
PHP, Symfony and Security

Diana Arnos
November 21, 2019


As presented on SymfonyCon 2019 - Amsterdam

Have you ever tried talking to someone about using PHP in secure applications? It's nothing new that we deal with prejudice against PHP every day, and the situation is even worse when we talk about security. The latest versions of PHP provide security tools and modern cryptography, and Symfony itself makes an effort to deliver robust security features that are simple to implement. We'll learn about the latest language and framework initiatives in this regard and check out short and quick tips for boosting your application's security.


Transcript

  1. Generating the authenticator with MakerBundle (php bin/console make:auth):

    What style of authentication do you want? [Empty authenticator]:
      [0] Empty authenticator
      [1] Login form authenticator
    > 1

    The class name of the authenticator to create (e.g. AppCustomAuthenticator):
    > LoginFormAuthenticator

    Choose a name for the controller class (e.g. SecurityController) [SecurityController]:
    >
  2. Extracting the submitted credentials from the request:

    public function getCredentials(Request $request)
    {
        $credentials = [
            'email' => $request->request->get('email'),
            'password' => $request->request->get('password'),
            'csrf_token' => $request->request->get('_csrf_token'),
        ];

        return $credentials;
    }
  3. Validating the CSRF token before loading the user:

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        $token = new CsrfToken('authenticate', $credentials['csrf_token']);
        if (!$this->csrfTokenManager->isTokenValid($token)) {
            throw new InvalidCsrfTokenException();
        }

        return $this->userRepository->findOneBy(['email' => $credentials['email']]);
    }
  6. Wiring the authenticator into the firewall (config/packages/security.yaml):

    security:
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                anonymous: true
                guard:
                    authenticators:
                        - App\Security\LoginFormAuthenticator
                    entry_point: App\Security\LoginFormAuthenticator
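The fragments on the slides above (make:auth, getCredentials, getUser and the firewall entry) belong to one Guard authenticator. As an added example, not code from the deck or from MakerBundle, here is the complete class those fragments fit into, including the password check the slides leave out. It assumes an App\Entity\User that implements UserInterface and has an email field, an App\Repository\UserRepository, routes named app_login and app_homepage, a form that renders {{ csrf_token('authenticate') }} into the _csrf_token field, and an encoders entry for App\Entity\User (algorithm: auto) in security.yaml; all of those names are assumptions.

```php
<?php

namespace App\Security;

use App\Repository\UserRepository; // assumed Doctrine repository for App\Entity\User
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
use Symfony\Component\Security\Http\Util\TargetPathTrait;

class LoginFormAuthenticator extends AbstractFormLoginAuthenticator
{
    use TargetPathTrait;

    public const LOGIN_ROUTE = 'app_login'; // assumed name of the login form route

    private $userRepository;
    private $urlGenerator;
    private $csrfTokenManager;
    private $passwordEncoder;

    public function __construct(
        UserRepository $userRepository,
        UrlGeneratorInterface $urlGenerator,
        CsrfTokenManagerInterface $csrfTokenManager,
        UserPasswordEncoderInterface $passwordEncoder
    ) {
        $this->userRepository = $userRepository;
        $this->urlGenerator = $urlGenerator;
        $this->csrfTokenManager = $csrfTokenManager;
        $this->passwordEncoder = $passwordEncoder;
    }

    // Only POSTs to the login route are handled; every other request passes through.
    public function supports(Request $request)
    {
        return self::LOGIN_ROUTE === $request->attributes->get('_route')
            && $request->isMethod('POST');
    }

    public function getCredentials(Request $request)
    {
        $credentials = [
            'email' => $request->request->get('email'),
            'password' => $request->request->get('password'),
            'csrf_token' => $request->request->get('_csrf_token'),
        ];
        // Remember the submitted identifier so the form can be re-filled after a failure.
        $request->getSession()->set(Security::LAST_USERNAME, $credentials['email']);

        return $credentials;
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        // Check the CSRF token before touching the database. The token id
        // 'authenticate' must match the one used when the form was rendered.
        $token = new CsrfToken('authenticate', $credentials['csrf_token']);
        if (!$this->csrfTokenManager->isTokenValid($token)) {
            throw new InvalidCsrfTokenException();
        }

        // Returning null makes Guard fail with the generic "Bad credentials"
        // (hide_user_not_found is true by default), so an unknown e-mail is not
        // distinguishable from a wrong password in the error message.
        return $this->userRepository->findOneBy(['email' => $credentials['email']]);
    }

    // Guard authenticates only when this returns exactly true.
    public function checkCredentials($credentials, UserInterface $user)
    {
        return $this->passwordEncoder->isPasswordValid($user, $credentials['password']);
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        // Send the user back to the page that triggered the login, if there was one.
        if ($targetPath = $this->getTargetPath($request->getSession(), $providerKey)) {
            return new RedirectResponse($targetPath);
        }

        return new RedirectResponse($this->urlGenerator->generate('app_homepage')); // assumed route
    }

    protected function getLoginUrl()
    {
        return $this->urlGenerator->generate(self::LOGIN_ROUTE);
    }
}
```

Two points worth checking in your own authenticator: the CSRF check must run before any database lookup or password hashing so that forged cross-site posts never reach the expensive path, and the not-found case should stay silent (no "e-mail could not be found" message) to avoid confirming which accounts exist. Even with a generic message, an unknown e-mail still skips the password hash and responds measurably faster; if that timing side channel matters to you, hash a dummy password on the not-found path as well.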
  7. Checking authorization in a controller, four equivalent ways:

    namespace App\Controller;

    use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
    use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
    use Symfony\Component\Routing\Annotation\Route;
    /*...*/
    class AdminController extends AbstractController
    {
        /**
         * @Route("/admin", name="app_admin")
         * @IsGranted("ROLE_ADMIN")               // check directly
         * @Security("is_granted('ROLE_ADMIN')")  // use the Security annotation (expression)
         */
        public function index()
        {
            // get the service: isGranted() only returns a bool, so act on it
            if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
                throw $this->createAccessDeniedException();
            }
            // OR... the controller helper, which throws AccessDeniedException itself
            $this->denyAccessUnlessGranted('ROLE_ADMIN');
            // processing and return
        }
    }
  12. Role hierarchy and URL-based access control (config/packages/security.yaml):

    security:
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_WHATEVER_YOU_WANT]
        access_control:
            - { path: ^/admin, roles: ROLE_ADMIN, ip: 127.0.0.1 }
            - { path: ^/page, roles: ROLE_USER, host: localhost }

    Rules are evaluated top to bottom and only the first one whose path, ip, host and methods all match is applied. Note that ip and host restrict which requests a rule matches, not who is allowed: a request for /admin from an address other than 127.0.0.1 skips the first rule entirely, and if no later rule matches it either, access is granted.
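Role checks, role_hierarchy and access_control all answer "does this user have role X?"; they never see the object being acted on, so a rule like ^/admin cannot express "only the author may edit this post". In Symfony that decision goes in a voter, which is what is_granted() and denyAccessUnlessGranted() consult for any attribute. The following is an added example, not code from the deck; it assumes a hypothetical App\Entity\Post with getAuthor(): ?User and isPublished(): bool and an App\Entity\User.

```php
<?php

namespace App\Security\Voter;

use App\Entity\Post; // assumed entity with getAuthor(): ?User and isPublished(): bool
use App\Entity\User; // assumed: the application's UserInterface implementation
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Security;

class PostVoter extends Voter
{
    public const VIEW = 'POST_VIEW';
    public const EDIT = 'POST_EDIT';

    private $security;

    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    // Vote only on our own attributes and only when the subject is a Post;
    // for anything else the voter abstains and leaves the decision to others.
    protected function supports($attribute, $subject)
    {
        return \in_array($attribute, [self::VIEW, self::EDIT], true)
            && $subject instanceof Post;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false; // anonymous: deny everything
        }

        // ROLE_ADMIN (and, through role_hierarchy, ROLE_SUPER_ADMIN) may do anything.
        if ($this->security->isGranted('ROLE_ADMIN')) {
            return true;
        }

        /** @var Post $post */
        $post = $subject;

        switch ($attribute) {
            case self::VIEW:
                return $post->isPublished() || $post->getAuthor() === $user;
            case self::EDIT:
                return $post->getAuthor() === $user;
        }

        return false; // unknown attribute: deny (supports() should prevent this)
    }
}
```

The voter is picked up automatically through autoconfiguration. In a controller the check is then `$this->denyAccessUnlessGranted(PostVoter::EDIT, $post);`, or `@IsGranted("POST_EDIT", subject="post")` on the action, and the same attribute works in Twig with `is_granted('POST_EDIT', post)`. Keep the deny-by-default shape: an anonymous token, an unexpected subject or an unknown attribute all return false rather than falling through to true.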