Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[SymfonyCon Paris] Dig in security

Sarah KHALIL
December 09, 2015
Technology
4
890

[SymfonyCon Paris] Dig in security

Security in Symfony is often misunderstood. Let's have a look at what is really happening behind the opaque configuration of the Security Bundle. Then we will see how it is possible to implement any way to authenticate a user in Symfony without third party library.

Sarah KHALIL

December 09, 2015
Tweet

More Decks by Sarah KHALIL

See All by Sarah KHALIL
[SymfonyCon Lisbon] A Year of Symfony
saro0h
0
870
[SymfonyLive Paris] Une année de Symfony
saro0h
0
800
[SymfonyCon Cluj] A year of Symfony
saro0h
2
1.6k
Discover the Serializer component
saro0h
3
440
[SymfonyLive Paris] Quoi de neuf depuis 1 an ?
saro0h
4
1.4k
[SymfonyCon Berlin] A year of Symfony
saro0h
2
970
[OpenClassrooms] Workflow Component
saro0h
3
950
PHP Benelux - Build Restful API easily with Symfony
saro0h
5
730
SymfonyLive San Francisco 2015 - Overriding Symfony in a million ways
saro0h
6
1k

Other Decks in Technology

See All in Technology
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
220
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
660
신뢰할 수 있는 AI 검색 엔진을 만들기 위한 Liner의 여정
huffon
0
370
一休.comレストランにおけるRustの活用
kymmt90
3
590
Automated Promptingを目指すその前に / Before we can aim for Automated Prompting
rkaga
0
110
グローバル展開を見据えたサービスにおける機械翻訳プラクティス / dp-ai-translating
cyberagentdevelopers
PRO
1
150
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
WINTICKETアプリで実現した高可用性と高速リリースを支えるエコシステム / winticket-eco-system
cyberagentdevelopers
PRO
1
190
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
170
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
140

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
51
13k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Pragmatic Product Professional
lauravandoore
31
6.3k
How STYLIGHT went responsive
nonsquared
95
5.2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
Documentation Writing (for coders)
carmenintech
65
4.4k
A better future with KSS
kneath
238
17k
Code Review Best Practice
trishagee
64
17k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Optimizing for Happiness
mojombo
376
69k

Transcript

  1. DIG IN SECURITY WITH SYMFONY 2015

  2. WHO AM I? • Head of • Trainer & Developer

    • Enjoying sharer Sarah Khalil @saro0h

  3. WHAT’S THE PLAN?

  4. WHAT’S THE PLAN? Security: Authentication 1

  5. WHAT’S THE PLAN? Security: Authentication 1 Security: Authorization 2

  6. WHAT’S THE PLAN? Security: Authentication 1 What’s new in Symfony3

    3 Security: Authorization 2

  7. SECURITY IN SYMFONY

  8. Security Component

  9. Security Bundle

  10. None

  11. dump() var_

  12. dump()

  13. None

  14. Vote for him, he’s so swagg

  15. Vote for him, he’s so swagg

  16. Vote for him, he’s so swagg

  17. None
  18. None

  19. 4 KEY CONCEPTS User Provider Firewall Encoder

  20. WHAT DO WE HAVE TO WRITE?

  21. WHAT DO WE HAVE TO WRITE? security: encoders: Symfony\Component\Security\Core\User\User: bcrypt

    providers: in_memory: memory: users: sarah: password: $2a$12$LCY0M… roles: 'ROLE_USER' firewalls: admin: provider: in_memory pattern: /^admin form_login: login_path: /login check_path: /login_check

  22. AUTHENTICATION FLOW Firewall backend _username = ‘sarah.khalil’ _password = ‘mypwd’

    Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); Encoder Factory $factory->getEncoder($user); $encoder $encoder->isPasswordValid('mypwd'); Encoder true authenticated false | 401: Unauthorized /admin/myprofile or

  23. AUTHENTICATION FLOW Firewall backend _username = ‘sarah.khalil’ _password = ‘mypwd’

    Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); Encoder Factory $factory->getEncoder($user); $encoder $encoder->isPasswordValid('mypwd'); Encoder true authenticated false | 401: Unauthorized /admin/myprofile or

  24. 1. USER

  25. 1. USER

  26. WHAT IS A USER? The object stores: • credentials •

    associated roles

  27. MUST IMPLEMENT Symfony\Component\Security\Core\User\ UserInterface|AdvancedUserInterface

  28. 2. FIREWALL

  29. 2. FIREWALL

  30. Determines whether or not the user needs to be authenticated.

    AUTHENTICATION: FIREWALL

  31. Your application all routes begin with /admin all routes beginning

    with /shop all routes beginning with /blog all other routes…

  32. Your application all routes begin with /admin all routes beginning

    with /shop all routes beginning with /blog all other routes… The user needs to be authenticated to access this part of the app

  33. WHAT DO WE HAVE TO WRITE? security: firewalls: admin: provider:

    in_memory pattern: /^admin form_login: login_path: /login check_path: /login_check

  34. WHAT DO WE HAVE TO WRITE? security: firewalls: admin: provider:

    in_memory pattern: /^admin form_login: login_path: /login check_path: /login_check

  35. WHAT DO WE HAVE TO WRITE? security: firewalls: admin: provider:

    in_memory pattern: /^admin form_login: login_path: /login check_path: /login_check

  36. WHAT DO WE HAVE TO WRITE? security: firewalls: admin: provider:

    in_memory pattern: /^admin form_login: login_path: /login check_path: /login_check

  37. BUILT-IN WAYS OF AUTHENTICATING A USER

  38. http-basic http-digest BUILT-IN WAYS OF AUTHENTICATING A USER

  39. http-basic http-digest form-based BUILT-IN WAYS OF AUTHENTICATING A USER

  40. http-basic http-digest form-based x.509 certificate BUILT-IN WAYS OF AUTHENTICATING A

    USER

  41. http-basic http-digest form-based x.509 certificate BUILT-IN WAYS OF AUTHENTICATING A

    USER Your own authenticator

  42. AUTHENTICATION FLOW Firewall backend redirects to /admin/myprofile login form

  43. AUTHENTICATION FLOW Firewall backend _username = ‘sarah.khalil’ _password = ‘mypwd’

    authenticated 401: Unauthorized or /admin/login

  44. 3. PROVIDER

  45. AUTHENTICATION: PROVIDER Find and/or create a user.

  46. security: providers: in_memory: memory: users: sarah: password: $2a$12$LCY0M… roles: 'ROLE_USER'

  47. AUTHENTICATION: PROVIDER

  48. AUTHENTICATION: PROVIDER

  49. AUTHENTICATION: PROVIDER

  50. AUTHENTICATION: PROVIDER

  51. AUTHENTICATION: PROVIDER

  52. AUTHENTICATION: PROVIDER

  53. AUTHENTICATION: PROVIDER

  54. AUTHENTICATION: PROVIDER

  55. AUTHENTICATION FLOW Firewall backend _username = ‘sarah.khalil’ _password = ‘mypwd’

    Provider authenticated 401: Unauthorized /admin/myprofile or

  56. AUTHENTICATION FLOW Firewall backend _username = ‘sarah.khalil’ _password = ‘mypwd’

    Provider $provider->loadUserByUsername('sarah.khalil'); authenticated 401: Unauthorized /admin/myprofile or

  57. AUTHENTICATION FLOW Firewall backend _username = ‘sarah.khalil’ _password = ‘mypwd’

    Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); authenticated 401: Unauthorized /admin/myprofile or

  58. interface UserProviderInterface { public function loadUserByUsername($username); public function refreshUser(UserInterface $user);

    public function supportsClass($class); }

  59. 4. ENCODER

  60. AUTHENTICATION: ENCODER Hashes and compares a password.

  61. CONFIGURATION security: encoders: Symfony\Component\Security\Core\User\User: bcrypt SecurityBundle

  62. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    authenticated Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile

  63. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    Encoder Factory authenticated Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile

  64. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    Encoder Factory $factory->getEncoder($user); authenticated Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile

  65. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    Encoder Factory $factory->getEncoder($user); $encoder authenticated Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile

  66. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    Encoder Factory $factory->getEncoder($user); $encoder Encoder authenticated Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile

  67. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); authenticated Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile

  68. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); authenticated true Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile

  69. AUTHENTICATION FLOW Firewall backend username = ‘sarah.khalil’ password = ‘mypwd’

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); authenticated true Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’); /admin/myprofile false | 401: Unauthorized or

  70. interface PasswordEncoderInterface { /** * Encodes the raw password. */

    public function encodePassword($raw, $salt); /** * Checks a raw password against an encoded password. */ public function isPasswordValid($encoded, $raw, $salt); }

  71. ALL TOGETHER NOW!

  72. security: encoders: Symfony\Component\Security\Core\User\User: bcrypt providers: in_memory: memory: users: sarah: password:

    $2a$12$LCY0M… roles: 'ROLE_USER' firewalls: admin: provider: in_memory pattern: /^admin form_login: login_path: /login check_path: /login_check

  73. AUTHENTICATION FLOW backend

  74. AUTHENTICATION FLOW backend _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  75. AUTHENTICATION FLOW Firewall backend _username = ‘sarah.khalil’ _password = ‘mypwd’

    /admin/myprofile

  76. AUTHENTICATION FLOW Firewall backend Provider _username = ‘sarah.khalil’ _password =

    ‘mypwd’ /admin/myprofile

  77. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); _username = ‘sarah.khalil’ _password

    = ‘mypwd’ /admin/myprofile

  78. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  79. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  80. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  81. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); $encoder _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  82. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); $encoder Encoder _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  83. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  84. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); true _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  85. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); true authenticated _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile

  86. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); true authenticated _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile or

  87. AUTHENTICATION FLOW Firewall backend Provider $provider->loadUserByUsername('sarah.khalil'); $user = new User(‘sarah.khalil’);

    Encoder Factory $factory->getEncoder($user); $encoder Encoder $encoder->isPasswordValid('mypwd'); true authenticated false | 401: Unauthorized _username = ‘sarah.khalil’ _password = ‘mypwd’ /admin/myprofile or

  88. AUTHORIZATION

  89. $decision = $this ->get(‘security.authorization_checker') ->isGranted('ROLE_ADMIN'); if (false === $decision) {

    throw $this ->createAccessDeniedException(‘Access denied.’); } What you have usually in a controller

  90. $decision = $this ->get(‘security.authorization_checker') ->isGranted('ROLE_ADMIN'); if (false === $decision) {

    throw $this ->createAccessDeniedException(‘Access denied.’); } What you have usually in a controller $this ->denyAccessUnlessGranted('ROLE_ADMIN', null, ‘Access denied!');

  91. Or in a template {% if is_granted('ROLE_ADMIN') %} <a href="...">Delete</a>

    {% endif %}

  92. HOW DOES IT WORK?

  93. None
  94. None

  95. Let’s take a look at the security.authorization_checker service.

  96. final public function isGranted($attributes, $object = null) { // Checks

    if there is someone authenticated (if there is a token) // Makes sure that the attributes in an array // returns true or false return $this->accessDecisionManager->decide($token, $attributes, $object); } Symfony\Component\Security\Core\Authorization\AccessDecisionManager Any string that represent a permission anything that can help to make a decision

  97. Symfony\Component\Security\Core\Authorization \AccessDecisionManager The object needs: • voters • a decision

    strategy • $allowIfAllAbstainDecisions • $allowIfEqualGrantedDeniedDecisions

  98. VOTERS Voters are added in a compiler pass (Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSecurityVotersPass )

    Must have the security.voter tag

  99. VOTERS Voters are sorted by the attribute priority (the highest

    is the last to be executed). If you don’t put any priority, => 0 (first to be executed)

  100. security: access_decision_manager: strategy: affirmative allow_if_all_abstain: false allow_if_equal_granted_denied: true in app/config/security.yml

  101. $strategy = $allowIfAllAbstainDecisions = $allowIfEqualGrantedDeniedDecisions = affirmative or consensus or

    unanimous true or false true or false

  102. $strategy = affirmative $allowIfAllAbstainDecisions = false $allowIfEqualGrantedDeniedDecisions = true Default

    values

  103. Symfony\Component\Security\Core\Authorization \AccessDecisionManager The object needs: • voters • a decision

    strategy • $allowIfAllAbstainDecisions • $allowIfEqualGrantedDeniedDecisions

  104. //Symfony\Component\Security\Core\Authorization\AccessDecisionManager public function decide(TokenInterface $token, array $attributes, $object = null)

    { return $this->{$this->strategy} ($token, $attributes, $object); } decideAffirmative decideConsensus decideUnanimous

  105. decideAffirmative Gives access if at least one voter says ACCESS_GRANTED.

    One says yes.

  106. decideConsensus • Gives access if the majority says ACCESS_GRANTED (without

    abstainer) • If voters saying ACCESS_GRANTED === voters saying ACCESS_DENIED => the configuration takes the decision security.access_decision_manager.allow_if_equal_granted_denied Majority says yes. default = true

  107. decideUnanimous Gives access if all voters say ACCESS_GRANTED. All of

    them says yes.

  108. If all voters say ACCESS_ABSTAIN the configuration takes the decision.

    security.access_decision_manager.allow_if_all_abstain default = false

  109. decideXxxx //Symfony\Component\Security\Core\Authorization\AccessDecisionManager //… foreach ($this->voters as $voter) { $result[] =

    $voter->vote($token, $object, $attributes); } // logic to return true or false 200 or 403 (forbidden)

  110. Voter MUST NOT be called by you. Voter = Private

    Service

  111. Voter MUST NOT be called by you. Voter = Private

    Service

  112. Voters must be light in case of unanimous or consensus

    strategy. (because all voters are executed)

  113. ALL TOGETHER NOW!

  114. AuthorizationChecker::isGranted()

  115. Controller or template or service from AuthorizationChecker::isGranted()

  116. Controller or template or service from AuthorizationChecker::isGranted() AccessDecisionManager::decide() calls

  117. Controller or template or service from AuthorizationChecker::isGranted() Strategy Voters Decision

    maker if all can’t make a decision Decision maker if all abstain needs AccessDecisionManager::decide() calls

  118. Controller or template or service from AuthorizationChecker::isGranted() Strategy Voters Decision

    maker if all can’t make a decision Decision maker if all abstain needs AccessDecisionManager::decide() calls AccessDecisionManager::decideAffirmative() or AccessDecisionManager::decideConsensus() or AccessDecisionManager::decideUnanimous() calls

  119. Controller or template or service from VoterInterface::vote() … VoterInterface::vote() calls

    AuthorizationChecker::isGranted() Strategy Voters Decision maker if all can’t make a decision Decision maker if all abstain needs AccessDecisionManager::decide() calls AccessDecisionManager::decideAffirmative() or AccessDecisionManager::decideConsensus() or AccessDecisionManager::decideUnanimous() calls

  120. Controller or template or service from VoterInterface::vote() … VoterInterface::vote() calls

    AuthorizationChecker::isGranted() false true returns Strategy Voters Decision maker if all can’t make a decision Decision maker if all abstain needs AccessDecisionManager::decide() calls AccessDecisionManager::decideAffirmative() or AccessDecisionManager::decideConsensus() or AccessDecisionManager::decideUnanimous() calls

  121. WHAT’S NEW IN SYMFONY3?

  122. 2 NEW COMPONENTS

  123. 2 NEW COMPONENTS

  124. Before

  125. Be careful, BC break to expect in 3.1

  126. Tomorrow, 9 am, here!

  127. None
  128. None

  129. security.context security.token_storage security.authorization_checker DEPRECATIONS

  130. DEPRECATIONS intention csrf_token_id

  131. DEPRECATIONS VoterInterface::supportsClass VoterInterface::supportsAttribute

  132. DEPRECATIONS AbstractVoter Voter implement supports($attribute, $subject) and voteOnAttribute($attribute, $subject, TokenInterface

    $token)

  133. DEPRECATIONS The subcomponent ACL has been removed since version 2.8.

  134. None
  135. None

  136. Thank you! @saro0h speakerdeck.com/saro0h/ github.com/saro0h/oauth-github Follow me on @catlannister We

    hire ;)