You Shall Not Pass - Security in Symfony
34
You shall not pass! Adam Polak
-
Upload
the-software-house -
Category
Technology
-
view
1.377 -
download
0
Transcript of You Shall Not Pass - Security in Symfony
You shall not pass!Adam Polak
About meAdam Polak
Developer at The Software House
fb: polak.adam1
Client
Mr. Janusz
Existing app
Task 1• admin can remove any idea• logged user can add new ideas• logged user can remove his ideas
Authorization
Security• highly configurable• easy to use• integrated with Symfony 2
Encodersencoders: Example2Bundle\Entity\User: algorithm: bcrypt cost: 12
interface PasswordEncoderInterface
public function encodePassword($raw, $salt);
public function isPasswordValid($encoded, $raw, $salt);
Example2Bundle\Entity\User: id: our.custom.encoder.service.id
Providersproviders: users: entity: class: Example2Bundle:User property: username
interface UserProviderInterface
public function loadUserByUsername($username);
public function refreshUser(UserInterface $user);
public function supportsClass($class);
Firewallsfirewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: anonymous: ~ form_login: login_path: example_2_login check_path: example_2_login_check username_parameter: login_type[login] password_parameter: login_type[password] default_target_path: /example-2 #Target can be specified as a form parameter ex. #target_path_parameter: login_type[redirect] provider: users logout: path: /example-2/logout target: /example-2
access_control: - { path: ^/example-2, roles: IS_AUTHENTICATED_ANONYMOUSLY}
ShowTime
Votersinterface VoterInterface{ const ACCESS_GRANTED = 1; const ACCESS_ABSTAIN = 0; const ACCESS_DENIED = -1; public function supportsAttribute($attribute); public function supportsClass($class); public function vote(TokenInterface $token, $object, array $attributes); }
Too complicated
Voters v2abstract class AbstractVoter implements VoterInterface{ public function supportsAttribute($attribute); public function supportsClass($class); public function vote(TokenInterface $token, $object, array $attributes); abstract protected function getSupportedClasses(); abstract protected function getSupportedAttributes(); abstract protected function isGranted($attribute, $object, $user = null); }
Are we done yet ?
Voters
services: comment.voter: class: Example3Bundle\Voter\CommentVoter tags: - { name: security.voter }
Talk is cheap.Show me the code.
Task 2• integration with facebook connect• user should be logged in if his email is the same as the one on
facebook account
Custom Provider• Token• Listener• Authentication provider• Factory
Token• keeps request information required for authentication• after authentication it keeps logged user object
Tokeninterface TokenInterface{ public function __toString(); public function getRoles(); public function getCredentials(); public function getUser(); public function setUser($user); public function getUsername(); public function isAuthenticated(); public function setAuthenticated($isAuthenticated); public function eraseCredentials(); public function getAttributes(); public function setAttributes(array $attributes); public function hasAttribute($name); public function getAttribute($name); public function setAttribute($name, $value); }
Token
abstract class AbstractToken implements TokenInterface{ public function getCredentials();
}
Listener• checks request for information required for authorisation• creates non authenticated token• starts authorisation process
interface ListenerInterface{ public function handle(GetResponseEvent $event); }
Authentication Provider• authorises a given type of token• adds user to authorised token
interface AuthenticationProviderInterface extends AuthenticationManagerInterface{ public function supports(TokenInterface $token); }
interface AuthenticationManagerInterface{ public function authenticate(TokenInterface $token); }
Factory• assigns services to container• creates provider instance for each firewall• can define additional configuration parameters for our provider
Factoryinterface SecurityFactoryInterface{ public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint); public function getPosition(); public function getKey(); public function addConfiguration(NodeDefinition $builder); }
$extension = $container->getExtension('security'); $extension->addSecurityListenerFactory(new OurCustomFactory());
Code ?
Task 3
Something you know Something you have
Authorisation process• user log in• send authorisation code on user email• display authorisation code form• authorise user
Listener
form_login: success_handler: authentication.two_factor.listener
interface AuthenticationSuccessHandlerInterface{ public function onAuthenticationSuccess(Request $request, TokenInterface $token); }
How it works ?
Thank you
