Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Symfony Security Demystified

3dd28ad260d202a12c2e93fc28fad5d7?s=47 Marco Petersen
July 31, 2019
Programming
0
100

Symfony Security Demystified

3dd28ad260d202a12c2e93fc28fad5d7?s=128

Marco Petersen

July 31, 2019
Tweet

More Decks by Marco Petersen

See All by Marco Petersen
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
38
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
14
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
1.4k
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
190
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
150
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
150
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
130

Other Decks in Programming

See All in Programming
53c93eb80b5958590b18205dc5fd3634?s=48 smdmts
0
150
2e0a66c86d35c1ef7ae20eae1de4ffda?s=48 jreznot
2
990
2722ca734f5f05badb74f976d1f2b6c8?s=48 yonetty
0
140
D12a80cab206033a820ccff8319f957b?s=48 s_uryu
0
470
23190387d424e33d6a1a807cea1e0469?s=48 osamtimizer
0
180
E0a89ea965a4ac4b5f091d6bd9e8d8ea?s=48 takahiro_komatsu1982
0
120
Fd8ec708dd64775183ba0ad57a5efb28?s=48 yuta25
1
140
102398563fd1bf878b35dc2d5ee67cbe?s=48 kamilahsantos
1
100
2f2c7576c7b5d763ad12f342b9afc3a1?s=48 akkyie
0
460
444706893bf3e53d6d96b4509d2d05d5?s=48 tanden
2
1.8k
9bf923e39671cde83584e3e926296c13?s=48 kishikawakatsumi
1
530
B67d76d100e6dbb2ec11087c44d02fbf?s=48 takahiro901
0
110

Featured

See All Featured
9128d500301ae51524e887bb680f471d?s=48 caitiem20
312
18k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
776
200k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
20
4.7k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
63
10k
C1daf20e5c49ff910745198ef9869ac2?s=48 hatefulcrawdad
255
17k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
8
670
Ecdea9b9714877b86cee08458f085481?s=48 trallard
18
980
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
120
16k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
8
880
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
88
3.5k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
103
5.2k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
283
47k

Transcript

  1. Symfony Security Demystified

  2. Security is about user management

  3. Security is about user management protecting resources

  4. → Who are you? → Are you allowed (to do

    that)?

  5. → Who are you? ➡ Authentication → Are you allowed

    (to do that)? ➡ Authorization

  6. The Game Plan → authentication concepts → authorization concepts →

    how they're used in a framework project Example Project https://github.com/ocrampete16/symfony-security- demystified-talk

  7. btw, who dis? ! Marco Petersen " Software Developer @

    SensioLabs # @ocrampete16 $ marco.petersen@sensiolabs.de

  8. Authentication Who are you?

  9. User Providers load a user from a source $userProvider =

    new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd', 'roles' => ['ROLE_USER'], ], ]); $user = $userProvider->loadUserByUsername('marco');

  10. User Providers load a user from a source $userProvider =

    new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd', 'roles' => ['ROLE_USER'], ], ]); $user = $userProvider->loadUserByUsername('marco');
  11. None

  12. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  13. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  14. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  15. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  16. What does the default User Checker do? The User Checker

    does not do anything by default. Implement your own to check for things like: → disabled accounts → accounts past the trial period → expired credentials

  17. Password Encoders encode passwords $encoderFactory = new EncoderFactory([ User::class =>

    new PlaintextPasswordEncoder(), ]); $encoder = $encoderFactory->getEncoder($user); $hash = $encoder->encodePassword($plaintext, $salt);

  18. Password Encoders encode passwords $encoderFactory = new EncoderFactory([ User::class =>

    new PlaintextPasswordEncoder(), ]); $encoder = $encoderFactory->getEncoder($user); $hash = $encoder->encodePassword($plaintext, $salt);
  19. None

  20. Putting it all together

  21. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  22. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  23. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  24. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  25. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  26. Symfony uses the same class for authenticated and unauthenticated tokens

    // UserPasswordToken.php public function __construct( $user, $credentials, string $providerKey, array $roles = [] ) { // ... parent::setAuthenticated(\count($roles) > 0); }

  27. Symfony uses the same class for authenticated and unauthenticated tokens

    // UserPasswordToken.php public function __construct( $user, $credentials, string $providerKey, array $roles = [] ) { // ... parent::setAuthenticated(\count($roles) > 0); }

  28. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => ['ROLE_USER'], ], ]);

  29. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => ['ROLE_USER'], ], ]);

  30. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  31. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  32. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  33. Authorization Do you have permission?

  34. Security voters vote whether an authenticated user can perform an

    action on a subject $voter = new BlogPostVoter(); // returns VoterInterface::ACCESS_GRANTED, // VoterInterface::ACCESS_ABSTAIN or VoterInterface::ACCESS_DENIED $vote = $voter->vote($token, $blogPost, ['edit']);

  35. Security voters vote whether an authenticated user can perform an

    action on a subject $voter = new BlogPostVoter(); // returns VoterInterface::ACCESS_GRANTED, // VoterInterface::ACCESS_ABSTAIN or VoterInterface::ACCESS_DENIED $vote = $voter->vote($token, $blogPost, ['edit']);

  36. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  37. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  38. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  39. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  40. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  41. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  42. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  43. When using the framework

  44. A simple security configuration security: providers: database_users: entity: { class:

    App\Entity\User, property: username } encoders: App\Entity\User: 'bcrypt' firewalls: main: anonymous: true form_login: true access_control: - { path: ^/profile, roles: ROLE_USER }

  45. framework providers: database_users: entity: { class: App\Entity\User, property: username }

    standalone $userProvider = new EntityUserProvider( $registry, App\Entity\User::class, 'username' );

  46. framework encoders: App\Entity\User: 'bcrypt' standalone $encoderFactory = new EncoderFactory([ App\Entity\User::class

    => new BCryptPasswordEncoder($cost), ]);

  47. framework firewalls: main: anonymous: true form_login: true standalone $authenticationManager =

    new AuthenticationProviderManager([ new AnonymousAuthenticationProvider($secret), new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]);

  48. framework access_control: - { path: ^/profile, roles: ROLE_USER } standalone

    $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(), ]); // if request matches ^/profile $granted = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] );

  49. In Summary

  50. The security workflow is comprised of two phases. Authentication asks

    "Who are you?" Authorization asks "Are you allowed to do that?"

  51. User providers load users from a source. User checkers check

    loaded users. Password encoders encode passwords.

  52. Security voters vote to grant or deny access (or abstain).

    Symfony uses Security Voters to check roles and authentication states.

  53. $kernel->terminate($request, $response);

  54. None