
Security and AOP in Symfony2

schmittjoh
November 23, 2012


Security is a crucial aspect of most, if not all, applications, and as such it is a concern that cuts across an application's functionality.

In the first part of this talk, we will take a deeper look at the Symfony2 Security Component. In the second part, we will then unleash the power of the Dependency Injection container to add AOP capabilities, and see how you can secure your application without changing a single line of application code.



Transcript

  1. (slide 2) Johannes Schmitt | Security and AOP | 2012-11-23
    Agenda: Introduction, Authentication, Authorization
  2. (slide 3) About the speaker
    - About 10 years of experience with PHP
    - Writing my final thesis at Karlsruhe Institute of Technology (KIT)
    - One of the main authors behind several Symfony2 components, particularly the Security, DependencyInjection and Config components
  3. (slide 4) Agenda: Introduction, Authentication, Authorization
  4. (slide 5) The Security component focuses on two main objectives
    1. Authentication
      - Goal: Is the user who he claims to be?
      - Mechanisms: HTTP basic/digest, X.509 client certificate, form-based login, remember-me cookie, ..., your own authentication system
    2. Authorization (filled in on slide 24)
  5. (slide 6) The authentication system consists of many classes, each with a distinct purpose. Diagram: FirewallListener, FirewallMap
  6. (slide 7) Same diagram, adding Listeners
  7. (slide 8) Same diagram, adding Token
  8. (slide 9) Same diagram, adding AuthenticationProvider
  9. (slide 10) Same diagram, adding UserProvider
  10. (slide 11) Symfony2 does not implement a user object for you; instead it provides an interface that gives you full control over your domain objects. AccountInterface:
    - getRoles(): returns an array of roles (e.g. ROLE_USER, ROLE_FOO, etc.)
    - getPassword(): returns the encoded password
    - getSalt(): returns the salt
    - eraseCredentials(): erases sensitive credentials from the user
  11. (slide 12) Same diagram, adding Encoder
  12. (slide 13) The Security component automatically hashes submitted credentials before comparing them with the password coming from the database
    - MessageDigestPasswordEncoder
      - can use any algorithm supported by PHP's hash() function
      - can encode the digest as base64 instead of hex
      - can apply the algorithm multiple times (iterations)
    - PlaintextPasswordEncoder
      - mainly used for testing and development
      - does not hash your password
  13. (slide 14) Same diagram, adding UserChecker
  14. (slide 15) The authentication providers not only check the credentials, but also check several flags on the user account itself. AdvancedAccountInterface:
    - isEnabled(): whether the account is enabled or disabled
    - isAccountNonLocked(): whether the account has been locked, for example because of too many failed login attempts
    - isAccountNonExpired(): whether the account has expired
    - isCredentialsNonExpired(): whether the account's credentials have expired
    If any of these methods returns false, the user is not allowed to log in.
  15. (slide 16) Same diagram, adding AuthFailureHandler
  16. (slide 17) Same diagram, adding SessionAuthStrategy
  17. (slide 18) Same diagram, adding AuthSuccessHandler
  18. (slide 19) Same diagram, adding RememberMe
  19. (slide 20) Same diagram, adding LogoutHandler and LogoutSuccessHandler. The complete diagram now shows: FirewallListener, FirewallMap, Listeners, AuthSuccessHandler, AuthFailureHandler, AuthenticationProvider, Token, SessionAuthStrategy, RememberMe, LogoutHandler, LogoutSuccessHandler, UserProvider, Encoder, UserChecker
  20. (slide 21) The Security component knows three authentication trust levels
    - Anonymous trust level: the lowest level; used for guests who have not actually logged in
    - Remember-me trust level: the middle level; all users who have authenticated using a remember-me cookie
    - Full-fledged trust level: the highest level; all users who have submitted their password, or equivalent credentials, to verify their identity
    The trust level is used to implement multi-tier security.
  21. (slide 22) Agenda: Introduction, Authentication, Authorization
  22. (slide 23) Agenda: Introduction, Authentication, Authorization (General Concepts, Web-Request Authorization, Method Invocation Authorization, Object-based Authorization (ACL))
  23. (slide 24) The Security component focuses on two main objectives
    1. Authentication
      - Goal: Is the user who he claims to be?
      - Mechanisms: HTTP basic/digest, X.509 client certificate, form-based login, remember-me cookie, ..., your own authentication system
    2. Authorization
      - Goal: Is the user allowed to do XYZ?
      - Mechanisms: request authorization; controller action/method authorization; class-/object-based authorization (ACL)
  24. (slide 25) The authorization system consists of many classes, each with a distinct purpose. Diagram: AccessListener, SecurityContext, MethodSecurityInterceptor
  25. (slide 26) Same diagram, adding AccessDecisionManager
  26. (slide 27) The behavior of the AccessDecisionManager varies greatly depending on the voting strategy. As soon as multiple voters can vote on the requested attributes, or you request a vote on multiple attributes, the voting strategy matters.
    - Affirmative: least restrictive strategy; best performance when granting access; Symfony2's default voting strategy
    - Unanimous: most restrictive strategy; best performance when denying access
    - Consensus: compromise between the affirmative and unanimous strategies; equal performance for granting and denying
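The three strategies side by side, as an added example that is not code from the talk or from Symfony: a minimal decision manager over two closure voters (a role voter and a constructed veto voter), with the same user and attribute fed through each strategy so the difference in outcome is visible. Voter names, the all-abstain-means-deny rule and the tie-grants rule are assumptions of this example.

```php
<?php
// Added example, not code from the talk or from Symfony: a minimal access decision
// manager that combines voter verdicts with the three voting strategies.
// Vote values mirror Symfony's VoterInterface constants; voters are plain closures.
const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

// A voter takes (array $roles, array $attributes) and returns one verdict for the
// whole attribute set. This role voter only understands ROLE_* and abstains otherwise.
$roleVoter = function (array $roles, array $attributes) {
    $vote = ACCESS_ABSTAIN;
    foreach ($attributes as $attribute) {
        if (strpos($attribute, 'ROLE_') !== 0) {
            continue;                          // not our attribute: stay abstained
        }
        if (in_array($attribute, $roles, true)) {
            return ACCESS_GRANTED;             // one matching role is enough
        }
        $vote = ACCESS_DENIED;
    }
    return $vote;
};

// Constructed second voter that always denies ROLE_ADMIN, so the strategies disagree.
$vetoVoter = function (array $roles, array $attributes) {
    return in_array('ROLE_ADMIN', $attributes, true) ? ACCESS_DENIED : ACCESS_ABSTAIN;
};

/** Tally the verdicts and apply the strategy; if every voter abstains, access is denied. */
function decide($strategy, array $voters, array $roles, array $attributes)
{
    $granted = $denied = 0;
    foreach ($voters as $voter) {
        $vote = $voter($roles, $attributes);
        if ($vote === ACCESS_GRANTED) { $granted++; }
        if ($vote === ACCESS_DENIED)  { $denied++; }
    }
    switch ($strategy) {
        case 'affirmative': return $granted > 0;                        // a single grant wins
        case 'unanimous':   return $denied === 0 && $granted > 0;       // a single deny vetoes
        case 'consensus':   return $granted > 0 && $granted >= $denied; // majority; a tie grants
    }
    throw new InvalidArgumentException("Unknown strategy: $strategy");
}

// Same voters, same user (ROLE_ADMIN), same attribute: one grant and one deny.
foreach (['affirmative', 'unanimous', 'consensus'] as $strategy) {
    var_dump($strategy, decide($strategy, [$roleVoter, $vetoVoter], ['ROLE_ADMIN'], ['ROLE_ADMIN']));
}
```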
  27. (slide 28) Same diagram, adding Voter
  28. (slide 29) Same diagram, adding the voters AclVoter, RoleVoter and AuthenticatedVoter
  29. (slide 30) Same diagram, adding AclProvider and PermissionMap
  30. (slide 31) Same diagram, adding RoleHierarchy
  31. (slide 32) Same diagram, adding AuthenticationTrustResolver
  32. (slide 33) Custom voters allow you to add more meaning to existing attributes
  33. (slide 34) Expressions are a viable alternative to the traditional attributes. The diagram adds ExpressionVoter:
    - faster, more efficient
    - more flexible
    - extensible
  34. (slide 35) There are many built-in expressions
    - Functions: hasRole(A), hasAnyRole(A, B), isAnonymous(), isAuthenticated(), isFullyAuthenticated(), hasPermission(object, VIEW)
    - Variables: token (current token in the SecurityContext), user (logged-in user object), object (object that access is requested for), #paramName (a method parameter)
    - Also: permitAll, denyAll
    Expressions also support the binary operators && and || to form more complex expressions.
  35. (slide 36) New expressions can be added very easily
  36. (slide 37) Expressions can be used to implement a lightweight ACL-like system for simple use cases
  37. (slide 38) Complex expressions can be reverse-interpreted to find the denying expression
  38. (slide 39) Agenda: Introduction, Authentication, Authorization (General Concepts, Web-Request Authorization, Method Invocation Authorization, Object-based Authorization (ACL))
  39. (slide 40) Web-request authorization using access control: best used for securing whole areas, but not for securing specific actions.
  40. (slide 41) Agenda: Introduction, Authentication, Authorization (General Concepts, Web-Request Authorization, Method Invocation Authorization, Object-based Authorization (ACL))
  41. (slide 43) Method access control is implemented via AOP around advices; a reusable AOP implementation is provided by JMSAopBundle
    - Pointcut: finds methods which have associated advices
    - Interceptors:
      - called for method invocations
      - can return early and prevent execution of the original method and of additional interceptors
      - can throw or catch exceptions
      - can modify the return value
    - AOP is useful when implementing concerns which are not related to core application functionality, such as security checks, logging, caching, etc.
    - Core application logic is not aware of the AOP code
  42. (slide 44) An example of converting procedural code to AOP code: @RunAs adds an advice to the fetchFeeds method which does not need to be duplicated in each place where it is necessary.
  43. (slide 45) The same functionality, but in procedural code
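The interceptor behaviours listed on slide 43 (return early, throw, modify the return value, core logic unaware of the advice), as an added example that is not code from the talk or from JMSAopBundle: a self-contained around-advice chain with a role check in front of a fetchFeeds method. The class and method names, the roles and the call context are constructed for this example.

```php
<?php
// Added example, not code from the talk or from JMSAopBundle: a minimal "around advice"
// chain. An interceptor can stop the call early (here by throwing), let it proceed, or
// rewrite the return value; the intercepted class knows nothing about the chain.
interface MethodInterceptor {
    public function intercept(MethodInvocation $invocation);
}

final class MethodInvocation {
    private $interceptors, $target, $method, $args, $index = 0;
    public $roles; // constructed call context: the caller's roles
    public function __construct(array $interceptors, $target, $method, array $args, array $roles) {
        list($this->interceptors, $this->target, $this->method, $this->args, $this->roles) = [$interceptors, $target, $method, $args, $roles];
    }
    /** Run the next interceptor, or the original method once all have run. */
    public function proceed() {
        if ($this->index < count($this->interceptors)) {
            return $this->interceptors[$this->index++]->intercept($this);
        }
        return call_user_func_array([$this->target, $this->method], $this->args);
    }
}

/** Security check as an around advice: without the role the original method never runs. */
final class RequireRoleInterceptor implements MethodInterceptor {
    private $role;
    public function __construct($role) { $this->role = $role; }
    public function intercept(MethodInvocation $inv) {
        if (!in_array($this->role, $inv->roles, true)) {
            throw new RuntimeException('Access denied: ' . $this->role . ' required');
        }
        return $inv->proceed();
    }
}

/** Post-processing advice: the original return value is wrapped before it reaches the caller. */
final class CountingInterceptor implements MethodInterceptor {
    public function intercept(MethodInvocation $inv) {
        $feeds = $inv->proceed();
        return ['count' => count($feeds), 'feeds' => $feeds];
    }
}

// Constructed domain class with no AOP awareness at all.
final class FeedService { public function fetchFeeds() { return ['news', 'blog']; } }
$chain = [new RequireRoleInterceptor('ROLE_ADMIN'), new CountingInterceptor()];
print_r((new MethodInvocation($chain, new FeedService(), 'fetchFeeds', [], ['ROLE_ADMIN']))->proceed());
try {
    (new MethodInvocation($chain, new FeedService(), 'fetchFeeds', [], ['ROLE_USER']))->proceed();
} catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```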
  44. (slide 46) Agenda: Introduction, Authentication, Authorization (General Concepts, Web-Request Authorization, Method Invocation Authorization, Object-based Authorization (ACL))
  45. (slide 47) The ACL system is fully decoupled from your domain objects and integrates with them seamlessly. Diagram: a domain object (blog post, comment, user, etc.) has exactly one Object Identity; an Object Identity has exactly one Access Control List (ACL); an ACL may inherit from a parent ACL and has many Access Control Entries (ACEs); roles and users each map to exactly one Security Identity, which has many ACEs.
  46. (slide 48) Class-based and object-based Access Control Entries: documents "foo" and "bar" have object-based ACEs; any other document ("???") is covered by class-based ACEs. Object-based ACEs are checked before class-based ACEs.
  47. (slide 49) Field-based Access Control Entries. Example: an Order with the fields product, quantity, shipping address and payment details. Anyone with access to the order may access product, quantity and shipping address; payment details require special admin access.
  48. (slide 50) Access Control Entries: an entry consists of a mask, a granting strategy and a granting flag. The mask:
    - permissions are stored as bitmasks
    - up to 31 permissions per class
    - multiple permissions can be stored efficiently in the same ACE
    - pre-defined permissions: View, Create, Edit, Delete, Undelete, Owner
  49. (slide 51) Access Control Entries: the granting strategy defines how the bitmasks are compared
    - Any: ($expected & $actual) !== 0
    - All: ($expected & $actual) === $actual
    - Same: $expected === $actual
  50. (slide 52) Access Control Entries: the granting flag says whether the entry allows or denies access. Useful in scenarios like:
    - "generally allow access to all documents, but deny access to a few specific documents"
    - "generally deny access, but allow access to a few specific documents"
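Slides 50 to 52 together (bitmask permissions, the Any/All/Same comparison, and a granting flag used for "allow everywhere, deny on a few documents"), as an added example that is not code from the talk or from Symfony's ACL component. The bit positions, the security identity names, the "document 42" sample and the rule that the first matching entry decides (object-based entries listed before class-based ones, as slide 48 orders the check) are assumptions of this simplified example.

```php
<?php
// Added example, not code from the talk or from Symfony's ACL component: a simplified
// ACE evaluation with bitmask permissions and the three granting strategies.
// The bit positions below are constructed for this example.
const MASK_VIEW     = 1 << 0;
const MASK_CREATE   = 1 << 1;
const MASK_EDIT     = 1 << 2;
const MASK_DELETE   = 1 << 3;
const MASK_UNDELETE = 1 << 4;
const MASK_OWNER    = 1 << 7;

/** Does the ACE's mask satisfy the required mask under the given strategy? */
function maskMatches($strategy, $aceMask, $required)
{
    switch ($strategy) {
        case 'any':  return ($aceMask & $required) !== 0;         // at least one required bit is set
        case 'all':  return ($aceMask & $required) === $required; // every required bit is set
        case 'same': return $aceMask === $required;               // the masks are identical
    }
    throw new InvalidArgumentException("Unknown strategy: $strategy");
}

/**
 * Walk the entries in order (object-based entries first, then class-based ones): the
 * first entry for this security identity whose mask matches decides, and its "granting"
 * flag says whether that decision allows or denies. Returns null when no entry applies,
 * which the caller must treat as a denial.
 */
function evaluateAces(array $aces, $sid, $required)
{
    foreach ($aces as $ace) {
        if ($ace['sid'] === $sid && maskMatches($ace['strategy'], $ace['mask'], $required)) {
            return $ace['granting'];
        }
    }
    return null;
}

// Constructed sample: "generally allow EDIT on all documents, but deny it on document 42".
$classAces = [
    ['sid' => 'ROLE_EDITOR', 'mask' => MASK_VIEW | MASK_EDIT, 'strategy' => 'all', 'granting' => true],
];
$objectAcesForDoc42 = [
    ['sid' => 'ROLE_EDITOR', 'mask' => MASK_EDIT, 'strategy' => 'any', 'granting' => false],
];
var_dump(evaluateAces(array_merge($objectAcesForDoc42, $classAces), 'ROLE_EDITOR', MASK_EDIT)); // document 42
var_dump(evaluateAces($classAces, 'ROLE_EDITOR', MASK_EDIT));   // any other document
var_dump(evaluateAces($classAces, 'ROLE_EDITOR', MASK_DELETE)); // no applicable entry
```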
  51. (slide 53) Access Control Entries can be inherited. Diagram: Forum > Thread > Posts, with a Moderator ACE for EDIT on the forum, a Thread-Starter ACE for EDIT on the thread, and a Post-Creator ACE for EDIT on each post.
    - The moderator can not only edit forums, but also all threads and posts
    - The thread-starter can edit thread details, but not all posts in the thread
    - The post-creator can edit his own post