Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security - In Real Life

Avatar for schmittjoh schmittjoh
June 09, 2012
2
4.7k

Security - In Real Life

Avatar for schmittjoh

schmittjoh

June 09, 2012
Tweet

More Decks by schmittjoh

See All by schmittjoh
Improving Code Quality continuously
Avatar for schmittjoh schmittjoh
2
1k
Security and AOP in Symfony2
Avatar for schmittjoh schmittjoh
12
4.1k
twig.js: The Templating Engine for the Client-Side
Avatar for schmittjoh schmittjoh
4
7.9k

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
30
2.1k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
299
21k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
69
4.7k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.8k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
54
6.4k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
94
14k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
2.9k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
270
20k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
720

Transcript

  1. Security In Real Life

  2. 2 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Agenda Introduction Authentication System Authorization System Real Life Use Cases

  3. 3 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Agenda Introduction Authentication System Authorization System Real Life Use Cases

  4. 4 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap

  5. 5 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners

  6. 6 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners Token

  7. 7 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token

  8. 8 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token UserProvider

  9. 9 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token UserProvider Encoder

  10. 10 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthenticationProvider Token UserProvider Encoder UserChecker

  11. 11 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthFailureHandler AuthenticationProvider Token UserProvider Encoder UserChecker

  12. 12 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy UserProvider Encoder UserChecker

  13. 13 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthSuccessHandler AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy UserProvider Encoder UserChecker

  14. 14 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthSuccessHandler AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy RememberMe UserProvider Encoder UserChecker

  15. 15 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthSuccessHandler AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy RememberMe LogoutHandler LogoutSuccessHandler UserProvider Encoder UserChecker

  16. 16 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Agenda Introduction Authentication System Authorization System Real Life Use Cases

  17. 17 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor

  18. 18 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager

  19. 19 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter

  20. 20 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter

  21. 21 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter AclProvider PermissionMap

  22. 22 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter RoleHierarchy AclProvider PermissionMap

  23. 23 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter RoleHierarchy AclProvider AuthenticationTrustResolver PermissionMap

  24. 24 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter RoleHierarchy AclProvider AuthenticationTrustResolver PermissionMap ExpressionVoter

  25. 25 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Agenda Introduction Authentication System Authorization System Real Life Use Cases

  26. 26 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Use Case #1: I want to functionally test my application. How can I test parts that need a logged-in user?

  27. 27 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Use Case #2: In my application, I want to customize what happens when access is denied.

  28. 28 Johannes Schmitt | Security: In Real Life | 07.06.2012

    ExceptionListener The exception listener can be invoked from any part of your code EntryPoint AccessDeniedHandler Do not write your own exception listener which handles AccessDeniedExceptions! AuthenticationException AccessDeniedException

  29. 29 Johannes Schmitt | Security: In Real Life | 07.06.2012

    We only need to adjust specific parts of the security system - AccessDeniedHandler - Configuration

  30. 30 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Use Case #3: In my application, I want to use the ACL system. Are there best practices for integrating it?

  31. 31 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Use Case #4: In my application, I do not want to use an ORM, but receive all user details via an API.

  32. 32 Johannes Schmitt | Security: In Real Life | 07.06.2012

    We only need to adjust specific parts of the security system - AuthenticationProvider - Configuration

  33. 33 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Use Case #5: In my application, I want to allow login via AJAX.

  34. 34 Johannes Schmitt | Security: In Real Life | 07.06.2012

    We only need to adjust specific parts of the security system - AuthenticationSuccessHandler - AuthenticationFailureHandler - Configuration

  35. 35 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Use Case #6: In my application, I want to have localized paths for login.

  36. 36 Johannes Schmitt | Security: In Real Life | 07.06.2012

    What needs to be changed? Configuration only!

  37. 37 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Use Case #7: In my application, I want to offer multiple login options like Twitter, Facebook, etc. in addition to form login.

  38. 38 Johannes Schmitt | Security: In Real Life | 07.06.2012

    We are going to assume the following database schema

  39. 39 Johannes Schmitt | Security: In Real Life | 07.06.2012

    We only need to adjust specific parts of the security system - EntryPoint - User Providers - Github User Provider - Twitter User Provider - Id-based User Provider - Email-based User Provider - Configuration

  40. 40 Johannes Schmitt | Security: In Real Life | 07.06.2012

    Thanks! Twitter: @JohannesMS Github: schmittjoh http://jmsyst.com/

  41. 41 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authentication system consists of many classes with a distinct purpose FirewallListener FirewallMap Listeners AuthSuccessHandler AuthFailureHandler AuthenticationProvider Token SessionAuthStrategy RememberMe LogoutHandler LogoutSuccessHandler UserProvider Encoder UserChecker

  42. 42 Johannes Schmitt | Security: In Real Life | 07.06.2012

    The authorization system consists of many classes with a distinct purpose AccessListener SecurityContext MethodSecurityInterceptor AccessDecisionManager Voter AclVoter RoleVoter AuthenticatedVoter RoleHierarchy AclProvider AuthenticationTrustResolver PermissionMap ExpressionVoter

  43. 43 Johannes Schmitt | Security: In Real Life | 07.06.2012

    ExceptionListener The exception listener can be invoked from any part of your code EntryPoint AccessDeniedHandler AuthenticationException AccessDeniedException