New Symfony Tips & Tricks (SymfonyCon Paris 2015)
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Quem viu também gostou (20)
Semelhante a Love and Loss: A Symfony Security Play (20)
Mais de Kris Wallsmith (12)
Mais recentes (20)
Love and Loss: A Symfony Security Play
- 1. Love & Loss A Symfony Security Play
- 2. brewcycleportland.com
- 3. @kriswallsmith
- 4. assetic
- 5. Buzz
- 6. Spork
- 7. “…the current implementation of the Security Component is … not easily accessible” http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
- 8. “I would rather see Symfony2 postponed again or the Security Component removed … I don’t think it is even near of being usable to the community outside the core.” http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
- 9. “The past few days I have really be struggling with the Symfony2 security component. It is the most complex component of Symfony2 if you ask me!” http://blog.vandenbrand.org/2012/06/19/symfony2-authentication-provider-authenticate-against-webservice/
- 10. “(I’m) wondering if I should just work around rather than work with the framework” https://groups.google.com/forum/#!msg/symfony2/AZpgbEk4Src/73P99zOmq2YJ
- 11. Enhance your PHPfun!
- 12. http://curiouscomedy.org
- 13. HttpKernel kernel.exception kernel.request kernel.terminatekernel.controller kernel.view kernel.response
- 14. kernel.request kernel.controller kernel.view kernel.response kernel.terminate kernel.exception HttpKernel
- 15. kernel.request kernel.controller kernel.view kernel.response kernel.terminate kernel.exception HttpKernel
- 16. HttpKernel Get the response and get out
- 17. kernel.request Routeretc… Firewall
- 18. Firewall Just another listener
- 19. class YesFirewall { public function handle($event) { // always say yes } }
- 20. use SymfonyComponentHttpFoundationResponse; class NoFirewall { public function handle($event) { // always say no $event->setResponse( new Response('go away', 401) ); } }
- 21. use SymfonyComponentHttpFoundationResponse; class PickyFirewall { public function handle($event) { $request = $event->getRequest(); $user = $request->headers->get('PHP_AUTH_USER'); // only names that start with "Q" if ('Q' == $user[0]) return; $event->setResponse(new Response('go away', 401)); } }
- 22. Security Listeners The firewall’s henchmen
- 23. Firewall Listeners kernel.request
- 24. class Firewall { public $listeners = array(); public function handle($event) { foreach ($this->listeners as $listener) { $listener->handle($event); if ($event->hasResponse()) return; } } }
- 25. class YesListener { public function handle($event) { // always say yes } }
- 26. use SymfonyComponentHttpFoundationResponse; class NoListener { public function handle($event) { // always say no $event->setResponse( new Response('go away', 401) ); } }
- 27. use SymfonyComponentHttpFoundationResponse; class PickyListener { public function handle($event) { $request = $event->getRequest(); $user = $request->headers->get('PHP_AUTH_USER'); // only names that start with "Q" if ('Q' == $user[0]) return; $event->setResponse(new Response('go away', 401)); } }
- 28. Authentication Are you who you say you are?
- 29. Authorization Are you allowed to ____?
- 30. Tokens The Language of Security
- 31. Authentication Listeners Map from request to token
- 32. Request Response (?) Token CoreHTTP
- 33. Authentication Listener A Authentication Listener B Authentication Manager Firewall
- 34. class AuthenticationListener { public $authMan, $context; public function handle($e) { $r = $e->getRequest(); $u = $r->headers->get('PHP_AUTH_USER'); $t = new AnonToken($u); $t = $this->authMan->authenticate($t); $this->context->setToken($t); } }
- 35. class AuthenticationManager { public function authenticate($t) { // always say no } }
- 36. class AuthenticationManager { public function authenticate($t) { // always say yes return new AuthToken($t->getUser()); } }
- 37. class AuthenticationManager { public function authenticate($t) { $u = $t->getUser(); // only names that start with "Q" if ('Q' == $u[0]) { return new AuthToken($u); } } }
- 38. Authentication Manager Responsible for authenticating the token
- 39. Authentication Providers Do the actual authentication work
- 40. User Providers Authentication Providers Authentication Listener A Authentication Listener B Authentication Manager
- 41. User Providers Access the repository of users
- 42. class AuthenticationManager { public $providers = array(); public function authenticate($t) { foreach ($this->providers as $p) { if ($p->supports($t)) { return $p->authenticate($t); } } } }
- 43. class AuthenticationProvider { public $up; public function authenticate($t) { $u = $t->getUser(); $u = $this->up->loadUserByUsername($u); if ($u) return new AuthToken($u); } }
- 44. class UserProvider { public $repo; public function loadUserByUsername($u) { return ($this->repo->find(array( 'username' => $u, ))); } }
- 45. Authentication
- 46. Authentication Listeners • Map client data from request to token • Pass token to authentication manager • Update state of security context
- 47. Authentication Manager • Responsible for authenticating the token • Calls the appropriate authentication provider • Handles exceptions
- 48. Authentication Providers • Performs authentication using client data in the token • Marks the token as authenticated • Attaches the user object to the token
- 49. User Providers • Retrieves the user from the database
- 50. Authorization
- 51. class AuthorizationListener { public function handle($e) { // always say yes } }
- 52. use SymfonyComponentHttpFoundationResponse; class AuthorizationListener { public function handle($e) { // always say no $e->setResponse( new Response('go away', 403) ); } }
- 53. Access Map Looks at a request and determines token requirements
- 54. Access Decision Manager The gatekeeper
- 55. Voters Decision Manager Listener Map
- 56. use SymfonyComponentHttpFoundationResponse; class AccessListener { public $context, $map, $decider; public function handle($e) { $r = $e->getRequest(); $t = $this->context->getToken(); $reqs = $this->map->getRequirements($r); if (!$this->decider->decide($t, $reqs)) { $e->setResponse( new Response('go away', 403) ); } } }
- 57. class AccessMap { public function getRequirements($r) { $path = $r->getPathInfo(); if (0 === strpos($path, '/admin')) { return array('ADMIN'); } } }
- 58. class AccessDecisionManager { public $voters; public function decide($t, $reqs) { foreach ($this->voters as $v) { if ($v->vote($t, null, $reqs)) { return true; } } return false; } }
- 59. class AccessVoter { public function vote($t, $obj, $reqs) { foreach ($reqs as $req) { if (!$t->hasAttribute($req)) { return false; } } return true; } }
- 60. Authorization
- 61. Extension Points
- 62. The firewall has many listeners
- 63. The authentication manager has many authentication providers
- 64. Which MAY rely on user providers
- 65. The access decision manager has many voters Authenticated Roles ACL
- 66. Questions?
- 67. is hiring
- 68. “Horrible” “Worst talk ever” “Go back to high school” https://joind.in/8665
