Security and AOP in Symfony2

Security and AOP in Symfony2
Johannes Schmitt
Hajime Nagahata (http://www.flickr.com/photos/yakinik/6880492715/)

View Slide

2
Johannes Schmitt | Security and AOP | 2012-11-23
Agenda
Introduction
Authentication
Authorization

View Slide

3
- About 10 years experience with PHP
- Writing my final thesis at Karlsruhe Institute of Technology
(KIT)
- one of the main authors behind several Symfony2
Components
- particularly contributed to Symfony2 Security,
DependencyInjection, and Config Component

View Slide

4
Agenda
Introduction
Authentication
Authorization

View Slide

5
The Security component focuses on two main objectives
2. Authorization
1. Authentication
• Goal: Is the user who he claims he is?
• Mechanisms:
• HTTP-basic/digest
• X.509 client certificate
• Form-based login
• Remember-me cookie
• …
• Your own authentication system

View Slide

6
The authentication system consists of many classes with a distinct purpose
FirewallListener
FirewallMap

View Slide

7
FirewallListener
FirewallMap
Listeners

View Slide

8
FirewallListener
FirewallMap
Listeners
Token

View Slide

9
FirewallListener
FirewallMap
Listeners
AuthenticationProvider
Token

View Slide

10
FirewallListener
FirewallMap
Listeners
Token
UserProvider

View Slide

11
Symfony2 does not implement a user object for you, but instead provides you with
an interface giving you full control over your domain objects
AccountInterface
- getRoles():
Returns an array with roles (e.g. ROLE_USER, ROLE_FOO, etc.)
- getPassword()
Returns the encoded password
- getSalt()
Returns a salt
- eraseCredentials()
Erases credentials from the user

View Slide

12
FirewallListener
FirewallMap
Listeners
Token
UserProvider
Encoder

View Slide

13
The Security component automatically takes care of hashing submitted credentials
before comparing them to the password coming from the database
- MessageDigestPasswordEncoder
- can use any algorithm supported by the hash() function
- can automatically encode passwords using base64 instead of hex
- can apply the algorithm multiple times
- PlaintextPasswordEncoder
- mainly used for testing, and development
- does not hash your password

View Slide

14
FirewallListener
FirewallMap
Listeners
Token
UserProvider
Encoder
UserChecker

View Slide

15
The authentication providers not only check the credentials, but also check several
flags on the user account itself
AdvancedAccountInterface
- isEnabled():
Whether the account is enabled, or disabled.
- isAccountNonLocked():
Whether the account has been locked, for example because of too many
failed login attempts.
- isAccountNonExpired():
Whether the account is expired.
- isCredentialsNonExpired():
Whether the account’s credentials are expired.
If any of the above methods returns false, the user will not be allowed to login

View Slide

16
FirewallListener
FirewallMap
Listeners
AuthFailureHandler
Token
UserProvider
Encoder
UserChecker

View Slide

17
FirewallListener
FirewallMap
Listeners
AuthFailureHandler
Token
SessionAuthStrategy
UserProvider
Encoder
UserChecker

View Slide

18
FirewallListener
FirewallMap
Listeners
AuthSuccessHandler
AuthFailureHandler
Token
SessionAuthStrategy
UserProvider
Encoder
UserChecker

View Slide

19
FirewallListener
FirewallMap
Listeners
AuthSuccessHandler
AuthFailureHandler
Token
SessionAuthStrategy
RememberMe
UserProvider
Encoder
UserChecker

View Slide

20
FirewallListener
FirewallMap
Listeners
AuthSuccessHandler
AuthFailureHandler
Token
SessionAuthStrategy
RememberMe
LogoutHandler
LogoutSuccessHandler
UserProvider
Encoder
UserChecker

View Slide

21
The Security component knows three authentication trust levels
- Anonymous Trust Level:
- lowest trust level
- used for guests which have not actually logged in
- Remember-Me Trust Level:
- middle trust level
- all users who have authenticated using a remember-me cookie
- Full-Fledged Trust Level:
- highest trust level
- all users who have submitted their password, or equivalent
credentials to verify their identity
The trust level is used to implement multi-tier security.

View Slide

22
Agenda
Introduction
Authentication
Authorization

View Slide

23
Agenda
Introduction
Authentication
Authorization
General Concepts
Web-Request Authorization
Method Invocation Authorization
Object-based Authorization (ACL)

View Slide

24
The Security component focuses on two main objectives
2. Authorization
1. Authentication
• Goal: Is the user who he claims he is?
• Mechanisms:
• HTTP-basic/digest
• X.509 client certificate
• Form-based login
• Remember-me cookie
• …
• Your own authentication system
• Goal: Is the user allowed to do XYZ?
• Mechanisms:
• Request Authorization
• Controller Actions/Methods
Authorization
• Class-/Object-based
Authorization (ACL)

View Slide

25
The authorization system consists of many classes with a distinct purpose
AccessListener SecurityContext MethodSecurityInterceptor

View Slide

26
AccessDecisionManager

View Slide

27
The behavior of the AccessDecisionManager varies greatly depending on the voting
strategy
As soon as multiple voters can vote on the requested attributes or you request a vote on
multiple attributes, the voting strategy matters.
Affirmative Unanimous Consensus
• Least restrictive strategy
• Best performance when
granting access
• Symfony2‘s default voting
strategy
• Most restrictive strategy
• Best performance when
denying acess
• Compromise between
affirmative, and unanimous
strategy
• Equal performance for
granting and denying

View Slide

28
Voter

View Slide

29
Voter
AclVoter
RoleVoter
AuthenticatedVoter

View Slide

30
Voter
AclVoter
RoleVoter
AuthenticatedVoter
AclProvider
PermissionMap

View Slide

31
Voter
AclVoter
RoleVoter
AuthenticatedVoter
RoleHierarchy
AclProvider
PermissionMap

View Slide

32
Voter
AclVoter
RoleVoter
AuthenticatedVoter
RoleHierarchy
AclProvider
AuthenticationTrustResolver
PermissionMap

View Slide

33
Custom voters allow you to add more meaning to existing attributes

View Slide

34
Expressions are a viable alternative to the traditional attributes
AclVoter
RoleVoter
AuthenticatedVoter
RoleHierarchy
AclProvider AuthenticationTrustResolver
PermissionMap
ExpressionVoter
- Faster, more Efficient
- More Flexible
- Extensible

View Slide

35
There are many built-in expressions
Variables Functions
• hasRole(A)
• hasAnyRole(A, B)
• isAnonymous()
• isAuthenticated()
• isFullyAuthenticated()
• hasPermission(object, VIEW)
• token: current token in the SecurityContext
• user: logged in user object
• object: object that access is requested for
• #paramName: a method parameter
• permitAll
• denyAll
Expressions also support the binary operators && and || to form more complex
expressions.

View Slide

36
New Expressions can be added very easily

View Slide

37
Expressions can be use to implement a lightweight ACL-like system for simple use
cases

View Slide

38
Complex expressions can be reverse interpreted to find the denying expression

View Slide

39
Agenda
Introduction
Authentication
Authorization
General Concepts

View Slide

40
Web-Request authorization using access control
Best used for securing whole areas, but not for securing specific actions.

View Slide

41
Agenda
Introduction
Authentication
Authorization
General Concepts

View Slide

42
Securing Contoller Actions, and Methods

View Slide

43
Method Access Control is implemented via AOP Around Advices
Reusable AOP Implementation provided by JMSAopBundle
- Pointcut: Finds methods which have associated advices
- Interceptors:
- called for method invocations
- can return early and prevent execution of the original method/additional
interceptors
- can throw, or catch exceptions
- can modify the return value
- AOP is useful when implementing concerns which are not related to core
application functionality like security checks, logging, caching, etc.
- Core Application Logic is not aware of AOP code

View Slide

44
An example for converting procedural code to AOP code
@RunAs adds an advice to the fetchFeeds method which does not need to be
duplicated in each place where it is necessary.

View Slide

45
The same functionality, but in procedural code

View Slide

46
Agenda
Introduction
Authentication
Authorization
General Concepts

View Slide

47
The ACL system is fully decoupled from your domain objects and integrates with
them seamlessly
Domain Object
(Blog Post, Comment,
User, etc.)
Access Control List
(ACL)
Roles
Users
Security Identity
have exactly one
Access Control Entries
(ACEs)
may inherit from
has many
has many
Object Identity
has exactly one

View Slide

48
Class-based and Object-based Access Control Entries
Document „foo“
Document „bar“
Document „???“
Object-based
Class-based
Object-based ACEs are checked before Class-based ACEs.

View Slide

49
Field-based Access Control Entries
Order
• product
• quantity
• shipping address
• payment details
Anyone with access to the order may access these
Requires Special Admin Access

View Slide

50
Access Control Entry
• mask
• granting strategy
• granting
- permissions are stored as bitmasks
- up to 31 permissions per class
- multiple permissions can be stored
effeciently in the same ACE
- pre-defined permissions
- View
- Create
- Edit
- Delete
- Undelete
- Owner

View Slide

51
• mask
• granting
Defines the strategy by which bitmasks are
compared
- Any: $expected & $actual !== 0
- All: $expected & $actual === $actual
- Same: $expected === $actual

View Slide

52
• mask
• granting
- Whether the entry allows, or denies
access
- Useful in scenarios like
- „generally allow access to all
documents, but to a few specific
documents deny access“
- „generally deny access, but allow
access to a few specific documents“

View Slide

53
Access Control Entries can be inherited
Thread
Posts
Forum
Moderator ACE for
EDIT
Thread-Starter ACE
for EDIT
- Post-Creator ACE
for EDIT
- Thread-Starter ACE
for EDIT
- Moderator can not only edit forums, but also all
threads, and posts
- Thread-Starter can edit thread details, but not all
posts in the thread
- Post-Creator can edit his post

View Slide

54
Johannes Schmitt
[email protected]
https://github.org/schmittjoh
Thanks!

View Slide

Security and AOP in Symfony2

Security and AOP in Symfony2

schmittjoh

More Decks by schmittjoh

Other Decks in Programming

Featured

Transcript