Slide 1

Security and AOP in Symfony2
Johannes Schmitt
Photo credit: Hajime Nagahata (http://www.flickr.com/photos/yakinik/6880492715/)

Slide 2

Johannes Schmitt | Security and AOP | 2012-11-23

Agenda
- Introduction
- Authentication
- Authorization

Slide 3

- About 10 years of experience with PHP
- Writing my final thesis at Karlsruhe Institute of Technology (KIT)
- One of the main authors behind several Symfony2 components
- Particularly contributed to the Symfony2 Security, DependencyInjection, and Config components

Slide 4

Agenda
- Introduction
- Authentication
- Authorization

Slide 5

The Security component focuses on two main objectives

1. Authentication
   - Goal: is the user who he claims to be?
   - Mechanisms:
     - HTTP basic/digest
     - X.509 client certificate
     - form-based login
     - remember-me cookie
     - ...
     - your own authentication system
2. Authorization (expanded on slide 24)

Slide 6

The authentication system consists of many classes, each with a distinct purpose (diagram built up over the following slides)

Classes shown so far: FirewallListener, FirewallMap

Slide 7

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners

Slide 8

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, Token

Slide 9

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthenticationProvider, Token

Slide 10

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthenticationProvider, Token, UserProvider

Slide 11

Symfony2 does not implement a user object for you, but instead provides you with an interface, giving you full control over your domain objects

AccountInterface
- getRoles(): returns an array of roles (e.g. ROLE_USER, ROLE_FOO, etc.)
- getPassword(): returns the encoded password
- getSalt(): returns the salt
- eraseCredentials(): erases credentials from the user object

Slide 12

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthenticationProvider, Token, UserProvider, Encoder

Slide 13

The Security component automatically takes care of hashing submitted credentials before comparing them to the password coming from the database

- MessageDigestPasswordEncoder
  - can use any algorithm supported by the hash() function
  - can encode the digest as base64 instead of hex
  - can apply the algorithm multiple times
- PlaintextPasswordEncoder
  - mainly used for testing and development
  - does not hash your password
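The following is an added example, not code from the slides or from the Symfony project: a standalone re-implementation of the hashing scheme slide 13 attributes to MessageDigestPasswordEncoder (any hash() algorithm, base64 or hex output, repeated application of the algorithm), written so it runs without Symfony. The "password{salt}" merging rule and the shape of the re-hash loop follow the component's implementation as the author of this example recalls it, so compare against your vendored copy before depending on the exact bytes; the demo values are constructed and the salt generation assumes the openssl extension.

```php
<?php
// Added example (not from the slides): standalone model of the digest encoder.

/**
 * Encode a raw password the way the component's digest encoder does:
 * any hash() algorithm, base64 or hex output, and N iterations.
 */
function encode_password($raw, $salt, $algorithm = 'sha512', $asBase64 = true, $iterations = 5000)
{
    if (!in_array($algorithm, hash_algos(), true)) {
        throw new InvalidArgumentException(sprintf('hash() does not support "%s".', $algorithm));
    }
    if (false !== strpos($salt, '{') || false !== strpos($salt, '}')) {
        // the braces delimit the salt, so the salt itself may not contain them
        throw new InvalidArgumentException('Salt must not contain "{" or "}".');
    }
    $salted = ('' === $salt) ? $raw : $raw.'{'.$salt.'}';

    // Round 1 hashes the salted password; every further round re-hashes the
    // previous raw digest concatenated with the salted password. The iteration
    // count is the knob that makes offline guessing proportionally slower.
    $digest = hash($algorithm, $salted, true);
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algorithm, $digest.$salted, true);
    }

    return $asBase64 ? base64_encode($digest) : bin2hex($digest);
}

/** Compare two encoded strings without leaking the position of the first difference through timing. */
function constant_time_equals($known, $submitted)
{
    if (strlen($known) !== strlen($submitted)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($submitted[$i]);
    }

    return 0 === $diff;
}

/** Re-encode the submitted password with the stored salt and compare with the stored digest. */
function is_password_valid($encoded, $raw, $salt, $algorithm = 'sha512', $asBase64 = true, $iterations = 5000)
{
    return constant_time_equals($encoded, encode_password($raw, $salt, $algorithm, $asBase64, $iterations));
}

// --- demo with constructed values ---
$salt   = bin2hex(openssl_random_pseudo_bytes(16));          // per-user salt, stored next to the digest
$stored = encode_password('correct horse battery staple', $salt); // this is what the database holds

printf("stored (sha512, base64, 5000 rounds): %s\n", $stored);
printf("same digest as hex:                   %s\n", encode_password('correct horse battery staple', $salt, 'sha512', false));
printf("right password:  %s\n", is_password_valid($stored, 'correct horse battery staple', $salt) ? 'valid' : 'invalid');
printf("wrong password:  %s\n", is_password_valid($stored, 'wrong password', $salt) ? 'valid' : 'invalid');
// algorithm, encoding and iteration count are part of the stored format's contract:
// verifying with a different iteration count cannot match
printf("1 round instead: %s\n", is_password_valid($stored, 'correct horse battery staple', $salt, 'sha512', true, 1) ? 'valid' : 'invalid');
```

The last line is the practical point behind "can apply the algorithm multiple times": algorithm, output encoding and iteration count all have to be configured identically where the digest is produced and where it is verified, which is why the component keeps them in the encoder configuration rather than in the stored string.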

Slide 14

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthenticationProvider, Token, UserProvider, Encoder, UserChecker

Slide 15

The authentication providers not only check the credentials, but also check several flags on the user account itself

AdvancedAccountInterface
- isEnabled(): whether the account is enabled or disabled
- isAccountNonLocked(): whether the account has been locked, for example because of too many failed login attempts
- isAccountNonExpired(): whether the account has expired
- isCredentialsNonExpired(): whether the account's credentials have expired

If any of the above methods returns false, the user will not be allowed to log in.
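As an added example (not code from the slides), here is a domain user class implementing the methods slides 11 and 15 list, run through the component's UserChecker the way an authentication provider does. The slides name the interfaces AccountInterface and AdvancedAccountInterface; Symfony 2.x ships them as UserInterface and AdvancedUserInterface, and UserInterface additionally requires getUsername(). The example assumes a Symfony 2.x install via Composer; the lock-out threshold, the password age policy and the sample accounts are constructed for the example.

```php
<?php
// Added example (not from the slides): a domain User plus the UserChecker.
require __DIR__.'/vendor/autoload.php'; // assumes Symfony 2.x installed via Composer

use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Symfony\Component\Security\Core\User\UserChecker;
use Symfony\Component\Security\Core\Exception\AccountStatusException;

class User implements AdvancedUserInterface
{
    const MAX_FAILED_LOGINS = 5;      // assumed policy: lock after 5 consecutive failures
    const PASSWORD_MAX_AGE_DAYS = 90; // assumed policy: force a password change after 90 days

    private $username;
    private $password;       // the encoded hash, never the raw password
    private $salt;
    private $roles;
    private $plainPassword;  // only populated transiently, e.g. during registration
    private $enabled;
    private $failedLogins;
    private $expiresAt;
    private $passwordChangedAt;

    public function __construct($username, $encodedPassword, $salt, array $roles, $enabled = true,
                                $failedLogins = 0, DateTime $expiresAt = null, DateTime $passwordChangedAt = null)
    {
        $this->username = $username;
        $this->password = $encodedPassword;
        $this->salt = $salt;
        $this->roles = $roles;
        $this->enabled = $enabled;
        $this->failedLogins = $failedLogins;
        $this->expiresAt = $expiresAt;
        $this->passwordChangedAt = $passwordChangedAt ?: new DateTime();
    }

    // --- slide 11: what the authentication provider and the encoder need ---
    public function getRoles()    { return $this->roles; }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return $this->salt; }
    public function getUsername() { return $this->username; }
    // drop secrets before the token (and the user in it) is serialized into the session
    public function eraseCredentials() { $this->plainPassword = null; }

    // --- slide 15: account flags evaluated by the UserChecker ---
    public function isEnabled()          { return $this->enabled; }
    public function isAccountNonLocked() { return $this->failedLogins < self::MAX_FAILED_LOGINS; }
    public function isAccountNonExpired()
    {
        return null === $this->expiresAt || $this->expiresAt > new DateTime();
    }
    public function isCredentialsNonExpired()
    {
        $limit = clone $this->passwordChangedAt;
        $limit->modify('+'.self::PASSWORD_MAX_AGE_DAYS.' days');

        return $limit > new DateTime();
    }
}

// Constructed accounts, one per flag ('<encoded-hash>' and '<salt>' are placeholders)
$accounts = array(
    'alice' => new User('alice', '<encoded-hash>', '<salt>', array('ROLE_USER')),
    'bob'   => new User('bob',   '<encoded-hash>', '<salt>', array('ROLE_USER'), true, 5),                                   // locked
    'carol' => new User('carol', '<encoded-hash>', '<salt>', array('ROLE_USER'), false),                                     // disabled
    'dave'  => new User('dave',  '<encoded-hash>', '<salt>', array('ROLE_USER'), true, 0, new DateTime('-1 day')),           // expired
    'erin'  => new User('erin',  '<encoded-hash>', '<salt>', array('ROLE_USER'), true, 0, null, new DateTime('-100 days')),  // stale password
);

// The provider calls checkPreAuth() before and checkPostAuth() after verifying the
// credentials; each flag maps to its own AccountStatusException subclass, which the
// failure handler can turn into a specific message or a generic one.
$checker = new UserChecker();
foreach ($accounts as $name => $user) {
    try {
        $checker->checkPreAuth($user);
        $checker->checkPostAuth($user);
        printf("%-6s may log in\n", $name);
    } catch (AccountStatusException $e) {
        printf("%-6s rejected: %s (%s)\n", $name, $e->getMessage(), get_class($e));
    }
}
```

Keeping the flags as real methods on the domain object is what lets the lock-out policy live with the account data: the checker never needs to know how "locked" is defined, only that the method answers it.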

Slide 16

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthFailureHandler, AuthenticationProvider, Token, UserProvider, Encoder, UserChecker

Slide 17

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthFailureHandler, AuthenticationProvider, Token, SessionAuthStrategy, UserProvider, Encoder, UserChecker

Slide 18

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthSuccessHandler, AuthFailureHandler, AuthenticationProvider, Token, SessionAuthStrategy, UserProvider, Encoder, UserChecker

Slide 19

The authentication system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: FirewallListener, FirewallMap, Listeners, AuthSuccessHandler, AuthFailureHandler, AuthenticationProvider, Token, SessionAuthStrategy, RememberMe, UserProvider, Encoder, UserChecker

Slide 20

The authentication system consists of many classes, each with a distinct purpose (complete diagram)

Classes: FirewallListener, FirewallMap, Listeners, AuthSuccessHandler, AuthFailureHandler, AuthenticationProvider, Token, SessionAuthStrategy, RememberMe, LogoutHandler, LogoutSuccessHandler, UserProvider, Encoder, UserChecker

Slide 21

The Security component knows three authentication trust levels

- Anonymous trust level
  - lowest trust level
  - used for guests who have not actually logged in
- Remember-me trust level
  - middle trust level
  - all users who have authenticated using a remember-me cookie
- Full-fledged trust level
  - highest trust level
  - all users who have submitted their password, or equivalent credentials, to verify their identity

The trust level is used to implement multi-tier security.

Slide 22

Agenda
- Introduction
- Authentication
- Authorization

Slide 23

Agenda
- Introduction
- Authentication
- Authorization
  - General concepts
  - Web-request authorization
  - Method invocation authorization
  - Object-based authorization (ACL)

Slide 24

The Security component focuses on two main objectives

1. Authentication
   - Goal: is the user who he claims to be?
   - Mechanisms:
     - HTTP basic/digest
     - X.509 client certificate
     - form-based login
     - remember-me cookie
     - ...
     - your own authentication system
2. Authorization
   - Goal: is the user allowed to do XYZ?
   - Mechanisms:
     - request authorization
     - controller action/method authorization
     - class-/object-based authorization (ACL)

Slide 25

The authorization system consists of many classes, each with a distinct purpose (diagram built up over the following slides)

Classes shown so far: AccessListener, SecurityContext, MethodSecurityInterceptor

Slide 26

The authorization system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: AccessListener, SecurityContext, MethodSecurityInterceptor, AccessDecisionManager

Slide 27

The behavior of the AccessDecisionManager varies greatly depending on the voting strategy

As soon as multiple voters can vote on the requested attributes, or you request a vote on multiple attributes, the voting strategy matters.

Affirmative
- least restrictive strategy
- best performance when granting access
- Symfony2's default voting strategy

Unanimous
- most restrictive strategy
- best performance when denying access

Consensus
- compromise between the affirmative and unanimous strategies
- equal performance for granting and denying
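To make the three strategies on slide 27 concrete, here is an added example (not code from the slides or the component) that models them stand-alone over a list of votes. It uses the vote values Symfony's VoterInterface defines (ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1); the tie and all-abstain handling mirror the AccessDecisionManager options allow_if_all_abstain and allow_if_equal_granted_denied as the example author knows them, and the vote sets are constructed.

```php
<?php
// Added example (not from the slides): the three voting strategies in isolation.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

/**
 * Decide on a list of votes (one per voter) under the given strategy.
 * Returns true to grant, false to deny.
 */
function decide($strategy, array $votes, $allowIfAllAbstain = false, $allowIfEqualGrantedDenied = true)
{
    $granted = count(array_keys($votes, ACCESS_GRANTED, true));
    $denied  = count(array_keys($votes, ACCESS_DENIED, true));

    switch ($strategy) {
        case 'affirmative':
            // one grant suffices (the real manager stops at the first GRANTED,
            // hence "best performance when granting"); a deny only counts if
            // nobody granted; all-abstain falls back to the option
            if ($granted > 0) return true;
            if ($denied > 0)  return false;
            return $allowIfAllAbstain;

        case 'unanimous':
            // one deny suffices (the real manager stops at the first DENIED,
            // hence "best performance when denying"); otherwise any grant grants
            if ($denied > 0)  return false;
            if ($granted > 0) return true;
            return $allowIfAllAbstain;

        case 'consensus':
            // majority wins; every voter has to be asked, so no short-circuit
            if ($granted > $denied) return true;
            if ($denied > $granted) return false;
            if ($granted > 0)       return $allowIfEqualGrantedDenied; // tie
            return $allowIfAllAbstain;
    }
    throw new InvalidArgumentException("Unknown strategy: $strategy");
}

// Constructed vote sets that separate the strategies
$scenarios = array(
    'grant, deny, abstain'       => array(ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ABSTAIN),
    'grant, grant, deny'         => array(ACCESS_GRANTED, ACCESS_GRANTED, ACCESS_DENIED),
    'deny, deny, grant'          => array(ACCESS_DENIED, ACCESS_DENIED, ACCESS_GRANTED),
    'everyone abstains'          => array(ACCESS_ABSTAIN, ACCESS_ABSTAIN),
);

printf("%-26s %-12s %-10s %s\n", 'votes', 'affirmative', 'unanimous', 'consensus');
foreach ($scenarios as $label => $votes) {
    printf("%-26s %-12s %-10s %s\n", $label,
        decide('affirmative', $votes) ? 'grant' : 'deny',
        decide('unanimous', $votes)   ? 'grant' : 'deny',
        decide('consensus', $votes)   ? 'grant' : 'deny');
}
```

The "everyone abstains" row is the one to watch in a real configuration: with the default allow_if_all_abstain = false a request that no voter understands is denied, so a typo in an attribute name fails closed rather than open.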

Slide 28

The authorization system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: AccessListener, SecurityContext, MethodSecurityInterceptor, AccessDecisionManager, Voter

Slide 29

The authorization system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: AccessListener, SecurityContext, MethodSecurityInterceptor, AccessDecisionManager, Voter, AclVoter, RoleVoter, AuthenticatedVoter

Slide 30

The authorization system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: AccessListener, SecurityContext, MethodSecurityInterceptor, AccessDecisionManager, Voter, AclVoter, RoleVoter, AuthenticatedVoter, AclProvider, PermissionMap

Slide 31

The authorization system consists of many classes, each with a distinct purpose (diagram continued)

Classes shown so far: AccessListener, SecurityContext, MethodSecurityInterceptor, AccessDecisionManager, Voter, AclVoter, RoleVoter, AuthenticatedVoter, RoleHierarchy, AclProvider, PermissionMap

Slide 32

The authorization system consists of many classes, each with a distinct purpose (complete diagram)

Classes: AccessListener, SecurityContext, MethodSecurityInterceptor, AccessDecisionManager, Voter, AclVoter, RoleVoter, AuthenticatedVoter, RoleHierarchy, AclProvider, AuthenticationTrustResolver, PermissionMap

Slide 33

Custom voters allow you to add more meaning to existing attributes
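The code for this slide is not in the transcript, so here is an added example (not the speaker's code) of a custom voter in the spirit of slide 33: it gives the existing EDIT attribute an extra meaning for a hypothetical Post class, letting only the post's author edit it, and abstains on everything else so the other voters keep deciding. It is then run through the component's AccessDecisionManager together with the RoleVoter. It assumes Symfony 2.x installed via Composer and the 2.x VoterInterface (supportsAttribute/supportsClass/vote); Post, the usernames and the tokens are constructed for the example.

```php
<?php
// Added example (not from the slides): a custom voter for the EDIT attribute.
require __DIR__.'/vendor/autoload.php'; // assumes Symfony 2.x installed via Composer

use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\User as InMemoryUser;
use Symfony\Component\Security\Core\User\UserInterface;

/** Hypothetical domain object; the author is stored as a username. */
class Post
{
    private $author;
    public function __construct($author) { $this->author = $author; }
    public function getAuthor() { return $this->author; }
}

class PostAuthorVoter implements VoterInterface
{
    public function supportsAttribute($attribute)
    {
        return 'EDIT' === $attribute;
    }

    public function supportsClass($class)
    {
        return 'Post' === $class || is_subclass_of($class, 'Post');
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // Not our object: abstain, never deny, or we would block unrelated checks
        if (!$object instanceof Post) {
            return self::ACCESS_ABSTAIN;
        }

        $vote = self::ACCESS_ABSTAIN;
        foreach ($attributes as $attribute) {
            if (!$this->supportsAttribute($attribute)) {
                continue;
            }
            // Anonymous tokens carry the string 'anon.' instead of a user object
            $user = $token->getUser();
            if (!$user instanceof UserInterface) {
                return self::ACCESS_DENIED;
            }
            if ($user->getUsername() === $object->getAuthor()) {
                return self::ACCESS_GRANTED;
            }
            $vote = self::ACCESS_DENIED; // EDIT was asked, and this user is not the author
        }

        return $vote;
    }
}

// --- demo: our voter next to the RoleVoter under the default affirmative strategy ---
$post    = new Post('alice');
$manager = new AccessDecisionManager(array(new RoleVoter(), new PostAuthorVoter()), 'affirmative');

$tokens = array(
    'alice'   => new UsernamePasswordToken(new InMemoryUser('alice', 'pw', array('ROLE_USER')), 'pw', 'main', array('ROLE_USER')),
    'mallory' => new UsernamePasswordToken(new InMemoryUser('mallory', 'pw', array('ROLE_USER')), 'pw', 'main', array('ROLE_USER')),
    'guest'   => new AnonymousToken('firewall-secret', 'anon.', array()),
);
foreach ($tokens as $who => $token) {
    printf("%-8s EDIT on alice's post: %s\n", $who, $manager->decide($token, array('EDIT'), $post) ? 'granted' : 'denied');
}
// ROLE_* attributes are still answered by the RoleVoter; our voter abstains on them
printf("%-8s ROLE_USER: %s\n", 'mallory', $manager->decide($tokens['mallory'], array('ROLE_USER')) ? 'granted' : 'denied');
```

In an application the voter is registered as a service tagged security.voter, after which $securityContext->isGranted('EDIT', $post) in a controller or template goes through it. The abstain-by-default shape matters under the affirmative strategy: a voter that returns ACCESS_DENIED for objects it does not understand would only be harmless there because a single grant wins, but it would veto everything under the unanimous strategy.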

Slide 34

Expressions are a viable alternative to the traditional attributes

(Diagram: the ExpressionVoter joins AclVoter, RoleVoter, AuthenticatedVoter, RoleHierarchy, AclProvider, AuthenticationTrustResolver and PermissionMap)

ExpressionVoter
- faster, more efficient
- more flexible
- extensible

Slide 35

There are many built-in expressions

Functions
- hasRole(A)
- hasAnyRole(A, B)
- isAnonymous()
- isAuthenticated()
- isFullyAuthenticated()
- hasPermission(object, VIEW)

Variables
- token: current token in the SecurityContext
- user: logged-in user object
- object: object that access is requested for
- #paramName: a method parameter
- permitAll
- denyAll

Expressions also support the binary operators && and || to form more complex expressions.
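As an added example (not code from the slides), here is a controller whose actions are secured with the functions, variables and operators listed on slide 35, using the @PreAuthorize annotation from JMSSecurityExtraBundle, with one action kept on the traditional @Secure attribute form for comparison. It assumes JMSSecurityExtraBundle with expressions enabled, the ACL system for hasPermission, and a parameter converter that turns the route's id into the Post entity; the Acme namespace, the Post class and the action bodies are invented.

```php
<?php
// Added example (not from the slides): expression-secured controller actions.
namespace Acme\BlogBundle\Controller;

use Acme\BlogBundle\Entity\Post; // hypothetical entity
use JMS\SecurityExtraBundle\Annotation\PreAuthorize;
use JMS\SecurityExtraBundle\Annotation\Secure;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

class PostController extends Controller
{
    /**
     * Reading is open to everyone, anonymous guests included.
     *
     * @PreAuthorize("permitAll")
     */
    public function showAction(Post $post)
    {
        return new Response('post #'.$post->getId());
    }

    /**
     * Editing needs the ACL EDIT permission on this particular post (#post binds
     * the method parameter) and a full-fledged session: a remember-me cookie
     * (middle trust level, slide 21) is not enough, the password must have been
     * entered in this session.
     *
     * @PreAuthorize("hasPermission(#post, 'EDIT') && isFullyAuthenticated()")
     */
    public function editAction(Post $post)
    {
        return new Response('editing post #'.$post->getId());
    }

    /**
     * Deleting is for admins, or for moderators who additionally hold DELETE on
     * the post; parentheses group the operators.
     *
     * @PreAuthorize("hasRole('ROLE_ADMIN') || (hasRole('ROLE_MODERATOR') && hasPermission(#post, 'DELETE'))")
     */
    public function deleteAction(Post $post)
    {
        return new Response('deleted post #'.$post->getId());
    }

    /**
     * Statistics are visible to anyone holding one of two roles.
     *
     * @PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_ANALYST')")
     */
    public function statsAction()
    {
        return new Response('stats');
    }

    /**
     * The traditional attribute form: same effect as hasRole('ROLE_ADMIN'),
     * but it cannot reference the method parameters or the trust level.
     *
     * @Secure(roles="ROLE_ADMIN")
     */
    public function purgeAction()
    {
        return new Response('purged');
    }
}
```

The difference between editAction and purgeAction is the point of slide 34: the expression can combine an object-level permission, a role and the authentication trust level in one line, whereas the attribute form only names roles.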

Slide 36

New expressions can be added very easily

Slide 37

Expressions can be used to implement a lightweight ACL-like system for simple use cases

Slide 38

Complex expressions can be reverse interpreted to find the denying expression

Slide 39

Agenda
- Introduction
- Authentication
- Authorization
  - General concepts
  - Web-request authorization
  - Method invocation authorization
  - Object-based authorization (ACL)

Slide 40

Web-request authorization using access control

Best used for securing whole areas, but not for securing specific actions.

Slide 41

Agenda
- Introduction
- Authentication
- Authorization
  - General concepts
  - Web-request authorization
  - Method invocation authorization
  - Object-based authorization (ACL)

Slide 42

Securing controller actions and methods

Slide 43

Method access control is implemented via AOP around advices

Reusable AOP implementation provided by JMSAopBundle
- Pointcut: finds methods which have associated advices
- Interceptors:
  - called for method invocations
  - can return early and prevent execution of the original method/additional interceptors
  - can throw or catch exceptions
  - can modify the return value
- AOP is useful for implementing concerns which are not related to core application functionality, like security checks, logging, caching, etc.
- Core application logic is not aware of AOP code

Slide 44

An example of converting procedural code to AOP code

@RunAs adds an advice to the fetchFeeds method, which then does not need to be duplicated in each place where it is necessary.

Slide 45

The same functionality, but in procedural code
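The code compared on slides 44 and 45 is not in the transcript, so the following is an added example (not the speaker's code and not part of JMSAopBundle) of an around advice in the shape slide 43 describes: a pointcut selects the methods, and an interceptor wraps each call, able to veto it before it runs, observe exceptions, and see or replace the return value. It uses JMSAopBundle's PointcutInterface and the MethodInterceptorInterface/MethodInvocation classes from the cg-library it builds on, with their signatures as the example author knows them; the @Audited marker, the Acme namespace and the freeze policy are invented.

```php
<?php
// Added example (not from the slides): a pointcut plus an around-advice interceptor.
namespace Acme\AuditBundle\Aop;

use CG\Proxy\MethodInterceptorInterface;
use CG\Proxy\MethodInvocation;
use JMS\AopBundle\Aop\PointcutInterface;

/** Pointcut: public methods of application services carrying an @Audited doc tag. */
class AuditedMethodPointcut implements PointcutInterface
{
    public function matchesClass(\ReflectionClass $class)
    {
        // cheap class filter first; only matching classes have their methods inspected
        return 0 === strpos($class->getName(), 'Acme\\');
    }

    public function matchesMethod(\ReflectionMethod $method)
    {
        return $method->isPublic()
            && false !== strpos((string) $method->getDocComment(), '@Audited');
    }
}

/**
 * Interceptor: records every call to an audited method and refuses calls while
 * the system is frozen. The audited service itself contains none of this.
 */
class AuditInterceptor implements MethodInterceptorInterface
{
    private $entries = array();
    private $frozen;

    public function __construct($frozen = false)
    {
        $this->frozen = $frozen; // assumed policy: true while e.g. a data migration runs
    }

    public function intercept(MethodInvocation $invocation)
    {
        $name = $invocation->reflection->getDeclaringClass()->getName()
              .'::'.$invocation->reflection->getName();

        // Leaving before proceed() prevents the original method and any later
        // interceptor from running; throwing is one way, returning a value is another.
        if ($this->frozen) {
            $this->entries[] = array('method' => $name, 'outcome' => 'blocked');
            throw new \RuntimeException(sprintf('%s is unavailable while the system is frozen.', $name));
        }

        try {
            // next interceptor in the chain, eventually the original method
            $result = $invocation->proceed();
        } catch (\Exception $e) {
            // interceptors may catch exceptions; here they are recorded and rethrown
            $this->entries[] = array('method' => $name, 'outcome' => 'exception: '.get_class($e));
            throw $e;
        }

        // the return value can be inspected or replaced before the caller sees it
        $this->entries[] = array(
            'method'  => $name,
            'outcome' => 'ok',
            'args'    => count($invocation->arguments),
        );

        return $result;
    }

    public function getEntries()
    {
        return $this->entries;
    }
}
```

Both classes are registered as services; the pointcut service gets the tag jms_aop.pointcut with its interceptor attribute set to the interceptor's service id, and the bundle generates the proxy classes that route matching calls through intercept(). A security check fits the same slot as the freeze check above: inspect the token, and either proceed() or refuse.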

Slide 46

Agenda
- Introduction
- Authentication
- Authorization
  - General concepts
  - Web-request authorization
  - Method invocation authorization
  - Object-based authorization (ACL)

Slide 47

The ACL system is fully decoupled from your domain objects and integrates with them seamlessly

(Diagram)
- A domain object (blog post, comment, user, etc.) has exactly one Object Identity
- An Object Identity has exactly one Access Control List (ACL)
- An ACL may inherit from another ACL and has many Access Control Entries (ACEs)
- Each ACE refers to a Security Identity, which stands for either a role or a user; a Security Identity has many ACEs

Slide 48

Class-based and object-based Access Control Entries

(Diagram: Document "foo" and Document "bar" carry object-based ACEs; any other Document "???" is covered by the class-based ACEs)

Object-based ACEs are checked before class-based ACEs.

Slide 49

Field-based Access Control Entries

(Diagram: an Order with the fields product, quantity, shipping address and payment details)
- product, quantity, shipping address: anyone with access to the order may access these
- payment details: requires special admin access

Slide 50

Access Control Entries

An Access Control Entry consists of
- mask
- granting strategy
- granting

Mask
- permissions are stored as bitmasks
- up to 31 permissions per class
- multiple permissions can be stored efficiently in the same ACE
- pre-defined permissions: View, Create, Edit, Delete, Undelete, Owner

Slide 51

Access Control Entries

An Access Control Entry consists of
- mask
- granting strategy
- granting

Granting strategy: defines how the bitmasks are compared
- Any: ($expected & $actual) !== 0
- All: ($expected & $actual) === $actual
- Same: $expected === $actual

Slide 52

Access Control Entries

An Access Control Entry consists of
- mask
- granting strategy
- granting

Granting: whether the entry allows or denies access
- useful in scenarios like
  - "generally allow access to all documents, but deny access to a few specific documents"
  - "generally deny access, but allow access to a few specific documents"
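Slides 50 to 52 describe the three fields of an ACE and slide 48 the order in which object- and class-based entries are consulted; the following added example (not code from the slides or the component) models all of that stand-alone so the bit arithmetic and the evaluation order can be run and varied. The bit values are Symfony's MaskBuilder constants as the example author knows them, and the "first applicable ACE per identity decides, identities tried in order" rule follows the component's PermissionGrantingStrategy as the author recalls it; the ACLs, users and roles are constructed.

```php
<?php
// Added example (not from the slides): ACE masks, granting strategies and granting flag.

// Pre-defined permission bits (one bit each, so several fit into one integer mask)
const MASK_VIEW     = 1;   // 00000001
const MASK_CREATE   = 2;   // 00000010
const MASK_EDIT     = 4;   // 00000100
const MASK_DELETE   = 8;   // 00001000
const MASK_UNDELETE = 16;  // 00010000
const MASK_OWNER    = 128; // 10000000

/**
 * Compare the mask an ACE carries with the mask a check requires.
 * The parentheses matter: in PHP "===" binds tighter than "&", so
 * "$ace & $required === $required" would AND $ace with a boolean.
 */
function mask_matches($strategy, $aceMask, $requiredMask)
{
    switch ($strategy) {
        case 'any':   return 0 !== ($aceMask & $requiredMask);             // at least one required bit present
        case 'all':   return $requiredMask === ($aceMask & $requiredMask); // every required bit present
        case 'equal': return $aceMask === $requiredMask;                   // exactly the same set of bits
    }
    throw new InvalidArgumentException("Unknown strategy: $strategy");
}

/**
 * Evaluate one list of ACEs. The caller's identities are tried in order (its
 * own user identity before its roles); for each identity the first ACE whose
 * mask matches applies, and the first identity that has an applicable ACE
 * decides via the ACE's granting flag. null means no ACE in this list applies.
 */
function evaluate_aces(array $aces, array $callerSids, $requiredMask)
{
    foreach ($callerSids as $sid) {
        foreach ($aces as $ace) {
            if ($ace['sid'] === $sid && mask_matches($ace['strategy'], $ace['mask'], $requiredMask)) {
                return $ace['granting'];
            }
        }
    }

    return null;
}

/** Object-based ACEs are consulted before class-based ones (slide 48); a definite answer is final. */
function is_granted(array $objectAces, array $classAces, array $callerSids, $requiredMask)
{
    $result = evaluate_aces($objectAces, $callerSids, $requiredMask);
    if (null !== $result) {
        return $result;
    }

    return evaluate_aces($classAces, $callerSids, $requiredMask);
}

function describe($result)
{
    // the real AclVoter votes to deny when no ACE applies at all
    return null === $result ? 'no ACE applies (deny)' : ($result ? 'granted' : 'denied');
}

function ace($sid, $mask, $strategy = 'all', $granting = true)
{
    return array('sid' => $sid, 'mask' => $mask, 'strategy' => $strategy, 'granting' => $granting);
}

// Constructed ACL for a Document class: "generally allow ROLE_USER to view and edit"
$classAces = array(
    ace('ROLE_USER',  MASK_VIEW | MASK_EDIT),
    ace('ROLE_ADMIN', MASK_DELETE | MASK_UNDELETE | MASK_OWNER, 'any'),
);
// ... "but deny editing of one specific document, except for alice, who owns it"
$secretDocAces = array(
    ace('user:alice', MASK_EDIT | MASK_OWNER, 'any'),
    ace('ROLE_USER',  MASK_EDIT, 'any', false),
);
$publicDocAces = array();

$alice = array('user:alice', 'ROLE_USER');
$bob   = array('user:bob',   'ROLE_USER');
$root  = array('user:root',  'ROLE_USER', 'ROLE_ADMIN');

printf("alice EDIT secret: %s\n", describe(is_granted($secretDocAces, $classAces, $alice, MASK_EDIT)));
printf("bob   EDIT secret: %s\n", describe(is_granted($secretDocAces, $classAces, $bob,   MASK_EDIT)));
printf("bob   VIEW secret: %s\n", describe(is_granted($secretDocAces, $classAces, $bob,   MASK_VIEW)));
printf("bob   EDIT public: %s\n", describe(is_granted($publicDocAces, $classAces, $bob,   MASK_EDIT)));
printf("bob   DELETE:      %s\n", describe(is_granted($publicDocAces, $classAces, $bob,   MASK_DELETE)));
printf("root  DELETE:      %s\n", describe(is_granted($publicDocAces, $classAces, $root,  MASK_DELETE)));

// The same pair of masks under the three strategies: ACE holds VIEW only, check requires VIEW|EDIT
foreach (array('any', 'all', 'equal') as $strategy) {
    printf("VIEW-only ACE vs VIEW|EDIT under %-5s: %s\n", $strategy,
        mask_matches($strategy, MASK_VIEW, MASK_VIEW | MASK_EDIT) ? 'matches' : 'no match');
}
```

The "bob VIEW secret" line shows why the strategy on a denying ACE deserves attention: the deny entry only carries the EDIT bit, so a VIEW check does not match it, falls through to the class-level grant and succeeds, which is the intended reading of "deny access to a few specific documents" only if the deny mask really lists every permission you mean to withhold.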

Slide 53

Access Control Entries can be inherited

(Diagram: Forum > Thread > Posts, with these ACEs attached along the chain: Moderator ACE for EDIT, Thread-Starter ACE for EDIT, Post-Creator ACE for EDIT, Thread-Starter ACE for EDIT)

- Moderator can not only edit forums, but also all threads and posts
- Thread-Starter can edit thread details, but not all posts in the thread
- Post-Creator can edit his post
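The following added example (not code from the slides) builds the Forum > Thread > Post chain of slide 53 with the Symfony ACL API, so that the moderator's EDIT on the forum is inherited downwards while the post's own entries are checked first (slide 48). It assumes a Symfony 2.x application with the ACL tables initialised and a MutableAclProviderInterface instance (the security.acl.provider service); Forum, Thread and Post are hypothetical domain classes exposing getId(). The denying ACE that keeps the thread starter out of other authors' posts is the example author's way of realising the slide's rule, not something the slide shows.

```php
<?php
// Added example (not from the slides): ACL inheritance with the Symfony ACL API.

use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\User\UserInterface;

class ForumAclBuilder
{
    private $aclProvider;

    public function __construct(MutableAclProviderInterface $aclProvider)
    {
        $this->aclProvider = $aclProvider;
    }

    /** Forum ACL: moderators may EDIT; everything below inherits this entry. */
    public function createForumAcl($forum)
    {
        $acl = $this->aclProvider->createAcl(ObjectIdentity::fromDomainObject($forum));
        $acl->insertObjectAce(new RoleSecurityIdentity('ROLE_MODERATOR'), MaskBuilder::MASK_EDIT);
        $this->aclProvider->updateAcl($acl);

        return $acl;
    }

    /** Thread ACL: inherits from the forum and adds EDIT for the thread starter. */
    public function createThreadAcl($thread, $forum, UserInterface $starter)
    {
        $acl = $this->aclProvider->createAcl(ObjectIdentity::fromDomainObject($thread));
        $acl->setParentAcl($this->aclProvider->findAcl(ObjectIdentity::fromDomainObject($forum)));
        $acl->setEntriesInheriting(true);
        $acl->insertObjectAce(UserSecurityIdentity::fromAccount($starter), MaskBuilder::MASK_EDIT);
        $this->aclProvider->updateAcl($acl);

        return $acl;
    }

    /**
     * Post ACL: inherits from the thread (so moderators still get through),
     * grants EDIT to the post's author, and explicitly denies EDIT to the
     * thread starter so the grant on the thread does not leak down to posts.
     */
    public function createPostAcl($post, $thread, UserInterface $author, UserInterface $starter)
    {
        $acl = $this->aclProvider->createAcl(ObjectIdentity::fromDomainObject($post));
        $acl->setParentAcl($this->aclProvider->findAcl(ObjectIdentity::fromDomainObject($thread)));
        $acl->setEntriesInheriting(true);

        $acl->insertObjectAce(UserSecurityIdentity::fromAccount($author), MaskBuilder::MASK_EDIT);
        if ($starter->getUsername() !== $author->getUsername()) {
            // index 0, granting = false: a denying entry among the post's own ACEs,
            // which are consulted before anything inherited from the thread
            $acl->insertObjectAce(UserSecurityIdentity::fromAccount($starter), MaskBuilder::MASK_EDIT, 0, false);
        }
        $this->aclProvider->updateAcl($acl);

        return $acl;
    }
}

// Usage from a service or controller that has the ACL provider and the users at hand:
//   $builder = new ForumAclBuilder($container->get('security.acl.provider'));
//   $builder->createForumAcl($forum);
//   $builder->createThreadAcl($thread, $forum, $starter);
//   $builder->createPostAcl($post, $thread, $author, $starter);
// Afterwards $securityContext->isGranted('EDIT', $post) is answered by the AclVoter:
// granted for $author and for any ROLE_MODERATOR user (inherited via thread and
// forum), denied for $starter (denying ACE on the post), denied for everyone else
// because no ACE applies.
```

The denying entry is the "generally allow, but deny for a few" pattern of slide 52 applied across an inheritance chain: without it, entries inheriting from the thread would hand the thread starter EDIT on every post, which is exactly what the slide rules out.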

Slide 54

Johannes Schmitt
[email protected]
https://github.org/schmittjoh

Thanks!