Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHP, Symfony and Security

Diana Arnos
November 21, 2019
Programming
0
720

PHP, Symfony and Security

As presented on SymfonyCon 2019 - Amsterdam

Have you ever tried talking to someone about using PHP in secure applications? It's nothing new that we deal with prejudice against PHP every day and the situation is even worse when we talk about security. The latest versions of PHP provide security tools and modern cryptography and Symfony itself make its efforts to deliver robust security features that are simple to implement. We'll learn about the latest language and framework initiatives in this regard and check out short and quick tips for boosting you application's security.

Diana Arnos

November 21, 2019
Tweet

More Decks by Diana Arnos

See All by Diana Arnos
PHP Além do Síncrono
dianaarnos
1
500
O Mundo Mágico dos Profilers
dianaarnos
0
130
Trabalhar na gringa - Como chegar lá?
dianaarnos
0
300
PCS2020 - PHP Além do Síncrono
dianaarnos
2
980
VDPWeekend - Emprego dos Sonhos - O que esperam de você e como ser cada vez melhor
dianaarnos
1
160
PHPPR Live 2020 - PHP Paralelo e Distribuído
dianaarnos
0
120
Profiling 101: o que é e como fazer - PHPConference 2019
dianaarnos
1
380
PHP e Segurança: é possível - PHPConference BR 2019
dianaarnos
0
530
Back End Performático - CPGoiás 2019
dianaarnos
0
89

Other Decks in Programming

See All in Programming
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
150
as(型アサーション)を書く前にできること
marokanatani
10
2.7k
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
360
Jakarta EE meets AI
ivargrimstad
0
710
cmp.Or に感動した
otakakot
3
220
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
1k
Realtime API 入門
riofujimon
0
150
Ethereum_.pdf
nekomatu
0
470
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
3
1.2k
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
ペアーズにおけるAmazon Bedrockを⽤いた障害対応⽀援 ⽣成AIツールの導⼊事例 @ 20241115配信AWSウェビナー登壇
fukubaka0825
6
2k
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.2k

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
What's in a price? How to price your products and services
michaelherold
243
12k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Music & Morning Musume
bryan
46
6.2k
Designing for humans not robots
tammielis
250
25k
Six Lessons from altMBA
skipperchong
27
3.5k
Done Done
chrislema
181
16k
A designer walks into a library…
pauljervisheath
204
24k
How STYLIGHT went responsive
nonsquared
95
5.2k
We Have a Design System, Now What?
morganepeng
50
7.2k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None

  50. None
  51. None
  52. None
  53. None
  54. None
  55. None

  57. None
  58. None
  59. None
  60. None
  61. None
  62. None
  63. None
  64. None
  65. None
  66. None
  67. None
  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None
  78. None

  79. unserialize($data, ["allowed_classes" => ["ClassOne", "ClassTwo"]]);

  80. None
  81. None
  82. None
  83. None
  84. None
  85. None

  86. $ composer require symfony/security

  87. None
  88. None
  89. None
  90. None
  91. None

  92. namespace App\Entity; /*...*/ use Symfony\Component\Security\Core\User\UserInterface ; /** * @ORM\Entity(repositoryClass="App\Repository\UserRepository") */

    class User implements UserInterface { // class methods }

  93. namespace App\Entity; /*...*/ use Symfony\Component\Security\Core\User\UserInterface ; /** * @ORM\Entity(repositoryClass="App\Repository\UserRepository") */

    class User implements UserInterface { // class methods }

  94. security: providers: app_user_provider: entity: class: App\Entity\User property: email

  95. None

  96. namespace Symfony\Component\Security\Core\Encoder; /*...*/ interface PasswordEncoderInterface { public function encodePassword ($raw,

    $salt); public function isPasswordValid( $encoded, $raw, $salt); }

  97. public function checkCredentials($credentials, UserInterface $user) { return $this->passwordEncoder->isPasswordValid($user, $credentials['password']); }

  98. security: encoders: App\Entity\User: algorithm: argon2i #bcrypt #auto

  99. None

  100. $ php bin/console make:auth

  101. What style of authentication do you want? [Empty authenticator ]:

    [0] Empty authenticator [1] Login form authenticator > 1 The class name of the authenticator to create (e.g. AppCustomAuthenticator ): > LoginFormAuthenticator Choose a name for the controller class (e.g. SecurityController ) [SecurityController ]: >
  102. None
  103. None
  104. None

  105. <input type="hidden" name="_csrf_token" value="{{ csrf_token( 'authenticate' ) }}">

  106. None

  107. public function getCredentials (Request $request) { $credentials = [ 'email'

    => $request->request->get( 'email'), 'password' => $request->request->get( 'password'), 'csrf_token' => $request->request->get( '_csrf_token'), ]; return $credentials; }

  108. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  109. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  110. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  111. security: firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: anonymous: true

    guard: authenticators: - App\Security\LoginFormAuthenticator entry_point: App\Security\LoginFormAuthenticator
  112. None
  113. None

  114. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  115. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  116. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  117. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  118. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }
  119. None

  120. {% if is_granted('ROLE_ADMIN') %} <p>You are an admin</p> {% endif

    %}

  121. security: role_hierarchy: ROLE_ADMIN: ROLE_USER ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_WHATEVER_YOU_WANT] access_control: - {

    path: ^/admin, roles: ROLE_ADMIN, ip: 127.0.0.1 } - { path: ^/page, roles: ROLE_USER, host: localhost }
  122. None
  123. None
  124. None
  125. None