Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHP, Symfony and Security

Diana Arnos
November 21, 2019
Programming
0
650

PHP, Symfony and Security

As presented on SymfonyCon 2019 - Amsterdam

Have you ever tried talking to someone about using PHP in secure applications? It's nothing new that we deal with prejudice against PHP every day and the situation is even worse when we talk about security. The latest versions of PHP provide security tools and modern cryptography and Symfony itself make its efforts to deliver robust security features that are simple to implement. We'll learn about the latest language and framework initiatives in this regard and check out short and quick tips for boosting you application's security.

Diana Arnos

November 21, 2019
Tweet

More Decks by Diana Arnos

See All by Diana Arnos
PHP Além do Síncrono
dianaarnos
1
480
O Mundo Mágico dos Profilers
dianaarnos
0
130
Trabalhar na gringa - Como chegar lá?
dianaarnos
0
270
PCS2020 - PHP Além do Síncrono
dianaarnos
2
970
VDPWeekend - Emprego dos Sonhos - O que esperam de você e como ser cada vez melhor
dianaarnos
1
150
PHPPR Live 2020 - PHP Paralelo e Distribuído
dianaarnos
0
110
Profiling 101: o que é e como fazer - PHPConference 2019
dianaarnos
1
360
PHP e Segurança: é possível - PHPConference BR 2019
dianaarnos
0
520
Back End Performático - CPGoiás 2019
dianaarnos
0
86

Other Decks in Programming

See All in Programming
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
8
4k
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
23
15k
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
270
雑に思考を整理する技術と効能
konifar
58
29k
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
130
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
750
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
520
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
920
ゆるい個人開発のススメ
kuroppe1819
10
990
Hanami and htmx
bkuhlmann
0
210
2 週間で Twitter Bot を作ってみた
contour_gara
0
350
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
140

Featured

See All Featured
The Brand Is Dead. Long Live the Brand.
mthomps
49
28k
For a Future-Friendly Web
brad_frost
172
9k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
Music & Morning Musume
bryan
41
5.6k
Clear Off the Table
cherdarchuk
84
310k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
The Power of CSS Pseudo Elements
geoffreycrofte
60
5k
The Art of Programming - Codeland 2020
erikaheidi
42
12k
Design by the Numbers
sachag
274
18k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Scaling GitHub
holman
457
140k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None

  50. None
  51. None
  52. None
  53. None
  54. None
  55. None

  57. None
  58. None
  59. None
  60. None
  61. None
  62. None
  63. None
  64. None
  65. None
  66. None
  67. None
  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None
  78. None

  79. unserialize($data, ["allowed_classes" => ["ClassOne", "ClassTwo"]]);

  80. None
  81. None
  82. None
  83. None
  84. None
  85. None

  86. $ composer require symfony/security

  87. None
  88. None
  89. None
  90. None
  91. None

  92. namespace App\Entity; /*...*/ use Symfony\Component\Security\Core\User\UserInterface ; /** * @ORM\Entity(repositoryClass="App\Repository\UserRepository") */

    class User implements UserInterface { // class methods }

  93. namespace App\Entity; /*...*/ use Symfony\Component\Security\Core\User\UserInterface ; /** * @ORM\Entity(repositoryClass="App\Repository\UserRepository") */

    class User implements UserInterface { // class methods }

  94. security: providers: app_user_provider: entity: class: App\Entity\User property: email

  95. None

  96. namespace Symfony\Component\Security\Core\Encoder; /*...*/ interface PasswordEncoderInterface { public function encodePassword ($raw,

    $salt); public function isPasswordValid( $encoded, $raw, $salt); }

  97. public function checkCredentials($credentials, UserInterface $user) { return $this->passwordEncoder->isPasswordValid($user, $credentials['password']); }

  98. security: encoders: App\Entity\User: algorithm: argon2i #bcrypt #auto

  99. None

  100. $ php bin/console make:auth

  101. What style of authentication do you want? [Empty authenticator ]:

    [0] Empty authenticator [1] Login form authenticator > 1 The class name of the authenticator to create (e.g. AppCustomAuthenticator ): > LoginFormAuthenticator Choose a name for the controller class (e.g. SecurityController ) [SecurityController ]: >
  102. None
  103. None
  104. None

  105. <input type="hidden" name="_csrf_token" value="{{ csrf_token( 'authenticate' ) }}">

  106. None

  107. public function getCredentials (Request $request) { $credentials = [ 'email'

    => $request->request->get( 'email'), 'password' => $request->request->get( 'password'), 'csrf_token' => $request->request->get( '_csrf_token'), ]; return $credentials; }

  108. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  109. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  110. public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate',

    $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } return $this->userRepository->findOneBy([ 'email' => $credentials['email']]); }

  111. security: firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: anonymous: true

    guard: authenticators: - App\Security\LoginFormAuthenticator entry_point: App\Security\LoginFormAuthenticator
  112. None
  113. None

  114. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  115. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  116. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  117. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }

  118. namespace App\Controller; /*...*/ class AdminController extends AbstractController { /** *

    @Route("/admin", name="app_admin") * @isGranted("ROLE_ADMIN") // check directly * @Security("is_granted('ROLE_ADMIN')”) // use the Security annotation */ public function index() { // get the service $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN') // OR... $this->denyAccessUnlessGranted('ROLE_ADMIN'); // processing and return } }
  119. None

  120. {% if is_granted('ROLE_ADMIN') %} <p>You are an admin</p> {% endif

    %}

  121. security: role_hierarchy: ROLE_ADMIN: ROLE_USER ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_WHATEVER_YOU_WANT] access_control: - {

    path: ^/admin, roles: ROLE_ADMIN, ip: 127.0.0.1 } - { path: ^/page, roles: ROLE_USER, host: localhost }
  122. None
  123. None
  124. None
  125. None