Symfony2 security layer

Speaker notes:
  • What we'll cover: an overview of the component, a few configuration examples, and a bit of how it works "from the inside".
  • 90% of the work in 90% of cases is configuration.
  • Verifies that you are who you say you are. Verifies that you have the privileges to do something.
  • Multiple firewalls do not share the security context.
  • Let's look at the code.
  • Inside the kernel, after initialization.
  • The Firewall is notified by the kernel.request event and asks the FirewallMap whether the URL matches one of the secured areas' patterns (RequestMatcher). Examples!
  • If it does, the listener is asked to handle the request. LISTENERS: AnonymousAuthenticationListener, BasicAuth, Digest, Logout, SwitchUser, X509, UserPwdForm, RememberMe.
  • Anonymous, RememberMe, UsernamePassword, PreAuth implement TokenInterface (getUsername, getRoles, getCredentials, isAuthenticated, getUser).
  • User providers: memory, entity.
  • Supports three session management strategies:
    * NONE: the session is not changed
    * MIGRATE: the session id is updated, attributes are kept
    * INVALIDATE: the session id is updated, attributes are lost
  • A voter is a class dedicated to checking that the user has the rights to access the application. Access granted, denied, abstained.
  • The AccessDecisionManager uses the voters to decide whether or not to grant authorization.
  • Strategies: Affirmative (one grant is enough), Consensus (majority), Unanimous (unanimity).
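The notes above describe voters, the AccessDecisionManager and its three strategies in one sentence each. The following stand-alone PHP is an added example, not code from the slides or from Symfony itself: it models the voter contract and the decision logic with the same names the component uses, so the three strategies can be compared on identical votes. The RoleVoter mirrors Symfony's; the FrozenPathVoter, the array-shaped token and the sample paths are constructed for the demo.

```php
<?php
// Added example, not code from the slides or from Symfony: a stand-alone model of
// how Symfony2's AccessDecisionManager combines voter results under its three
// strategies. Names mirror the component; nothing here needs Symfony installed.

interface VoterInterface
{
    const ACCESS_GRANTED = 1;
    const ACCESS_ABSTAIN = 0;
    const ACCESS_DENIED  = -1;

    // $token is modelled as array('roles' => array(...)) instead of a TokenInterface
    public function vote(array $token, $object, array $attributes);
}

// Like Symfony's RoleVoter: only ROLE_* attributes concern it. It abstains on
// anything else, denies when the role is missing and grants when it is present.
class RoleVoter implements VoterInterface
{
    public function vote(array $token, $object, array $attributes)
    {
        $result = self::ACCESS_ABSTAIN;
        foreach ($attributes as $attribute) {
            if (0 !== strpos($attribute, 'ROLE_')) {
                continue;
            }
            $result = self::ACCESS_DENIED;
            if (in_array($attribute, $token['roles'], true)) {
                return self::ACCESS_GRANTED;
            }
        }
        return $result;
    }
}

// Constructed for the demo: denies every request for one frozen path, abstains elsewhere.
class FrozenPathVoter implements VoterInterface
{
    public function vote(array $token, $object, array $attributes)
    {
        return ('/admin/deploy' === $object) ? self::ACCESS_DENIED : self::ACCESS_ABSTAIN;
    }
}

class AccessDecisionManager
{
    private $voters;
    private $strategy;
    private $allowIfAllAbstain;          // security.access_decision_manager.allow_if_all_abstain
    private $allowIfEqualGrantedDenied;  // ...allow_if_equal_granted_denied (consensus only)

    public function __construct(array $voters, $strategy = 'affirmative',
                                $allowIfAllAbstain = false, $allowIfEqualGrantedDenied = true)
    {
        $this->voters = $voters;
        $this->strategy = $strategy;
        $this->allowIfAllAbstain = $allowIfAllAbstain;
        $this->allowIfEqualGrantedDenied = $allowIfEqualGrantedDenied;
    }

    public function decide(array $token, array $attributes, $object = null)
    {
        $granted = 0;
        $denied = 0;
        foreach ($this->voters as $voter) {
            $vote = $voter->vote($token, $object, $attributes);
            if (VoterInterface::ACCESS_GRANTED === $vote) {
                ++$granted;
            } elseif (VoterInterface::ACCESS_DENIED === $vote) {
                ++$denied;
            }
        }
        switch ($this->strategy) {
            case 'affirmative':   // one grant is enough; abstentions alone never grant
                if ($granted > 0) { return true; }
                if ($denied > 0) { return false; }
                return $this->allowIfAllAbstain;
            case 'consensus':     // majority among the voters that did not abstain
                if ($granted > $denied) { return true; }
                if ($denied > $granted) { return false; }
                if ($granted > 0) { return $this->allowIfEqualGrantedDenied; }
                return $this->allowIfAllAbstain;
            case 'unanimous':     // a single deny wins over any number of grants
                if ($denied > 0) { return false; }
                if ($granted > 0) { return true; }
                return $this->allowIfAllAbstain;
        }
        throw new InvalidArgumentException('Unknown strategy: ' . $this->strategy);
    }
}

// Demo: the same three access checks under each strategy (tokens and paths are constructed).
$voters = array(new RoleVoter(), new FrozenPathVoter());
$admin  = array('roles' => array('ROLE_ADMIN'));
$user   = array('roles' => array('ROLE_USER'));
$cases  = array(
    array('ROLE_ADMIN on /admin/deploy (1 grant, 1 deny)', $admin, array('ROLE_ADMIN'),  '/admin/deploy'),
    array('ROLE_USER on /admin (1 deny)',                  $user,  array('ROLE_ADMIN'),  '/admin'),
    array('unknown attribute (all abstain)',               $admin, array('IS_WHATEVER'), '/'),
);
foreach (array('affirmative', 'consensus', 'unanimous') as $strategy) {
    $manager = new AccessDecisionManager($voters, $strategy);
    foreach ($cases as $case) {
        list($label, $token, $attributes, $path) = $case;
        printf("%-12s %-46s %s\n", $strategy, $label,
            $manager->decide($token, $attributes, $path) ? 'granted' : 'DENIED');
    }
}
```

Run it with `php decision.php`. The first case is where the strategies diverge: affirmative and consensus grant (one grant is enough, and the 1:1 tie falls to allow_if_equal_granted_denied, which defaults to true), while unanimous denies because of the FrozenPathVoter's single deny. The last case is why allow_if_all_abstain defaults to false: an attribute no voter understands must not open the door, under any strategy.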

Slides:
    1. Symfony2 Security Layer (don't ask me about the MethodSecurityInterceptor)
    2. We are here
    3. Huh?!
    4. Sim sala min!
    5. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: plaintext
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    6. Authentication / Authorization
    7. app/config/security.yml
       security:
           providers:
               nomi_fantasiosi:
                   entity:
                       class:    AcmeUserBundle:User
                       property: username
           encoders:
               Acme\UserBundle\Entity\User: sha1
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    8. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: sha1
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    9. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: md5
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    10. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: sha1
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    11. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: sha512
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    12. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: plaintext
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    13. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: plaintext
           firewalls:
               secured_area:
                   pattern:    ^/
                   anonymous:  ~
                   http_basic: ~
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    14. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: plaintext
           firewalls:
               secured_area:
                   pattern:     ^/
                   anonymous:   ~
                   http_digest: ~
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    15. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: plaintext
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   x509:      ~
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    16. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: plaintext
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    17. app/config/security.yml
       security:
           providers:
               in_memory:
                   memory:
                       users:
                           ryan:  { password: ryanpass, roles: ROLE_USER }
                           admin: { password: kitten, roles: ROLE_ADMIN }
           encoders:
               Symfony\Component\Security\Core\User\User: plaintext
           firewalls:
               secured_area:
                   pattern:   ^/
                   anonymous: ~
                   form_login:
                       login_path: /login
                       check_path: /login_check
           access_control:
               - { path: ^/admin, roles: ROLE_ADMIN }
    18. The authenticated user
       public function indexAction()
       {
           $user = $this
               ->get('security.context')
               ->getToken()
               ->getUser();
       }
    19. getToken()?!
    20. ...with username and password
       $this
           ->get('security.context')
           ->getToken()
           ->isAuthenticated()
    21. ...with username and password
       $this
           ->get('security.context')
           ->getToken()
           ->isAuthenticated()
       TRUE
    22. ...anonymous
       $this
           ->get('security.context')
           ->getToken()
           ->isAuthenticated()
    23. ...anonymous
       $this
           ->get('security.context')
           ->getToken()
           ->isAuthenticated()
       TRUE
    24. True?!
    25. Authentication
    26. The call (app.php)
       $kernel = new AppKernel('prod', false);
       $request = Request::createFromGlobals();
       $response = $kernel->handle($request);
       $response->send();
       $kernel->terminate($request, $response);
    27. The call
       $this
           ->dispatcher
           ->dispatch('kernel.request', $event);
    28. Firewall, FirewallMap
    29. Firewall, FirewallMap, Listeners
    30. Firewall, FirewallMap, Listeners, Token
    31. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider
    32. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider, UserProvider, Encoder, UserChecker
    33. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider, UserProvider, Encoder, UserChecker, AuthSuccessHandler, AuthFailureHandler, LogoutHandler, LogoutSuccessHandler
    34. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider, UserProvider, Encoder, UserChecker, AuthSuccessHandler, AuthFailureHandler, LogoutHandler, LogoutSuccessHandler, SessionAuthStrategy, RememberMe
    35. Authorization
    36. Voter
    37. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter
    38. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter, AuthenticatedVoter, AuthenticatedTrustResolver
    39. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter, RoleVoter, RoleHierarchy, AuthenticatedVoter, AuthenticatedTrustResolver
    40. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter, AclVoter, PermissionMap, AclProvider, RoleVoter, RoleHierarchy, AuthenticatedVoter, AuthenticatedTrustResolver
    41. Unveiling the mystery: isAuthenticated() vs isGranted('IS_AUTHENTICATED_FULLY')
    42. Ego slide
       • Manuel "Kea" Baldassarri
       • Senior Developer
       • Web dev since 1992 and PHP dev since 1998
       • Pro PHP: best practices
       • Husband and father of two
       • mb@ideato.it, twitter: k3a
       • flickr: kea42, slideshare: kea42
    43. ?
    44. Tip #1: Impersonating a user
    45. Tip #2: Documentation
       • http://symfony.com/doc/current/book
       • http://symfony.com/doc/current/cookbook
       • http://symfony.com/doc/current/components
       • https://github.com/matthiasnoback/symfony-docs
       • http://symfony.com/doc/current/reference/configuration/security.htm
    46. Tip #3: Read the code
    47. Creative Commons: http://www.flickr.com/photos/mardrom/8010607983/
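Slides 20 to 24 show isAuthenticated() returning true for both a password-authenticated and an anonymous token, and slide 41 resolves the puzzle by contrasting it with isGranted('IS_AUTHENTICATED_FULLY'). The PHP below is an added example, not code from the deck or from Symfony: it is a stand-alone model of the token classes, the AuthenticatedTrustResolver and the AuthenticatedVoter (named as in Symfony2, simplified constructors) that shows the flag and the attribute are two different questions. The three sample tokens are constructed for the demo.

```php
<?php
// Added example, not code from the slides or from Symfony: a stand-alone model of
// the token classes, AuthenticatedTrustResolver and AuthenticatedVoter that shows
// why an anonymous token answers true to isAuthenticated() yet fails
// isGranted('IS_AUTHENTICATED_FULLY'). Names mirror Symfony2's; no Symfony needed.

interface TokenInterface
{
    public function getUsername();
    public function getRoles();
    public function isAuthenticated();
}

abstract class AbstractToken implements TokenInterface
{
    private $username;
    private $roles;
    private $authenticated = false;

    public function __construct($username, array $roles)
    {
        $this->username = $username;
        $this->roles = $roles;
        $this->authenticated = true;   // every listener in the deck stores its token "authenticated"
    }
    public function getUsername()     { return $this->username; }
    public function getRoles()        { return $this->roles; }
    public function isAuthenticated() { return $this->authenticated; }
}

// Stored by AnonymousAuthenticationListener when no other listener produced a
// token: no credentials at all, yet the flag is true (the "True?!" of slide 24).
class AnonymousToken        extends AbstractToken {}
// Rebuilt from the remember-me cookie: a known user, but no password seen this session.
class RememberMeToken       extends AbstractToken {}
// Produced by form_login / http_basic after the encoder verified the password.
class UsernamePasswordToken extends AbstractToken {}

// Trust is derived from the token's class, not from the isAuthenticated() flag.
class AuthenticatedTrustResolver
{
    public function isAnonymous(TokenInterface $token)   { return $token instanceof AnonymousToken; }
    public function isRememberMe(TokenInterface $token)  { return $token instanceof RememberMeToken; }
    public function isFullFledged(TokenInterface $token) { return !$this->isAnonymous($token) && !$this->isRememberMe($token); }
}

class AuthenticatedVoter
{
    const ACCESS_GRANTED = 1;
    const ACCESS_ABSTAIN = 0;
    const ACCESS_DENIED  = -1;
    const IS_AUTHENTICATED_FULLY       = 'IS_AUTHENTICATED_FULLY';
    const IS_AUTHENTICATED_REMEMBERED  = 'IS_AUTHENTICATED_REMEMBERED';
    const IS_AUTHENTICATED_ANONYMOUSLY = 'IS_AUTHENTICATED_ANONYMOUSLY';

    private $resolver;
    public function __construct(AuthenticatedTrustResolver $resolver) { $this->resolver = $resolver; }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        $result = self::ACCESS_ABSTAIN;
        $mine = array(self::IS_AUTHENTICATED_FULLY, self::IS_AUTHENTICATED_REMEMBERED, self::IS_AUTHENTICATED_ANONYMOUSLY);
        foreach ($attributes as $attribute) {
            if (!in_array($attribute, $mine, true)) {
                continue;   // not our attribute; RoleVoter and friends handle the rest
            }
            $result = self::ACCESS_DENIED;
            if (self::IS_AUTHENTICATED_FULLY === $attribute && $this->resolver->isFullFledged($token)) {
                return self::ACCESS_GRANTED;
            }
            if (self::IS_AUTHENTICATED_REMEMBERED === $attribute
                && ($this->resolver->isRememberMe($token) || $this->resolver->isFullFledged($token))) {
                return self::ACCESS_GRANTED;
            }
            if (self::IS_AUTHENTICATED_ANONYMOUSLY === $attribute) {
                return self::ACCESS_GRANTED;   // every token kind modelled here is at least anonymous
            }
        }
        return $result;
    }
}

// Demo: the three token kinds against the flag and against the three trust levels (constructed tokens).
$voter  = new AuthenticatedVoter(new AuthenticatedTrustResolver());
$tokens = array(
    'anonymous'       => new AnonymousToken('anon.', array()),
    'remember-me'     => new RememberMeToken('ryan', array('ROLE_USER')),
    'user + password' => new UsernamePasswordToken('ryan', array('ROLE_USER')),
);
$levels = array(AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY,
                AuthenticatedVoter::IS_AUTHENTICATED_REMEMBERED,
                AuthenticatedVoter::IS_AUTHENTICATED_FULLY);
foreach ($tokens as $label => $token) {
    $line = sprintf("%-16s isAuthenticated()=%-5s", $label, $token->isAuthenticated() ? 'true' : 'false');
    foreach ($levels as $level) {
        $granted = AuthenticatedVoter::ACCESS_GRANTED === $voter->vote($token, null, array($level));
        $line .= sprintf("  %s=%s", $level, $granted ? 'granted' : 'denied');
    }
    echo $line, "\n";
}
```

All three tokens print isAuthenticated()=true, which is exactly what slides 21 and 23 show; only the trust resolver separates them, so a controller that wants a real login check asks isGranted('IS_AUTHENTICATED_FULLY') (or IS_AUTHENTICATED_REMEMBERED when a remember-me cookie is acceptable) rather than reading the token's flag. The same attributes work in access_control rules, where they are the usual way to keep anonymous traffic out of an area without naming a role.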
