Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep It Simple Security (Symfony Cafe 28-01-2016)

Oleg Zinchenko
January 29, 2016
Technology
0
110

Keep It Simple Security (Symfony Cafe 28-01-2016)

Oleg Zinchenko

January 29, 2016
Tweet

More Decks by Oleg Zinchenko

See All by Oleg Zinchenko
ORO Meetup #4
cystbear
0
77
Erlang (GeekTalks)
cystbear
0
70
Clojure basics
cystbear
0
79
Welcome to Erlang
cystbear
0
81
Erlang/N2O KNPMeetup
cystbear
0
140
Symfony Best Practices and beyond
cystbear
1
200
DDD on example of Symfony (SymfonyCamp UA 2014)
cystbear
3
910
MongoDB KNPLabs GeekTime
cystbear
1
66
DDD in PHP, on example of Symfony
cystbear
10
4k

Other Decks in Technology

See All in Technology
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
6
1.3k
本当のガバクラ基礎
toru_kubota
0
220
モーダル間の変換後の一致性とジャンル表を用いた解釈可能性の考察 ~Text-to-MusicとText-To-ImageかつImage-to-Musicを例に~
otanet
0
320
Secrets of a PowerShell "Guru"
guyrleech
1
110
実例で紹介するRAG導入時の知見と精度向上の勘所
yamahiro
7
2.4k
LLM開発・活用の舞台裏@2024.04.25
yushin_n
3
1.4k
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
35k
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
7
4.9k
Azureの基本的な権限管理の勉強会
yhana
1
2.2k
cgroup v2 で何が変わったのか / TechFeed Experts Night #28
tenforward
2
110
同じ様なUIをiOS/Android間で合わせるヒントNo.2
fumiyasac0921
1
110
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
8
690

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
267
19k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
9
1.3k
Rails Girls Zürich Keynote
gr2m
91
13k
Building Applications with DynamoDB
mza
88
5.6k
Designing the Hi-DPI Web
ddemaree
276
33k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
21
1.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
228
130k
Adopting Sorbet at Scale
ufuk
69
8.6k
How STYLIGHT went responsive
nonsquared
92
4.8k
Agile that works and the tools we love
rasmusluckow
325
20k
Building Flexible Design Systems
yeseniaperezcruz
320
37k
The Cost Of JavaScript in 2023
addyosmani
21
3.9k

Transcript

  1. None

  2. cystbear Erlanger Symfony expert MongoDB adept OSS doer https://twitter.com/1cdecoder https://github.com/cystbear

    http://trinity.ck.ua/
  3. None
  4. None
  5. None
  6. None

  7. + = ❤

  8. None

  9. security.yml security: firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: pattern:

    ^/ form_login: login_path: /login check_path: /login_check provider: fos_userbundle logout: true anonymous: true access_control: - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/user, role: ROLE_USER } - { path: ^/admin/, role: ROLE_ADMIN }

  10. http://www.xml.com/pub/a/2003/12/17/dive.html http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

  11. Good Parts Token Listener Authentication Manager/Provider Factory

  12. Token <?php namespace AppBundle\Security\Authentication\Token; use Symfony\Component\Security\Core\Authentication\Token\AbstractToken; class WsseUserToken extends AbstractToken

    { public $created; public $digest; public $nonce; public function __construct(array $roles = array()) { parent::__construct($roles); // If the user has roles, consider it authenticated $this->setAuthenticated(count($roles) > 0); } public function getCredentials() { return ''; } }

  13. Listener <?php namespace AppBundle\Security\Firewall; use AppBundle\Security\Authentication\Token\WsseUserToken; class WsseListener implements ListenerInterface

    { protected $tokenStorage; protected $authenticationManager; public function handle(GetResponseEvent $event) { $request = $event->getRequest(); $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/'; if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) { return; } $token = new WsseUserToken(); $token->setUser($matches[1]); ... try { $authToken = $this->authenticationManager->authenticate($token); $this->tokenStorage->setToken($authToken); return; } catch (AuthenticationException $failed) { ... } $response = new Response(); $response->setStatusCode(Response::HTTP_FORBIDDEN); $event->setResponse($response); } }

  14. Authentication Manager <?php namespace AppBundle\Security\Authentication\Provider; use AppBundle\Security\Authentication\Token\WsseUserToken; class WsseProvider implements

    AuthenticationProviderInterface { private $userProvider; public function authenticate(TokenInterface $token) { $user = $this->userProvider->loadUserByUsername($token->getUsername()); if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) { $authenticatedToken = new WsseUserToken($user->getRoles()); $authenticatedToken->setUser($user); return $authenticatedToken; } throw new AuthenticationException('The WSSE authentication failed.'); } protected function validateDigest($digest, $nonce, $created, $secret) { ... } public function supports(TokenInterface $token) { return $token instanceof WsseUserToken; } }

  15. Factory <?php namespace AppBundle\DependencyInjection\Security\Factory; use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface; class WsseFactory implements SecurityFactoryInterface

    { public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint) { $providerId = 'security.authentication.provider.wsse.'.$id; $container ->setDefinition($providerId, new DefinitionDecorator('wsse.security.authentication.provider')) ->replaceArgument(0, new Reference($userProvider)) ; $listenerId = 'security.authentication.listener.wsse.'.$id; $listener = $container->setDefinition($listenerId, new DefinitionDecorator('wsse.security.authentication.listener')); return array($providerId, $listenerId, $defaultEntryPoint); } public function getPosition() { return 'pre_auth'; } public function getKey() { return 'wsse'; } public function addConfiguration(NodeDefinition $node) { } }

  16. ACE http://symfony.com/doc/current/cookbook/security/acl.html

  17. Voters http://symfony.com/doc/current/cookbook/security/voters.html https://www.youtube.com/watch?v=e7HfW4TgnUY

  18. Voter (1) <?php namespace AppBundle\Security; use Symfony\Component\Security\Core\Authorization\Voter\Voter; class PostVoter extends

    Voter { const VIEW = 'view'; const EDIT = 'edit'; protected function supports($attribute, $subject) { if (!in_array($attribute, array(self::VIEW, self::EDIT))) { return false; } if (!$subject instanceof Post) { return false; } return true; } protected function voteOnAttribute($attribute, $subject, TokenInterface $token) { $user = $token->getUser(); if (!$user instanceof User) { return false; } $post = $subject; switch($attribute) { case self::VIEW: return $this->canView($post, $user); case self::EDIT: return $this->canEdit($post, $user); } throw new \LogicException('This code should not be reached!'); } }

  19. Voter (2) <?php private function canView(Post $post, User $user) {

    if ($this->canEdit($post, $user)) { return true; } return !$post->isPrivate(); } private function canEdit(Post $post, User $user) { return $user === $post->getOwner(); } }
  20. None
  21. None