Add the security layer to your (RESTfull) API and serve a distributed web application Marco Loche PHPDay 2014 

PHP is the language Community gives value 

1. Introduction 

Who am I ? 

About  my  company   

eLearning •  Learning Management System – Content management system dedicated to learning management   

eLearning Sharable Content Object Reference Model – SCORM compliant content must be transferable on LMS server – SCORM compliant content can comunicate with LMS – SCORM compliant conten must be agnostic about server technology   

How to serve content remotly and on different domains keeping control of whoever is using it ? 

2. Context 

An open system for browsing, sharing and including resources 

API era is now 

REST is the best 

A matter of consuming resources 

Uniform  interface   Uniform interface 

Richardson Model Access through HTTP (RMM level 0) Endpoints of the api are resource representations (RMM level 1) Interact with resources with HTTP Verbs and Content negotiation (RMM level 2) … Hypermedia and the glory (RMM level 3) 

    Be fluent and transitional 

REST in Symfony jms/serializer-bundle friendsofsymfony/rest-bundle willdurand/hateoas-bundle nelmio/api-doc-bundle 

Lesson learned 

3. Managing origin of distributed client 

Protecting personal data and identity integrity     

 Same Origin Policy 

Pages of the same origin can manipulate each other's DOM 

Content loaded from one domain can not interact with content coming from another 

Extended to other aspects : HTTP Cookies, XMLHttpRequest 

Defining origin http://tools.ietf.org/html/rfc6454 trusted === {scheme, host, port} not trusted !== {scheme, host, port} 

So what’s trustworthy? http://www.example.com/index.html http://www.example.com/content/page2.html http://user:[email protected]/api/resource 

And what’s not? http://www.example.com/index.html http://www.example.com:81/content/page2.html https://www.example.com/content/page2.html http://example.com/content/page2.html http://api.example.com/content/page2.html 

We need to relax 

Techniques for relaxing   •  document.domain property •  Cross-document messaging •  JSONP •  CORS   

document.domain property http://www.example.com/ document.domain = 'example.com'; http://store.example.com/ document.domain = 'example.com'; 

Cross-document messaging http://www.example.com/ http://store.example.net/ http://example.com/ otherWindow.postMessage("hello there!", "http://example.net"); http://example.net/ window.addEventListener("message",receiveMessage,false); function receiveMessage(event) { if (event.origin !== "http://example.com") // DO STUFF HERE WITH event.data } 

JSONP 

JSONP

Ok, but we want more! Previous solutions are valid only if you want to be in RMM1 No Verbs No Content Negotiation No Headers for security 

Cross-Origin Resource Sharing •  W3C Recomandation (16 january 2014) •  Enable true cross domain communication for JavaScript application •  Build on top of the XHR 

Simple Cross-Origin Request JavaScript Code Browser API Server xhr.send() Actual request Actual response onload / onerror 

Simple Request Method HEAD GET POST   

Simple request header Accept Accept-Language Content-Type Content-Language 

Simple response header Cache-Control Content-Language Content-Type Expires Last-Modified Pragma 

GET /resource HTTP/1.1 Origin: http://www.example.com Host: api.example.com ... HTTP/1.1 200 OK Access-Control-Allow-Origin: http://www.example.com ... 

Cross-Origin Request with Prefilght JavaScript Code Browser API Server xhr.send() Actual request Actual response onload / onerror Prefligth request Preflight response 

•  CORS with preflight request are originated by : –  Other HTTP verbs (PUT PATCH DELETE) –  Other Content-Type (Application/Json) –  Custom Headers (Allow-Header : X-AUTH) –  Non simple header expose (Expose-Header) •  Preflight request + actual request 

OPTIONS /resource HTTP/1.1 Origin: http://www.example.com Access-Control-Request-Method: PUT Access-Control-Request-Headers: X-Custom-Header Host: api.example.com HTTP/1.1 200 OK Access-Control-Allow-Origin: http://www.example.com Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE Access-Control-Allow-Headers: X-Custom-Header Access-Control-Max-Age: 3600 ... 

PUT /cors HTTP/1.1 Origin: http://www.example.com Host: api.example.com X-Custom-Header: value   HTTP/1.1 200 OK Access-Control-Allow-Origin: http://www.example.com Content-Type: text/html; charset=utf-8 

Implementation Client side: •  Nicolas Zakas’s Request Object Wrapper •  jQuery Server side: •  NelmioCorsBundle 

composer.json "require": { "nelmio/cors-bundle": "~1.0"}, } 

app/config/config.yml nelmio_cors: defaults: allow_credentials: false allow_origin: [*] allow_methods: ['GET','PUT','POST'] expose_headers: [] max_age: 3600 hosts: [] 

app/config/config.yml nelmio_cors: defaults: allow_credentials: false allow_origin: [*] allow_methods: ['GET','PUT','POST'] expose_headers: [] max_age: 3600 hosts: [] 

app/config/config.yml nelmio_cors: defaults: allow_credentials: false allow_origin: [*] allow_methods: ['GET','PUT','POST'] expose_headers: [] max_age: 3600 hosts: [] 

app/config/config.yml nelmio_cors: defaults: allow_credentials: false allow_origin: [*] allow_methods: ['GET','PUT','POST'] expose_headers: [] max_age: 3600 hosts: [] 

[…] paths: '^/api/': allow_origin: ['*'] allow_methods: ['GET','PUT','POST'] '^/api/sensitiveResource': allow_origin:['https://trusted.io'] 

Lesson learned If you want to be RESTfull you have to go with CORS 

4. Managing  security  of  your   resources   

Authentication •  Basic authentication •  Digest authentication •  Token authentication •  API Key •  WSSE •  OpenID 

Authorization •  Authorization token •  OAuth 1.0a •  OAuth 2 

API Security in Symfony hwi/HWIOAuthBundle friendsofsymfony/oauth-server-bundle escapestudios/EscapeWSSEAuthenticationBundle 

HANDS ON 

https://www.university.edu 0. authentication Web Application Client LMS SCORM 1. API Key https://auth.example.com 2 request authorization https://content.example.com 3 3 send token 4 access resources 

Custom Authentication Provider 

app/configu/security.yml security: providers: [...] capturator: id: capturator.security.tokenAuth in_memory: memory: users: authentication-authority: - password: %auth_authority_pwd% - roles: ROLE_AUTH' 

app/configu/security.yml security: providers: [...] capturator: id: capturator.security.tokenAuth in_memory: memory: users: authentication-authority: - password: %auth_authority_pwd% - roles: 'ROLE_AUTHENTICATION_AUTHORITY' 

firewalls: capturator_api_licenser: pattern: ^/api/token(.*) anonymous: ~ http_basic: realm: "Secured Authentication Authority Realm" provider: in_memory capturator_api: pattern: ^/api/(.*) capturator: true stateless: true [...] access_control: [...] - { path: ^/api/token(.*), roles: ROLE_AUTH, ip: 192.168.0.1, requires_channel: https } 

Capturator/CoreBundle/Resources/config/services.xml Capturator\CoreBundle\Security\User\CapturatorUserProvider Capturator\CoreBundle\Security\Service\TokenRetriever [...] [...] 

Capturator/CoreBundle/Resources/config/services.xml Capturator\CoreBundle\Security\User\CapturatorUserProvider Capturator\CoreBundle\Security\Service\TokenRetriever [...] [...] 

class CapturatorListener implements ListenerInterface { protected $securityContext; protected $authenticationManager; protected $tokeRetriever; […] public function handle(GetResponseEvent $event) { $request = $event->getRequest(); $requestTokenString = $this->tokeRetriever->retrieve($request); $token = new CapturatorToken(); $token->setUser($requestTokenString); $authToken = $this->authenticationManager->authenticate($token); $this->securityContext->setToken($authToken); } } 

class CapturatorListener implements ListenerInterface { protected $securityContext; protected $authenticationManager; protected $tokeRetriever; […] public function handle(GetResponseEvent $event) { $request = $event->getRequest(); $requestTokenString = $this->tokeRetriever->retrieve($request); $token = new CapturatorToken(); $token->setUser($requestTokenString); $authToken = $this->authenticationManager->authenticate($token); $this->securityContext->setToken($authToken); } } 

namespace Capturator\CoreBundle\Security\Service; use Symfony\Component\HttpFoundation\Request; use Capturator\CoreBundle\Exception\AuthenticationException; class TokenRetriever implements TokenRetrieverInterface { public function retrieve(Request $request) { if (!$request->query->has('token') && !$request->headers->has('x-cassys-auth')) { throw new AuthenticationException( ‘Missing required authentication parameter', __CLASS__); } $requestTokenString = $request->query->has('token') ? $request->query->get('token') : $request->headers->get('x-cassys-auth'); return $requestTokenString; } } 

class CapturatorListener implements ListenerInterface { protected $securityContext; protected $authenticationManager; protected $tokeRetriever; […] public function handle(GetResponseEvent $event) { $request = $event->getRequest(); $requestTokenString = $this->tokeRetriever->retrieve($request); $token = new CapturatorToken(); $token->setUser($requestTokenString); $authToken = $this->authenticationManager->authenticate($token); $this->securityContext->setToken($authToken); } } 

Capturator/CoreBundle/Security/User/CapturatorUserProvider.php class CapturatorUserProvider implements UserProviderInterface { protected $em; public function __construct(EntityManager $em) { $this->em = $em; } public function loadUserByUsername( $token) [...] public function refreshUser(UserInterface $user ) [...] public function supportsClass($class) { return ($class == "Capturator\CoreBundle\Security\User\CapturatorUser"); } } 

The SimplePreAuthenticatorInterface interface was introduced in Symfony 2.4. 

Extendig NelmioCorsBundle Associating Origin and Authorization 

/Users/marco/Progetti/Cassys-Server/app/config/config.yml capturator_cors: allow_origin_entity: CapturatorCoreBundle:CustomerDomainName defaults: allow_credentials: false expose_headers: [] max_age: 0 hosts: [] paths: '^/api/3/': allow_headers: ['X-Cassys-Auth', 'X-Requested-With', 'Content-Type'] allow_methods: ['POST', 'PUT', 'GET'] 

/Users/marco/Progetti/Cassys-Server/app/config/config.yml capturator_cors: allow_origin_entity: CapturatorCoreBundle:CustomerDomainName defaults: allow_credentials: false expose_headers: [] max_age: 0 hosts: [] paths: '^/api/3/': allow_headers: ['X-Cassys-Auth', 'X-Requested-With', 'Content-Type'] allow_methods: ['POST', 'PUT', 'GET'] 

Capturator/CoreBundle/Resources/config/services.xml Capturator\CorsBundle\Options\CustomerDomainProvider %capturator_cors.map% %capturator_cors.defaults% %capturator_cors.allow_origin_entity% 

Capturator/CoreBundle/Resources/config/services.xml Capturator\CorsBundle\Options\CustomerDomainProvider %capturator_cors.map% %capturator_cors.defaults% %capturator_cors.allow_origin_entity% 

Capturator/CorsBundle/Options/CustomerDomainRepositoryInterface.php namespace Capturator\CorsBundle\Options; interface CustomerDomainRepositoryInterface { /** * @param $origin * @return mixed */ public function findOneByOriginDomain( $origin, $token);} 

CorsBundle/Options/CustomerDomainProvider.php [...]use Nelmio\CorsBundle\Options\ProviderInterface; class CustomerDomainProvider implements ProviderInterface { [...] public function getOptions(Request $request) { [...] $origin = $request->headers->get('Origin'); $token= $request->headers->get('X-CUSTOM-AUTH'); if (!is_null($this->repository->findOneByOriginDomain($origin, $token))) { $options['allow_origin'] = array($origin); $options= array_merge($this->defaults, $options); return $options; } } } 

CorsBundle/Options/CustomerDomainProvider.php [...]use Nelmio\CorsBundle\Options\ProviderInterface; class CustomerDomainProvider implements ProviderInterface { [...] public function getOptions(Request $request) { [...] $origin = $request->headers->get('Origin'); $token= $request->headers->get('X-CUSTOM-AUTH'); if (!is_null($this->repository->findOneByOriginDomain($origin, $token))) { $options['allow_origin'] = array($origin); $options= array_merge($this->defaults, $options); return $options; } } } 

5. Conclusion 

Work done 

Prefer open protocol 

Access control 

References h7p://www.ics.uci.edu/~fielding/pubs/disserta@on/top.htm   h7ps://www.owasp.org/index.php/REST_Security_Cheat_Sheet#Introduc@on   h7p://www.w3.org/TR/cors/   h7p://www.iana.org/assignments/link-­‐rela@ons/   h7ps://www.oasis-­‐open.org/commi7ees/wss/documents/WSS-­‐Username-­‐02-­‐0223-­‐merged.pdf   h7p://oauth.net/   h7p://www.ieP.org/rfc/rfc2617.txt   h7p://www.ieP.org/rfc/rfc5849.txt  (OAuth  1.0a)   h7p://www.ieP.org/rfc/rfc6749.txt  (OAutn  2.0)   h7p://tools.ieP.org/html/dra[-­‐kelly-­‐json-­‐hal-­‐06   h7p://www.w3.org/TR/json-­‐ld/   

Readings h7p://en.wikipedia.org/wiki/Cross-­‐origin_resource_sharing   h7ps://code.google.com/p/browsersec/wiki/Part2#Standard_browser_security_features   h7p://www.html5rocks.com/en/tutorials/cors/   h7p://enable-­‐cors.org/   h7p://williamdurand.fr/2012/08/02/rest-­‐apis-­‐with-­‐symfony2-­‐the-­‐right-­‐way/   h7p://welcometothebundle.com/symfony2-­‐rest-­‐api-­‐the-­‐best-­‐2013-­‐way/   h7p://2012.phpday.it/talk/designing-­‐h7p-­‐interfaces-­‐and-­‐resPul-­‐web-­‐services/   h7p://2013.phpday.it/talk/rest-­‐apis-­‐made-­‐easy-­‐with-­‐symfony2/   h7p://www.slideshare.net/dlondero/rest-­‐in-­‐prac@ce-­‐27335543   h7p://edu.williamdurand.fr/web-­‐security-­‐101-­‐slides/#/   h7p://edu.williamdurand.fr/security-­‐slides/#slide1   h7p://friendsofsymfony.github.io/slides/res@ng-­‐with-­‐symfony2.html#/   h7p://symfony.com/doc/current/cookbook/security/custom_authen@ca@on_provider.html   h7p://symfony.com/doc/current/cookbook/security/api_key_authen@[email protected]   

Thanks http://joind.in/11303 @netamorfose www.marcoloche.com [email protected] All pictures are mine 

Q & A http://joind.in/11303 @netamorfose www.marcoloche.com [email protected] All pictures are mine