Symfony2 security layer

  1. Symfony2 Security Layer: don't ask me about the MethodSecurityInterceptor
  2. We are here
  3. Huh?!
  4. Sim sala min!
  5. app/config/security.yml

     ```yaml
     security:
         providers:
             in_memory:
                 memory:
                     users:
                         ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                         admin: { password: kitten, roles: 'ROLE_ADMIN' }
         encoders:
             Symfony\Component\Security\Core\User\User: plaintext
         firewalls:
             secured_area:
                 pattern: ^/
                 anonymous: ~
                 form_login:
                     login_path: /login
                     check_path: /login_check
         access_control:
             - { path: ^/admin, roles: ROLE_ADMIN }
     ```
  6. Authentication / Authorization
  7. app/config/security.yml

     ```yaml
     security:
         providers:
             nomi_fantasiosi:
                 entity:
                     class: AcmeUserBundle:User
                     property: username
         encoders:
             Acme\UserBundle\Entity\User: sha1
         firewalls:
             secured_area:
                 pattern: ^/
                 anonymous: ~
                 form_login:
                     login_path: /login
                     check_path: /login_check
         access_control:
             - { path: ^/admin, roles: ROLE_ADMIN }
     ```
  8. app/config/security.yml

     ```yaml
     security:
         providers:
             in_memory:
                 memory:
                     users:
                         ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                         admin: { password: kitten, roles: 'ROLE_ADMIN' }
         encoders:
             Symfony\Component\Security\Core\User\User: sha1
         firewalls:
             secured_area:
                 pattern: ^/
                 anonymous: ~
                 form_login:
                     login_path: /login
                     check_path: /login_check
         access_control:
             - { path: ^/admin, roles: ROLE_ADMIN }
     ```
  9. app/config/security.yml

     ```yaml
     security:
         providers:
             in_memory:
                 memory:
                     users:
                         ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                         admin: { password: kitten, roles: 'ROLE_ADMIN' }
         encoders:
             Symfony\Component\Security\Core\User\User: md5
         firewalls:
             secured_area:
                 pattern: ^/
                 anonymous: ~
                 form_login:
                     login_path: /login
                     check_path: /login_check
         access_control:
             - { path: ^/admin, roles: ROLE_ADMIN }
     ```
  10. app/config/security.yml (identical to slide 8: `sha1` encoder)
  11. app/config/security.yml

      ```yaml
      security:
          providers:
              in_memory:
                  memory:
                      users:
                          ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                          admin: { password: kitten, roles: 'ROLE_ADMIN' }
          encoders:
              Symfony\Component\Security\Core\User\User: sha512
          firewalls:
              secured_area:
                  pattern: ^/
                  anonymous: ~
                  form_login:
                      login_path: /login
                      check_path: /login_check
          access_control:
              - { path: ^/admin, roles: ROLE_ADMIN }
      ```
  12. app/config/security.yml (identical to slide 5: `plaintext` encoder, `form_login`)
  13. app/config/security.yml

      ```yaml
      security:
          providers:
              in_memory:
                  memory:
                      users:
                          ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                          admin: { password: kitten, roles: 'ROLE_ADMIN' }
          encoders:
              Symfony\Component\Security\Core\User\User: plaintext
          firewalls:
              secured_area:
                  pattern: ^/
                  anonymous: ~
                  http_basic: ~
          access_control:
              - { path: ^/admin, roles: ROLE_ADMIN }
      ```
  14. app/config/security.yml

      ```yaml
      security:
          providers:
              in_memory:
                  memory:
                      users:
                          ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                          admin: { password: kitten, roles: 'ROLE_ADMIN' }
          encoders:
              Symfony\Component\Security\Core\User\User: plaintext
          firewalls:
              secured_area:
                  pattern: ^/
                  anonymous: ~
                  http_digest: ~
          access_control:
              - { path: ^/admin, roles: ROLE_ADMIN }
      ```
  15. app/config/security.yml

      ```yaml
      security:
          providers:
              in_memory:
                  memory:
                      users:
                          ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                          admin: { password: kitten, roles: 'ROLE_ADMIN' }
          encoders:
              Symfony\Component\Security\Core\User\User: plaintext
          firewalls:
              secured_area:
                  pattern: ^/
                  anonymous: ~
                  x509: ~
          access_control:
              - { path: ^/admin, roles: ROLE_ADMIN }
      ```
  16. app/config/security.yml (identical to slide 5)
  17. app/config/security.yml (identical to slide 5)
  18. The authenticated user

      ```php
      public function indexAction()
      {
          $user = $this->get('security.context')->getToken()->getUser();
      }
      ```
  19. getToken()?!
  20. ...with username and password: `$this->get('security.context')->getToken()->isAuthenticated()`
  21. ...with username and password: `$this->get('security.context')->getToken()->isAuthenticated()` is TRUE
  22. ...anonymous: `$this->get('security.context')->getToken()->isAuthenticated()`
  23. ...anonymous: `$this->get('security.context')->getToken()->isAuthenticated()` is TRUE
  24. True?!
  25. Authentication
  26. The call (app.php)

      ```php
      $kernel = new AppKernel('prod', false);
      $request = Request::createFromGlobals();
      $response = $kernel->handle($request);
      $response->send();
      $kernel->terminate($request, $response);
      ```
  27. The call: `$this->dispatcher->dispatch('kernel.request', $event);`
  28. Firewall, FirewallMap
  29. Firewall, FirewallMap, Listeners
  30. Firewall, FirewallMap, Listeners, Token
  31. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider
  32. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider, UserProvider, Encoder, UserChecker
  33. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider, UserProvider, Encoder, UserChecker, AuthSuccessHandler, AuthFailureHandler, LogoutHandler, LogoutSuccessHandler
  34. Firewall, FirewallMap, Listeners, Token, AuthenticationProvider, UserProvider, Encoder, UserChecker, AuthSuccessHandler, AuthFailureHandler, LogoutHandler, LogoutSuccessHandler, SessionAuthStrategy, RememberMe
  35. Authorization
  36. Voter
  37. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter
  38. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter, AuthenticatedVoter, AuthenticatedTrustResolver
  39. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter, RoleVoter, AuthenticatedVoter, RoleHierarchy, AuthenticatedTrustResolver
  40. SecurityContext, AccessListener, MethodSecurityInterceptor, AccessDecisionManager, Voter, AclVoter, RoleVoter, AuthenticatedVoter, RoleHierarchy, PermissionMap, AuthenticatedTrustResolver, AclProvider
  41. Let's unveil the mystery: isAuthenticated() vs isGranted('IS_AUTHENTICATED_FULLY')
  42. Ego slide
      • Manuel "Kea" Baldassarri
      • Senior Developer
      • Web developer since 1992 and PHP developer since 1998
      • Pro PHP: best practices
      • Husband and father of two
      • mb@ideato.it, twitter: k3a, flickr: kea42, slideshare: kea42
  43. ?
  44. Tip #1: Impersonating a user
  45. Tip #2: Documentation
      • http://symfony.com/doc/current/book
      • http://symfony.com/doc/current/cookbook
      • http://symfony.com/doc/current/components
      • https://github.com/matthiasnoback/symfony-docs
      • http://symfony.com/doc/current/reference/configuration/security.htm
  46. Tip #3: Read the code
  47. Creative Commons: http://www.flickr.com/photos/mardrom/8010607983/
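The "mystery" of slides 20 to 24 and 41, as an added standalone PHP model that is not Symfony's code nor the author's: every token the firewall stores answers `isAuthenticated()` with `true`, so the distinction between an anonymous visitor and a logged-in user has to come from the AuthenticationTrustResolver that the AuthenticatedVoter consults. Class and method names follow Symfony's, but the bodies are a simplified reconstruction and the tokens carry no user data.

```php
<?php
// Standalone model (not Symfony's code) of why an anonymous token still answers
// isAuthenticated() === true while isGranted('IS_AUTHENTICATED_FULLY') is denied.

interface TokenInterface { public function isAuthenticated(): bool; }

// Every token the firewall stores is "authenticated" in the sense that the firewall has
// finished deciding who the request is; for the anonymous listener that is "nobody".
final class AnonymousToken implements TokenInterface {
    public function isAuthenticated(): bool { return true; }
}
final class RememberMeToken implements TokenInterface {
    public function isAuthenticated(): bool { return true; }
}
final class UsernamePasswordToken implements TokenInterface {
    public function isAuthenticated(): bool { return true; }
}

// The trust resolver classifies tokens by how strongly the user was actually verified.
final class AuthenticationTrustResolver {
    public function isAnonymous(TokenInterface $t): bool  { return $t instanceof AnonymousToken; }
    public function isRememberMe(TokenInterface $t): bool { return $t instanceof RememberMeToken; }
    public function isFullFledged(TokenInterface $t): bool {
        return !$this->isAnonymous($t) && !$this->isRememberMe($t);
    }
}

// The AuthenticatedVoter answers IS_AUTHENTICATED_* attributes through the resolver and
// abstains on anything else (ROLE_* attributes are the RoleVoter's business).
final class AuthenticatedVoter {
    public const ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;
    public function __construct(private AuthenticationTrustResolver $resolver) {}
    public function vote(TokenInterface $token, string $attribute): int {
        $r = $this->resolver;
        $ok = match ($attribute) {
            'IS_AUTHENTICATED_FULLY'       => $r->isFullFledged($token),
            'IS_AUTHENTICATED_REMEMBERED'  => $r->isFullFledged($token) || $r->isRememberMe($token),
            'IS_AUTHENTICATED_ANONYMOUSLY' => true, // any token the firewall produced qualifies
            default => null,
        };
        return $ok === null ? self::ACCESS_ABSTAIN : ($ok ? self::ACCESS_GRANTED : self::ACCESS_DENIED);
    }
}

$voter = new AuthenticatedVoter(new AuthenticationTrustResolver());
foreach (['anonymous' => new AnonymousToken(), 'user+password' => new UsernamePasswordToken()] as $n => $t) {
    printf("%-13s isAuthenticated=%s  IS_AUTHENTICATED_FULLY=%s\n", $n, var_export($t->isAuthenticated(), true),
        $voter->vote($t, 'IS_AUTHENTICATED_FULLY') === AuthenticatedVoter::ACCESS_GRANTED ? 'granted' : 'denied');
}
```

Checking `isAuthenticated()` on the token therefore never tells a controller whether someone logged in; the check that carries that meaning is `isGranted('IS_AUTHENTICATED_FULLY')`.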

Editor's Notes

  • What we'll cover: an overview of the component, a few configuration examples and a bit of how it works "from the inside"
  • 90% of the work in 90% of cases is configuration
  • Verifies that you are who you say you are. Verifies that you have the privileges to do something.
  • Multiple firewalls do not share the security context
  • Let's look at the code
  • Inside the kernel, after initialization
  • The firewall is notified by the kernel.request event and asks the FirewallMap whether one of the secured areas' URL patterns matches (requestMatcher). Examples!
  • If so, the listener is asked to handle the request. LISTENERS: AnonymousAuthenticationListener, BasicAuth, Digest, Logout, SwitchUser, X509, UserPwdForm, RememberMe
  • Anonymous, RememberMe, UsernamePassword, PreAuth implement the TokenInterface (getUsername, getRoles, getCredentials, isAuth, getUser)
  • memory, entity
  • Supports 3 strategies for session management:
    * NONE: the session is not changed
    * MIGRATE: the session id is updated, attributes are kept
    * INVALIDATE: the session id is updated, attributes are lost
  • A voter is a class dedicated to checking that the user has the rights to connect to the application. Access granted, denied, abstained
  • The AccessDecisionManager uses the voters to decide whether or not to grant authorization
  • Strategies: Affirmative (one grant is enough), Consensus (majority), Unanimous (unanimity)
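The voter outcomes (granted, denied, abstained) and the three AccessDecisionManager strategies described in the notes above, as an added PHP model that is not Symfony's code nor the author's. The defaults for the all-abstain and tie cases mirror Symfony's; the RoleVoter-style closure and the hypothetical strict voter are constructed here so that the voters disagree and each strategy produces a visibly different decision.

```php
<?php
// Standalone model (not Symfony's code) of how the AccessDecisionManager combines
// voter results under the affirmative, consensus and unanimous strategies.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

final class AccessDecisionManager
{
    /** @param callable[] $voters each returns ACCESS_GRANTED, ACCESS_ABSTAIN or ACCESS_DENIED */
    public function __construct(
        private array $voters,
        private string $strategy = 'affirmative',
        private bool $allowIfAllAbstain = false,            // Symfony default
        private bool $allowIfEqualGrantedDenied = true,     // Symfony default (consensus ties)
    ) {}

    public function decide(array $roles, string $attribute): bool
    {
        $grant = $deny = 0;
        foreach ($this->voters as $voter) {
            $v = $voter($roles, $attribute);
            if ($v === ACCESS_GRANTED) { $grant++; } elseif ($v === ACCESS_DENIED) { $deny++; }
            // affirmative: the first grant wins; unanimous: the first deny wins
            if ($this->strategy === 'affirmative' && $grant > 0) { return true; }
            if ($this->strategy === 'unanimous' && $deny > 0) { return false; }
        }
        if ($grant + $deny === 0) { return $this->allowIfAllAbstain; } // everyone abstained
        return match ($this->strategy) {
            'affirmative' => false,                                    // nobody granted
            'consensus'   => $grant === $deny ? $this->allowIfEqualGrantedDenied : $grant > $deny,
            'unanimous'   => true,                                     // no deny, at least one grant
        };
    }
}

// Constructed voters: a RoleVoter-style voter that abstains on non ROLE_* attributes,
// and a hypothetical strict voter that denies ROLE_ADMIN unless ROLE_SUPER_ADMIN is also held.
$roleVoter = fn(array $roles, string $attr) => !str_starts_with($attr, 'ROLE_')
    ? ACCESS_ABSTAIN : (in_array($attr, $roles, true) ? ACCESS_GRANTED : ACCESS_DENIED);
$strictVoter = fn(array $roles, string $attr) => $attr !== 'ROLE_ADMIN'
    ? ACCESS_ABSTAIN : (in_array('ROLE_SUPER_ADMIN', $roles, true) ? ACCESS_GRANTED : ACCESS_DENIED);

// The slides' admin user (roles: ROLE_ADMIN) requesting the ^/admin area.
foreach (['affirmative', 'consensus', 'unanimous'] as $strategy) {
    $adm = new AccessDecisionManager([$roleVoter, $strictVoter], $strategy);
    printf("%-11s ROLE_ADMIN => %s\n", $strategy, $adm->decide(['ROLE_ADMIN'], 'ROLE_ADMIN') ? 'granted' : 'denied');
}
```

With the same two voters the decision flips from strategy to strategy, which is why the strategy chosen in `security.yml` is part of the access-control design and not a tuning detail.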