-
1.
Symfony2 Security Layer
Don't ask me about the MethodSecurityInterceptor
-
2.
We are here
-
3.
Eh?!
-
4.
Sim sala min!
-
5.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
6.
Authentication
Authorization
-
7.
app/config/security.yml
security:
    providers:
        nomi_fantasiosi:
            entity:
                class: AcmeUserBundle:User
                property: username
    encoders:
        Acme\UserBundle\Entity\User: sha1
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
8.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: sha1
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
9.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: md5
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
10.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: sha1
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
11.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: sha512
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
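Added example, not code from the slides or from Symfony itself: a plain-PHP re-implementation of what the `sha512` encoder on this slide does (Symfony2's MessageDigestPasswordEncoder with the SecurityBundle defaults of 5000 iterations and base64 output) next to the `plaintext` encoder from slide 5, so the two configurations can be compared on real values. The `md5` and `sha1` slides use the same scheme with a weaker digest; `plaintext` stores the password itself. Function names and the sample salt are this example's own, and the salt stands in for what an entity user returns from getSalt() (Symfony's in_memory users carry no salt). Needs PHP >= 5.6 for hash_equals().

```php
<?php
// Added example (not from the slides): plain-PHP mirror of Symfony2's
// plaintext and message-digest password encoders. Needs PHP >= 5.6.

// Symfony's merge rule: the raw password followed by the salt in braces,
// which is why a salt may not contain '{' or '}'.
function mergePasswordAndSalt($raw, $salt)
{
    if (null === $salt || '' === $salt) {
        return $raw;
    }
    if (false !== strpos($salt, '{') || false !== strpos($salt, '}')) {
        throw new InvalidArgumentException('Cannot use { or } in salt.');
    }
    return $raw . '{' . $salt . '}';
}

// `plaintext` encoder: the stored value is the password itself (plus salt).
function plaintextEncode($raw, $salt)
{
    return mergePasswordAndSalt($raw, $salt);
}

// `sha512` (or sha1/md5) encoder: iterated digest, every round re-absorbing
// the salted input; defaults match the SecurityBundle configuration.
function digestEncode($raw, $salt, $algorithm = 'sha512', $iterations = 5000, $asBase64 = true)
{
    $salted = mergePasswordAndSalt($raw, $salt);
    $digest = hash($algorithm, $salted, true);
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return $asBase64 ? base64_encode($digest) : bin2hex($digest);
}

// Both encoders compare in constant time (Symfony uses StringUtils::equals).
function isPasswordValid($encoded, $raw, $salt, $encoder)
{
    $candidate = 'plaintext' === $encoder
        ? plaintextEncode($raw, $salt)
        : digestEncode($raw, $salt, $encoder);
    return hash_equals($encoded, $candidate);
}

// What the DaoAuthenticationProvider does with the in_memory provider: load
// the user by name, then let the configured encoder check the presented password.
function authenticate(array $users, $encoder, $username, $presented)
{
    if (!isset($users[$username])) {
        return false;
    }
    $user = $users[$username];
    return isPasswordValid($user['password'], $presented, $user['salt'], $encoder);
}

// Constructed sample data: the slide's two users, stored once per encoder.
$salt = 'example-salt-not-for-production';   // constructed; generate one per user
$plain = array(
    'ryan'  => array('password' => plaintextEncode('ryanpass', ''), 'salt' => '', 'roles' => array('ROLE_USER')),
    'admin' => array('password' => plaintextEncode('kitten', ''),   'salt' => '', 'roles' => array('ROLE_ADMIN')),
);
$hashed = array(
    'ryan'  => array('password' => digestEncode('ryanpass', $salt), 'salt' => $salt, 'roles' => array('ROLE_USER')),
    'admin' => array('password' => digestEncode('kitten', $salt),   'salt' => $salt, 'roles' => array('ROLE_ADMIN')),
);

// Same accept/reject behaviour, very different stored values.
printf("plaintext stored for ryan: %s\n", $plain['ryan']['password']);
printf("sha512    stored for ryan: %s\n", $hashed['ryan']['password']);
var_dump(authenticate($plain,  'plaintext', 'ryan', 'ryanpass'));
var_dump(authenticate($hashed, 'sha512',    'ryan', 'ryanpass'));
var_dump(authenticate($hashed, 'sha512',    'ryan', 'kitten'));
```

The point of the comparison is what ends up in the provider: with `plaintext` the password in security.yml (or the database column) is the credential itself, while with `sha512` it is a salted, iterated digest that the encoder recomputes on every login and compares without short-circuiting on the first differing byte.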
-
12.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
13.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            http_basic: ~
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
14.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            http_digest: ~
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
15.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            x509: ~
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
16.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
17.
app/config/security.yml
security:
    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
-
18.
The authenticated user
public function indexAction()
{
    $user = $this
        ->get('security.context')
        ->getToken()
        ->getUser();
}
-
19.
getToken()?!
-
20.
...with username and password
$this
    ->get('security.context')
    ->getToken()
    ->isAuthenticated()
-
21.
...with username and password
$this
    ->get('security.context')
    ->getToken()
    ->isAuthenticated()
TRUE
-
22.
...anonymous
$this
    ->get('security.context')
    ->getToken()
    ->isAuthenticated()
-
23.
...anonymous
$this
    ->get('security.context')
    ->getToken()
    ->isAuthenticated()
TRUE
-
24.
True?!
-
25.
Authentication
-
26.
The call (app.php)
$kernel = new AppKernel('prod', false);
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);
-
27.
The call
$this
    ->dispatcher
    ->dispatch('kernel.request', $event);
-
28.
Firewall
FirewallMap
-
29.
Firewall
FirewallMap
Listeners
-
30.
Firewall
FirewallMap
Listeners
Token
-
31.
Firewall
FirewallMap
Listeners
Token
AuthenticationProvider
-
32.
Firewall
FirewallMap
Listeners
Token
AuthenticationProvider
UserProvider Encoder
UserChecker
-
33.
Firewall
FirewallMap
Listeners
Token
AuthenticationProvider
UserProvider
Encoder
UserChecker
AuthSuccessHandler
AuthFailureHandler
LogoutHandler
LogoutSuccessHandler
-
34.
Firewall
FirewallMap
Listeners
Token
AuthenticationProvider
UserProvider
Encoder
UserChecker
AuthSuccessHandler
AuthFailureHandler
LogoutHandler
LogoutSuccessHandler
SessionAuthStrategy
RememberMe
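Added example, not code from the slides or from Symfony: a compact model of the request flow in slides 26 to 34. On kernel.request the Firewall asks the FirewallMap for the first secured area whose `pattern` matches the request path and runs that area's listeners in order; a listener that recognises the request produces a token (here an `http_basic` listener over the plaintext in-memory users of slide 13, with the `anonymous: ~` listener as the fallback). Class and method names are this example's own; in Symfony the listeners, tokens and providers are separate services, and the anonymous listener runs after the authenticating ones. A second area is added to show that areas are tried in order and that a request outside an area with no anonymous listener gets no token at all. Needs PHP >= 5.6 for hash_equals().

```php
<?php
// Added example (not from the slides): FirewallMap / Firewall / listener flow.

class Request
{
    public $path;
    public $headers;
    public function __construct($path, array $headers = array())
    {
        $this->path = $path;
        $this->headers = $headers;
    }
}

class Token
{
    public $username;
    public $roles;
    public function __construct($username, array $roles)
    {
        $this->username = $username;
        $this->roles = $roles;
    }
}

// Ordered list of secured areas; the first pattern that matches wins,
// which is why `pattern: ^/` should be the last area in security.yml.
class FirewallMap
{
    private $areas = array();
    public function add($name, $pattern, array $listeners)
    {
        $this->areas[] = array($name, $pattern, $listeners);
    }
    public function match(Request $r)
    {
        foreach ($this->areas as $area) {
            if (preg_match('{' . $area[1] . '}', $r->path)) {
                return $area;
            }
        }
        return null;
    }
}

// http_basic listener over plaintext users (constructed, as on slide 13).
class BasicAuthListener
{
    private $users;
    public function __construct(array $users) { $this->users = $users; }
    public function handle(Request $r)
    {
        if (!isset($r->headers['PHP_AUTH_USER'], $r->headers['PHP_AUTH_PW'])) {
            return null;   // no credentials offered: let the next listener decide
        }
        $name = $r->headers['PHP_AUTH_USER'];
        if (!isset($this->users[$name])
            || !hash_equals($this->users[$name]['password'], $r->headers['PHP_AUTH_PW'])) {
            return null;   // Symfony's listener would answer with a 401 challenge here
        }
        return new Token($name, $this->users[$name]['roles']);
    }
}

// anonymous: ~  ->  whoever was not authenticated gets an anonymous token.
class AnonymousListener
{
    public function handle(Request $r) { return new Token('anon.', array()); }
}

class Firewall
{
    private $map;
    public function __construct(FirewallMap $m) { $this->map = $m; }
    // Called on kernel.request: the token the matched area produced, or null.
    public function onKernelRequest(Request $r)
    {
        $area = $this->map->match($r);
        if (null === $area) {
            return null;
        }
        foreach ($area[2] as $listener) {
            $token = $listener->handle($r);
            if (null !== $token) {
                return $token;
            }
        }
        return null;
    }
}

$users = array(
    'ryan'  => array('password' => 'ryanpass', 'roles' => array('ROLE_USER')),
    'admin' => array('password' => 'kitten',   'roles' => array('ROLE_ADMIN')),
);
$map = new FirewallMap();
$map->add('api',          '^/api', array(new BasicAuthListener($users)));   // no anonymous access
$map->add('secured_area', '^/',    array(new BasicAuthListener($users), new AnonymousListener()));
$firewall = new Firewall($map);

$requests = array(
    new Request('/'),
    new Request('/api/items'),
    new Request('/api/items', array('PHP_AUTH_USER' => 'ryan', 'PHP_AUTH_PW' => 'ryanpass')),
);
foreach ($requests as $req) {
    $token = $firewall->onKernelRequest($req);
    printf("%-10s -> %s\n", $req->path, $token ? $token->username : 'no token');
}
```

Each area keeps its own listeners and its own token, which is the practical meaning of the note that several firewalls do not share the security context: a user authenticated under `secured_area` is not authenticated under `api`.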
-
35.
Authorization
-
36.
Voter
-
37.
SecurityContext
AccessListener
MethodSecurityInterceptor
AccessDecisionManager
Voter
-
38.
SecurityContext
AccessListener
MethodSecurityInterceptor
AccessDecisionManager
Voter
AuthenticatedVoter
AuthenticatedTrustResolver
-
39.
SecurityContext
AccessListener
MethodSecurityInterceptor
AccessDecisionManager
Voter
RoleVoter
RoleHierarchy
AuthenticatedVoter
AuthenticatedTrustResolver
-
40.
SecurityContext
AccessListener
MethodSecurityInterceptor
AccessDecisionManager
Voter
AclVoter
PermissionMap
AclProvider
RoleVoter
RoleHierarchy
AuthenticatedVoter
AuthenticatedTrustResolver
-
41.
Let's reveal the mystery
isAuthenticated()
vs
isGranted('IS_AUTHENTICATED_FULLY')
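Added example, not code from the slides or from Symfony: a simplified, self-contained re-creation of the authorization chain in slides 36 to 41 (AccessDecisionManager, RoleVoter, AuthenticatedVoter and the trust resolver) together with the three decision strategies from the speaker notes, written to show why an anonymous token answers true to isAuthenticated() while isGranted('IS_AUTHENTICATED_FULLY') is denied. In Symfony the anonymous token is itself authenticated by the AnonymousAuthenticationProvider, so isAuthenticated() says nothing about how much the token can be trusted; that is the trust resolver's job. Class names follow Symfony's roles, the code is this example's own, and there is no RoleHierarchy or ACL voter.

```php
<?php
// Added example (not from the slides): voters, trust resolver and decision
// manager, simplified from the Symfony2 security component.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

// Every token the firewall let through reports isAuthenticated() === true,
// the anonymous one included (the "True?!" of slide 24).
class Token
{
    public $kind;   // 'anonymous', 'remember_me' or 'username_password'
    public $roles;
    public function __construct($kind, array $roles = array())
    {
        $this->kind = $kind;
        $this->roles = $roles;
    }
    public function isAuthenticated() { return true; }
}

// Trust is derived from the token type, not from isAuthenticated().
class TrustResolver
{
    public function isAnonymous(Token $t)   { return 'anonymous' === $t->kind; }
    public function isRememberMe(Token $t)  { return 'remember_me' === $t->kind; }
    public function isFullFledged(Token $t) { return !$this->isAnonymous($t) && !$this->isRememberMe($t); }
}

// Votes only on IS_AUTHENTICATED_* attributes, abstains on anything else.
class AuthenticatedVoter
{
    private $resolver;
    public function __construct(TrustResolver $r) { $this->resolver = $r; }
    public function vote(Token $token, array $attributes)
    {
        $result = ACCESS_ABSTAIN;
        foreach ($attributes as $attr) {
            if ('IS_AUTHENTICATED_FULLY' === $attr) {
                $ok = $this->resolver->isFullFledged($token);
            } elseif ('IS_AUTHENTICATED_REMEMBERED' === $attr) {
                $ok = $this->resolver->isRememberMe($token) || $this->resolver->isFullFledged($token);
            } elseif ('IS_AUTHENTICATED_ANONYMOUSLY' === $attr) {
                $ok = true;   // any token that reached the voter qualifies
            } else {
                continue;
            }
            if ($ok) { return ACCESS_GRANTED; }
            $result = ACCESS_DENIED;
        }
        return $result;
    }
}

// Votes only on ROLE_* attributes, abstains on anything else.
class RoleVoter
{
    public function vote(Token $token, array $attributes)
    {
        $result = ACCESS_ABSTAIN;
        foreach ($attributes as $attr) {
            if (0 !== strpos($attr, 'ROLE_')) { continue; }
            if (in_array($attr, $token->roles, true)) { return ACCESS_GRANTED; }
            $result = ACCESS_DENIED;
        }
        return $result;
    }
}

// Strategies from the notes: affirmative (one grant is enough), consensus
// (majority of the voters that did not abstain; a tie grants, matching
// Symfony's allow_if_equal_granted_denied default), unanimous (one deny wins).
// If every voter abstains the answer is deny (allow_if_all_abstain: false).
// Symfony evaluates unanimous one attribute at a time; here each voter sees
// all attributes at once, which is the same thing for single-attribute checks.
class AccessDecisionManager
{
    private $voters;
    private $strategy;
    public function __construct(array $voters, $strategy = 'affirmative')
    {
        $this->voters = $voters;
        $this->strategy = $strategy;
    }
    public function decide(Token $token, array $attributes)
    {
        $granted = $denied = 0;
        foreach ($this->voters as $voter) {
            $vote = $voter->vote($token, $attributes);
            if (ACCESS_GRANTED === $vote) { $granted++; }
            elseif (ACCESS_DENIED === $vote) { $denied++; }
        }
        switch ($this->strategy) {
            case 'affirmative': return $granted > 0;
            case 'consensus':   return $granted > 0 && $granted >= $denied;
            case 'unanimous':   return $granted > 0 && 0 === $denied;
        }
        throw new InvalidArgumentException('Unknown strategy: ' . $this->strategy);
    }
}

$adm  = new AccessDecisionManager(array(new RoleVoter(), new AuthenticatedVoter(new TrustResolver())));
$anon = new Token('anonymous');
$ryan = new Token('username_password', array('ROLE_USER'));

var_dump($anon->isAuthenticated(), $ryan->isAuthenticated());          // both true
var_dump($adm->decide($anon, array('IS_AUTHENTICATED_FULLY')));        // the anonymous token is denied
var_dump($adm->decide($ryan, array('IS_AUTHENTICATED_FULLY')));        // the logged-in user is granted
var_dump($adm->decide($ryan, array('ROLE_ADMIN')));                    // the ^/admin rule from the config slides
```

The practical rule that falls out of this: to find out whether somebody actually logged in, ask the authorization side (`isGranted('IS_AUTHENTICATED_FULLY')`, or `IS_AUTHENTICATED_REMEMBERED` if remember-me cookies are acceptable), not `getToken()->isAuthenticated()`.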
-
42.
Ego slide
• Manuel “Kea” Baldassarri
• Senior Developer
• Web dev since 1992 and PHP dev since 1998
• Pro PHP: best practices
• Husband and father of two
• mb@ideato.it
• twitter: k3a
• flickr: kea42
• slideshare: kea42
-
43.
?
-
44.
Tip #1
Impersonating a user
-
45.
Tip #2
• Documentation
• http://symfony.com/doc/current/book
• http://symfony.com/doc/current/cookbook
• http://symfony.com/doc/current/components
• https://github.com/matthiasnoback/symfony-docs
• http://symfony.com/doc/current/reference/configuration/security.htm
-
46.
Tip #3
Read the code
-
47.
Creative Commons
• http://www.flickr.com/photos/mardrom/8010607983/
-
Speaker notes
What we will see: an overview of the component, a few configuration examples, and a bit of how it works "from the inside".
90% of the work in 90% of the cases is configuration.
Authentication verifies that you are who you say you are; authorization verifies that you have the privileges to do something.
Multiple firewalls do not share the security context.
Let's look at the code.
Inside the kernel, after initialisation.
The firewall is notified by the kernel.request event and asks the FirewallMap whether one of the URL patterns of the secured areas matches the request (RequestMatcher). Examples!
If so, the listener is asked to handle the request. LISTENERS: AnonymousAuthenticationListener, BasicAuth, Digest, Logout, SwitchUser, X509, UserPwdForm, RememberMe.
Anonymous, RememberMe, UsernamePassword, PreAuth implement the TokenInterface (getUsername, getRoles, getCredentials, isAuth, getUser).
memory, entity
Supports 3 strategies for session handling:
* NONE: the session is not changed
* MIGRATE: the session id is updated, attributes are kept
* INVALIDATE: the session id is updated, attributes are lost
A voter is a class dedicated to checking that the user has the rights to access the application. Access granted, denied, abstained.
The AccessDecisionManager uses the voters to decide whether or not to grant authorization.
Strategies: Affirmative (one grant is enough), Consensus (majority), Unanimous (unanimity).