Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Symfony Security Demystified

3dd28ad260d202a12c2e93fc28fad5d7?s=47 Marco Petersen
July 31, 2019
Programming
0
110

Symfony Security Demystified

3dd28ad260d202a12c2e93fc28fad5d7?s=128

Marco Petersen

July 31, 2019
Tweet

More Decks by Marco Petersen

See All by Marco Petersen
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
97
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
42
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
1.4k
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
220
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
150
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
1
160
3dd28ad260d202a12c2e93fc28fad5d7?s=48 ocrampete16
0
130

Other Decks in Programming

See All in Programming
1a1d418bdf51cbf8fce1317f6c80a907?s=48 satoshi0212
3
270
29dd31db419a2e56cf6a8a11f9de98ee?s=48 masakazoo
2
510
F34964538565e89f55b1df6e33c9a1e8?s=48 kapsy1312
0
210
23a9ea59992e5349aa4bf659a6d583d3?s=48 nanashiki
1
520
Faafc04d9e69b73b9f49995fd4c94d4d?s=48 whatyouhide
0
240
3931098ae486b6df619050c63e24f6cc?s=48 osyo
1
190
4651f57d479e562a45dd624cc24dbee3?s=48 nsaito9628
1
150
D76231a2114896dfcc7b79ac69558b79?s=48 yosuke_furukawa
PRO
35
9.8k
08d5432a5bc31e6d9edec87b94cb1db1?s=48 k0kubun
19
11k
Eae7b6aeee72d3081b01d09a2d675f9a?s=48 akkeylab
5
970
44f37c1fe3a6a56376bb41a338741355?s=48 ring
1
510
351bca0f01c8cb553535791140636368?s=48 sidepelican
3
190

Featured

See All Featured
Ecdea9b9714877b86cee08458f085481?s=48 trallard
24
1.2k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
52
3.3k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
30
1.7k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
207
38k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
297
39k
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
348
27k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
107
6.5k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
28
2.8k
11c84dff30266b907714802088852677?s=48 jasonvnalue
87
8.3k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
171
7.7k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
61
6.7k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
37
4.6k

Transcript

  1. Symfony Security Demystified

  2. Security is about user management

  3. Security is about user management protecting resources

  4. → Who are you? → Are you allowed (to do

    that)?

  5. → Who are you? ➡ Authentication → Are you allowed

    (to do that)? ➡ Authorization

  6. The Game Plan → authentication concepts → authorization concepts →

    how they're used in a framework project Example Project https://github.com/ocrampete16/symfony-security- demystified-talk

  7. btw, who dis? ! Marco Petersen " Software Developer @

    SensioLabs # @ocrampete16 $ marco.petersen@sensiolabs.de

  8. Authentication Who are you?

  9. User Providers load a user from a source $userProvider =

    new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd', 'roles' => ['ROLE_USER'], ], ]); $user = $userProvider->loadUserByUsername('marco');

  10. User Providers load a user from a source $userProvider =

    new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd', 'roles' => ['ROLE_USER'], ], ]); $user = $userProvider->loadUserByUsername('marco');
  11. None

  12. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  13. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  14. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  15. The User Checker ensures that the user meets certain requirements

    $userChecker = new UserChecker(); $userChecker->checkPreAuth($user); // authenticate user here $userChecker->checkPostAuth($user);

  16. What does the default User Checker do? The User Checker

    does not do anything by default. Implement your own to check for things like: → disabled accounts → accounts past the trial period → expired credentials

  17. Password Encoders encode passwords $encoderFactory = new EncoderFactory([ User::class =>

    new PlaintextPasswordEncoder(), ]); $encoder = $encoderFactory->getEncoder($user); $hash = $encoder->encodePassword($plaintext, $salt);

  18. Password Encoders encode passwords $encoderFactory = new EncoderFactory([ User::class =>

    new PlaintextPasswordEncoder(), ]); $encoder = $encoderFactory->getEncoder($user); $hash = $encoder->encodePassword($plaintext, $salt);
  19. None

  20. Putting it all together

  21. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  22. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  23. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  24. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  25. const PROVIDER_KEY = 'default'; $unauthenticatedToken = new UsernamePasswordToken('marco', 'p4$$w0rd', PROVIDER_KEY);

    $authenticationManager = new AuthenticationProviderManager([ new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]); $authenticatedToken = $authenticationManager->authenticate($unauthenticatedToken);

  26. Symfony uses the same class for authenticated and unauthenticated tokens

    // UserPasswordToken.php public function __construct( $user, $credentials, string $providerKey, array $roles = [] ) { // ... parent::setAuthenticated(\count($roles) > 0); }

  27. Symfony uses the same class for authenticated and unauthenticated tokens

    // UserPasswordToken.php public function __construct( $user, $credentials, string $providerKey, array $roles = [] ) { // ... parent::setAuthenticated(\count($roles) > 0); }

  28. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => ['ROLE_USER'], ], ]);

  29. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => ['ROLE_USER'], ], ]);

  30. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  31. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  32. $userProvider = new InMemoryUserProvider([ 'marco' => [ 'password' => 'p4$$w0rd',

    'roles' => [], ], ]); // ... // $token is unauthenticated! $token = $authenticationManager->authenticate($unauthenticatedToken);

  33. Authorization Do you have permission?

  34. Security voters vote whether an authenticated user can perform an

    action on a subject $voter = new BlogPostVoter(); // returns VoterInterface::ACCESS_GRANTED, // VoterInterface::ACCESS_ABSTAIN or VoterInterface::ACCESS_DENIED $vote = $voter->vote($token, $blogPost, ['edit']);

  35. Security voters vote whether an authenticated user can perform an

    action on a subject $voter = new BlogPostVoter(); // returns VoterInterface::ACCESS_GRANTED, // VoterInterface::ACCESS_ABSTAIN or VoterInterface::ACCESS_DENIED $vote = $voter->vote($token, $blogPost, ['edit']);

  36. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  37. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  38. The framework also uses Security Voters to check for roles

    and authentication states $roleVoter = new RoleVoter('ROLE_'); $authenticatedVoter = new AuthenticatedVoter( $authenticationTrustResolver ); // Does the user have the role `ROLE_USER`? $roleVoter->vote($token, null, ['ROLE_USER']); // Is the user logged in? $authenticatedVoter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);

  39. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  40. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  41. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  42. Putting it all together $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(),

    new BlogPostVoter(), ]); $hasRole = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] ); $canEditBlogPost = $accessDecisionManager->decide( $authenticatedToken, ['edit'], $blogPost );

  43. When using the framework

  44. A simple security configuration security: providers: database_users: entity: { class:

    App\Entity\User, property: username } encoders: App\Entity\User: 'bcrypt' firewalls: main: anonymous: true form_login: true access_control: - { path: ^/profile, roles: ROLE_USER }

  45. framework providers: database_users: entity: { class: App\Entity\User, property: username }

    standalone $userProvider = new EntityUserProvider( $registry, App\Entity\User::class, 'username' );

  46. framework encoders: App\Entity\User: 'bcrypt' standalone $encoderFactory = new EncoderFactory([ App\Entity\User::class

    => new BCryptPasswordEncoder($cost), ]);

  47. framework firewalls: main: anonymous: true form_login: true standalone $authenticationManager =

    new AuthenticationProviderManager([ new AnonymousAuthenticationProvider($secret), new DaoAuthenticationProvider( $userProvider, $userChecker, PROVIDER_KEY, $encoderFactory ), ]);

  48. framework access_control: - { path: ^/profile, roles: ROLE_USER } standalone

    $accessDecisionManager = new AccessDecisionManager([ new RoleVoter(), ]); // if request matches ^/profile $granted = $accessDecisionManager->decide( $authenticatedToken, ['ROLE_USER'] );

  49. In Summary

  50. The security workflow is comprised of two phases. Authentication asks

    "Who are you?" Authorization asks "Are you allowed to do that?"

  51. User providers load users from a source. User checkers check

    loaded users. Password encoders encode passwords.

  52. Security voters vote to grant or deny access (or abstain).

    Symfony uses Security Voters to check roles and authentication states.

  53. $kernel->terminate($request, $response);

  54. None