Your SlideShare is downloading.
×
×
![]()
Saving this for later?
Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply
Transcript
- 1. Love & LossA Symfony Security Play
- 2. brewcycleportland.com
- 3. @kriswallsmith
- 4. assetic
- 5. Buzz
- 6. Spork
- 7. “…the current implementation of the SecurityComponent is … not easily accessible”http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
- 8. “I would rather see Symfony2 postponed againor the Security Component removed …I don’t think it is even near of being usable tothe community outside the core.”http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
- 9. “The past few days I have really be strugglingwith the Symfony2 security component.It is the most complex component ofSymfony2 if you ask me!”http://blog.vandenbrand.org/2012/06/19/symfony2-authentication-provider-authenticate-against-webservice/
- 10. “(I’m) wondering if I should just work aroundrather than work with the framework”https://groups.google.com/forum/#!msg/symfony2/AZpgbEk4Src/73P99zOmq2YJ
- 11. Enhance yourPHPfun!
- 12. http://curiouscomedy.org
- 13. HttpKernelkernel.exceptionkernel.request kernel.terminatekernel.controller kernel.view kernel.response
- 14. kernel.request kernel.controller kernel.view kernel.response kernel.terminatekernel.exceptionHttpKernel
- 15. kernel.request kernel.controller kernel.view kernel.response kernel.terminatekernel.exceptionHttpKernel
- 16. HttpKernelGet the response and get out
- 17. kernel.requestRouteretc…Firewall
- 18. FirewallJust another listener
- 19. class YesFirewall{public function handle($event){// always say yes}}
- 20. use SymfonyComponentHttpFoundationResponse;class NoFirewall{public function handle($event){// always say no$event->setResponse(new Response(go away, 401));}}
- 21. use SymfonyComponentHttpFoundationResponse;class PickyFirewall{public function handle($event){$request = $event->getRequest();$user = $request->headers->get(PHP_AUTH_USER);// only names that start with "Q"if (Q == $user[0]) return;$event->setResponse(new Response(go away, 401));}}
- 22. Security ListenersThe firewall’s henchmen
- 23. FirewallListenerskernel.request
- 24. class Firewall{public $listeners = array();public function handle($event){foreach ($this->listeners as $listener) {$listener->handle($event);if ($event->hasResponse()) return;}}}
- 25. class YesListener{public function handle($event){// always say yes}}
- 26. use SymfonyComponentHttpFoundationResponse;class NoListener{public function handle($event){// always say no$event->setResponse(new Response(go away, 401));}}
- 27. use SymfonyComponentHttpFoundationResponse;class PickyListener{public function handle($event){$request = $event->getRequest();$user = $request->headers->get(PHP_AUTH_USER);// only names that start with "Q"if (Q == $user[0]) return;$event->setResponse(new Response(go away, 401));}}
- 28. AuthenticationAre you who you say you are?
- 29. AuthorizationAre you allowed to ____?
- 30. TokensThe Language of Security
- 31. Authentication ListenersMap from request to token
- 32. RequestResponse (?) TokenCoreHTTP
- 33. AuthenticationListener AAuthenticationListener BAuthenticationManagerFirewall
- 34. class AuthenticationListener{public $authMan, $context;public function handle($e){$r = $e->getRequest();$u = $r->headers->get(PHP_AUTH_USER);$t = new AnonToken($u);$t = $this->authMan->authenticate($t);$this->context->setToken($t);}}
- 35. class AuthenticationManager{public function authenticate($t){// always say no}}
- 36. class AuthenticationManager{public function authenticate($t){// always say yesreturn new AuthToken($t->getUser());}}
- 37. class AuthenticationManager{public function authenticate($t){$u = $t->getUser();// only names that start with "Q"if (Q == $u[0]) {return new AuthToken($u);}}}
- 38. Authentication ManagerResponsible for authenticatingthe token
- 39. Authentication ProvidersDo the actual authentication work
- 40. UserProvidersAuthenticationProvidersAuthenticationListener AAuthenticationListener BAuthenticationManager
- 41. User ProvidersAccess the repository of users
- 42. class AuthenticationManager{public $providers = array();public function authenticate($t){foreach ($this->providers as $p) {if ($p->supports($t)) {return $p->authenticate($t);}}}}
- 43. class AuthenticationProvider{public $up;public function authenticate($t){$u = $t->getUser();$u = $this->up->loadUserByUsername($u);if ($u) return new AuthToken($u);}}
- 44. class UserProvider{public $repo;public function loadUserByUsername($u){return ($this->repo->find(array(username => $u,)));}}
- 45. Authentication
- 46. Authentication Listeners• Map client data from request totoken• Pass token to authenticationmanager• Update state of security context
- 47. Authentication Manager• Responsible for authenticating thetoken• Calls the appropriateauthentication provider• Handles exceptions
- 48. Authentication Providers• Performs authentication using clientdata in the token• Marks the token as authenticated• Attaches the user object to thetoken
- 49. User Providers• Retrieves the user from the database
- 50. Authorization
- 51. class AuthorizationListener{public function handle($e){// always say yes}}
- 52. use SymfonyComponentHttpFoundationResponse;class AuthorizationListener{public function handle($e){// always say no$e->setResponse(new Response(go away, 403));}}
- 53. Access MapLooks at a request and determinestoken requirements
- 54. Access Decision ManagerThe gatekeeper
- 55. VotersDecisionManagerListener Map
- 56. use SymfonyComponentHttpFoundationResponse;class AccessListener{public $context, $map, $decider;public function handle($e){$r = $e->getRequest();$t = $this->context->getToken();$reqs = $this->map->getRequirements($r);if (!$this->decider->decide($t, $reqs)) {$e->setResponse(new Response(go away, 403));}}}
- 57. class AccessMap{public function getRequirements($r){$path = $r->getPathInfo();if (0 === strpos($path, /admin)) {return array(ADMIN);}}}
- 58. class AccessDecisionManager{public $voters;public function decide($t, $reqs){foreach ($this->voters as $v) {if ($v->vote($t, null, $reqs)) {return true;}}return false;}}
- 59. class AccessVoter{public function vote($t, $obj, $reqs){foreach ($reqs as $req) {if (!$t->hasAttribute($req)) {return false;}}return true;}}
- 60. Authorization
- 61. Extension Points
- 62. The firewall has many listeners
- 63. The authentication manager hasmany authentication providers
- 64. Which MAY rely onuser providers
- 65. The access decision managerhas many votersAuthenticatedRolesACL
- 66. Questions?
- 67. is hiring
- 68. “Horrible”“Worst talk ever”“Go back to high school”https://joind.in/8665
Be the first to comment