Symfony2 Security Mastering the authentication part of the Security component By re-implementing the component together in ~40 minutes

About me R&D developer @ Sensiolabs! Since ~2 years — Worked mainly on SensiolabsInsight Product 25 years old Web / Lead developer for web agencies & startups! netvibes.com — thefork.com… Joseph Rouff @rouffj github.com/rouffj josephrouff.com

Useful info No need to note anything: •Video: youtube.com/sensiolabs •Slides: speakerdeck.com/rouffj The source code is available on Github: •github.com/rouffj/HowtoSecurityBundle

Summary Facts of use Talk’s goals & progression Examples (6 user stories)

Facts of use Misunderstood component! Lots of concepts to assimilate (>15 concepts) — Complex workflow Lost beyond simple use cases! Apply recipes without understanding — Security part considered as a black box

Summary Facts of use Talk’s goals & progression Examples (6 user stories)

Goals What each core concepts are used for! Firewall — AuthenticationListener — Token — AuthenticationProvider… Knowing… When / How to add new implementations How to master our work on Security! Instead of using it blindly

Goals / How to reach goals? Code from scratch the component in < 40min! The core concepts (Firewall, AuthenticationListener, Token…) Based on a simple but real application! with user stories describing the business needs + = Show that each concept originally has a business need

Goals / How to reach goals? /howto-security/case1 /howto-security/case1/admin

Summary Facts of use Talk’s goals & progression Examples (6 user stories)

US1. The security of my app should be handled by the SimpleSecurity component Create an EventSubscriber subscribed to 'kernel.request' How to listen to each Request received by a Symfony2 app? https://github.com/rouffj/HowtoSecurityBundle/pull/1/files

US1 / Concept Firewall Intercept and analyze each incoming request.

US1 / Quizz My app is using Zend? ✔ Should I create a new "Firewall" if: My app is using CakePHP? ✔ My app is using Silex? ✘

US2. As a visitor, I should not be able to access the admin area By creating a URL Pattern which matches all admin's URLs How to declare a URL as being part of the admin area? https://github.com/rouffj/HowtoSecurityBundle/pull/2/files By using the RequestMatcher How to know if a Request matches a pattern with Symfony?

US2 / Concept Rule Associate a URL pattern with one or many AuthenticationListener. Also known as firewalls in Symfony2 language.

US3. I should be able to authenticate myself via the HTTP authentication mecanism 1. How to retrieve required data for authentication? 2. How to use retrieved data to try to authenticate the user?

US3a. I want to retrieve required data for HTTP Basic authentication In the HTTP Request Where can I retrieve data for authentication? https://github.com/rouffj/HowtoSecurityBundle/pull/3/files The header PHP_AUTH_USER should be available How to recognize an Authentication Request? The login + password (PHP_AUTH_*) What data is required to run the authentication process?

US3a / Concept Token Data set related to authentication. Authentication Request Request containing Authentication data. AuthenticationListener Retrieve the data from the Authentication Request to launch the authentication process.

US3b. I want to authenticate the Token By comparing Token data with the data of a Datastore How to check the validity of the Token? https://github.com/rouffj/HowtoSecurityBundle/pull/5/files Add roles to the Token + add it into the securityContext How to declare a Token as authenticated?

US3b / Concept AuthenticationProvider Attempt to transform the Token into an Authenticated Token via a datasource (LDAP, MySQL...). SecurityContext Contain the Token of the connected user. The SecurityContext is accessible anywhere in the application.

US3 / Quizz Authentication via Form (Phone/Pass) requires: AuthListener | Token | AuthProvider ✔ ✔ ✔ Authentication via Header (Phone/Pass) requires: AuthListener | Token | AuthProvider ✔ ✘ ✘ Authentication via Google+ requires: AuthListener | Token | AuthProvider ✔ ✔ ✔ Authentication via Facebook requires: AuthListener | Token | AuthProvider ✘ ✘ ✔ + + +

US4. If I make a mistake while submitting credentials, I should be able to retry authentication until they are correct https://github.com/rouffj/HowtoSecurityBundle/pull/6/files The 401 HTTP code with a "WWW-Authenticate" header What response should be returned when submitted credentials are wrong?

US4 / Concept EntryPoint Allow to restart the authentication process. It answers the question "What to do if the current user is not authenticated or gives wrong credentials?”.

US5. I should be able to authenticate myself by sending my credentials via the URL to avoid interactive login https://github.com/rouffj/HowtoSecurityBundle/pull/7/files The Request query should contains a “username” entry How to recognize an Authentication Request? The username+password in Request query What data is required to run the authentication process? AuthListener | Token | AuthProvider Does this user story need: ✔ ✘ ✘

Thanks for your attention ? joind.in/10373