O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

Love and Loss: A Symfony Security Play

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Carregando em…3
×

Confira estes a seguir

1 de 77 Anúncio

Love and Loss: A Symfony Security Play

Baixar para ler offline

The security component tackles the complex problems of authentication and authorization by spreading concerns across a number of single responsibility objects. This is a flexible design, but difficult for beginners to navigate. This presentation will bring the security component to life for us all to understand! Join us to see some of your favorite members of the Symfony community perform the security component in a series of scenes, interspliced with some technical descriptions of what's going on.

The security component tackles the complex problems of authentication and authorization by spreading concerns across a number of single responsibility objects. This is a flexible design, but difficult for beginners to navigate. This presentation will bring the security component to life for us all to understand! Join us to see some of your favorite members of the Symfony community perform the security component in a series of scenes, interspliced with some technical descriptions of what's going on.

Anúncio
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (20)

Anúncio

Semelhante a Love and Loss: A Symfony Security Play (20)

Anúncio

Mais recentes (20)

Love and Loss: A Symfony Security Play

  1. 1. Love & Loss A Symfony Security Play
  2. 2. brewcycleportland.com
  3. 3. @kriswallsmith
  4. 4. assetic
  5. 5. Buzz
  6. 6. Spork
  7. 7. “…the current implementation of the Security Component is … not easily accessible” http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
  8. 8. “I would rather see Symfony2 postponed again or the Security Component removed … I don’t think it is even near of being usable to the community outside the core.” http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
  9. 9. “The past few days I have really be struggling with the Symfony2 security component. It is the most complex component of Symfony2 if you ask me!” http://blog.vandenbrand.org/2012/06/19/symfony2-authentication-provider-authenticate-against-webservice/
  10. 10. “(I’m) wondering if I should just work around rather than work with the framework” https://groups.google.com/forum/#!msg/symfony2/AZpgbEk4Src/73P99zOmq2YJ
  11. 11. Enhance your PHPfun!
  12. 12. http://curiouscomedy.org
  13. 13. HttpKernel kernel.exception kernel.request kernel.terminatekernel.controller kernel.view kernel.response
  14. 14. kernel.request kernel.controller kernel.view kernel.response kernel.terminate kernel.exception HttpKernel
  15. 15. kernel.request kernel.controller kernel.view kernel.response kernel.terminate kernel.exception HttpKernel
  16. 16. HttpKernel Get the response and get out
  17. 17. kernel.request Routeretc… Firewall
  18. 18. Firewall Just another listener
  19. 19. class YesFirewall { public function handle($event) { // always say yes } }
  20. 20. use SymfonyComponentHttpFoundationResponse; class NoFirewall { public function handle($event) { // always say no $event->setResponse( new Response('go away', 401) ); } }
  21. 21. use SymfonyComponentHttpFoundationResponse; class PickyFirewall { public function handle($event) { $request = $event->getRequest(); $user = $request->headers->get('PHP_AUTH_USER'); // only names that start with "Q" if ('Q' == $user[0]) return; $event->setResponse(new Response('go away', 401)); } }
  22. 22. Security Listeners The firewall’s henchmen
  23. 23. Firewall Listeners kernel.request
  24. 24. class Firewall { public $listeners = array(); public function handle($event) { foreach ($this->listeners as $listener) { $listener->handle($event); if ($event->hasResponse()) return; } } }
  25. 25. class YesListener { public function handle($event) { // always say yes } }
  26. 26. use SymfonyComponentHttpFoundationResponse; class NoListener { public function handle($event) { // always say no $event->setResponse( new Response('go away', 401) ); } }
  27. 27. use SymfonyComponentHttpFoundationResponse; class PickyListener { public function handle($event) { $request = $event->getRequest(); $user = $request->headers->get('PHP_AUTH_USER'); // only names that start with "Q" if ('Q' == $user[0]) return; $event->setResponse(new Response('go away', 401)); } }
  28. 28. Authentication Are you who you say you are?
  29. 29. Authorization Are you allowed to ____?
  30. 30. Tokens The Language of Security
  31. 31. Authentication Listeners Map from request to token
  32. 32. Request Response (?) Token CoreHTTP
  33. 33. Authentication Listener A Authentication Listener B Authentication Manager Firewall
  34. 34. class AuthenticationListener { public $authMan, $context; public function handle($e) { $r = $e->getRequest(); $u = $r->headers->get('PHP_AUTH_USER'); $t = new AnonToken($u); $t = $this->authMan->authenticate($t); $this->context->setToken($t); } }
  35. 35. class AuthenticationManager { public function authenticate($t) { // always say no } }
  36. 36. class AuthenticationManager { public function authenticate($t) { // always say yes return new AuthToken($t->getUser()); } }
  37. 37. class AuthenticationManager { public function authenticate($t) { $u = $t->getUser(); // only names that start with "Q" if ('Q' == $u[0]) { return new AuthToken($u); } } }
  38. 38. Authentication Manager Responsible for authenticating the token
  39. 39. Authentication Providers Do the actual authentication work
  40. 40. User Providers Authentication Providers Authentication Listener A Authentication Listener B Authentication Manager
  41. 41. User Providers Access the repository of users
  42. 42. class AuthenticationManager { public $providers = array(); public function authenticate($t) { foreach ($this->providers as $p) { if ($p->supports($t)) { return $p->authenticate($t); } } } }
  43. 43. class AuthenticationProvider { public $up; public function authenticate($t) { $u = $t->getUser(); $u = $this->up->loadUserByUsername($u); if ($u) return new AuthToken($u); } }
  44. 44. class UserProvider { public $repo; public function loadUserByUsername($u) { return ($this->repo->find(array( 'username' => $u, ))); } }
  45. 45. Authentication
  46. 46. Authentication Listeners • Map client data from request to token • Pass token to authentication manager • Update state of security context
  47. 47. Authentication Manager • Responsible for authenticating the token • Calls the appropriate authentication provider • Handles exceptions
  48. 48. Authentication Providers • Performs authentication using client data in the token • Marks the token as authenticated • Attaches the user object to the token
  49. 49. User Providers • Retrieves the user from the database
  50. 50. Authorization
  51. 51. class AuthorizationListener { public function handle($e) { // always say yes } }
  52. 52. use SymfonyComponentHttpFoundationResponse; class AuthorizationListener { public function handle($e) { // always say no $e->setResponse( new Response('go away', 403) ); } }
  53. 53. Access Map Looks at a request and determines token requirements
  54. 54. Access Decision Manager The gatekeeper
  55. 55. Voters Decision Manager Listener Map
  56. 56. use SymfonyComponentHttpFoundationResponse; class AccessListener { public $context, $map, $decider; public function handle($e) { $r = $e->getRequest(); $t = $this->context->getToken(); $reqs = $this->map->getRequirements($r); if (!$this->decider->decide($t, $reqs)) { $e->setResponse( new Response('go away', 403) ); } } }
  57. 57. class AccessMap { public function getRequirements($r) { $path = $r->getPathInfo(); if (0 === strpos($path, '/admin')) { return array('ADMIN'); } } }
  58. 58. class AccessDecisionManager { public $voters; public function decide($t, $reqs) { foreach ($this->voters as $v) { if ($v->vote($t, null, $reqs)) { return true; } } return false; } }
  59. 59. class AccessVoter { public function vote($t, $obj, $reqs) { foreach ($reqs as $req) { if (!$t->hasAttribute($req)) { return false; } } return true; } }
  60. 60. Authorization
  61. 61. Extension Points
  62. 62. The firewall has many listeners
  63. 63. The authentication manager has many authentication providers
  64. 64. Which MAY rely on user providers
  65. 65. The access decision manager has many voters Authenticated Roles ACL
  66. 66. Questions?
  67. 67. is hiring
  68. 68. “Horrible” “Worst talk ever” “Go back to high school” https://joind.in/8665

×