Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHP, Symfony and Security

Diana Arnos
November 21, 2019
Programming
0
720

PHP, Symfony and Security

As presented on SymfonyCon 2019 - Amsterdam

Have you ever tried talking to someone about using PHP in secure applications? It's nothing new that we deal with prejudice against PHP every day and the situation is even worse when we talk about security. The latest versions of PHP provide security tools and modern cryptography and Symfony itself make its efforts to deliver robust security features that are simple to implement. We'll learn about the latest language and framework initiatives in this regard and check out short and quick tips for boosting you application's security.

Diana Arnos

November 21, 2019
Tweet

More Decks by Diana Arnos

See All by Diana Arnos
PHP Além do Síncrono
dianaarnos
1
500
O Mundo Mágico dos Profilers
dianaarnos
0
130
Trabalhar na gringa - Como chegar lá?
dianaarnos
0
300
PCS2020 - PHP Além do Síncrono
dianaarnos
2
980
VDPWeekend - Emprego dos Sonhos - O que esperam de você e como ser cada vez melhor
dianaarnos
1
160
PHPPR Live 2020 - PHP Paralelo e Distribuído
dianaarnos
0
120
Profiling 101: o que é e como fazer - PHPConference 2019
dianaarnos
1
380
PHP e Segurança: é possível - PHPConference BR 2019
dianaarnos
0
530
Back End Performático - CPGoiás 2019
dianaarnos
0
88

Other Decks in Programming

See All in Programming
僕がつくった48個のWebサービス達
yusukebe
20
17k
CSC509 Lecture 09
javiergs
PRO
0
140
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
160
Jakarta EE meets AI
ivargrimstad
0
120
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
270
macOS でできる リアルタイム動画像処理
biacco42
9
2.3k
Quine, Polyglot, 良いコード
qnighy
4
610
RailsのPull requestsのレビューの時に私が考えていること
yahonda
5
2.7k
みんなでプロポーザルを書いてみた
yuriko1211
0
170
Amazon Qを使ってIaCを触ろう!
maruto
0
370
Hotwire or React? ~Reactの録画機能をHotwireに置き換えて得られた知見~ / hotwire_or_react
harunatsujita
8
5k
受け取る人から提供する人になるということ
little_rubyist
0
180

Featured

See All Featured
Become a Pro
speakerdeck
PRO
25
5k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
A Tale of Four Properties
chriscoyier
156
23k
GitHub's CSS Performance
jonrohan
1030
460k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
How STYLIGHT went responsive
nonsquared
95
5.2k
A Philosophy of Restraint
colly
203
16k
Docker and Python
trallard
40
3.1k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None

  50. None
  51. None
  52. None
  53. None
  54. None
  55. None

  57. None
  58. None
  59. None
  60. None
  61. None
  62. None
  63. None
  64. None
  65. None
  66. None
  67. None
  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None
  78. None

  79. unserialize($data, ["allowed_classes" => ["ClassOne", "ClassTwo"]]);

  80. None
  81. None
  82. None
  83. None
  84. None
  85. None

  86. $ composer require symfony/security

  87. None
  88. None
  89. None
  90. None
  91. None

  92. namespace App\Entity; /*...*/ use Symfony\Component\Security\Core\User\UserInterface ; /** * @ORM\Entity(repositoryClass="App\Repository\UserRepository") */

    class User implements UserInterface { // class methods }

  93. namespace App\Entity; /*...*/ use Symfony\Component\Security\Core\User\UserInterface ; /** * @ORM\Entity(repositoryClass="App\Repository\UserRepository") */

    class User implements UserInterface { // class methods }

  94. security: providers: app_user_provider: entity: class: App\Entity\User property: email

  95. None

  96. namespace Symfony\Component\Security\Core\Encoder; /*...*/ interface PasswordEncoderInterface { public function encodePassword ($raw,

    $salt); public function isPasswordValid( $encoded, $raw, $salt); }

  97. public function checkCredentials($credentials, UserInterface $user) { return $this->passwordEncoder->isPasswordValid($user, $credentials['password']); }

  98. security: encoders: App\Entity\User: algorithm: argon2i #bcrypt #auto

  99. None

  100. $ php bin/console make:auth

  101. What style of authentication do you want? [Empty authenticator ]:

    [0] Empty authenticator [1] Login form authenticator > 1 The class name of the authenticator to create (e.g. AppCustomAuthenticator ): > LoginFormAuthenticator Choose a name for the controller class (e.g. SecurityController ) [SecurityController ]: >
  102. None
  103. None
  104. None

  105. <input type="hidden" name="_csrf_token" value="{{ csrf_token( 'authenticate' ) }}">

  106. None

  107. public function getCredentials (Request $request) { $credentials = [ 'email'

    => $request->request->get( 'email'), 'password' => $request->request->get( 'password'), 'csrf_token' => $request->request->get( '_csrf_token'), ]; return $credentials; }

  108. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  109. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  110. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  111. security: firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: anonymous: true

    guard: authenticators: - App\Security\LoginFormAuthenticator entry_point: App\Security\LoginFormAuthenticator
  112. None
  113. None

  114. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  115. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  116. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  117. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  118. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }
  119. None

  120. {% if is_granted('ROLE_ADMIN') %} <p>You are an admin</p> {% endif

    %}

  121. security: role_hierarchy: ROLE_ADMIN: ROLE_USER ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_WHATEVER_YOU_WANT] access_control: - {

    path: ^/admin, roles: ROLE_ADMIN, ip: 127.0.0.1 } - { path: ^/page, roles: ROLE_USER, host: localhost }
  122. None
  123. None
  124. None
  125. None