Mastering the Security component's authentication mechanism

Joseph Rouff
December 09, 2013

The Security component is hard to tackle for most Symfony developers because it introduces lots of concepts to handle all possible use cases. Some of these use cases or concepts are not essential. The idea behind this presentation is to focus only on the core authentication concepts: Firewall, AuthenticationListener, EntryPoint, AuthenticationProvider.

Transcript

  1. Symfony2 Security
    Mastering the authentication part of the
    Security component
    By re-implementing the component
    together in ~40 minutes

  2. About me
    R&D developer @ Sensiolabs!
    For ~2 years — Worked mainly on the SensiolabsInsight product
    25 years old
    Web / Lead developer for web agencies & startups!
    netvibes.com — thefork.com…
    Joseph Rouff
    @rouffj
    github.com/rouffj josephrouff.com

  3. Useful info
    No need to note anything:
    •Video: youtube.com/sensiolabs
    •Slides: speakerdeck.com/rouffj
    The source code is available on Github:
    •github.com/rouffj/HowtoSecurityBundle

  4. Summary
    Facts of use
    Talk’s goals & progression
    Examples (6 user stories)

  5. Facts of use
    Misunderstood component!
    Lots of concepts to assimilate (>15 concepts) — Complex workflow
    Lost beyond simple use cases!
    Apply recipes without understanding — Security part considered as a black box

  6. Summary
    Facts of use
    Talk’s goals & progression
    Examples (6 user stories)

  7. Goals
    What each core concept is used for!
    Firewall — AuthenticationListener — Token — AuthenticationProvider…
    Knowing…
    When / How to add new implementations
    How to master our work on Security!
    Instead of using it blindly

  8. Goals / How to reach goals?
    Code from scratch the component in < 40min!
    The core concepts (Firewall, AuthenticationListener, Token…)
    Based on a simple but real application!
    with user stories describing the business needs
    +
    =
    Show that each concept originally has a business need

  9. Goals / How to reach goals?
    /howto-security/case1 /howto-security/case1/admin

  10. Summary
    Facts of use
    Talk’s goals & progression
    Examples (6 user stories)

  11. US1. The security of my app should be handled
    by the SimpleSecurity component
    How to listen to each Request received by a Symfony2 app?
    Create an EventSubscriber subscribed to 'kernel.request'
    https://github.com/rouffj/HowtoSecurityBundle/pull/1/files

  12. US1 / Concept
    Firewall
    Intercept and analyze each incoming request.

  13. US1 / Quiz
    Should I create a new "Firewall" if:
    My app is using Zend? ✔
    My app is using CakePHP? ✔
    My app is using Silex? ✘

  14. US2. As a visitor, I should not be able to access
    the admin area
    How to declare a URL as being part of the admin area?
    By creating a URL Pattern which matches all the admin area's URLs
    How to know if a Request matches a pattern with Symfony?
    By using the RequestMatcher
    https://github.com/rouffj/HowtoSecurityBundle/pull/2/files

  15. US2 / Concept
    Rule
    Associates a URL pattern with one or many
    AuthenticationListeners.
    Also known as firewalls in Symfony2 terminology.

  16. US3. I should be able to authenticate myself via the HTTP
    authentication mechanism
    1. How to retrieve the data required for authentication?
    2. How to use the retrieved data to try to authenticate the user?

  17. US3a. I want to retrieve required data for HTTP
    Basic authentication
    Where can I retrieve data for authentication?
    In the HTTP Request
    How to recognize an Authentication Request?
    The header PHP_AUTH_USER should be available
    What data is required to run the authentication process?
    The login + password (PHP_AUTH_*)
    https://github.com/rouffj/HowtoSecurityBundle/pull/3/files

  18. US3a / Concept
    Token
    Data set related to authentication.
    Authentication Request
    Request containing Authentication data.
    AuthenticationListener
    Retrieve the data from the Authentication Request to launch
    the authentication process.

  19. US3b. I want to authenticate the Token
    How to check the validity of the Token?
    By comparing Token data with the data of a Datastore
    How to declare a Token as authenticated?
    Add roles to the Token + add it into the SecurityContext
    https://github.com/rouffj/HowtoSecurityBundle/pull/5/files

  20. US3b / Concept
    AuthenticationProvider
    Attempts to transform the Token into an Authenticated Token
    via a datasource (LDAP, MySQL...).
    SecurityContext
    Contains the Token of the connected user. The
    SecurityContext is accessible anywhere in the application.

  21. US3 / Quiz
    Authentication via Form (Phone/Pass) requires:
    AuthListener | Token | AuthProvider ✔ ✔ ✔
    Authentication via Header (Phone/Pass) requires:
    AuthListener | Token | AuthProvider ✔ ✘ ✘
    Authentication via Google+ requires:
    AuthListener | Token | AuthProvider ✔ ✔ ✔
    Authentication via Facebook requires:
    AuthListener | Token | AuthProvider ✘ ✘ ✔

  22. US4. If I make a mistake while submitting credentials, I
    should be able to retry authentication until they are correct
    What response should be returned when submitted
    credentials are wrong?
    The 401 HTTP code with a "WWW-Authenticate" header
    https://github.com/rouffj/HowtoSecurityBundle/pull/6/files

  23. US4 / Concept
    EntryPoint
    Allows restarting the authentication process. It answers the
    question "What to do if the current user is not authenticated
    or gives wrong credentials?".
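
The HTTP Basic flow of US2 through US4 (Rule, AuthenticationListener, Token, AuthenticationProvider, SecurityContext, EntryPoint) as one added example; it is not code from the talk or from the HowtoSecurityBundle repository, and it assumes PHP 8 with symfony/http-foundation 6.2 or newer installed through Composer (every class and method name other than Symfony's own is invented here). The provider returns null rather than a Token on failure, so the listener only ever stores a Token that the datastore has actually verified, and the entry point's 401 lets the client retry.

```php
<?php
// Added example (not the HowtoSecurityBundle code): the talk's authentication concepts for
// HTTP Basic, on PHP 8 with symfony/http-foundation 6.2+ installed through Composer.
require __DIR__ . '/vendor/autoload.php';
use Symfony\Component\HttpFoundation\{Request, Response, RequestMatcher\PathRequestMatcher};
// Token: the data set related to authentication (US3a).
final class Token {
    public function __construct(public string $user, public ?string $password, public array $roles = []) {}
}
// SecurityContext: holds the connected user's Token, readable anywhere in the app (US3b).
final class SecurityContext { public ?Token $token = null; }
// AuthenticationProvider: turns a Token into an authenticated Token via a datastore (US3b).
final class InMemoryAuthenticationProvider {
    public function __construct(private array $users) {}  // user => ['hash' => ..., 'roles' => [...]]
    public function authenticate(Token $token): ?Token {
        $entry = $this->users[$token->user] ?? null;  // the store holds password hashes, never clear text
        if ($entry === null || !password_verify((string) $token->password, $entry['hash'])) {
            return null;  // unknown user or wrong password: the Token stays unauthenticated
        }
        return new Token($token->user, null, $entry['roles']);  // password dropped, roles added
    }
}
// EntryPoint: restarts the authentication process with 401 + WWW-Authenticate (US4).
final class BasicEntryPoint {
    public function start(): Response {
        return new Response('', 401, ['WWW-Authenticate' => 'Basic realm="admin"']);
    }
}
// AuthenticationListener: recognizes an Authentication Request (PHP_AUTH_USER present),
// runs the provider and stores the result in the SecurityContext (US3a, US3b).
final class BasicAuthListener {
    public function __construct(private InMemoryAuthenticationProvider $provider, private SecurityContext $context, private BasicEntryPoint $entryPoint) {}
    public function handle(Request $request): ?Response {
        $user = $request->getUser();  // PHP_AUTH_USER header, null when absent
        $authenticated = $user === null ? null : $this->provider->authenticate(new Token($user, $request->getPassword()));
        if ($authenticated === null) {
            return $this->entryPoint->start();  // missing or wrong credentials: the client may retry
        }
        $this->context->token = $authenticated;
        return null;  // null means "continue to the controller"
    }
}
// Rule (US2): the Firewall hands only admin URLs to this listener. The user store below is constructed.
$rule = new PathRequestMatcher('^/howto-security/case1/admin');
$users = ['admin' => ['hash' => password_hash('s3cret', PASSWORD_DEFAULT), 'roles' => ['ROLE_ADMIN']]];
$listener = new BasicAuthListener(new InMemoryAuthenticationProvider($users), $context = new SecurityContext(), new BasicEntryPoint());
$request = Request::create('/howto-security/case1/admin', 'GET', [], [], [], ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 's3cret']);
$response = $rule->matches($request) ? $listener->handle($request) : null;
var_dump($response === null && $context->token->roles === ['ROLE_ADMIN']);
```

Replacing the PHP_AUTH_PW server value with a wrong password makes handle() return the 401 Response and leaves $context->token null, which is the retry behaviour of US4.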

  24. US5. I should be able to authenticate myself by sending my
    credentials via the URL to avoid interactive login
    How to recognize an Authentication Request?
    The Request query should contain a "username" entry
    What data is required to run the authentication process?
    The username + password in the Request query
    Does this user story need:
    AuthListener | Token | AuthProvider
    ✔ ✘ ✘
    https://github.com/rouffj/HowtoSecurityBundle/pull/7/files

  25. Thanks for your attention
    ?
    joind.in/10373
