
Security and AOP in Symfony2

schmittjoh
November 23, 2012

Security is a crucial aspect of most, if not all, applications, and as such it is a concern that cuts across an application's functionality.

In the first part of this talk, we will take a deeper look at the Symfony2 Security Component. In the second part, we will then unleash the power of the Dependency Injection container to add AOP capabilities, and see how you can secure your application without changing a single line of application code.

Transcript

  1. Security and AOP in Symfony2
    Johannes Schmitt
    Hajime Nagahata (http://www.flickr.com/photos/yakinik/6880492715/)

  2. Agenda
    Johannes Schmitt | Security and AOP | 2012-11-23
    Introduction
    Authentication
    Authorization

  3.
    - About 10 years of experience with PHP
    - Writing my final thesis at Karlsruhe Institute of Technology (KIT)
    - One of the main authors behind several Symfony2 Components
    - Particularly contributed to the Symfony2 Security, DependencyInjection, and Config Components

  4. Agenda (repeated; transition to Authentication)

  5. The Security component focuses on two main objectives
    1. Authentication
    • Goal: Is the user who they claim to be?
    • Mechanisms:
    • HTTP basic/digest
    • X.509 client certificate
    • Form-based login
    • Remember-me cookie
    • …
    • Your own authentication system
    2. Authorization (detailed on slide 24)

  6–10. The authentication system consists of many classes with a distinct purpose
    (one class is added per slide; the complete diagram is on slide 20)
    FirewallListener: kernel listener that runs on every request and hands the request to the firewall
    FirewallMap: matches the request against the configured firewalls and returns the listeners of the matching one
    Listeners: one per mechanism (form login, HTTP basic, X.509, …); they extract the credentials from the request into a Token
    Token: carries the submitted credentials and, after authentication, the user object and its roles
    AuthenticationProvider: verifies a Token (e.g. compares the submitted password with the stored hash) and returns an authenticated Token
    UserProvider: loads the user object for a username from storage (database, LDAP, in-memory, …)

  11. Symfony2 does not implement a user object for you, but instead provides you with
    an interface giving you full control over your domain objects
    AccountInterface (named UserInterface in released Symfony 2.x, which additionally requires getUsername())
    - getRoles():
    Returns an array of roles (e.g. ROLE_USER, ROLE_FOO, etc.)
    - getPassword():
    Returns the encoded password, never the plaintext
    - getSalt():
    Returns the salt that was used when the password was encoded
    - eraseCredentials():
    Removes sensitive data (e.g. a plaintext password kept during registration) from the user; called after successful authentication, before the token is stored in the session

  12. The authentication system consists of many classes with a distinct purpose
    (diagram of slide 10 with Encoder added: turns a submitted password into the stored form so it can be compared)

  13. The Security component automatically takes care of hashing submitted credentials
    before comparing them to the password coming from the database
    - MessageDigestPasswordEncoder
    - can use any algorithm supported by PHP's hash() function
    - can encode the resulting hash as base64 instead of hex
    - can apply the algorithm multiple times (iterations; the salted password is mixed in again on every round)
    - PlaintextPasswordEncoder
    - mainly used for testing and development
    - does not hash your password
    Caveat: even with many iterations, a general-purpose digest is much cheaper to brute-force than a purpose-built password hash; later Symfony versions (2.2 and up) ship a BCryptPasswordEncoder, which is the better choice where available.

  14. The authentication system consists of many classes with a distinct purpose
    (diagram of slide 12 with UserChecker added: checks the account flags described on the next slide)

  15. The authentication providers not only check the credentials, but also check several
    flags on the user account itself
    AdvancedAccountInterface (AdvancedUserInterface in released Symfony 2.x; the checks are carried out by the UserChecker)
    - isEnabled():
    Whether the account is enabled or disabled.
    - isAccountNonLocked():
    Whether the account has been locked, for example because of too many failed login attempts.
    - isAccountNonExpired():
    Whether the account is expired.
    - isCredentialsNonExpired():
    Whether the account's credentials are expired.
    If any of the above methods returns false, the user is not allowed to log in: the UserChecker throws the matching AccountStatusException (DisabledException, LockedException, AccountExpiredException, CredentialsExpiredException), which the failure handler can map to a specific message.
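The pieces from slides 11, 13 and 15 put together, as an added example that is not part of the deck: a minimal domain user implementing AdvancedUserInterface (the released name of the AccountInterface/AdvancedAccountInterface above) and the encoder steps the Security component performs at registration and login. It requires symfony/security 2.x; the Member class, its fields and the "lock after five failures" policy are invented for illustration.

```php
<?php
// Added example, not the deck's code: a domain user implementing
// AdvancedUserInterface plus the MessageDigestPasswordEncoder workflow.
// Member, its fields and the lock-out policy are assumptions.

use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;

class Member implements AdvancedUserInterface
{
    private $username;
    private $password;     // the encoded password, never the plaintext
    private $salt;
    private $roles;
    private $enabled;
    private $failedLogins;

    public function __construct($username, $encodedPassword, $salt, array $roles, $enabled = true, $failedLogins = 0)
    {
        $this->username     = $username;
        $this->password     = $encodedPassword;
        $this->salt         = $salt;
        $this->roles        = $roles;
        $this->enabled      = $enabled;
        $this->failedLogins = $failedLogins;
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return $this->salt; }
    public function getRoles()    { return $this->roles; }

    // Called after successful authentication; nothing sensitive is kept here.
    public function eraseCredentials() {}

    // Account flags, checked by the UserChecker around credential verification.
    public function isEnabled()               { return $this->enabled; }
    public function isAccountNonLocked()      { return $this->failedLogins < 5; } // assumed lock-out policy
    public function isAccountNonExpired()     { return true; }
    public function isCredentialsNonExpired() { return true; }
}

// sha512, base64 output, 5000 iterations: the encoder's 2.x defaults, spelled out.
$encoder = new MessageDigestPasswordEncoder('sha512', true, 5000);

// Registration: a fresh random salt per user; only the encoded form is stored.
$salt    = base64_encode(openssl_random_pseudo_bytes(16));
$encoded = $encoder->encodePassword('correct horse battery staple', $salt);
$user    = new Member('alice', $encoded, $salt, array('ROLE_USER'));

// Login: this is the comparison the DaoAuthenticationProvider makes between the
// submitted password and the salt/hash it loaded through the UserProvider.
foreach (array('correct horse battery staple', 'Correct horse battery staple') as $submitted) {
    $valid = $encoder->isPasswordValid($user->getPassword(), $submitted, $user->getSalt());
    printf("%-32s %s\n", $submitted, $valid ? 'accepted' : 'rejected');
}
```

In the real flow the provider throws a BadCredentialsException when isPasswordValid() returns false, and the UserChecker has already rejected a locked or disabled account before the password is even compared, so an attacker learns nothing about the password from a locked account.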

  16–20. The authentication system consists of many classes with a distinct purpose
    (complete diagram; the remaining classes are added one per slide)
    FirewallListener
    FirewallMap
    Listeners
    AuthSuccessHandler: called after a successful login, e.g. to redirect to the originally requested page
    AuthFailureHandler: called after a failed login, e.g. to redirect back to the form with an error
    AuthenticationProvider
    Token
    SessionAuthStrategy: decides what happens to the session on login (default: migrate to a new session id, which defeats session fixation)
    RememberMe: issues and later verifies the remember-me cookie
    LogoutHandler: cleans up on logout (deletes the remember-me cookie, clears the session)
    LogoutSuccessHandler: decides where to send the user after logout
    UserProvider
    Encoder
    UserChecker

  21. The Security component knows three authentication trust levels
    - Anonymous trust level (attribute IS_AUTHENTICATED_ANONYMOUSLY):
    - lowest trust level
    - used for guests who have not actually logged in
    - Remember-me trust level (IS_AUTHENTICATED_REMEMBERED):
    - middle trust level
    - all users who have authenticated using a remember-me cookie
    - Full-fledged trust level (IS_AUTHENTICATED_FULLY):
    - highest trust level
    - all users who have submitted their password, or equivalent credentials, to verify their identity in this session
    The trust level is used to implement multi-tier security: each level also satisfies the levels below it, so a page protected with IS_AUTHENTICATED_REMEMBERED accepts full-fledged users as well, while IS_AUTHENTICATED_FULLY sends a remember-me user back to the login form before a sensitive action.
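How the three levels map onto tokens, as an added example that is not part of the deck: one token per trust level is run through the component's AuthenticationTrustResolver and AuthenticatedVoter (symfony/security 2.x). The firewall name "main" and the key "secret" are placeholders.

```php
<?php
// Added example, not the deck's code: which IS_AUTHENTICATED_* attribute each
// trust level satisfies, using the component's own voter. "main"/"secret" are
// placeholder firewall name and key.

use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

$user = new User('alice', 'not-used-here', array('ROLE_USER'));

// One token per trust level, as the corresponding firewall listeners create them.
$tokens = array(
    'anonymous'    => new AnonymousToken('secret', 'anon.', array()),
    'remember-me'  => new RememberMeToken($user, 'main', 'secret'),
    'full-fledged' => new UsernamePasswordToken($user, null, 'main', $user->getRoles()),
);

// The resolver classifies tokens by class; the voter turns that into votes.
$resolver = new AuthenticationTrustResolver(
    'Symfony\Component\Security\Core\Authentication\Token\AnonymousToken',
    'Symfony\Component\Security\Core\Authentication\Token\RememberMeToken'
);
$voter = new AuthenticatedVoter($resolver);

// The attributes you would put into access_control or pass to isGranted().
$attributes = array('IS_AUTHENTICATED_ANONYMOUSLY', 'IS_AUTHENTICATED_REMEMBERED', 'IS_AUTHENTICATED_FULLY');

foreach ($tokens as $level => $token) {
    foreach ($attributes as $attribute) {
        $vote = $voter->vote($token, null, array($attribute));
        printf("%-12s %-30s %s\n", $level, $attribute,
            VoterInterface::ACCESS_GRANTED === $vote ? 'granted' : 'denied');
    }
}
```

Reading the table the loop prints gives the multi-tier layout in practice: protect the whole member area with IS_AUTHENTICATED_REMEMBERED and only password changes, checkout and similar actions with IS_AUTHENTICATED_FULLY, so that a stolen remember-me cookie alone cannot reach them.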

  22. Agenda (repeated; transition to Authorization)

  23. Agenda
    Introduction
    Authentication
    Authorization
    General Concepts
    Web-Request Authorization
    Method Invocation Authorization
    Object-based Authorization (ACL)

  24. The Security component focuses on two main objectives
    1. Authentication (see slide 5)
    2. Authorization
    • Goal: Is the user allowed to do XYZ?
    • Mechanisms:
    • Request Authorization
    • Controller Actions/Methods Authorization
    • Class-/Object-based Authorization (ACL)

  25–26. The authorization system consists of many classes with a distinct purpose
    AccessListener: enforces the access_control rules on each request (web-request authorization)
    SecurityContext: holds the current token and exposes isGranted() for explicit checks in application code
    MethodSecurityInterceptor: enforces access on method invocations (method-invocation authorization)
    AccessDecisionManager: all three delegate the actual decision to it

  27. The behavior of the AccessDecisionManager varies greatly depending on the voting strategy
    As soon as multiple voters can vote on the requested attributes, or you request a vote on multiple attributes, the voting strategy matters.
    Affirmative
    • grants as soon as one voter grants, no matter how many others deny
    • least restrictive strategy
    • best performance when granting access
    • Symfony2's default voting strategy
    Unanimous
    • denies as soon as one voter denies (checked attribute by attribute); grants only if nobody denied and at least one voter granted
    • most restrictive strategy
    • best performance when denying access
    Consensus
    • counts grants against denials; the majority wins
    • compromise between the affirmative and unanimous strategies
    • equal performance for granting and denying
    Abstaining voters are ignored in all strategies. If every voter abstains, access is denied unless allow_if_all_abstain is enabled; a tie under consensus is resolved by allow_if_equal_granted_denied (granted by default).

  28–32. The authorization system consists of many classes with a distinct purpose
    (complete diagram; the classes are added one per slide)
    AccessListener SecurityContext MethodSecurityInterceptor
    AccessDecisionManager
    Voter: each voter grants, denies or abstains for the requested attributes
    RoleVoter: votes on ROLE_* attributes against the roles in the token
    RoleHierarchy: expands the token's roles (e.g. ROLE_ADMIN implies ROLE_USER) before the role voter compares them
    AuthenticatedVoter: votes on the IS_AUTHENTICATED_* attributes
    AuthenticationTrustResolver: tells the AuthenticatedVoter which trust level a token has
    AclVoter: votes on permissions such as VIEW or EDIT for a specific domain object
    PermissionMap: translates a permission (e.g. EDIT) into the bitmasks that satisfy it
    AclProvider: loads the ACL for the object identity from the database

  33. Custom voters allow you to add more meaning to existing attributes
    (a voter implements VoterInterface and is registered as a service with the security.voter tag; it then takes part in every decision alongside the built-in voters)
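The voting strategies of slide 27 and the custom voters of slide 33 in one added example that is not part of the deck: two voters that disagree about the same attribute are run through the AccessDecisionManager under each strategy (symfony/security 2.x). The attribute PUBLISH, the Article class and both voters are invented.

```php
<?php
// Added example, not the deck's code: two disagreeing custom voters and the
// three voting strategies. Article, PUBLISH and the voters are assumptions.

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\User;

class Article
{
    public $authorName;
    public $embargoed;

    public function __construct($authorName, $embargoed)
    {
        $this->authorName = $authorName;
        $this->embargoed  = $embargoed;
    }
}

// Grants PUBLISH to the article's author, denies it to everybody else.
class AuthorVoter implements VoterInterface
{
    public function supportsAttribute($attribute) { return 'PUBLISH' === $attribute; }
    public function supportsClass($class)         { return 'Article' === $class || is_subclass_of($class, 'Article'); }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        if (!$object instanceof Article || !in_array('PUBLISH', $attributes, true)) {
            return self::ACCESS_ABSTAIN;   // not our attribute or object: stay out of it
        }

        return $object->authorName === $token->getUsername() ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
    }
}

// Denies PUBLISH while an embargo is in place, otherwise has no opinion.
class EmbargoVoter implements VoterInterface
{
    public function supportsAttribute($attribute) { return 'PUBLISH' === $attribute; }
    public function supportsClass($class)         { return 'Article' === $class || is_subclass_of($class, 'Article'); }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        if (!$object instanceof Article || !in_array('PUBLISH', $attributes, true)) {
            return self::ACCESS_ABSTAIN;
        }

        return $object->embargoed ? self::ACCESS_DENIED : self::ACCESS_ABSTAIN;
    }
}

$user    = new User('alice', 'not-used-here', array('ROLE_USER'));
$token   = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
$article = new Article('alice', true);            // alice wrote it, but it is still embargoed
$voters  = array(new AuthorVoter(), new EmbargoVoter());

foreach (array('affirmative', 'consensus', 'unanimous') as $strategy) {
    // 3rd argument: allow_if_all_abstain, 4th: allow_if_equal_granted_denied
    $manager = new AccessDecisionManager($voters, $strategy, false, true);
    printf("%-12s %s\n", $strategy, $manager->decide($token, array('PUBLISH'), $article) ? 'granted' : 'denied');
}
```

Working through the rules of slide 27: under affirmative the author's grant wins and the embargo voter's denial is ignored; under consensus one grant against one denial is a tie, which the fourth constructor argument resolves in favour of access; only unanimous honours the denial. A voter that is meant to veto (an embargo, a ban, a fraud check) therefore needs the unanimous strategy, or has to be folded into the same voter as the rule it is supposed to override.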

  34. Expressions are a viable alternative to the traditional attributes
    (diagram: the ExpressionVoter sits next to the AclVoter, RoleVoter and AuthenticatedVoter and can draw on the RoleHierarchy, the AclProvider with its PermissionMap, and the AuthenticationTrustResolver)
    ExpressionVoter
    - Faster, more efficient (an expression is compiled to PHP code once instead of being interpreted on every request)
    - More flexible (one expression can combine roles, trust level, ACL permissions and method parameters)
    - Extensible (custom functions can be added, see slide 36)

  35. There are many built-in expressions
    Functions
    • hasRole(A)
    • hasAnyRole(A, B)
    • isAnonymous()
    • isAuthenticated()
    • isFullyAuthenticated()
    • hasPermission(object, VIEW)
    Variables
    • token: current token in the SecurityContext
    • user: logged-in user object
    • object: object that access is requested for
    • #paramName: a method parameter
    • permitAll: always grants
    • denyAll: always denies
    Expressions also support the binary operators && and || to form more complex expressions.

  36. New expressions can be added very easily

  37. Expressions can be used to implement a lightweight ACL-like system for simple use cases

  38. Complex expressions can be reverse-interpreted to find the denying sub-expression

  39. Agenda (repeated; transition to Web-Request Authorization)

  40. Web-request authorization using access_control
    (access_control rules in security.yml match a request by path regex, host, client IP or channel and require attributes such as ROLE_ADMIN or IS_AUTHENTICATED_FULLY; the first matching rule wins, so order the specific rules before the general ones)
    Best used for securing whole areas, but not for securing specific actions.

  41. Agenda (repeated; transition to Method Invocation Authorization)

  42. Securing controller actions and methods

  43. Method access control is implemented via AOP around advices
    Reusable AOP implementation provided by JMSAopBundle
    - Pointcut: finds the methods which have associated advices
    - Interceptors:
    - called for method invocations
    - can return early and prevent execution of the original method and of further interceptors
    - can throw or catch exceptions
    - can modify the return value
    - AOP is useful when implementing concerns which are not related to core application functionality, like security checks, logging, caching, etc.
    - Core application logic is not aware of the AOP code (the bundle generates a proxy subclass for the service when the container is compiled, so the original class stays untouched)
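A pointcut/interceptor pair of the kind described above, as an added example that is not part of the deck or of JMSAopBundle: it enforces a role on every method carrying an invented @RequiresRole marker in its doc comment. The marker, the class names and the service ids are assumptions; the interfaces and the jms_aop.pointcut tag are the bundle's own.

```php
<?php
// Added example, not the deck's code: a JMSAopBundle pointcut and an around
// advice that turns a doc-comment marker into an access check. @RequiresRole,
// FeedFetcher and the service ids are assumptions.

use JMS\AopBundle\Aop\PointcutInterface;
use CG\Proxy\MethodInterceptorInterface;
use CG\Proxy\MethodInvocation;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// Pointcut: evaluated once, at container compile time, to select the methods
// that get the advice. Matching is cheap here because it only reads doc comments.
class RequiresRolePointcut implements PointcutInterface
{
    public function matchesClass(\ReflectionClass $class)
    {
        return true;    // look at every service class; matchesMethod narrows it down
    }

    public function matchesMethod(\ReflectionMethod $method)
    {
        return false !== strpos((string) $method->getDocComment(), '@RequiresRole');
    }
}

// Interceptor: the around advice that runs instead of the original method.
class RequiresRoleInterceptor implements MethodInterceptorInterface
{
    private $context;

    public function __construct(SecurityContextInterface $context)
    {
        $this->context = $context;
    }

    public function intercept(MethodInvocation $invocation)
    {
        // Pull the role out of the marker, e.g. "@RequiresRole(ROLE_ADMIN)".
        if (!preg_match('/@RequiresRole\((\w+)\)/', (string) $invocation->reflection->getDocComment(), $m)) {
            return $invocation->proceed();
        }

        if (!$this->context->isGranted($m[1])) {
            // Returning early: neither the original method nor later interceptors run.
            throw new AccessDeniedException(sprintf('%s::%s() requires %s',
                $invocation->reflection->class, $invocation->reflection->name, $m[1]));
        }

        $result = $invocation->proceed();   // continue down the chain to the original method

        return $result;                     // an around advice may also inspect or replace this
    }
}

// A service the advice applies to. The class knows nothing about security.
class FeedFetcher
{
    /** @RequiresRole(ROLE_ADMIN) */
    public function fetchFeeds()
    {
        return array('feed-a', 'feed-b');
    }
}

// Wiring, in services.yml (shown as a comment since the block is PHP):
//   app.requires_role_pointcut:
//       class: RequiresRolePointcut
//       tags:
//           - { name: jms_aop.pointcut, interceptor: app.requires_role_interceptor }
//   app.requires_role_interceptor:
//       class: RequiresRoleInterceptor
//       arguments: ["@security.context"]
```

JMSSecurityExtraBundle's MethodSecurityInterceptor is exactly such an interceptor, with its pointcut selecting the methods that carry @Secure, @PreAuthorize or @RunAs and the advice evaluating them. Note that the advice only guards calls that go through the proxied service; a direct `new FeedFetcher()` bypasses it, which is why the secured object must be obtained from the container.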

  44. An example of converting procedural code to AOP code
    @RunAs adds an advice to the fetchFeeds method which does not need to be duplicated in each place where the method is called (@RunAs from JMSSecurityExtraBundle temporarily runs the method with the given additional roles and restores the original token afterwards).

  45. The same functionality, but in procedural code

  46. Agenda (repeated; transition to Object-based Authorization (ACL))

  47. The ACL system is fully decoupled from your domain objects and integrates with them seamlessly
    (diagram, read as relations)
    Domain Object (Blog Post, Comment, User, etc.) has exactly one Object Identity
    Object Identity has exactly one Access Control List (ACL)
    ACL has many Access Control Entries (ACEs)
    ACL may inherit from a parent ACL
    ACE has exactly one Security Identity
    Security Identity stands for either a Role or a User

  48. Class-based and object-based access control entries
    Object-based: Document "foo", Document "bar" (one ACE per concrete object)
    Class-based: Document "???" (one ACE for every instance of the class)
    Object-based ACEs are checked before class-based ACEs.

  49. Field-based access control entries
    Order
    • product
    • quantity
    • shipping address
    • payment details
    Anyone with access to the order may access some of these fields; others require special admin access (a field-based ACE grants or denies a permission on one field of the object rather than on the whole object).

  50–52. Access control entries
    An Access Control Entry consists of
    • mask
    • granting strategy
    • granting
    Mask
    - permissions are stored as bitmasks
    - up to 31 permissions per class (one bit each)
    - multiple permissions can be stored efficiently in the same ACE
    - pre-defined permissions (the MaskBuilder constants)
    - View
    - Create
    - Edit
    - Delete
    - Undelete
    - Owner
    - (MaskBuilder also defines Operator and Master; the BasicPermissionMap treats Operator, Master and Owner as superset permissions that satisfy the lower ones)
    Granting strategy
    Defines how the required mask is compared with the ACE's mask. Written with explicit parentheses, because in PHP === and !== bind tighter than &:
    - Any ('any'): ($required & $ace) !== 0
    - All ('all', the default): ($required & $ace) === $required
    - Equal ('equal', "Same" on the slide): $required === $ace
    Granting
    - Whether the entry allows or denies access
    - Useful in scenarios like
    - "generally allow access to all documents, but deny access to a few specific documents"
    - "generally deny access, but allow access to a few specific documents"
    - The first ACE (in order) that applies decides, so a denying ACE must be inserted before the broader granting one.
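The three granting strategies and the granting flag of slides 50 to 52, as an added example that is not part of the deck: a plain-PHP reimplementation of the comparison the component's PermissionGrantingStrategy makes, so the bit arithmetic can be read and run without the rest of the ACL system. The mask constants carry MaskBuilder's values; the ACE list is constructed for the example.

```php
<?php
// Added example, not the component's code: ACE mask comparison and the
// "first applicable ACE decides" rule, reimplemented in plain PHP. Mask
// values match MaskBuilder; the ACEs below are constructed sample data.

const MASK_VIEW     = 1;
const MASK_CREATE   = 2;
const MASK_EDIT     = 4;
const MASK_DELETE   = 8;
const MASK_UNDELETE = 16;
const MASK_OPERATOR = 32;
const MASK_MASTER   = 64;
const MASK_OWNER    = 128;

// Does one ACE apply to the required mask? $required is what the caller asks
// for, $aceMask is what the entry stores. Parentheses matter: in PHP,
// "$a & $b !== 0" is parsed as "$a & ($b !== 0)".
function aceApplies($required, $aceMask, $strategy)
{
    switch ($strategy) {
        case 'all':   return $required === ($aceMask & $required);  // every required bit is set
        case 'any':   return 0 !== ($aceMask & $required);          // at least one required bit is set
        case 'equal': return $required === $aceMask;                // exactly the same bits
    }

    throw new \InvalidArgumentException('Unknown strategy ' . $strategy);
}

// The first ACE that applies decides; its granting flag is the answer.
// Null means "no applicable ACE": the component then tries the class ACEs
// and after that the parent ACL (if entries are inherited).
function decide(array $aces, $required)
{
    foreach ($aces as $ace) {
        if (aceApplies($required, $ace['mask'], $ace['strategy'])) {
            return $ace['granting'];
        }
    }

    return null;
}

// Constructed object ACEs for one document: "everything except delete".
// The denying entry comes first; placed after the granting one it would never be reached.
$aces = array(
    array('mask' => MASK_DELETE,                          'strategy' => 'any', 'granting' => false),
    array('mask' => MASK_VIEW | MASK_EDIT | MASK_DELETE,  'strategy' => 'all', 'granting' => true),
);

$checks = array('view' => MASK_VIEW, 'edit' => MASK_EDIT, 'delete' => MASK_DELETE, 'create' => MASK_CREATE);
foreach ($checks as $name => $mask) {
    $result = decide($aces, $mask);
    printf("%-7s %s\n", $name,
        null === $result ? 'no applicable ACE (fall back to class ACEs / parent ACL)' : ($result ? 'granted' : 'denied'));
}
```

Two details of the real implementation are worth keeping in mind when reading this: the PermissionMap turns a permission such as EDIT into several candidate masks (EDIT, OPERATOR, MASTER, OWNER), and a grant on any one of them is enough; and the loop above runs per security identity of the token (the user and each of its roles), so a denying ACE for a role can be shadowed by an earlier granting ACE for the user.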

  53. Access control entries can be inherited
    Forum: Moderator ACE for EDIT
    Thread: Thread-Starter ACE for EDIT
    Posts: Post-Creator ACE for EDIT, Thread-Starter ACE for EDIT
    - Moderator can not only edit forums, but also all threads and posts (the thread and post ACLs inherit from the forum ACL)
    - Thread-Starter can edit thread details, but not all posts in the thread
    - Post-Creator can edit his own post
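The ACL structure of slides 47 to 49 and 53 built with the component's ACL API, as an added example that is not part of the deck (symfony/security 2.x). Forum, Thread and Post are assumed domain classes with a getId() method, the two tokens are those of the thread starter and the post creator, and $aclProvider is the security.acl.provider service; the authorIp field is invented to show a field ACE.

```php
<?php
// Added example, not the deck's code: forum/thread/post ACLs with inheritance,
// an object ACE, a class ACE and a field ACE. Domain classes, tokens and the
// authorIp field are assumptions.

use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface;
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

function setUpForumAcls(MutableAclProviderInterface $aclProvider, $forum, $thread, $post,
                        TokenInterface $threadStarter, TokenInterface $postCreator)
{
    $moderator = new RoleSecurityIdentity('ROLE_MODERATOR');

    // Forum ACL: one object ACE granting EDIT to moderators.
    $forumAcl = $aclProvider->createAcl(ObjectIdentity::fromDomainObject($forum));
    $forumAcl->insertObjectAce($moderator, MaskBuilder::MASK_EDIT);
    $aclProvider->updateAcl($forumAcl);

    // Thread ACL inherits from the forum ACL (moderators get EDIT through it)
    // and adds an object ACE for the thread starter.
    $threadAcl = $aclProvider->createAcl(ObjectIdentity::fromDomainObject($thread));
    $threadAcl->setParentAcl($forumAcl);
    $threadAcl->setEntriesInheriting(true);
    $threadAcl->insertObjectAce(UserSecurityIdentity::fromToken($threadStarter), MaskBuilder::MASK_EDIT);
    $aclProvider->updateAcl($threadAcl);

    // Post ACL inherits from the forum ACL directly, not from the thread ACL:
    // that is what keeps the thread starter from editing other people's posts
    // while moderators still can. The post creator gets an object ACE.
    $postAcl = $aclProvider->createAcl(ObjectIdentity::fromDomainObject($post));
    $postAcl->setParentAcl($forumAcl);
    $postAcl->setEntriesInheriting(true);
    $postAcl->insertObjectAce(UserSecurityIdentity::fromToken($postCreator), MaskBuilder::MASK_EDIT);

    // Class ACE: every user may VIEW any Post. Object ACEs are consulted first,
    // then this class ACE, and only then the parent ACL.
    $postAcl->insertClassAce(new RoleSecurityIdentity('ROLE_USER'), MaskBuilder::MASK_VIEW);

    // Field ACE: only moderators may VIEW the (assumed) authorIp field of a post.
    $postAcl->insertObjectFieldAce('authorIp', $moderator, MaskBuilder::MASK_VIEW);
    $aclProvider->updateAcl($postAcl);

    return array($forumAcl, $threadAcl, $postAcl);
}

// Checks are then ordinary isGranted() calls routed through the AclVoter and the PermissionMap:
//   $securityContext->isGranted('EDIT', $post);                             // post creator, moderator
//   $securityContext->isGranted('VIEW', new FieldVote($post, 'authorIp'));   // moderator only
```

Inheritance only kicks in when no object or class ACE of the child applies, so a child ACL cannot quietly widen what its parent grants, but a denying ACE on the child does override an inherited grant. That is the lever to use when a thread must be locked for everyone except moderators: insert a denying EDIT ACE for the starter on the thread ACL rather than deleting the forum-level grant.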

  54. Thanks!
    Johannes Schmitt
    [email protected]
    https://github.org/schmittjoh
