FLOW3 Security Framework
 applied to TYPO3 Phoenix
                      Andreas Förthner
               <andreas.foerthne...
Your host
    Andreas Förthner
    Work: netlogix Media in Nuremberg
    Studied computer science in Erlangen
    FLOW3/Ph...
Agenda
    Which security concepts are needed for Phoenix?
    Authentication infrastructure
    Authorization and how to ...
WHICH SECURITY CONCEPTS ARE NEEDED?

T3CON10 Frankfurt – Andreas Förthner                Inspiring people to
FLOW3 Securit...
Which security concepts are needed?
    Authentication
       Ensure to talk to the correct partner
       Use different...
Which security concepts are needed?
    Authorization
       Restrict certain users from accessing functionality
       ...
Which security concepts are needed?
    Protect your stored data
       Declarativly describe who should be allowed to re...
Which security concepts are needed?
    Protect the communication channel
       Encrypt transfered data if needed
     ...
Which security concepts are needed?
    Validate incoming data
       Protection against XSS attacks
       No SQL-Injec...
Which security concepts are needed?

    Protect your system against unwanted requests
       Application Firewall based ...
AUTHENTICATION INFRASTRUCTURE

T3CON10 Frankfurt – Andreas Förthner                Inspiring people to
FLOW3 Security Fram...
Authentication Infrastructure
     TYPO3 is an application with different authentication areas:
        „Frontend“
     ...
Authentication Infrastructure
 security:
   authentication:
      providers:
         DefaultProvider:
            provide...
AUTHORIZATION AND HOW TO DISPLAY ALL THIS?

T3CON10 Frankfurt – Andreas Förthner                Inspiring people to
FLOW3 ...
Authorization and how to display all this?
     The functionality of TYPO3 has to be protected
        E.g. backend contr...
Authorization and how to display all this?
     Solution: Declarative policies, decoupled from the PHP code
     holding t...
Authorization and how to display all this?

                                             Great it‘s protected!

          ...
Authorization and how to display all this?

     Reflect the policy in the view with Fluid

         <f:security.ifAccess ...
SECURITY FOR DATA AKA CONTENT SECURITY

T3CON10 Frankfurt – Andreas Förthner                Inspiring people to
FLOW3 Secu...
Security for data AKA content security

     Write a policy for your content
     The persistence layer will automatically...
Security for data AKA content security

     Writing policies tailored to your data

 resources:
   entities:
       F3_Bl...
Security for data AKA content security
 acls:
   Everybody:
       entities:
          F3_Blog_Domain_Model_Post_HiddenPos...
SECURITY FOR FILES AKA SECURE DOWNLOADS

T3CON10 Frankfurt – Andreas Förthner                Inspiring people to
FLOW3 Sec...
Security for files AKA secure downloads

    Challenge:
       Really protect files from beeing downloaded
       Suppor...
Security for files AKA secure downloads
                                                             Interception for
    ...
Security for files AKA secure downloads
    Publish resource under a private path

  Public directory for files           ...
Security for files AKA secure downloads

    Advantages of this solution
       Central managment of all files
       Pu...
Security for files AKA secure downloads




                           Demo

 T3CON10 Frankfurt – Andreas Förthner        ...
Summary

    Security is more than authentication
    Security is centralized
    Security is handled by FLOW3 and not the...
So long and thanks for the fish…




                 Questions?

 T3CON10 Frankfurt – Andreas Förthner                Ins...
FLOW3 Security Framework applied to TYPO3 Phoenix
Upcoming SlideShare
Loading in …5
×

FLOW3 Security Framework applied to TYPO3 Phoenix

4,402 views

Published on

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,402
On SlideShare
0
From Embeds
0
Number of Embeds
1,227
Actions
Shares
0
Downloads
30
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

FLOW3 Security Framework applied to TYPO3 Phoenix

  1. 1. FLOW3 Security Framework applied to TYPO3 Phoenix Andreas Förthner <andreas.foerthner@netlogix.de> T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  2. 2. Your host Andreas Förthner Work: netlogix Media in Nuremberg Studied computer science in Erlangen FLOW3/Phoenix Core Team since 2007 Leader of the TYPO3 security team together with Helmut Hummel T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  3. 3. Agenda Which security concepts are needed for Phoenix? Authentication infrastructure Authorization and how to display all this? Security for data AKA content security Security for files AKA secure downloads Summary and Questions T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  4. 4. WHICH SECURITY CONCEPTS ARE NEEDED? T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  5. 5. Which security concepts are needed? Authentication  Ensure to talk to the correct partner  Use different mechanisms to validate the identity  Provide an easy to extend infrastructure  Manage user accounts T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  6. 6. Which security concepts are needed? Authorization  Restrict certain users from accessing functionality  Use a delarative policy to configure those restrictions  Change restrictions or add new ones without changing the Phoenix core T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  7. 7. Which security concepts are needed? Protect your stored data  Declarativly describe who should be allowed to read/write your domain models‘ data  Data you don‘t have access to, should not be loaded by the persitence layer  Provide an infrastructure for protected files T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  8. 8. Which security concepts are needed? Protect the communication channel  Encrypt transfered data if needed  Sign transfered data  Gerneral CSRF protection T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  9. 9. Which security concepts are needed? Validate incoming data  Protection against XSS attacks  No SQL-Injections anymore Sanitize displayed data  E.g. no XSS code on your website T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  10. 10. Which security concepts are needed? Protect your system against unwanted requests  Application Firewall based on request filters  Drop unwanted/unauthorized requests as early as possible T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  11. 11. AUTHENTICATION INFRASTRUCTURE T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  12. 12. Authentication Infrastructure TYPO3 is an application with different authentication areas:  „Frontend“  „Backend“  Custom areas, e.g. „Extranet area“ Users might have access to more than one area Different authentication mechanisms for different areas Use a different mechanism for connections from your internal network T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  13. 13. Authentication Infrastructure security: authentication: providers: DefaultProvider: providerClass: PersistedUsernamePasswordProvider requestPatterns: controllerObjectName: F3TYPO3ControllerBackend.* entryPoint: webRedirect: uri: typo3/login T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  14. 14. AUTHORIZATION AND HOW TO DISPLAY ALL THIS? T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  15. 15. Authorization and how to display all this? The functionality of TYPO3 has to be protected  E.g. backend controllers should not be callable for everybody  Not every user should have access to the managment tab in the Phoenix backend  Only specific users should be allowed to create a CE in the left column The functionality stays, but policies can change! T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  16. 16. Authorization and how to display all this? Solution: Declarative policies, decoupled from the PHP code holding the functionality resources: methods: F3_TYPO3_BackendController: "method(F3TYPO3ControllerBackendBackendController->.*())" acls: Administrator: methods: F3_TYPO3_BackendController : GRANT T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  17. 17. Authorization and how to display all this? Great it‘s protected! But: Internal Server Error?! Nice?! T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  18. 18. Authorization and how to display all this? Reflect the policy in the view with Fluid <f:security.ifAccess resource=“F3_TYPO3_BackendController"> This is being shown in case you have access to the backend </f:security.ifAccess> <f:security.ifHasRole role="Administrator"> This is being shown in case you are administrator </f:security.ifHasRole> T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  19. 19. SECURITY FOR DATA AKA CONTENT SECURITY T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  20. 20. Security for data AKA content security Write a policy for your content The persistence layer will automatically filter all data, you don‘t have access to, i.e.:  Your queries are very clean and readable  You can‘t forget to add a needed query constraint T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  21. 21. Security for data AKA content security Writing policies tailored to your data resources: entities: F3_Blog_Domain_Model_Post: F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  22. 22. Security for data AKA content security acls: Everybody: entities: F3_Blog_Domain_Model_Post_HiddenPosts: DENY Editor: entities: F3_Blog_Domain_Model_Post_HiddenPosts: GRANT T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  23. 23. SECURITY FOR FILES AKA SECURE DOWNLOADS T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  24. 24. Security for files AKA secure downloads Challenge:  Really protect files from beeing downloaded  Support huge files (>>GB)  Support different web servers (Apache2, IIS, …)  Additional features like: expiration date/time for published files T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  25. 25. Security for files AKA secure downloads Interception for private resources Public directory for files 1. Give me URI! Image.jpg Fluid template with Resource publisher a file link 2. copies/ 3. URI to symlinks file Image.jpg public directory! Private directory for uploaded/stored files T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  26. 26. Security for files AKA secure downloads Publish resource under a private path Public directory for files Private Allow from 213.83.33.146 directory for Directory called like your uploaded/stor session id ed files .htaccess Image.jpg Image.jpg Symlink/copy T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  27. 27. Security for files AKA secure downloads Advantages of this solution  Central managment of all files  Publishing is extremly fast, when symlinking is possible  No PHP involved in downloading! T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  28. 28. Security for files AKA secure downloads Demo T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  29. 29. Summary Security is more than authentication Security is centralized Security is handled by FLOW3 and not the application code Policies can be changed without a change of the actual functionality (code) T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share
  30. 30. So long and thanks for the fish… Questions? T3CON10 Frankfurt – Andreas Förthner Inspiring people to FLOW3 Security Framework applied to TYPO3 Phoenix share

×