
FLOW3 Security Framework applied to TYPO3 Phoenix



  1. FLOW3 Security Framework applied to TYPO3 Phoenix
     Andreas Förthner <andreas.foerthner@netlogix.de>
     T3CON10 Frankfurt – Andreas Förthner | FLOW3 Security Framework applied to TYPO3 Phoenix | Inspiring people to share
  2. Your host: Andreas Förthner
     • Work: netlogix Media in Nuremberg
     • Studied computer science in Erlangen
     • FLOW3/Phoenix Core Team since 2007
     • Leader of the TYPO3 security team together with Helmut Hummel
  3. Agenda
     • Which security concepts are needed for Phoenix?
     • Authentication infrastructure
     • Authorization and how to display all this?
     • Security for data AKA content security
     • Security for files AKA secure downloads
     • Summary and questions
  4. WHICH SECURITY CONCEPTS ARE NEEDED?
  5. Which security concepts are needed? Authentication
     • Ensure you are talking to the correct partner
     • Use different mechanisms to validate the identity
     • Provide an easy-to-extend infrastructure
     • Manage user accounts
  6. Which security concepts are needed? Authorization
     • Restrict certain users from accessing functionality
     • Use a declarative policy to configure those restrictions
     • Change restrictions or add new ones without changing the Phoenix core
  7. Which security concepts are needed? Protect your stored data
     • Declaratively describe who should be allowed to read/write your domain models' data
     • Data you don't have access to should not be loaded by the persistence layer at all
     • Provide an infrastructure for protected files
  8. Which security concepts are needed? Protect the communication channel
     • Encrypt transferred data if needed
     • Sign transferred data
     • General CSRF protection
  9. Which security concepts are needed? Validate incoming data
     • Protection against XSS attacks
     • No SQL injections anymore
     Sanitize displayed data
     • E.g. no XSS code on your website
  10. Which security concepts are needed? Protect your system against unwanted requests
     • Application firewall based on request filters
     • Drop unwanted/unauthorized requests as early as possible
  11. AUTHENTICATION INFRASTRUCTURE
  12. Authentication infrastructure
     TYPO3 is an application with different authentication areas:
     • "Frontend"
     • "Backend"
     • Custom areas, e.g. "Extranet area"
     Users might have access to more than one area
     Different authentication mechanisms for different areas
     Use a different mechanism for connections from your internal network
  13. Authentication infrastructure (Settings.yaml excerpt as shown on the slide; nesting restored)
       security:
         authentication:
           providers:
             DefaultProvider:
               providerClass: PersistedUsernamePasswordProvider
               requestPatterns:
                 controllerObjectName: F3\TYPO3\Controller\Backend\.*
               entryPoint:
                 webRedirect:
                   uri: typo3/login
  14. AUTHORIZATION AND HOW TO DISPLAY ALL THIS?
  15. Authorization and how to display all this?
     The functionality of TYPO3 has to be protected
     • E.g. backend controllers should not be callable by everybody
     • Not every user should have access to the management tab in the Phoenix backend
     • Only specific users should be allowed to create a CE (content element) in the left column
     The functionality stays, but policies can change!
  16. Authorization and how to display all this?
     Solution: declarative policies, decoupled from the PHP code holding the functionality
       resources:
         methods:
           F3_TYPO3_BackendController: "method(F3\TYPO3\Controller\Backend\BackendController->.*())"
       acls:
         Administrator:
           methods:
             F3_TYPO3_BackendController: GRANT
  17. Authorization and how to display all this?
     Great, it's protected! But: Internal Server Error?! Nice?!
  18. Authorization and how to display all this?
     Reflect the policy in the view with Fluid
       <f:security.ifAccess resource="F3_TYPO3_BackendController">
         This is being shown in case you have access to the backend
       </f:security.ifAccess>
       <f:security.ifHasRole role="Administrator">
         This is being shown in case you are administrator
       </f:security.ifHasRole>
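The following is an added example, not code from the slides or from FLOW3: a small Python model of what slides 16 to 18 describe. A method resource is a name plus a pattern over "Class->method" strings, an ACL maps role to resource to GRANT/DENY, a protected method without a GRANT raises an access-denied exception (the unhandled "Internal Server Error" of slide 17), and the view asks the same policy before rendering a link. Assumptions: the pointcut expression is reduced to a plain regular expression, and the precedence rule (any DENY wins, then any GRANT, otherwise deny) is this model's conservative choice, not a description of FLOW3's exact rules.

```python
# Added example (not FLOW3 or TYPO3 code): a simplified model of the declarative
# method policy from slides 16-18.
import re

# Policy mirroring the slides' Policy.yaml. Assumption: the pointcut
# "method(F3\TYPO3\Controller\Backend\BackendController->.*())" is reduced to a
# plain regex over "Class->method"; FLOW3's real pointcut language is richer.
POLICY = {
    "resources": {
        "methods": {
            "F3_TYPO3_BackendController":
                r"F3\\TYPO3\\Controller\\Backend\\BackendController->.*",
        },
    },
    "acls": {
        "Administrator": {"methods": {"F3_TYPO3_BackendController": "GRANT"}},
    },
}


class AccessDenied(Exception):
    """Raised when a protected method is called without a GRANT (slide 17's
    'Internal Server Error' is this exception surfacing unhandled)."""


def privilege(policy, roles, resource):
    """Merge the caller's roles: any DENY wins, then any GRANT, otherwise DENY.
    This precedence is the model's assumption, chosen as the conservative one."""
    decisions = {policy["acls"].get(role, {}).get("methods", {}).get(resource)
                 for role in roles}
    if "DENY" in decisions:
        return "DENY"
    return "GRANT" if "GRANT" in decisions else "DENY"


def protecting_resources(policy, method):
    """Names of all method resources whose pattern covers `method`."""
    return [name for name, pattern in policy["resources"]["methods"].items()
            if re.fullmatch(pattern, method)]


def check_access(policy, roles, method):
    """Model of the method interceptor: unprotected methods pass, protected
    ones need a GRANT for every resource that covers them."""
    for resource in protecting_resources(policy, method):
        if privilege(policy, roles, resource) != "GRANT":
            raise AccessDenied(f"roles {roles} may not call {method} ({resource})")
    return True


def is_denied(policy, roles, method):
    """True if check_access would raise for this call."""
    try:
        check_access(policy, roles, method)
    except AccessDenied:
        return True
    return False


def has_access(policy, roles, resource):
    """What <f:security.ifAccess resource="..."> asks the policy."""
    return privilege(policy, roles, resource) == "GRANT"


def has_role(roles, role):
    """What <f:security.ifHasRole role="..."> asks the security context."""
    return role in roles


def render_menu(policy, roles):
    """Model of the Fluid template on slide 18: only links the policy grants
    are rendered, so a denied user never sees a link that would end in an error."""
    parts = []
    if has_access(policy, roles, "F3_TYPO3_BackendController"):
        parts.append("link to backend")
    if has_role(roles, "Administrator"):
        parts.append("administrator section")
    return parts


if __name__ == "__main__":
    backend = "F3\\TYPO3\\Controller\\Backend\\BackendController->indexAction"
    print(check_access(POLICY, ["Administrator"], backend))   # True
    print(is_denied(POLICY, ["Everybody"], backend))          # True
    print(render_menu(POLICY, ["Everybody"]))                 # []
```

The point the model makes visible is that the view helper and the interceptor consult one policy: hiding the link is a usability measure, the interceptor is the actual control, and a caller with no roles at all is denied rather than falling through.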
  19. SECURITY FOR DATA AKA CONTENT SECURITY
  20. Security for data AKA content security
     Write a policy for your content
     The persistence layer will automatically filter out all data you don't have access to, i.e.:
     • Your queries are very clean and readable
     • You can't forget to add a needed query constraint
  21. Security for data AKA content security
     Writing policies tailored to your data
       resources:
         entities:
           F3_Blog_Domain_Model_Post:
             F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE
  22. Security for data AKA content security
       acls:
         Everybody:
           entities:
             F3_Blog_Domain_Model_Post_HiddenPosts: DENY
         Editor:
           entities:
             F3_Blog_Domain_Model_Post_HiddenPosts: GRANT
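The following is an added example, not code from the slides or from FLOW3: a Python model of the entity policy on slides 20 to 22. An entity resource is a name plus a constraint over the object ("this.public == FALSE"); the persistence layer appends every constraint the caller's roles are not GRANTed to each query, so hidden rows never reach application code and no query has to remember the condition. Assumptions: the constraint string is represented as a callable rather than parsed, the sample posts are constructed, and the precedence rule (any DENY wins, then any GRANT, otherwise deny) is this model's choice rather than a description of FLOW3's exact rules.

```python
# Added example (not FLOW3 or TYPO3 code): a simplified model of the entity
# policy on slides 21-22.
from dataclasses import dataclass


@dataclass
class Post:
    title: str
    public: bool


# Assumption: the constraint string "this.public == FALSE" is represented as
# a callable on the object; parsing the expression language is out of scope.
ENTITY_POLICY = {
    "resources": {
        "entities": {
            "F3_Blog_Domain_Model_Post": {
                "F3_Blog_Domain_Model_Post_HiddenPosts": lambda this: this.public is False,
            },
        },
    },
    "acls": {
        "Everybody": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "DENY"}},
        "Editor": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "GRANT"}},
    },
}


def entity_privilege(policy, roles, resource):
    """Any DENY among the caller's roles wins, then any GRANT, otherwise DENY
    (deny by default: an unknown role or no role at all never sees hidden rows).
    The precedence is this model's assumption, not a statement about FLOW3."""
    decisions = {policy["acls"].get(role, {}).get("entities", {}).get(resource)
                 for role in roles}
    if "DENY" in decisions:
        return "DENY"
    return "GRANT" if "GRANT" in decisions else "DENY"


def denied_constraints(policy, roles, entity):
    """Constraints of `entity` whose matching rows the caller may not receive."""
    return [constraint
            for name, constraint in policy["resources"]["entities"][entity].items()
            if entity_privilege(policy, roles, name) != "GRANT"]


def secure_query(policy, roles, entity, rows):
    """Model of the persistence layer on slide 20: the denied constraints are
    added to every query, so application code cannot forget them."""
    blocked = denied_constraints(policy, roles, entity)
    return [row for row in rows if not any(constraint(row) for constraint in blocked)]


# Constructed sample data standing in for the blog's Post table.
POSTS = [
    Post("Hello world", public=True),
    Post("Draft: next release", public=False),
]


def visible_titles(roles):
    """Titles the given roles get back from a plain 'find all posts' query."""
    return [post.title
            for post in secure_query(ENTITY_POLICY, roles, "F3_Blog_Domain_Model_Post", POSTS)]


if __name__ == "__main__":
    print(visible_titles(["Everybody"]))  # ['Hello world']
    print(visible_titles(["Editor"]))     # ['Hello world', 'Draft: next release']
```

Note that the same plain query is issued in every case; only the caller's roles change what comes back, which is exactly why a developer cannot forget the constraint.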
  23. SECURITY FOR FILES AKA SECURE DOWNLOADS
  24. Security for files AKA secure downloads
     Challenge:
     • Really protect files from being downloaded
     • Support huge files (>> GB)
     • Support different web servers (Apache2, IIS, …)
     • Additional features like an expiration date/time for published files
  25. Security for files AKA secure downloads
     Interception for private resources (diagram):
     1. A Fluid template with a file link asks the resource publisher for a URI ("Give me URI!")
     2. The resource publisher copies/symlinks Image.jpg from the private directory for uploaded/stored files into the public directory for files
     3. The URI to Image.jpg in the public directory is returned
  26. Security for files AKA secure downloads
     Publish resource under a private path (diagram):
     • Private directory for uploaded/stored files: Image.jpg
     • Public directory for files: a directory called like your session id, containing a symlink/copy of Image.jpg and an .htaccess with "Allow from 213.83.33.146"
  27. Security for files AKA secure downloads
     Advantages of this solution
     • Central management of all files
     • Publishing is extremely fast when symlinking is possible
     • No PHP involved in downloading!
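The following is an added example, not code from the slides or from FLOW3: a Python model of the publishing scheme on slides 25 to 27. A private file is symlinked (copied where symlinks are unavailable) into a public directory named after the session id, guarded by an .htaccess that admits only that session's client IP, and an expiry stamp lets a sweeper remove stale publications; the web server then serves the bytes with no PHP in the path. The .htaccess text, the 198.51.100.7 client address, the session id and the sample file are all constructed for the example.

```python
# Added example (not FLOW3 or TYPO3 code): a minimal model of the publishing
# scheme on slides 25-27.
import os
import shutil
import tempfile
import time

# Apache 2.2 access-control syntax as on slide 26; the IP is filled in per session.
HTACCESS_TEMPLATE = "Order Deny,Allow\nDeny from all\nAllow from {ip}\n"


def safe_session_id(session_id):
    """Only alphanumeric ids may become directory names: anything else could
    escape the public root or collide with another session's directory."""
    return session_id.isalnum()


def publish(private_file, public_root, session_id, client_ip, ttl_seconds):
    """Expose `private_file` as <public_root>/<session_id>/<basename> and
    return that path."""
    if not safe_session_id(session_id):
        raise ValueError("session id must be alphanumeric")
    target_dir = os.path.join(public_root, session_id)
    os.makedirs(target_dir, exist_ok=True)
    with open(os.path.join(target_dir, ".htaccess"), "w") as fh:
        fh.write(HTACCESS_TEMPLATE.format(ip=client_ip))
    with open(os.path.join(target_dir, ".expires"), "w") as fh:
        fh.write(str(int(time.time()) + ttl_seconds))
    link = os.path.join(target_dir, os.path.basename(private_file))
    if os.path.lexists(link):
        os.remove(link)
    try:
        os.symlink(os.path.abspath(private_file), link)   # fast path: no data copied
    except (OSError, NotImplementedError):
        shutil.copyfile(private_file, link)               # fallback, e.g. IIS without symlinks
    return link


def sweep_expired(public_root, now=None):
    """Delete every publish directory whose .expires stamp has passed.
    Returns the number of directories removed."""
    now = int(time.time()) if now is None else now
    removed = 0
    for name in os.listdir(public_root):
        directory = os.path.join(public_root, name)
        stamp = os.path.join(directory, ".expires")
        if os.path.isdir(directory) and os.path.isfile(stamp):
            with open(stamp) as fh:
                expires_at = int(fh.read())
            if expires_at <= now:
                shutil.rmtree(directory)
                removed += 1
    return removed


def demo():
    """Constructed end-to-end run inside a temporary directory. Returns the
    .htaccess text, the bytes reachable through the published link, and the
    number of directories a sweep one hour later removes."""
    root = tempfile.mkdtemp()
    try:
        private_dir = os.path.join(root, "private")
        public_dir = os.path.join(root, "public")
        os.makedirs(private_dir)
        os.makedirs(public_dir)
        source = os.path.join(private_dir, "Image.jpg")
        with open(source, "wb") as fh:
            fh.write(b"\xff\xd8 constructed sample bytes")      # not a real JPEG
        link = publish(source, public_dir, "abc123sessionid",
                       "198.51.100.7", ttl_seconds=60)          # constructed client IP
        with open(os.path.join(os.path.dirname(link), ".htaccess")) as fh:
            htaccess = fh.read()
        with open(link, "rb") as fh:
            served = fh.read()
        removed = sweep_expired(public_dir, now=int(time.time()) + 3600)
        return htaccess, served, removed
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Two practical checks when deploying this pattern: the .htaccess only takes effect if the server's configuration allows overrides for the public directory, and the web server must be permitted to follow symlinks there; otherwise the fallback copy is what actually gets served.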
  28. Security for files AKA secure downloads
     Demo
  29. Summary
     • Security is more than authentication
     • Security is centralized
     • Security is handled by FLOW3 and not by the application code
     • Policies can be changed without changing the actual functionality (code)
  30. So long and thanks for the fish… Questions?
