Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mastering the Security component's authentication mechanism

Joseph Rouff
December 09, 2013
Technology
4
1.1k

Mastering the Security component's authentication mechanism

The Security component is hard to tackle for most Symfony developers because it introduces lots of concepts to handle all possible use cases. Some of these use cases or concepts are not essential. The idea behind this presentation will be to focus only on authentication core concepts: Firewall, AuthenticationListener, EntryPoint, AuthenticationProvider.

Joseph Rouff

December 09, 2013
Tweet

More Decks by Joseph Rouff

See All by Joseph Rouff
Discovery of Doctrine's UnitOfWork
rouffj
1
130
Bien comprendre le coeur du Composant de Sécurité
rouffj
4
350

Other Decks in Technology

See All in Technology
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
4
1.2k
sue445とOSSと社内ツール #subcul_dev
sue445
PRO
0
450
ひとりでもチームでも! QAエンジニアのGIHOZ 活用方法をご紹介します
honamin09
0
100
新卒入社から1500人規模のCTOに: エンジニアが圧倒的に成長する3つのコツ / 技育祭2023春
carta_engineering
1
720
TryToUseCloudFlareTunnel_20230317.pdf
kenichirokimura
0
130
6G/テラヘルツの取り組み
sbtechnight
PRO
0
410
[k8sjp #56] Kustomize v5 を含む最新機能とテクニックの紹介
koba1t
0
330
Django with PostgreSQL superpowers
pauloxnet
0
110
最先端の質問応答技術の研究開発と迅速な実用化ーStudio Ousiaでの取り組みー
ikuyamada
2
380
DHCPオプションセットって何だろう??
amarelo_n24
1
130
権威DNSサービスへのDDoSと
ハイパフォーマンスなベンチマーカ / DNS Pseudo random subdomain attack and High performance Benchmarker
kazeburo
3
760
失敗例から学ぶAWSセキュリティサービスの導入
yhana
0
3k

Featured

See All Featured
Debugging Ruby Performance
tmm1
67
11k
The Cult of Friendly URLs
andyhume
70
5.2k
Producing Creativity
orderedlist
PRO
335
38k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
22
1.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
A better future with KSS
kneath
230
16k
Reflections from 52 weeks, 52 projects
jeffersonlam
339
18k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
Ruby is Unlike a Banana
tanoku
93
9.6k
How STYLIGHT went responsive
nonsquared
89
4.2k
GraphQLとの向き合い方2022年版
quramy
22
10k

Transcript

  1. Symfony2 Security
    Mastering the authentication part of the
    Security component
    By re-implementing the component
    together in ~40 minutes

    View Slide

  2. About me
    R&D developer @ Sensiolabs!
    Since ~2 years — Worked mainly on SensiolabsInsight Product
    25 years old
    Web / Lead developer for web agencies & startups!
    netvibes.com — thefork.com…
    Joseph Rouff
    @rouffj
    github.com/rouffj josephrouff.com

    View Slide

  3. Useful info
    No need to note anything:
    •Video: youtube.com/sensiolabs
    •Slides: speakerdeck.com/rouffj
    The source code is available on Github:
    •github.com/rouffj/HowtoSecurityBundle

    View Slide

  4. Summary
    Facts of use
    Talk’s goals & progression
    Examples (6 user stories)

    View Slide

  5. Facts of use
    Misunderstood component!
    Lots of concepts to assimilate (>15 concepts) — Complex workflow
    Lost beyond simple use cases!
    Apply recipes without understanding — Security part considered as a black box

    View Slide

  6. Summary
    Facts of use
    Talk’s goals & progression
    Examples (6 user stories)

    View Slide

  7. Goals
    What each core concepts are used for!
    Firewall — AuthenticationListener — Token — AuthenticationProvider…
    Knowing…
    When / How to add new implementations
    How to master our work on Security!
    Instead of using it blindly

    View Slide

  8. Goals / How to reach goals?
    Code from scratch the component in < 40min!
    The core concepts (Firewall, AuthenticationListener, Token…)
    Based on a simple but real application!
    with user stories describing the business needs
    +
    =
    Show that each concept originally has a business need

    View Slide

  9. Goals / How to reach goals?
    /howto-security/case1 /howto-security/case1/admin

    View Slide

  10. Summary
    Facts of use
    Talk’s goals & progression
    Examples (6 user stories)

    View Slide

  11. US1. The security of my app should be handled
    by the SimpleSecurity component
    Create an EventSubscriber subscribed to 'kernel.request'
    How to listen to each Request received by a Symfony2 app?
    https://github.com/rouffj/HowtoSecurityBundle/pull/1/files

    View Slide

  12. US1 / Concept
    Firewall
    Intercept and analyze each incoming request.

    View Slide

  13. US1 / Quizz
    My app is using Zend? ✔
    Should I create a new "Firewall" if:
    My app is using CakePHP? ✔
    My app is using Silex? ✘

    View Slide

  14. US2. As a visitor, I should not be able to access
    the admin area
    By creating a URL Pattern which matches all admin's URLs
    How to declare a URL as being part of the admin area?
    https://github.com/rouffj/HowtoSecurityBundle/pull/2/files
    By using the RequestMatcher
    How to know if a Request matches a pattern with Symfony?

    View Slide

  15. US2 / Concept
    Rule
    Associate a URL pattern with one or many
    AuthenticationListener.
    Also known as firewalls in Symfony2 language.

    View Slide

  16. US3. I should be able to authenticate myself via the HTTP
    authentication mecanism
    1. How to retrieve required data for authentication?
    2. How to use retrieved data to try to authenticate the user?

    View Slide

  17. US3a. I want to retrieve required data for HTTP
    Basic authentication
    In the HTTP Request
    Where can I retrieve data for authentication?
    https://github.com/rouffj/HowtoSecurityBundle/pull/3/files
    The header PHP_AUTH_USER should be available
    How to recognize an Authentication Request?
    The login + password (PHP_AUTH_*)
    What data is required to run the authentication process?

    View Slide

  18. US3a / Concept
    Token
    Data set related to authentication.
    Authentication Request
    Request containing Authentication data.
    AuthenticationListener
    Retrieve the data from the Authentication Request to launch
    the authentication process.

    View Slide

  19. US3b. I want to authenticate the Token
    By comparing Token data with the data of a Datastore
    How to check the validity of the Token?
    https://github.com/rouffj/HowtoSecurityBundle/pull/5/files
    Add roles to the Token + add it into the securityContext
    How to declare a Token as authenticated?

    View Slide

  20. US3b / Concept
    AuthenticationProvider
    Attempt to transform the Token into an Authenticated Token
    via a datasource (LDAP, MySQL...).
    SecurityContext
    Contain the Token of the connected user. The
    SecurityContext is accessible anywhere in the application.

    View Slide

  21. US3 / Quizz
    Authentication via Form (Phone/Pass) requires:
    AuthListener | Token | AuthProvider ✔ ✔ ✔
    Authentication via Header (Phone/Pass) requires:
    AuthListener | Token | AuthProvider ✔ ✘ ✘
    Authentication via Google+ requires:
    AuthListener | Token | AuthProvider ✔ ✔ ✔
    Authentication via Facebook requires:
    AuthListener | Token | AuthProvider ✘ ✘ ✔
    +
    +
    +

    View Slide

  22. US4. If I make a mistake while submitting credentials, I
    should be able to retry authentication until they are correct
    https://github.com/rouffj/HowtoSecurityBundle/pull/6/files
    The 401 HTTP code with a "WWW-Authenticate" header
    What response should be returned when submitted
    credentials are wrong?

    View Slide

  23. US4 / Concept
    EntryPoint
    Allow to restart the authentication process. It answers the
    question "What to do if the current user is not authenticated
    or gives wrong credentials?”.

    View Slide

  24. US5. I should be able to authenticate myself by sending my
    credentials via the URL to avoid interactive login
    https://github.com/rouffj/HowtoSecurityBundle/pull/7/files
    The Request query should contains a “username” entry
    How to recognize an Authentication Request?
    The username+password in Request query
    What data is required to run the authentication process?
    AuthListener | Token | AuthProvider
    Does this user story need:
    ✔ ✘ ✘

    View Slide

  25. Thanks for your attention
    ?
    joind.in/10373

    View Slide