
PHP, Symfony and Security

Diana Arnos
November 21, 2019

PHP, Symfony and Security

As presented at SymfonyCon 2019 - Amsterdam

Have you ever tried talking to someone about using PHP in secure applications? It's nothing new that we deal with prejudice against PHP every day, and the situation is even worse when we talk about security. The latest versions of PHP provide security tools and modern cryptography, and Symfony itself makes its own efforts to deliver robust security features that are simple to implement. We'll learn about the latest language and framework initiatives in this regard and check out short, quick tips for boosting your application's security.


Diana Arnos

November 21, 2019

Transcript

  // Slide 77: restrict which classes unserialize() may instantiate.
  // NOTE(review): allowed_classes only limits object instantiation — classes not
  // on the list come back as __PHP_Incomplete_Class objects and the rest of the
  // payload is still parsed. For data that crosses a trust boundary, prefer
  // json_decode(); keep unserialize() for data you produced yourself.
  $allowedClasses = ['ClassOne', 'ClassTwo'];
  unserialize($data, ['allowed_classes' => $allowedClasses]);

  # Slide 84: add the Symfony Security component to the project with Composer.
  84. $ composer require symfony/security

  // Slide 90: the application's user entity, implementing Symfony's UserInterface.
  namespace App\Entity;

  /*...*/

  use Symfony\Component\Security\Core\User\UserInterface;

  /**
   * Doctrine-managed user record. The repository named in the annotation is
   * what the entity user provider (slide 92) loads users through.
   * NOTE(review): the elided imports presumably include `use Doctrine\ORM\Mapping as ORM;`
   * for the annotation below — confirm.
   *
   * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
   */
  class User implements UserInterface
  {
      // class methods (the ones UserInterface requires go here)
  }
  // Slide 91: the application's user entity, implementing Symfony's UserInterface.
  namespace App\Entity;

  /*...*/

  use Symfony\Component\Security\Core\User\UserInterface;

  /**
   * Doctrine-managed user record. The repository named in the annotation is
   * what the entity user provider (slide 92) loads users through.
   * NOTE(review): the elided imports presumably include `use Doctrine\ORM\Mapping as ORM;`
   * for the annotation below — confirm.
   *
   * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
   */
  class User implements UserInterface
  {
      // class methods (the ones UserInterface requires go here)
  }
  # Slide 92: config/packages/security.yaml — load users from the Doctrine entity.
  security:
      providers:
          app_user_provider:
              entity:
                  class: App\Entity\User
                  property: email   # the field the login form identifies users by

  // Slide 94: the Security component's password-encoder contract.
  namespace Symfony\Component\Security\Core\Encoder;

  /*...*/

  /**
   * Contract for hashing a plain-text password and for checking a candidate
   * password against a previously produced hash. Both methods take an explicit
   * $salt in this version of the interface.
   */
  interface PasswordEncoderInterface
  {
      /** Hash $raw (with $salt) and return the encoded form to store. */
      public function encodePassword($raw, $salt);

      /** Check whether $raw (with $salt) matches the stored $encoded value. */
      public function isPasswordValid($encoded, $raw, $salt);
  }
  // Slide 95
  /**
   * Guard-authenticator hook: verify the submitted password against the user's
   * stored hash by delegating to the injected encoder — no hashing logic here.
   *
   * NOTE(review): the encoder is handed the User object rather than a hash, so
   * $this->passwordEncoder is presumably a UserPasswordEncoderInterface, not the
   * PasswordEncoderInterface shown on slide 94 — confirm against the constructor.
   *
   * @param array $credentials the array built by getCredentials(); only 'password' is read
   * @return bool whatever isPasswordValid() reports
   */
  public function checkCredentials($credentials, UserInterface $user)
  {
      $submittedPassword = $credentials['password'];

      return $this->passwordEncoder->isPasswordValid($user, $submittedPassword);
  }

  # Slide 96: password hashing configuration for the User entity.
  security:
      encoders:
          App\Entity\User:
              algorithm: argon2i   # alternatives shown on the slide: bcrypt, auto
  # NOTE(review): 'auto' lets Symfony choose the strongest algorithm available on
  # the host and migrate later; pinning argon2i requires the argon2 support to be
  # present on every deployment target — confirm before pinning.

  # Slide 98: scaffold an authenticator and security controller (answers the prompts on slide 99).
  98. $ php bin/console make:auth

  99. What style of authentication do you want? [Empty authenticator]:
      [0] Empty authenticator
      [1] Login form authenticator
      > 1
      The class name of the authenticator to create (e.g. AppCustomAuthenticator):
      > LoginFormAuthenticator
      Choose a name for the controller class (e.g. SecurityController) [SecurityController]:
      >
  {# Slide 103: anti-CSRF token for the login form. The 'authenticate' token id must match the one checked in getUser() (slide 106). #}
  <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">

  // Slide 105
  /**
   * Guard-authenticator hook: collect the login form's POST fields into the
   * credentials array consumed by getUser() and checkCredentials().
   *
   * Nothing is validated here — the CSRF token is only read, and is checked in
   * getUser(). Fields missing from the request arrive as whatever
   * ParameterBag::get() returns for an absent key (presumably null — verify).
   *
   * @return array{email: mixed, password: mixed, csrf_token: mixed}
   */
  public function getCredentials(Request $request)
  {
      $post = $request->request;

      return [
          'email'      => $post->get('email'),
          'password'   => $post->get('password'),
          'csrf_token' => $post->get('_csrf_token'),
      ];
  }
  // Slide 106
  /**
   * Guard-authenticator hook: validate the submitted CSRF token, then load the
   * user by e-mail.
   *
   * The CSRF check runs before any database access, so a forged request is
   * rejected without touching the user table. The 'authenticate' token id must
   * match the one rendered into the form via csrf_token('authenticate').
   *
   * NOTE(review): an absent 'email' field reaches findOneBy() as null; rejecting
   * it early (return null) would avoid a `WHERE email IS NULL` lookup — confirm
   * how the repository handles it.
   *
   * @throws InvalidCsrfTokenException when the token manager rejects the token
   * @return mixed the matching user, or null when none is found (which the guard
   *               presumably treats as an authentication failure — confirm)
   */
  public function getUser($credentials, UserProviderInterface $userProvider)
  {
      $submittedToken = new CsrfToken('authenticate', $credentials['csrf_token']);
      if (!$this->csrfTokenManager->isTokenValid($submittedToken)) {
          throw new InvalidCsrfTokenException();
      }

      // $userProvider is unused: the lookup goes straight to the repository.
      $email = $credentials['email'];

      return $this->userRepository->findOneBy(['email' => $email]);
  }
  // Slide 107
  /**
   * Guard-authenticator hook: validate the submitted CSRF token, then load the
   * user by e-mail.
   *
   * The CSRF check runs before any database access, so a forged request is
   * rejected without touching the user table. The 'authenticate' token id must
   * match the one rendered into the form via csrf_token('authenticate').
   *
   * NOTE(review): an absent 'email' field reaches findOneBy() as null; rejecting
   * it early (return null) would avoid a `WHERE email IS NULL` lookup — confirm
   * how the repository handles it.
   *
   * @throws InvalidCsrfTokenException when the token manager rejects the token
   * @return mixed the matching user, or null when none is found (which the guard
   *               presumably treats as an authentication failure — confirm)
   */
  public function getUser($credentials, UserProviderInterface $userProvider)
  {
      $submittedToken = new CsrfToken('authenticate', $credentials['csrf_token']);
      if (!$this->csrfTokenManager->isTokenValid($submittedToken)) {
          throw new InvalidCsrfTokenException();
      }

      // $userProvider is unused: the lookup goes straight to the repository.
      $email = $credentials['email'];

      return $this->userRepository->findOneBy(['email' => $email]);
  }
  // Slide 108
  /**
   * Guard-authenticator hook: validate the submitted CSRF token, then load the
   * user by e-mail.
   *
   * The CSRF check runs before any database access, so a forged request is
   * rejected without touching the user table. The 'authenticate' token id must
   * match the one rendered into the form via csrf_token('authenticate').
   *
   * NOTE(review): an absent 'email' field reaches findOneBy() as null; rejecting
   * it early (return null) would avoid a `WHERE email IS NULL` lookup — confirm
   * how the repository handles it.
   *
   * @throws InvalidCsrfTokenException when the token manager rejects the token
   * @return mixed the matching user, or null when none is found (which the guard
   *               presumably treats as an authentication failure — confirm)
   */
  public function getUser($credentials, UserProviderInterface $userProvider)
  {
      $submittedToken = new CsrfToken('authenticate', $credentials['csrf_token']);
      if (!$this->csrfTokenManager->isTokenValid($submittedToken)) {
          throw new InvalidCsrfTokenException();
      }

      // $userProvider is unused: the lookup goes straight to the repository.
      $email = $credentials['email'];

      return $this->userRepository->findOneBy(['email' => $email]);
  }
  # Slide 109: config/packages/security.yaml — firewall wiring for the guard authenticator.
  security:
      firewalls:
          dev:
              # Profiler, debug toolbar and static assets bypass security entirely.
              # NOTE(review): keep the profiler/WDT routes disabled in production, since
              # nothing on this firewall is protected.
              pattern: ^/(_(profiler|wdt)|css|images|js)/
              security: false
          main:
              anonymous: true   # unauthenticated requests pass the firewall; restrict paths via access_control
              guard:
                  authenticators:
                      - App\Security\LoginFormAuthenticator
                  entry_point: App\Security\LoginFormAuthenticator
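  // Slide 112
  namespace App\Controller;

  /*...*/

  /**
   * Admin landing page. The slide demonstrates four equivalent ways of
   * requiring ROLE_ADMIN; a real controller needs only one of them.
   */
  class AdminController extends AbstractController
  {
      /**
       * @Route("/admin", name="app_admin")
       *
       * Annotation-based checks (pick one; each denies access before index() runs).
       * The closing quote of the @Security expression was a typographic ” in the
       * original, which does not terminate the string — it is a plain " here.
       * @IsGranted("ROLE_ADMIN")
       * @Security("is_granted('ROLE_ADMIN')")
       */
      public function index()
      {
          // Imperative check through the authorization-checker service. The original
          // discarded isGranted()'s return value (and lacked a semicolon), so it
          // enforced nothing — the result has to drive the denial.
          if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
              throw $this->createAccessDeniedException();
          }

          // OR... the one-line helper, which performs the same check-and-throw.
          $this->denyAccessUnlessGranted('ROLE_ADMIN');

          // processing and return
      }
  }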
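  // Slide 113
  namespace App\Controller;

  /*...*/

  /**
   * Admin landing page. The slide demonstrates four equivalent ways of
   * requiring ROLE_ADMIN; a real controller needs only one of them.
   */
  class AdminController extends AbstractController
  {
      /**
       * @Route("/admin", name="app_admin")
       *
       * Annotation-based checks (pick one; each denies access before index() runs).
       * The closing quote of the @Security expression was a typographic ” in the
       * original, which does not terminate the string — it is a plain " here.
       * @IsGranted("ROLE_ADMIN")
       * @Security("is_granted('ROLE_ADMIN')")
       */
      public function index()
      {
          // Imperative check through the authorization-checker service. The original
          // discarded isGranted()'s return value (and lacked a semicolon), so it
          // enforced nothing — the result has to drive the denial.
          if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
              throw $this->createAccessDeniedException();
          }

          // OR... the one-line helper, which performs the same check-and-throw.
          $this->denyAccessUnlessGranted('ROLE_ADMIN');

          // processing and return
      }
  }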
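  // Slide 114
  namespace App\Controller;

  /*...*/

  /**
   * Admin landing page. The slide demonstrates four equivalent ways of
   * requiring ROLE_ADMIN; a real controller needs only one of them.
   */
  class AdminController extends AbstractController
  {
      /**
       * @Route("/admin", name="app_admin")
       *
       * Annotation-based checks (pick one; each denies access before index() runs).
       * The closing quote of the @Security expression was a typographic ” in the
       * original, which does not terminate the string — it is a plain " here.
       * @IsGranted("ROLE_ADMIN")
       * @Security("is_granted('ROLE_ADMIN')")
       */
      public function index()
      {
          // Imperative check through the authorization-checker service. The original
          // discarded isGranted()'s return value (and lacked a semicolon), so it
          // enforced nothing — the result has to drive the denial.
          if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
              throw $this->createAccessDeniedException();
          }

          // OR... the one-line helper, which performs the same check-and-throw.
          $this->denyAccessUnlessGranted('ROLE_ADMIN');

          // processing and return
      }
  }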
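  // Slide 115
  namespace App\Controller;

  /*...*/

  /**
   * Admin landing page. The slide demonstrates four equivalent ways of
   * requiring ROLE_ADMIN; a real controller needs only one of them.
   */
  class AdminController extends AbstractController
  {
      /**
       * @Route("/admin", name="app_admin")
       *
       * Annotation-based checks (pick one; each denies access before index() runs).
       * The closing quote of the @Security expression was a typographic ” in the
       * original, which does not terminate the string — it is a plain " here.
       * @IsGranted("ROLE_ADMIN")
       * @Security("is_granted('ROLE_ADMIN')")
       */
      public function index()
      {
          // Imperative check through the authorization-checker service. The original
          // discarded isGranted()'s return value (and lacked a semicolon), so it
          // enforced nothing — the result has to drive the denial.
          if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
              throw $this->createAccessDeniedException();
          }

          // OR... the one-line helper, which performs the same check-and-throw.
          $this->denyAccessUnlessGranted('ROLE_ADMIN');

          // processing and return
      }
  }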
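  // Slide 116
  namespace App\Controller;

  /*...*/

  /**
   * Admin landing page. The slide demonstrates four equivalent ways of
   * requiring ROLE_ADMIN; a real controller needs only one of them.
   */
  class AdminController extends AbstractController
  {
      /**
       * @Route("/admin", name="app_admin")
       *
       * Annotation-based checks (pick one; each denies access before index() runs).
       * The closing quote of the @Security expression was a typographic ” in the
       * original, which does not terminate the string — it is a plain " here.
       * @IsGranted("ROLE_ADMIN")
       * @Security("is_granted('ROLE_ADMIN')")
       */
      public function index()
      {
          // Imperative check through the authorization-checker service. The original
          // discarded isGranted()'s return value (and lacked a semicolon), so it
          // enforced nothing — the result has to drive the denial.
          if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
              throw $this->createAccessDeniedException();
          }

          // OR... the one-line helper, which performs the same check-and-throw.
          $this->denyAccessUnlessGranted('ROLE_ADMIN');

          // processing and return
      }
  }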
  {# Slide 118: role-conditional markup. Hiding a link or paragraph is a UX nicety, not a security boundary — the /admin routes themselves still need access_control or denyAccessUnlessGranted(). #}
  {% if is_granted('ROLE_ADMIN') %} <p>You are an admin</p> {% endif %}
  # Slide 119: role hierarchy and path-based access rules.
  security:
      role_hierarchy:
          ROLE_ADMIN: ROLE_USER                                   # admins inherit everything ROLE_USER grants
          ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_WHATEVER_YOU_WANT]
      access_control:
          # Rules are evaluated top-down; the first matching rule wins, so order them
          # from most to least specific.
          # NOTE(review): the ip/host constraints depend on the client IP and Host
          # header the framework sees; behind a reverse proxy, or without
          # trusted_proxies/trusted_hosts configured, those values can be influenced
          # by the client — do not rely on them as the only control.
          - { path: ^/admin, roles: ROLE_ADMIN, ip: 127.0.0.1 }
          - { path: ^/page, roles: ROLE_USER, host: localhost }