Security and AOP in Symfony2

Security and AOP in Symfony2 Johannes Schmitt Hajime Nagahata (http://www.flickr.com/photos/yakinik/6880492715/)

2 Johannes Schmitt | Security and AOP | 2012-11-23 Agenda
Introduction Authentication Authorization

3 Johannes Schmitt | Security and AOP | 2012-11-23 -
About 10 years experience with PHP - Writing my final thesis at Karlsruhe Institute of Technology (KIT) - one of the main authors behind several Symfony2 Components - particularly contributed to Symfony2 Security, DependencyInjection, and Config Component

5 Johannes Schmitt | Security and AOP | 2012-11-23 The
Security component focuses on two main objectives 2. Authorization 1. Authentication • Goal: Is the user who he claims he is? • Mechanisms: • HTTP-basic/digest • X.509 client certificate • Form-based login • Remember-me cookie • … • Your own authentication system

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners Token

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token UserProvider

11 Johannes Schmitt | Security and AOP | 2012-11-23 Symfony2
does not implement a user object for you, but instead provides you with an interface giving you full control over your domain objects AccountInterface - getRoles(): Returns an array with roles (e.g. ROLE_USER, ROLE_FOO, etc.) - getPassword() Returns the encoded password - getSalt() Returns a salt - eraseCredentials() Erases credentials from the user

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token UserProvider Encoder

Security component automatically takes care of hashing submitted credentials before comparing them to the password coming from the database - MessageDigestPasswordEncoder - can use any algorithm supported by the hash() function - can automatically encode passwords using base64 instead of hex - can apply the algorithm multiple times - PlaintextPasswordEncoder - mainly used for testing, and development - does not hash your password

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token UserProvider Encoder UserChecker

authentication providers not only check the credentials, but also check several flags on the user account itself AdvancedAccountInterface - isEnabled(): Whether the account is enabled, or disabled. - isAccountNonLocked(): Whether the account has been locked, for example because of too many failed login attempts. - isAccountNonExpired(): Whether the account is expired. - isCredentialsNonExpired(): Whether the account’s credentials are expired. If any of the above methods returns false, the user will not be allowed to login

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthFailureHandler AuthenticationProvider Token UserProvider Encoder UserChecker

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy UserProvider Encoder UserChecker

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthSuccessHandler AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy UserProvider Encoder UserChecker

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthSuccessHandler AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy RememberMe UserProvider Encoder UserChecker

authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthSuccessHandler AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy RememberMe LogoutHandler LogoutSuccessHandler UserProvider Encoder UserChecker

Security component knows three authentication trust levels - Anonymous Trust Level: - lowest trust level - used for guests which have not actually logged in - Remember-Me Trust Level: - middle trust level - all users who have authenticated using a remember-me cookie - Full-Fledged Trust Level: - highest trust level - all users who have submitted their password, or equivalent credentials to verify their identity The trust level is used to implement multi-tier security.

Introduction Authentication Authorization General Concepts Web-Request Authorization Method Invocation Authorization Object-based Authorization (ACL)

Security component focuses on two main objectives 2. Authorization 1. Authentication • Goal: Is the user who he claims he is? • Mechanisms: • HTTP-basic/digest • X.509 client certificate • Form-based login • Remember-me cookie • … • Your own authentication system • Goal: Is the user allowed to do XYZ? • Mechanisms: • Request Authorization • Controller Actions/Methods Authorization • Class-/Object-based Authorization (ACL)

authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor

authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager

behavior of the AccessDecisionManager varies greatly depending on the voting strategy As soon as multiple voters can vote on the requested attributes or you request a vote on multiple attributes, the voting strategy matters. Affirmative Unanimous Consensus • Least restrictive strategy • Best performance when granting access • Symfony2‘s default voting strategy • Most restrictive strategy • Best performance when denying acess • Compromise between affirmative, and unanimous strategy • Equal performance for granting and denying

authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter

authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter

authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter AclProvider PermissionMap

authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter RoleHierarchy AclProvider PermissionMap

authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter RoleHierarchy AclProvider AuthenticationTrustResolver PermissionMap

33 Johannes Schmitt | Security and AOP | 2012-11-23 Custom
voters allow you to add more meaning to existing attributes

34 Johannes Schmitt | Security and AOP | 2012-11-23 Expressions
are a viable alternative to the traditional attributes AclVoter RoleVoter AuthenticatedVoter RoleHierarchy AclProvider AuthenticationTrustResolver PermissionMap ExpressionVoter - Faster, more Efficient - More Flexible - Extensible

35 Johannes Schmitt | Security and AOP | 2012-11-23 There
are many built-in expressions Variables Functions • hasRole(A) • hasAnyRole(A, B) • isAnonymous() • isAuthenticated() • isFullyAuthenticated() • hasPermission(object, VIEW) • token: current token in the SecurityContext • user: logged in user object • object: object that access is requested for • #paramName: a method parameter • permitAll • denyAll Expressions also support the binary operators && and || to form more complex expressions.

36 Johannes Schmitt | Security and AOP | 2012-11-23 New
Expressions can be added very easily

37 Johannes Schmitt | Security and AOP | 2012-11-23 Expressions
can be use to implement a lightweight ACL-like system for simple use cases

38 Johannes Schmitt | Security and AOP | 2012-11-23 Complex
expressions can be reverse interpreted to find the denying expression

40 Johannes Schmitt | Security and AOP | 2012-11-23 Web-Request
authorization using access control Best used for securing whole areas, but not for securing specific actions.

42 Johannes Schmitt | Security and AOP | 2012-11-23 Securing
Contoller Actions, and Methods

43 Johannes Schmitt | Security and AOP | 2012-11-23 Method
Access Control is implemented via AOP Around Advices Reusable AOP Implementation provided by JMSAopBundle - Pointcut: Finds methods which have associated advices - Interceptors: - called for method invocations - can return early and prevent execution of the original method/additional interceptors - can throw, or catch exceptions - can modify the return value - AOP is useful when implementing concerns which are not related to core application functionality like security checks, logging, caching, etc. - Core Application Logic is not aware of AOP code

44 Johannes Schmitt | Security and AOP | 2012-11-23 An
example for converting procedural code to AOP code @RunAs adds an advice to the fetchFeeds method which does not need to be duplicated in each place where it is necessary.

same functionality, but in procedural code

ACL system is fully decoupled from your domain objects and integrates with them seamlessly Domain Object (Blog Post, Comment, User, etc.) Access Control List (ACL) Roles Users Security Identity have exactly one Access Control Entries (ACEs) may inherit from has many has many Object Identity has exactly one

48 Johannes Schmitt | Security and AOP | 2012-11-23 Class-based
and Object-based Access Control Entries Document „foo“ Document „bar“ Document „???“ Object-based Class-based Object-based ACEs are checked before Class-based ACEs.

49 Johannes Schmitt | Security and AOP | 2012-11-23 Field-based
Access Control Entries Order • product • quantity • shipping address • payment details Anyone with access to the order may access these Requires Special Admin Access

50 Johannes Schmitt | Security and AOP | 2012-11-23 Access
Control Entries Access Control Entry • mask • granting strategy • granting - permissions are stored as bitmasks - up to 31 permissions per class - multiple permissions can be stored effeciently in the same ACE - pre-defined permissions - View - Create - Edit - Delete - Undelete - Owner

Control Entries Access Control Entry • mask • granting strategy • granting Defines the strategy by which bitmasks are compared - Any: $expected & $actual !== 0 - All: $expected & $actual === $actual - Same: $expected === $actual

Control Entries Access Control Entry • mask • granting strategy • granting - Whether the entry allows, or denies access - Useful in scenarios like - „generally allow access to all documents, but to a few specific documents deny access“ - „generally deny access, but allow access to a few specific documents“

Control Entries can be inherited Thread Posts Forum Moderator ACE for EDIT Thread-Starter ACE for EDIT - Post-Creator ACE for EDIT - Thread-Starter ACE for EDIT - Moderator can not only edit forums, but also all threads, and posts - Thread-Starter can edit thread details, but not all posts in the thread - Post-Creator can edit his post

54 Johannes Schmitt | Security and AOP | 2012-11-23 Johannes
Schmitt [email protected] https://github.org/schmittjoh Thanks!

Security and AOP in Symfony2

Security and AOP in Symfony2

More Decks by schmittjoh

Other Decks in Programming

Featured

Transcript