Slide 1

Symfony2 Security
Mastering the authentication part of the Security component
By re-implementing the component together in ~40 minutes

Slide 2

About me
Joseph Rouff, 25 years old
R&D developer @ Sensiolabs for ~2 years — worked mainly on the SensiolabsInsight product
Web / lead developer for web agencies & startups: netvibes.com, thefork.com…
@rouffj
github.com/rouffj
josephrouff.com

Slide 3

Useful info
No need to note anything:
• Video: youtube.com/sensiolabs
• Slides: speakerdeck.com/rouffj
The source code is available on Github:
• github.com/rouffj/HowtoSecurityBundle

Slide 4

Summary
Facts of use
Talk’s goals & progression
Examples (6 user stories)

Slide 5

Facts of use
Misunderstood component!
Lots of concepts to assimilate (>15 concepts) — complex workflow
Lost beyond simple use cases!
Recipes are applied without understanding — the Security part is considered a black box

Slide 6

Summary
Facts of use
Talk’s goals & progression
Examples (6 user stories)

Slide 7

Goals
What each core concept is used for!
Firewall, AuthenticationListener, Token, AuthenticationProvider…
Knowing when / how to add new implementations
How to master our work on Security, instead of using it blindly

Slide 8

Goals / How to reach goals?
Code the component from scratch in < 40 min! The core concepts (Firewall, AuthenticationListener, Token…)
+ Based on a simple but real application, with user stories describing the business needs
= Show that each concept originally answers a business need

Slide 9

Goals / How to reach goals?
/howto-security/case1
/howto-security/case1/admin

Slide 10

Summary
Facts of use
Talk’s goals & progression
Examples (6 user stories)

Slide 11

US1. The security of my app should be handled by the SimpleSecurity component
How to listen to each Request received by a Symfony2 app?
Create an EventSubscriber subscribed to 'kernel.request'
https://github.com/rouffj/HowtoSecurityBundle/pull/1/files

Slide 12

US1 / Concept
Firewall: intercepts and analyzes each incoming request.

Slide 13

US1 / Quiz
Should I create a new "Firewall" if:
My app is using Zend? ✔
My app is using CakePHP? ✔
My app is using Silex? ✘

Slide 14

US2. As a visitor, I should not be able to access the admin area
How to declare a URL as being part of the admin area?
By creating a URL pattern which matches all admin URLs
How to know if a Request matches a pattern with Symfony?
By using the RequestMatcher
https://github.com/rouffj/HowtoSecurityBundle/pull/2/files

Slide 15

US2 / Concept
Rule: associates a URL pattern with one or many AuthenticationListeners. Also known as "firewalls" in Symfony2 language.
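An added example (not code from the talk's HowtoSecurityBundle) of the Firewall and Rule concepts of US1 and US2, assuming the Symfony 2 HttpKernel, HttpFoundation and EventDispatcher components; the class names are hypothetical:

```php
<?php
// Added example (not the HowtoSecurityBundle code) for US1 and US2: a Firewall that hooks kernel.request
// and applies Rules (a RequestMatcher paired with the listeners guarding that URL area). Hypothetical names.
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RequestMatcher;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;

class SimpleFirewall implements EventSubscriberInterface
{
    private $rules = array(); // list of array(RequestMatcher, callable[]): the Rules of US2
    public static function getSubscribedEvents()
    {
        // Priority 8: run before the router and the controllers, so nothing is served unchecked.
        return array(KernelEvents::REQUEST => array('onKernelRequest', 8));
    }

    /** Rule: associate a URL pattern with the AuthenticationListeners that guard it. */
    public function addRule(RequestMatcher $matcher, array $listeners) { $this->rules[] = array($matcher, $listeners); }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return; // sub-requests (forwards, ESI) were already checked through their master request
        }
        $request = $event->getRequest();
        foreach ($this->rules as $rule) {
            list($matcher, $listeners) = $rule;
            if (!$matcher->matches($request)) {
                continue; // the URL is outside this rule's area
            }
            foreach ($listeners as $listener) {
                call_user_func($listener, $event);
                if ($event->hasResponse()) {
                    return; // a listener answered (401, 403...): the kernel stops here and sends it
                }
            }
            return; // the first matching rule wins, as with Symfony2 firewalls
        }
    }
}

// US2 wiring (constructed): every URL under /admin is the admin area and visitors are refused.
$firewall = new SimpleFirewall();
$firewall->addRule(new RequestMatcher('^/admin'), array(function (GetResponseEvent $event) {
    $event->setResponse(new Response('Admin area: access denied', 403));
}));
// $dispatcher->addSubscriber($firewall);
```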

Slide 16

US3. I should be able to authenticate myself via the HTTP authentication mechanism
1. How to retrieve the data required for authentication?
2. How to use the retrieved data to try to authenticate the user?

Slide 17

US3a. I want to retrieve the data required for HTTP Basic authentication
Where can I retrieve data for authentication? In the HTTP Request
How to recognize an Authentication Request? The header PHP_AUTH_USER should be available
What data is required to run the authentication process? The login + password (PHP_AUTH_*)
https://github.com/rouffj/HowtoSecurityBundle/pull/3/files

Slide 18

US3a / Concept
Token: data set related to authentication.
Authentication Request: Request containing authentication data.
AuthenticationListener: retrieves the data from the Authentication Request to launch the authentication process.

Slide 19

US3b. I want to authenticate the Token
How to check the validity of the Token? By comparing the Token data with the data of a datastore
How to declare a Token as authenticated? Add roles to the Token + add it into the SecurityContext
https://github.com/rouffj/HowtoSecurityBundle/pull/5/files

Slide 20

US3b / Concept
AuthenticationProvider: attempts to transform the Token into an Authenticated Token via a datasource (LDAP, MySQL...).
SecurityContext: contains the Token of the connected user. The SecurityContext is accessible anywhere in the application.
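An added example (not the talk's code) of US3a and US3b put together: Token, AuthenticationProvider, SecurityContext and the HTTP Basic AuthenticationListener, assuming Symfony 2 and PHP 5.5+ for password_verify; the class names and the AuthenticationException are hypothetical:

```php
<?php
// Added example (not the HowtoSecurityBundle code) for US3a and US3b: Token, AuthenticationProvider, SecurityContext
// and the HTTP Basic AuthenticationListener. Hypothetical class names; assumes Symfony 2 and PHP >= 5.5 (password_verify).
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
class AuthenticationException extends RuntimeException {} // missing or bad credentials; the EntryPoint (US4) answers it

/** Token: the data set related to authentication (credentials first, roles once authenticated). */
class UsernamePasswordToken
{
    public $username, $password, $roles = array(), $authenticated = false;
    public function __construct($username, $password) { $this->username = $username; $this->password = $password; }
}

/** SecurityContext: holds the Token of the connected user and is readable from anywhere in the app. */
class SecurityContext
{
    private $token;
    public function setToken(UsernamePasswordToken $token) { $this->token = $token; }
    public function getToken() { return $this->token; }
}

/** AuthenticationProvider: compares the Token with a datastore (here an in-memory array of password hashes). */
class InMemoryAuthenticationProvider
{
    private $users; // constructed data: username => array('hash' => password_hash(...), 'roles' => array(...))
    public function __construct(array $users) { $this->users = $users; }
    public function authenticate(UsernamePasswordToken $token)
    {
        if (!isset($this->users[$token->username]) || !password_verify($token->password, $this->users[$token->username]['hash'])) {
            throw new AuthenticationException('Bad credentials'); // same message for an unknown user and a wrong password
        }
        $token->roles = $this->users[$token->username]['roles'];
        $token->authenticated = true; // the Token is now an Authenticated Token
        return $token;
    }
}
/** AuthenticationListener: recognizes an Authentication Request and launches the process (US3a). */
class BasicAuthenticationListener
{
    private $provider, $context;
    public function __construct(InMemoryAuthenticationProvider $p, SecurityContext $c) { $this->provider = $p; $this->context = $c; }
    public function handle(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        if (null === $username = $request->headers->get('PHP_AUTH_USER')) {
            throw new AuthenticationException('Authentication required'); // no PHP_AUTH_USER: not an Authentication Request
        }
        $token = new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'));
        $this->context->setToken($this->provider->authenticate($token)); // US3b: roles added, Token stored in the context
    }
}
```

The listener is meant to be registered as one of the Rule's listeners on the Firewall; the exception it throws is the "not authenticated" signal that US4 turns into a response.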

Slide 21

US3 / Quiz
                                                 AuthListener | Token | AuthProvider
Authentication via Form (Phone/Pass) requires:        ✔       |   ✔   |      ✔
Authentication via Header (Phone/Pass) requires:      ✔       |   ✘   |      ✘
Authentication via Google+ requires:                  ✔       |   ✔   |      ✔
Authentication via Facebook requires:                 ✘       |   ✘   |      ✔

Slide 22

US4. If I make a mistake while submitting credentials, I should be able to retry authentication until they are correct
What response should be returned when the submitted credentials are wrong? The 401 HTTP code with a "WWW-Authenticate" header
https://github.com/rouffj/HowtoSecurityBundle/pull/6/files

Slide 23

US4 / Concept
EntryPoint: allows restarting the authentication process. It answers the question "What to do if the current user is not authenticated or gives wrong credentials?".
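An added example (not the talk's code) of the EntryPoint for US4, wired through kernel.exception the way Symfony2's own security ExceptionListener does it; the class names and the AuthenticationException are hypothetical, and Symfony 2 HttpKernel/HttpFoundation are assumed:

```php
<?php
// Added example (not the HowtoSecurityBundle code) for US4: an EntryPoint that restarts HTTP Basic authentication,
// wired through kernel.exception the way Symfony2's own security ExceptionListener does. Hypothetical class names.
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/** Thrown by an AuthenticationListener or AuthenticationProvider when credentials are missing or wrong. */
class AuthenticationException extends RuntimeException {}

/** EntryPoint: "What to do if the current user is not authenticated or gives wrong credentials?" */
class BasicAuthenticationEntryPoint
{
    private $realm;
    public function __construct($realm) { $this->realm = $realm; }

    public function start(Request $request, AuthenticationException $previous = null)
    {
        // 401 + WWW-Authenticate: the browser drops the rejected credentials and prompts again, so the user
        // can retry until they are correct. The body says nothing about why the attempt failed.
        $realm = str_replace('"', '', $this->realm); // keep the header well-formed whatever the realm contains
        return new Response('', 401, array('WWW-Authenticate' => sprintf('Basic realm="%s"', $realm)));
    }
}

/** Turns an AuthenticationException raised during kernel.request into the EntryPoint's Response. */
class SecurityExceptionListener implements EventSubscriberInterface
{
    private $entryPoint;
    public function __construct(BasicAuthenticationEntryPoint $entryPoint) { $this->entryPoint = $entryPoint; }

    public static function getSubscribedEvents()
    {
        return array(KernelEvents::EXCEPTION => array('onKernelException', 1));
    }

    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $exception = $event->getException();
        if (!$exception instanceof AuthenticationException) {
            return; // any other error keeps Symfony's normal exception handling
        }
        $event->setResponse($this->entryPoint->start($event->getRequest(), $exception));
    }
}

// Wiring (constructed): $dispatcher->addSubscriber(new SecurityExceptionListener(new BasicAuthenticationEntryPoint('Admin area')));
```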

Slide 24

US5. I should be able to authenticate myself by sending my credentials via the URL to avoid interactive login
How to recognize an Authentication Request? The Request query should contain a "username" entry
What data is required to run the authentication process? The username + password in the Request query
Does this user story need: AuthListener ✔ | Token ✘ | AuthProvider ✘
https://github.com/rouffj/HowtoSecurityBundle/pull/7/files
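An added example (not the talk's code) showing why US5 needs only a new AuthenticationListener: the listener base class, the provider interface and the Token below are hypothetical stand-ins for the pieces US3 already put in place, and Symfony 2 HttpKernel/HttpFoundation are assumed:

```php
<?php
// Added example (not the HowtoSecurityBundle code) for US5: only a new AuthenticationListener is needed.
// The Token and the provider behind the hypothetical interface are the ones HTTP Basic (US3) already uses,
// which is why the story needs AuthListener ✔, Token ✘, AuthProvider ✘. Assumes Symfony 2 HttpKernel/HttpFoundation.
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;

class AuthenticationException extends RuntimeException {}

class UsernamePasswordToken
{
    public $username, $password, $roles = array(), $authenticated = false;
    public function __construct($username, $password) { $this->username = $username; $this->password = $password; }
}

/** Whatever datastore is behind it (in-memory, MySQL, LDAP...), the listener only needs this method. */
interface AuthenticationProviderInterface
{
    public function authenticate(UsernamePasswordToken $token); // returns the Authenticated Token or throws
}

/** Shared flow of every AuthenticationListener; subclasses only say how to spot and read their request. */
abstract class AbstractAuthenticationListener
{
    protected $provider;
    public function __construct(AuthenticationProviderInterface $provider) { $this->provider = $provider; }

    abstract protected function supports(Request $request);    // "How to recognize an Authentication Request?"
    abstract protected function createToken(Request $request); // "What data is required?"
    /** Returns the Authenticated Token; the Firewall stores it in the SecurityContext. */
    public function handle(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        if (!$this->supports($request)) {
            throw new AuthenticationException('Authentication required'); // the EntryPoint (US4) replies
        }
        return $this->provider->authenticate($this->createToken($request));
    }
}

/** US5: credentials travel in the URL, so non-interactive clients (scripts, monitoring) can log in. */
class QueryAuthenticationListener extends AbstractAuthenticationListener
{
    protected function supports(Request $request) { return $request->query->has('username'); }
    protected function createToken(Request $request)
    {
        // Caveat: URLs are recorded in access logs, proxy logs and browser history, so credentials sent this way are exposed there.
        return new UsernamePasswordToken($request->query->get('username'), $request->query->get('password', ''));
    }
}
```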

Slide 25

Thanks for your attention
?
joind.in/10373