14: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/14.jpg)
Authentication Manager<?php
namespace AppBundle\Security\Authentication\Provider;
use AppBundle\Security\Authentication\Token\WsseUserToken;
class WsseProvider implements AuthenticationProviderInterface
{
private $userProvider;
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
throw new AuthenticationException('The WSSE authentication failed.');
}
protected function validateDigest($digest, $nonce, $created, $secret)
{ ... }
public function supports(TokenInterface $token)
{
return $token instanceof WsseUserToken;
}
}
![Page 15: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/15.jpg)
Factory<?php
namespace AppBundle\DependencyInjection\Security\Factory;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
class WsseFactory implements SecurityFactoryInterface
{
public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
{
$providerId = 'security.authentication.provider.wsse.'.$id;
$container
->setDefinition($providerId, new DefinitionDecorator('wsse.security.authentication.provider'))
->replaceArgument(0, new Reference($userProvider))
;
$listenerId = 'security.authentication.listener.wsse.'.$id;
$listener = $container->setDefinition($listenerId, new DefinitionDecorator('wsse.security.authentication.listener'));
return array($providerId, $listenerId, $defaultEntryPoint);
}
public function getPosition()
{ return 'pre_auth'; }
public function getKey()
{ return 'wsse'; }
public function addConfiguration(NodeDefinition $node)
{
}
}
![Page 16: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/16.jpg)
ACE
http://symfony.com/doc/current/cookbook/security/acl.html
![Page 17: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/17.jpg)
Voters
http://symfony.com/doc/current/cookbook/security/voters.htmlhttps://www.youtube.com/watch?v=e7HfW4TgnUY
![Page 18: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/18.jpg)
Voter (1)<?php
namespace AppBundle\Security;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
class PostVoter extends Voter
{
const VIEW = 'view';
const EDIT = 'edit';
protected function supports($attribute, $subject)
{
if (!in_array($attribute, array(self::VIEW, self::EDIT))) { return false; }
if (!$subject instanceof Post) { return false; }
return true;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof User) { return false; }
$post = $subject;
switch($attribute) {
case self::VIEW: return $this->canView($post, $user);
case self::EDIT: return $this->canEdit($post, $user);
}
throw new \LogicException('This code should not be reached!');
}
}
![Page 19: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/19.jpg)
Voter (2)<?php
private function canView(Post $post, User $user)
{
if ($this->canEdit($post, $user)) { return true; }
return !$post->isPrivate();
}
private function canEdit(Post $post, User $user)
{
return $user === $post->getOwner();
}
}
![Page 20: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/20.jpg)
![Page 21: Keep It Simple Security (Symfony cafe 28-01-2016)](https://reader031.fdocuments.us/reader031/viewer/2022030201/58a63f1f1a28ab68118b674b/html5/thumbnails/21.jpg)