Symfony2 security layer

6. app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
8. app/config/security.yml
security:
    providers:
        nomi_fantasiosi:
            entity:
                class: AcmeUserBundle:User
                property: username
    encoders:
        Acme\UserBundle\Entity\User: sha1
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
9. app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: sha1
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
10. app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: md5
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
12. app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: sha512
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
14. app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            http_basic: ~
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
15. app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            http_digest: ~
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
16. app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            x509: ~
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
21. ...with username and password
$this
    ->get('security.context')
    ->getToken()
    ->isAuthenticated()

22. ...with username and password
$this
    ->get('security.context')
    ->getToken()
    ->isAuthenticated()   // TRUE

24. ...anonymous
$this
    ->get('security.context')
    ->getToken()
    ->isAuthenticated()   // TRUE
27. The call (app.php)
use Symfony\Component\HttpFoundation\Request;

$kernel = new AppKernel('prod', false);   // environment 'prod', debug off
$request = Request::createFromGlobals();
$response = $kernel->handle($request);    // kernel.request is dispatched here; the Firewall listens to it
$response->send();
$kernel->terminate($request, $response);
32. Firewall (diagram)
• FirewallMap
• Listeners
• Token
• AuthenticationProvider

33. Firewall (diagram; adds to slide 32)
• UserProvider
• Encoder
• UserChecker

34. Firewall (diagram; adds to slide 33)
• AuthSuccessHandler
• AuthFailureHandler
• LogoutHandler
• LogoutSuccessHandler

35. Firewall (diagram; adds to slide 34)
• SessionAuthStrategy
• RememberMe
38. Authorization (diagram)
• SecurityContext, AccessListener, MethodSecurityInterceptor
• AccessDecisionManager
• Voter

39. Authorization (diagram; adds to slide 38)
• AuthenticatedVoter
• AuthenticatedTrustResolver

40. Authorization (diagram; adds to slide 39)
• RoleVoter
• RoleHierarchy

41. Authorization (diagram; adds to slide 40)
• AclVoter
• PermissionMap
• AclProvider
43. Ego slide
• Manuel “Kea” Baldassarri
• Senior Developer
• Web developer since 1992 and PHP developer since 1998
• Pro PHP: best practices
• Husband and father of two
• mb@ideato.it
• twitter: k3a
• flickr: kea42
• slideshare: kea42
46. Tip #2
• Documentation
• http://symfony.com/doc/current/book
• http://symfony.com/doc/current/cookbook
• http://symfony.com/doc/current/components
• https://github.com/matthiasnoback/symfony-docs
• http://symfony.com/doc/current/reference/configuration/security.htm
Editor's Notes

What we will see: an overview of the component, a few configuration examples, and a bit of how it works "from the inside".

90% of the work, in 90% of the cases, is configuration.

It verifies that you are who you say you are. It verifies that you have the privileges to do something.

Multiple firewalls do not share the security context.

Let's look at the code.

Inside the kernel, after initialization. The Firewall is notified by the kernel.request event; it asks the FirewallMap whether one of the URL patterns of the secured areas matches (RequestMatcher). Examples! If so, the listener is asked to handle the request.

LISTENERS: AnonymousAuthenticationListener, BasicAuth, Digest, Logout, SwitchUser, X509, UserPwdForm, RememberMe.

Tokens: Anonymous, RememberMe, UsernamePassword, PreAuth. They implement TokenInterface (getUsername, getRoles, getCredentials, isAuthenticated, getUser).

User providers: memory, entity.

Three strategies are supported for session handling:
• NONE: the session is not changed
• MIGRATE: the session id is updated, attributes are kept
• INVALIDATE: the session id is updated, attributes are lost

A voter is a class dedicated to verifying that the user has the rights to access the application. Access granted, denied, abstained. The AccessDecisionManager uses the voters to decide whether or not to grant authorization.

Strategies: Affirmative (one grant is enough), Consensus (majority), Unanimous (unanimity).
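The voting described in the notes above (each voter answers granted, denied or abstain, then the AccessDecisionManager applies Affirmative, Consensus or Unanimous), as an added Python model that is not the slides' or Symfony's own code; the Token class, the two voters and the sample users (ryan, admin, an unauthenticated token) are constructed for this example.

```python
# Added example: a stand-alone model of Symfony2's AccessDecisionManager
# strategies. The Token class and the voters are constructed stand-ins,
# modelled on RoleVoter and AuthenticatedVoter, not the real classes.
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


class Token:
    """Minimal stand-in for a security token (constructed for the example)."""
    def __init__(self, username, roles, authenticated=True):
        self.username = username
        self.roles = roles
        self.authenticated = authenticated


def role_voter(token, attributes):
    """Like RoleVoter: votes only on ROLE_* attributes, abstains otherwise."""
    role_attrs = [a for a in attributes if a.startswith("ROLE_")]
    if not role_attrs:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if any(a in token.roles for a in role_attrs) else ACCESS_DENIED


def authenticated_voter(token, attributes):
    """Like AuthenticatedVoter: votes only on IS_AUTHENTICATED_FULLY."""
    if "IS_AUTHENTICATED_FULLY" not in attributes:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if token.authenticated else ACCESS_DENIED


VOTERS = [role_voter, authenticated_voter]


def decide(strategy, token, attributes, voters=VOTERS, allow_if_all_abstain=False):
    """Collect the votes and apply one of the three decision strategies."""
    votes = [vote(token, attributes) for vote in voters]
    grants = votes.count(ACCESS_GRANTED)
    denies = votes.count(ACCESS_DENIED)
    if grants == 0 and denies == 0:      # everyone abstained: fall back to the flag
        return allow_if_all_abstain
    if strategy == "affirmative":        # a single grant is enough
        return grants > 0
    if strategy == "consensus":          # majority; a tie is granted here
        return grants >= denies
    if strategy == "unanimous":          # a single deny blocks
        return denies == 0
    raise ValueError("unknown strategy: " + strategy)
```

With the slides' access_control rule (^/admin requires ROLE_ADMIN), admin is granted and ryan is denied under every strategy; the strategies only diverge when voters disagree, e.g. an unauthenticated token that has ROLE_USER asked for both ROLE_USER and IS_AUTHENTICATED_FULLY.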