Love and Loss: A Symfony Security Play

9,844 views

Published on

The security component tackles the complex problems of authentication and authorization by spreading concerns across a number of single responsibility objects. This is a flexible design, but difficult for beginners to navigate. This presentation will bring the security component to life for us all to understand! Join us to see some of your favorite members of the Symfony community perform the security component in a series of scenes, interspliced with some technical descriptions of what's going on.

Published in: Technology

Love and Loss: A Symfony Security Play

  1. 1. Love & LossA Symfony Security Play
  2. 2. brewcycleportland.com
  3. 3. @kriswallsmith
  4. 4. assetic
  5. 5. Buzz
  6. 6. Spork
  7. 7. “…the current implementation of the SecurityComponent is … not easily accessible”http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
  8. 8. “I would rather see Symfony2 postponed againor the Security Component removed …I don’t think it is even near of being usable tothe community outside the core.”http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
  9. 9. “The past few days I have really be strugglingwith the Symfony2 security component.It is the most complex component ofSymfony2 if you ask me!”http://blog.vandenbrand.org/2012/06/19/symfony2-authentication-provider-authenticate-against-webservice/
  10. 10. “(I’m) wondering if I should just work aroundrather than work with the framework”https://groups.google.com/forum/#!msg/symfony2/AZpgbEk4Src/73P99zOmq2YJ
  11. 11. Enhance yourPHPfun!
  12. 12. http://curiouscomedy.org
  13. 13. HttpKernelkernel.exceptionkernel.request kernel.terminatekernel.controller kernel.view kernel.response
  14. 14. kernel.request kernel.controller kernel.view kernel.response kernel.terminatekernel.exceptionHttpKernel
  15. 15. kernel.request kernel.controller kernel.view kernel.response kernel.terminatekernel.exceptionHttpKernel
  16. 16. HttpKernelGet the response and get out
  17. 17. kernel.requestRouteretc…Firewall
  18. 18. FirewallJust another listener
  19. 19. class YesFirewall{public function handle($event){// always say yes}}
  20. 20. use SymfonyComponentHttpFoundationResponse;class NoFirewall{public function handle($event){// always say no$event->setResponse(new Response(go away, 401));}}
  21. 21. use SymfonyComponentHttpFoundationResponse;class PickyFirewall{public function handle($event){$request = $event->getRequest();$user = $request->headers->get(PHP_AUTH_USER);// only names that start with "Q"if (Q == $user[0]) return;$event->setResponse(new Response(go away, 401));}}
  22. 22. Security ListenersThe firewall’s henchmen
  23. 23. FirewallListenerskernel.request
  24. 24. class Firewall{public $listeners = array();public function handle($event){foreach ($this->listeners as $listener) {$listener->handle($event);if ($event->hasResponse()) return;}}}
  25. 25. class YesListener{public function handle($event){// always say yes}}
  26. 26. use SymfonyComponentHttpFoundationResponse;class NoListener{public function handle($event){// always say no$event->setResponse(new Response(go away, 401));}}
  27. 27. use SymfonyComponentHttpFoundationResponse;class PickyListener{public function handle($event){$request = $event->getRequest();$user = $request->headers->get(PHP_AUTH_USER);// only names that start with "Q"if (Q == $user[0]) return;$event->setResponse(new Response(go away, 401));}}
  28. 28. AuthenticationAre you who you say you are?
  29. 29. AuthorizationAre you allowed to ____?
  30. 30. TokensThe Language of Security
  31. 31. Authentication ListenersMap from request to token
  32. 32. RequestResponse (?) TokenCoreHTTP
  33. 33. AuthenticationListener AAuthenticationListener BAuthenticationManagerFirewall
  34. 34. class AuthenticationListener{public $authMan, $context;public function handle($e){$r = $e->getRequest();$u = $r->headers->get(PHP_AUTH_USER);$t = new AnonToken($u);$t = $this->authMan->authenticate($t);$this->context->setToken($t);}}
  35. 35. class AuthenticationManager{public function authenticate($t){// always say no}}
  36. 36. class AuthenticationManager{public function authenticate($t){// always say yesreturn new AuthToken($t->getUser());}}
  37. 37. class AuthenticationManager{public function authenticate($t){$u = $t->getUser();// only names that start with "Q"if (Q == $u[0]) {return new AuthToken($u);}}}
  38. 38. Authentication ManagerResponsible for authenticatingthe token
  39. 39. Authentication ProvidersDo the actual authentication work
  40. 40. UserProvidersAuthenticationProvidersAuthenticationListener AAuthenticationListener BAuthenticationManager
  41. 41. User ProvidersAccess the repository of users
  42. 42. class AuthenticationManager{public $providers = array();public function authenticate($t){foreach ($this->providers as $p) {if ($p->supports($t)) {return $p->authenticate($t);}}}}
  43. 43. class AuthenticationProvider{public $up;public function authenticate($t){$u = $t->getUser();$u = $this->up->loadUserByUsername($u);if ($u) return new AuthToken($u);}}
  44. 44. class UserProvider{public $repo;public function loadUserByUsername($u){return ($this->repo->find(array(username => $u,)));}}
  45. 45. Authentication
  46. 46. Authentication Listeners• Map client data from request totoken• Pass token to authenticationmanager• Update state of security context
  47. 47. Authentication Manager• Responsible for authenticating thetoken• Calls the appropriateauthentication provider• Handles exceptions
  48. 48. Authentication Providers• Performs authentication using clientdata in the token• Marks the token as authenticated• Attaches the user object to thetoken
  49. 49. User Providers• Retrieves the user from the database
  50. 50. Authorization
  51. 51. class AuthorizationListener{public function handle($e){// always say yes}}
  52. 52. use SymfonyComponentHttpFoundationResponse;class AuthorizationListener{public function handle($e){// always say no$e->setResponse(new Response(go away, 403));}}
  53. 53. Access MapLooks at a request and determinestoken requirements
  54. 54. Access Decision ManagerThe gatekeeper
  55. 55. VotersDecisionManagerListener Map
  56. 56. use SymfonyComponentHttpFoundationResponse;class AccessListener{public $context, $map, $decider;public function handle($e){$r = $e->getRequest();$t = $this->context->getToken();$reqs = $this->map->getRequirements($r);if (!$this->decider->decide($t, $reqs)) {$e->setResponse(new Response(go away, 403));}}}
  57. 57. class AccessMap{public function getRequirements($r){$path = $r->getPathInfo();if (0 === strpos($path, /admin)) {return array(ADMIN);}}}
  58. 58. class AccessDecisionManager{public $voters;public function decide($t, $reqs){foreach ($this->voters as $v) {if ($v->vote($t, null, $reqs)) {return true;}}return false;}}
  59. 59. class AccessVoter{public function vote($t, $obj, $reqs){foreach ($reqs as $req) {if (!$t->hasAttribute($req)) {return false;}}return true;}}
  60. 60. Authorization
  61. 61. Extension Points
  62. 62. The firewall has many listeners
  63. 63. The authentication manager hasmany authentication providers
  64. 64. Which MAY rely onuser providers
  65. 65. The access decision managerhas many votersAuthenticatedRolesACL
  66. 66. Questions?
  67. 67. is hiring
  68. 68. “Horrible”“Worst talk ever”“Go back to high school”https://joind.in/8665

×