Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mastering the Security component's authentication mechanism

Mastering the Security component's authentication mechanism

The Security component is hard to tackle for most Symfony developers because it introduces lots of concepts to handle all possible use cases. Some of these use cases or concepts are not essential. The idea behind this presentation will be to focus only on authentication core concepts: Firewall, AuthenticationListener, EntryPoint, AuthenticationProvider.


Joseph Rouff

December 09, 2013


  1. Symfony2 Security Mastering the authentication part of the Security component

    By re-implementing the component together in ~40 minutes
  2. About me R&D developer @ Sensiolabs! Since ~2 years —

    Worked mainly on SensiolabsInsight Product 25 years old Web / Lead developer for web agencies & startups! netvibes.com — thefork.com… Joseph Rouff @rouffj github.com/rouffj josephrouff.com
  3. Useful info No need to note anything: •Video: youtube.com/sensiolabs •Slides:

    speakerdeck.com/rouffj The source code is available on Github: •github.com/rouffj/HowtoSecurityBundle
  4. Summary Facts of use Talk’s goals & progression Examples (6

    user stories)
  5. Facts of use Misunderstood component! Lots of concepts to assimilate

    (>15 concepts) — Complex workflow Lost beyond simple use cases! Apply recipes without understanding — Security part considered as a black box
  6. Summary Facts of use Talk’s goals & progression Examples (6

    user stories)
  7. Goals What each core concepts are used for! Firewall —

    AuthenticationListener — Token — AuthenticationProvider… Knowing… When / How to add new implementations How to master our work on Security! Instead of using it blindly
  8. Goals / How to reach goals? Code from scratch the

    component in < 40min! The core concepts (Firewall, AuthenticationListener, Token…) Based on a simple but real application! with user stories describing the business needs + = Show that each concept originally has a business need
  9. Goals / How to reach goals? /howto-security/case1 /howto-security/case1/admin

  10. Summary Facts of use Talk’s goals & progression Examples (6

    user stories)
  11. US1. The security of my app should be handled by

    the SimpleSecurity component Create an EventSubscriber subscribed to 'kernel.request' How to listen to each Request received by a Symfony2 app? https://github.com/rouffj/HowtoSecurityBundle/pull/1/files
  12. US1 / Concept Firewall Intercept and analyze each incoming request.

  13. US1 / Quizz My app is using Zend? ✔ Should

    I create a new "Firewall" if: My app is using CakePHP? ✔ My app is using Silex? ✘
  14. US2. As a visitor, I should not be able to

    access the admin area By creating a URL Pattern which matches all admin's URLs How to declare a URL as being part of the admin area? https://github.com/rouffj/HowtoSecurityBundle/pull/2/files By using the RequestMatcher How to know if a Request matches a pattern with Symfony?
  15. US2 / Concept Rule Associate a URL pattern with one

    or many AuthenticationListener. Also known as firewalls in Symfony2 language.
  16. US3. I should be able to authenticate myself via the

    HTTP authentication mecanism 1. How to retrieve required data for authentication? 2. How to use retrieved data to try to authenticate the user?
  17. US3a. I want to retrieve required data for HTTP Basic

    authentication In the HTTP Request Where can I retrieve data for authentication? https://github.com/rouffj/HowtoSecurityBundle/pull/3/files The header PHP_AUTH_USER should be available How to recognize an Authentication Request? The login + password (PHP_AUTH_*) What data is required to run the authentication process?
  18. US3a / Concept Token Data set related to authentication. Authentication

    Request Request containing Authentication data. AuthenticationListener Retrieve the data from the Authentication Request to launch the authentication process.
  19. US3b. I want to authenticate the Token By comparing Token

    data with the data of a Datastore How to check the validity of the Token? https://github.com/rouffj/HowtoSecurityBundle/pull/5/files Add roles to the Token + add it into the securityContext How to declare a Token as authenticated?
  20. US3b / Concept AuthenticationProvider Attempt to transform the Token into

    an Authenticated Token via a datasource (LDAP, MySQL...). SecurityContext Contain the Token of the connected user. The SecurityContext is accessible anywhere in the application.
  21. US3 / Quizz Authentication via Form (Phone/Pass) requires: AuthListener |

    Token | AuthProvider ✔ ✔ ✔ Authentication via Header (Phone/Pass) requires: AuthListener | Token | AuthProvider ✔ ✘ ✘ Authentication via Google+ requires: AuthListener | Token | AuthProvider ✔ ✔ ✔ Authentication via Facebook requires: AuthListener | Token | AuthProvider ✘ ✘ ✔ + + +
  22. US4. If I make a mistake while submitting credentials, I

    should be able to retry authentication until they are correct https://github.com/rouffj/HowtoSecurityBundle/pull/6/files The 401 HTTP code with a "WWW-Authenticate" header What response should be returned when submitted credentials are wrong?
  23. US4 / Concept EntryPoint Allow to restart the authentication process.

    It answers the question "What to do if the current user is not authenticated or gives wrong credentials?”.
  24. US5. I should be able to authenticate myself by sending

    my credentials via the URL to avoid interactive login https://github.com/rouffj/HowtoSecurityBundle/pull/7/files The Request query should contains a “username” entry How to recognize an Authentication Request? The username+password in Request query What data is required to run the authentication process? AuthListener | Token | AuthProvider Does this user story need: ✔ ✘ ✘
  25. Thanks for your attention ? joind.in/10373