Save 37% off PRO during our Black Friday Sale! »

Symfony Security Demystified

3dd28ad260d202a12c2e93fc28fad5d7?s=47 Marco Petersen
July 31, 2019
Programming
0
120

Symfony Security Demystified

3dd28ad260d202a12c2e93fc28fad5d7?s=128

Marco Petersen

July 31, 2019
Tweet

More Decks by Marco Petersen

See All by Marco Petersen
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
110
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
94
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
1.4k
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
220
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
160
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
160
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
130

Other Decks in Programming

See All in Programming
B00d69471ef4903e0353aa5476614b7f?s=48 yongtae723
0
760
9a5d3eac40dd7a3a8d5373b22145fa88?s=48 sntree2mi8
0
120
E3c2bac7a4a04823dda122cf243edd01?s=48 claudioed
0
250
35f9898750fef525fe881a2ef5fef9d6?s=48 mazamachi
0
200
5059d3f370ad7e1f4d8de4be79ae1a2c?s=48 rvirus0817
0
190
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
220
52cc8a838bf44a589d2572833b2dd1b9?s=48 palkan
2
130
Ba868bdf0f1f87ac2c5b0a6b33119e35?s=48 e869120
34
22k
A10e41b0a61d59f2258d7f6172c33479?s=48 kaityo256
2
110
42a6a049ac8f5265f31858a9509217fb?s=48 uhooi
0
390
E505897a79eede1a676f92740261e8f8?s=48 kubode
0
310
B5f0b0a84d9063dbe2cb2f1f6025f2f3?s=48 yyyank
0
110

Featured

See All Featured
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
342
16k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
18
2.5k
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
655
120k
Eb8975af8e49e19e3dd6b6b84a542e26?s=48 qrush
288
19k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
71
3.2k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
6.9k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
6
790
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
129
22k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
23k
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
16
950
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
289
47k

Transcript

  1. Symfony Security Demystified

  2. Security is about user management

  3. Security is about user management protecting resources

  4. → Who are you? → Are you allowed (to do

    that)?

  5. → Who are you? ➡ Authentication → Are you allowed

    (to do that)? ➡ Authorization

  6. The Game Plan → authentication concepts → authorization concepts →

    how they're used in a framework project Example Project https://github.com/ocrampete16/symfony-security- demystified-talk

  7. btw, who dis? ! Marco Petersen " Software Developer @

    SensioLabs # @ocrampete16 $ marco.petersen@sensiolabs.de

  8. Authentication Who are you?

  9. User Providers load a user from a source $userProvider =

    new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd', 'roles' => ['ROLE_USER'], ], ]); $user = $userProvider->loadUserByUsername('marco');

  10. User Providers load a user from a source $userProvider =

    new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd', 'roles' => ['ROLE_USER'], ], ]); $user = $userProvider->loadUserByUsername('marco');
  11. None

  12. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  13. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  14. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  15. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  16. What does the default User Checker do? The User Checker

    does not do anything by default. Implement your own to check for things like: → disabled accounts → accounts past the trial period → expired credentials

  17. Password Encoders encode passwords $encoderFactory = new EncoderFactory([ User::class =>

    new PlaintextPasswordEncoder(), ]); $encoder = $encoderFactory->getEncoder($user); $hash = $encoder->encodePassword($plaintext, $salt);

  18. Password Encoders encode passwords $encoderFactory = new EncoderFactory([ User::class =>

    new PlaintextPasswordEncoder(), ]); $encoder = $encoderFactory->getEncoder($user); $hash = $encoder->encodePassword($plaintext, $salt);
  19. None

  20. Putting it all together

  21. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  22. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  23. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  24. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  25. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  26. Symfony uses the same class for authenticated and unauthenticated tokens

    // UserPasswordToken.php public function __construct( $user, $credentials, string $providerKey, array $roles = [] ) { // ... parent::setAuthenticated(\count($roles) > 0); }

  27. Symfony uses the same class for authenticated and unauthenticated tokens

    // UserPasswordToken.php public function __construct( $user, $credentials, string $providerKey, array $roles = [] ) { // ... parent::setAuthenticated(\count($roles) > 0); }

  28. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => ['ROLE_USER'], ], ]);

  29. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => ['ROLE_USER'], ], ]);

  30. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  31. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  32. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  33. Authorization Do you have permission?

  34. Security voters vote whether an authenticated user can perform an

    action on a subject $voter = new BlogPostVoter(); // returns VoterInterface::ACCESS_GRANTED, // VoterInterface::ACCESS_ABSTAIN or VoterInterface::ACCESS_DENIED $vote = $voter->vote($token, $blogPost, ['edit']);

  35. Security voters vote whether an authenticated user can perform an

    action on a subject $voter = new BlogPostVoter(); // returns VoterInterface::ACCESS_GRANTED, // VoterInterface::ACCESS_ABSTAIN or VoterInterface::ACCESS_DENIED $vote = $voter->vote($token, $blogPost, ['edit']);

  36. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  37. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  38. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  39. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  40. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  41. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  42. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  43. When using the framework

  44. A simple security configuration security: providers: database_users: entity: { class:

    App\Entity\User, property: username } encoders: App\Entity\User: 'bcrypt' firewalls: main: anonymous: true form_login: true access_control: - { path: ^/profile, roles: ROLE_USER }

  45. framework providers: database_users: entity: { class: App\Entity\User, property: username }

    standalone $userProvider = new EntityUserProvider( $registry, App\Entity\User::class, 'username' );

  46. framework encoders: App\Entity\User: 'bcrypt' standalone $encoderFactory = new EncoderFactory([ App\Entity\User::class

    => new BCryptPasswordEncoder($cost), ]);

  47. framework firewalls: main: anonymous: true form_login: true standalone $authenticationManager =

    new AuthenticationProviderManager([ new AnonymousAuthenticationProvider($secret), new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]);

  48. framework access_control: - { path: ^/profile, roles: ROLE_USER } standalone

    $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(), ]); // if request matches ^/profile $granted = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] );

  49. In Summary

  50. The security workflow is comprised of two phases. Authentication asks

    "Who are you?" Authorization asks "Are you allowed to do that?"

  51. User providers load users from a source. User checkers check

    loaded users. Password encoders encode passwords.

  52. Security voters vote to grant or deny access (or abstain).

    Symfony uses Security Voters to check roles and authentication states.

  53. $kernel->terminate($request, $response);

  54. None