Symfony2 Security Layer
Don't ask me about the MethodSecurityInterceptor
We are here
Eh?!
Sim sala bim!
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }

    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    firewalls:
        secured_area:
            pattern:     ^/
            anonymous: ~
            form_login:
                login_path:   /login
                check_path:   /login_check

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
Authentication
Authorization
app/config/security.yml
security:
    providers:
        nomi_fantasiosi:
            entity:
                class: AcmeUserBundle:User
                property: username

    encoders:
        Acme\UserBundle\Entity\User: sha1

    firewalls:
        secured_area:
            pattern:     ^/
            anonymous: ~
            form_login:
                login_path:   /login
                check_path:   /login_check

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
app/config/security.yml (as the first configuration, with only the encoder changed)
    encoders:
        Symfony\Component\Security\Core\User\User: sha1
app/config/security.yml (as the first configuration, with only the encoder changed)
    encoders:
        Symfony\Component\Security\Core\User\User: md5
app/config/security.yml (as the first configuration, with only the encoder changed)
    encoders:
        Symfony\Component\Security\Core\User\User: sha512
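The encoders: line decides what the provider stores and what the submitted password is compared against. The following stand-alone PHP script is an added example, not code from the slides or from Symfony: it is modelled on the scheme of Symfony2's MessageDigestPasswordEncoder (password merged with its salt, hashed for a number of rounds, base64-encoded), so the exact layout is an assumption and a real application should use the framework's encoder class. The salt, the iteration count and the use of the in_memory users as sample input are constructed for the example. It runs through the four encoder names that appear on these slides and shows what each one would store and whether a wrong password is rejected.

```php
<?php
// Added example, not from the slides. Modelled on the algorithm of
// Symfony2's MessageDigestPasswordEncoder (merge password and salt, hash
// repeatedly, encode as base64). Requires PHP 5.6+ for hash_equals().

/**
 * Hash $raw with $salt using $algorithm, applying $iterations rounds.
 * 'plaintext' returns the password unchanged, which is what the
 * "plaintext" encoder on the slides stores.
 */
function encodePassword($algorithm, $raw, $salt, $iterations = 5000)
{
    if ($algorithm === 'plaintext') {
        return $raw;
    }
    if (!in_array($algorithm, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported algorithm: $algorithm");
    }
    // Salt layout assumed for the example: password followed by {salt}.
    $salted = $raw . '{' . $salt . '}';
    $digest = hash($algorithm, $salted, true);
    for ($i = 1; $i < $iterations; $i++) {
        // Each round feeds the previous digest and the salted password back in.
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return base64_encode($digest);
}

/**
 * Compare the stored value with a freshly computed one in constant time,
 * so the comparison does not leak how many leading bytes matched.
 */
function isPasswordValid($algorithm, $encoded, $raw, $salt, $iterations = 5000)
{
    return hash_equals($encoded, encodePassword($algorithm, $raw, $salt, $iterations));
}

// Constructed sample: the in_memory user "ryan" from the slides, with a
// constructed per-user salt (the in_memory users on the slides have none).
$salt = 'constructed-salt-for-ryan';
foreach (array('plaintext', 'md5', 'sha1', 'sha512') as $algorithm) {
    $stored = encodePassword($algorithm, 'ryanpass', $salt);
    $right  = isPasswordValid($algorithm, $stored, 'ryanpass', $salt) ? 'accepted' : 'REJECTED';
    $wrong  = isPasswordValid($algorithm, $stored, 'kitten', $salt) ? 'ACCEPTED' : 'rejected';
    printf("%-9s stored: %s\n          correct password %s, wrong password %s\n",
        $algorithm, $stored, $right, $wrong);
}
```

The plaintext line stores the password itself, and an unsalted single md5 or sha1 can be looked up in precomputed tables; the salt and the repeated rounds are what make the sha512 variant the one to keep, which is why the framework's digest encoder applies them by default.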
app/config/security.yml (as the first configuration, with form_login replaced by HTTP Basic)
    firewalls:
        secured_area:
            pattern:     ^/
            anonymous: ~
            http_basic: ~
app/config/security.yml (as the first configuration, with form_login replaced by HTTP Digest)
    firewalls:
        secured_area:
            pattern:     ^/
            anonymous: ~
            http_digest: ~
app/config/security.yml (as the first configuration, with form_login replaced by X.509 client certificates)
    firewalls:
        secured_area:
            pattern:     ^/
            anonymous: ~
            x509: ~
The authenticated user
public function indexAction()
{
    $user = $this
         ->get('security.context')
         ->getToken()
         ->getUser();
}
getToken()?!
...with username and password

   $this
      ->get('security.context')
      ->getToken()
      ->isAuthenticated()

   // TRUE
...anonymous

$this
   ->get('security.context')
   ->getToken()
   ->isAuthenticated()

// TRUE
True?!
Authentication
The call (app.php)

$kernel = new AppKernel('prod', false);
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);
The call

$this
   ->dispatcher
   ->dispatch('kernel.request', $event);
Diagram: Authentication (built up over several slides)

  Firewall
  FirewallMap
  Listeners
  Token
  AuthenticationProvider
      UserProvider   UserChecker   Encoder
  AuthSuccessHandler   AuthFailureHandler
  LogoutHandler   LogoutSuccessHandler
  SessionAuthStrategy   RememberMe
Authorization
Diagram: Authorization (built up over several slides)

  SecurityContext   AccessListener   MethodSecurityInterceptor
  AccessDecisionManager
  Voter
      AclVoter: PermissionMap, AclProvider
      RoleVoter: RoleHierarchy
      AuthenticatedVoter: AuthenticatedTrustResolver
Let's reveal the mystery

           isAuthenticated()
                 vs
isGranted('IS_AUTHENTICATED_FULLY')
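The point of the mystery is that the token's own isAuthenticated() is true even for the anonymous token, while an authorization question goes through the AccessDecisionManager and its voters. The following PHP script is an added example, not code from the slides or from Symfony: it is a stand-alone model of that path, with simplified stand-ins for the framework's Token, AuthenticatedVoter, RoleVoter and AccessDecisionManager, and the three decision strategies described in the speaker notes (affirmative, consensus, unanimous; tie handling under consensus is assumed to match the framework's default of allowing a tie when at least one voter granted). The tokens are constructed from the in_memory users on the slides plus an anonymous visitor.

```php
<?php
// Added example, not from the slides or from Symfony. Stand-alone model
// of SecurityContext -> AccessDecisionManager -> voters; names are
// simplified stand-ins for the framework's classes. Requires PHP 7+.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

// Minimal token. Like the framework's anonymous token, it reports
// isAuthenticated() === true even for an anonymous visitor.
class Token
{
    public $user; public $roles; public $anonymous;
    public function __construct(string $user, array $roles, bool $anonymous)
    {
        $this->user = $user; $this->roles = $roles; $this->anonymous = $anonymous;
    }
    public function isAuthenticated(): bool { return true; }
}

// Decides the IS_AUTHENTICATED_* attributes, abstains on anything else.
class AuthenticatedVoter
{
    public function vote(Token $token, string $attribute): int
    {
        if ($attribute === 'IS_AUTHENTICATED_ANONYMOUSLY') {
            return ACCESS_GRANTED;
        }
        if ($attribute === 'IS_AUTHENTICATED_FULLY') {
            return $token->anonymous ? ACCESS_DENIED : ACCESS_GRANTED;
        }
        return ACCESS_ABSTAIN;
    }
}

// Decides ROLE_* attributes against the token's roles, abstains on anything else.
class RoleVoter
{
    public function vote(Token $token, string $attribute): int
    {
        if (strpos($attribute, 'ROLE_') !== 0) {
            return ACCESS_ABSTAIN;
        }
        return in_array($attribute, $token->roles, true) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}

class AccessDecisionManager
{
    private $voters; private $strategy;
    public function __construct(array $voters, string $strategy = 'affirmative')
    {
        $this->voters = $voters; $this->strategy = $strategy;
    }

    // Collect the votes and apply the strategy. If every voter abstains
    // (for instance on a misspelled attribute) all three strategies deny.
    public function decide(Token $token, string $attribute): bool
    {
        $grant = $deny = 0;
        foreach ($this->voters as $voter) {
            $v = $voter->vote($token, $attribute);
            if ($v === ACCESS_GRANTED) { $grant++; } elseif ($v === ACCESS_DENIED) { $deny++; }
        }
        switch ($this->strategy) {
            case 'affirmative': return $grant > 0;                   // one grant is enough
            case 'consensus':   return $grant > 0 && $grant >= $deny; // majority, tie allowed
            case 'unanimous':   return $deny === 0 && $grant > 0;    // no denial at all
        }
        throw new InvalidArgumentException("Unknown strategy: {$this->strategy}");
    }
}

// Constructed tokens: the in_memory users from the slides plus an anonymous visitor.
$tokens = array(
    'anonymous' => new Token('anon.', array(), true),
    'ryan'      => new Token('ryan', array('ROLE_USER'), false),
    'admin'     => new Token('admin', array('ROLE_ADMIN'), false),
);
$adm = new AccessDecisionManager(array(new AuthenticatedVoter(), new RoleVoter()), 'affirmative');

foreach ($tokens as $name => $token) {
    printf("%-9s isAuthenticated()=%s  IS_AUTHENTICATED_FULLY=%s  ROLE_ADMIN=%s\n",
        $name,
        var_export($token->isAuthenticated(), true),
        var_export($adm->decide($token, 'IS_AUTHENTICATED_FULLY'), true),
        var_export($adm->decide($token, 'ROLE_ADMIN'), true));
}
```

The first column is true for all three tokens, which is why a controller that only inspects the token cannot tell an anonymous visitor from a logged-in user; the second column is the question to ask instead, and the third is what the access_control rule for ^/admin evaluates.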
Ego slide
• Manuel "Kea" Baldassarri
• Senior Developer
• Web developer since 1992 and PHP developer since 1998
• Pro PHP: best practices
• Husband and father of two
• mb@ideato.it
• twitter: k3a
• flickr: kea42
• slideshare: kea42
?
Tip #1

Impersonate a user
Tip #2
• Documentation
 • http://symfony.com/doc/current/book
 • http://symfony.com/doc/current/cookbook
 • http://symfony.com/doc/current/components
 • https://github.com/matthiasnoback/symfony-docs
 • http://symfony.com/doc/current/reference/configuration/security.htm
Tip #3

Read the code
Creative Commons

• http://www.flickr.com/photos/mardrom/8010607983/


Editor's Notes

  • #3 What we will see: an overview of the component, a few configuration examples and a bit of how it works "from the inside"
  • #7 90% of the work, in 90% of cases, is configuration
  • #9 Authentication: verify that you are who you say you are. Authorization: verify that you have the privileges to do something
  • #19 Multiple firewalls do not share the security context
  • #26 Let's look at the code
  • #28 Inside the kernel, after initialisation
  • #29 The firewall is notified by the kernel.request event and asks the FirewallMap whether there is a match with the URL patterns of the secured areas (requestMatcher). Examples!
  • #30 If there is, the listener is asked to handle the request. LISTENERS: AnonymousAuthenticationListener, BasicAuth, Digest, Logout, SwitchUser, X509, UserPwdForm, RememberMe
  • #31 Anonymous, RememberMe, UsernamePassword and PreAuth tokens implement the TokenInterface (getUsername, getRoles, getCredentials, isAuthenticated, getUser)
  • #33 User providers: memory, entity
  • #35 Three strategies are supported for session management: NONE: the session is not changed; MIGRATE: the session id is updated, attributes are kept; INVALIDATE: the session id is updated, attributes are lost
  • #37 A voter is a class dedicated to checking that the user has the rights to access the application. Its answer is access granted, denied or abstained
  • #38 The AccessDecisionManager uses the voters to decide whether or not to grant authorization
  • #41 Strategies: Affirmative (one grant is enough), Consensus (majority), Unanimous (unanimity)