love and loss: a symfony security play
DESCRIPTION
The security component tackles the complex problems of authentication and authorization by spreading concerns across a number of single-responsibility objects. This is a flexible design, but difficult for beginners to navigate. This presentation will bring the security component to life for us all to understand! Join us to see some of your favorite members of the Symfony community perform the security component in a series of scenes, interspersed with technical descriptions of what's going on.
TRANSCRIPT
![Page 1: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/1.jpg)
Love & Loss: A Symfony Security Play
![Page 2: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/2.jpg)
brewcycleportland.com
![Page 3: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/3.jpg)
@kriswallsmith
![Page 4: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/4.jpg)
assetic
![Page 5: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/5.jpg)
Buzz
![Page 6: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/6.jpg)
Spork
![Page 7: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/7.jpg)
![Page 8: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/8.jpg)
![Page 9: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/9.jpg)
“…the current implementation of the Security Component is … not easily accessible”
http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
![Page 10: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/10.jpg)
“I would rather see Symfony2 postponed again or the Security Component removed …
I don’t think it is even near of being usable to the community outside the core.”
http://www.testically.org/2011/03/14/why-i-gave-up-on-the-symfony2-security-component/
![Page 11: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/11.jpg)
“The past few days I have really be struggling with the Symfony2 security component. It is the most complex component of
Symfony2 if you ask me!”
http://blog.vandenbrand.org/2012/06/19/symfony2-authentication-provider-authenticate-against-webservice/
![Page 12: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/12.jpg)
“(I’m) wondering if I should just work around rather than work with the framework”
https://groups.google.com/forum/#!msg/symfony2/AZpgbEk4Src/73P99zOmq2YJ
![Page 13: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/13.jpg)
![Page 14: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/14.jpg)
![Page 15: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/15.jpg)
Enhance your PHP fun!
![Page 16: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/16.jpg)
http://curiouscomedy.org
![Page 17: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/17.jpg)
![Page 18: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/18.jpg)
![Page 19: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/19.jpg)
HttpKernel events: kernel.request, kernel.controller, kernel.view, kernel.response, kernel.terminate, and kernel.exception
![Page 20: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/20.jpg)
![Page 21: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/21.jpg)
![Page 22: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/22.jpg)
HttpKernel
Get the response and get out
![Page 23: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/23.jpg)
kernel.request listeners: Router, Firewall, etc…
![Page 24: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/24.jpg)
Firewall
Just another listener
![Page 25: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/25.jpg)
```php
class YesFirewall
{
    public function handle($event)
    {
        // always say yes: leave the event untouched and the request continues
    }
}
```
![Page 26: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/26.jpg)
```php
use Symfony\Component\HttpFoundation\Response;

class NoFirewall
{
    public function handle($event)
    {
        // always say no: setting a response short-circuits the request
        $event->setResponse(new Response('go away', 401));
    }
}
```
![Page 27: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/27.jpg)
```php
use Symfony\Component\HttpFoundation\Response;

class PickyFirewall
{
    public function handle($event)
    {
        $request = $event->getRequest();
        $user = $request->headers->get('PHP_AUTH_USER');

        // only names that start with "Q"; a missing header falls through to the denial
        if (isset($user[0]) && 'Q' === $user[0]) {
            return;
        }

        $event->setResponse(new Response('go away', 401));
    }
}
```
![Page 28: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/28.jpg)
Security Listeners
The firewall's henchmen
![Page 29: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/29.jpg)
Diagram: kernel.request → Firewall → Listeners
![Page 30: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/30.jpg)
```php
class Firewall
{
    public $listeners = array();

    public function handle($event)
    {
        foreach ($this->listeners as $listener) {
            $listener->handle($event);

            // the first listener to produce a response ends the chain
            if ($event->hasResponse()) {
                return;
            }
        }
    }
}
```
![Page 31: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/31.jpg)
```php
class YesListener
{
    public function handle($event)
    {
        // always say yes: leave the event untouched and the request continues
    }
}
```
![Page 32: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/32.jpg)
```php
use Symfony\Component\HttpFoundation\Response;

class NoListener
{
    public function handle($event)
    {
        // always say no: setting a response short-circuits the request
        $event->setResponse(new Response('go away', 401));
    }
}
```
![Page 33: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/33.jpg)
```php
use Symfony\Component\HttpFoundation\Response;

class PickyListener
{
    public function handle($event)
    {
        $request = $event->getRequest();
        $user = $request->headers->get('PHP_AUTH_USER');

        // only names that start with "Q"; a missing header falls through to the denial
        if (isset($user[0]) && 'Q' === $user[0]) {
            return;
        }

        $event->setResponse(new Response('go away', 401));
    }
}
```
![Page 34: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/34.jpg)
Authentication
Are you who you say you are?
![Page 35: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/35.jpg)
Authorization
Are you allowed to ____?
![Page 36: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/36.jpg)
Tokens
The Language of Security
![Page 37: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/37.jpg)
Authentication Listeners
Map from request to token
![Page 38: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/38.jpg)
Diagram: Request in (HTTP side), Token out (Core side), and optionally a Response
![Page 39: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/39.jpg)
![Page 40: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/40.jpg)
![Page 41: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/41.jpg)
Diagram: Firewall → Authentication Listener A, Authentication Listener B → Authentication Manager
![Page 42: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/42.jpg)
```php
class AuthenticationListener
{
    public $authMan, $context;

    public function handle($e)
    {
        $r = $e->getRequest();
        $u = $r->headers->get('PHP_AUTH_USER');

        // map the request to an unauthenticated token, then ask the manager
        $t = new AnonToken($u);
        $t = $this->authMan->authenticate($t);

        // update the security context with whatever came back
        $this->context->setToken($t);
    }
}
```
![Page 43: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/43.jpg)
```php
class AuthenticationManager
{
    public function authenticate($t)
    {
        // always say no: never return an authenticated token
    }
}
```
![Page 44: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/44.jpg)
```php
class AuthenticationManager
{
    public function authenticate($t)
    {
        // always say yes: every token becomes an authenticated one
        return new AuthToken($t->getUser());
    }
}
```
![Page 45: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/45.jpg)
```php
class AuthenticationManager
{
    public function authenticate($t)
    {
        $u = $t->getUser();

        // only names that start with "Q"; anything else gets no token back
        if (isset($u[0]) && 'Q' === $u[0]) {
            return new AuthToken($u);
        }
    }
}
```
![Page 46: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/46.jpg)
Authentication Manager
Responsible for authenticating the token
![Page 47: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/47.jpg)
Authentication Providers
Do the actual authentication work
![Page 48: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/48.jpg)
Diagram: Authentication Listener A, Authentication Listener B → Authentication Manager → Authentication Providers → User Providers
![Page 49: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/49.jpg)
User Providers
Access the repository of users
![Page 50: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/50.jpg)
```php
class AuthenticationManager
{
    public $providers = array();

    public function authenticate($t)
    {
        // delegate to the first provider that supports this kind of token
        foreach ($this->providers as $p) {
            if ($p->supports($t)) {
                return $p->authenticate($t);
            }
        }
    }
}
```
![Page 51: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/51.jpg)
```php
class AuthenticationProvider
{
    public $up;

    // the manager only hands us tokens we claim to support
    public function supports($t)
    {
        return $t instanceof AnonToken;
    }

    public function authenticate($t)
    {
        $u = $t->getUser();
        $u = $this->up->loadUserByUsername($u);

        // an unknown user yields no authenticated token
        if ($u) {
            return new AuthToken($u);
        }
    }
}
```
![Page 52: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/52.jpg)
```php
class UserProvider
{
    public $repo;

    public function loadUserByUsername($u)
    {
        // look the user up in the repository by username
        return $this->repo->find(array(
            'username' => $u,
        ));
    }
}
```
![Page 53: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/53.jpg)
Authentication
![Page 54: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/54.jpg)
Authentication Listeners
• Map client data from request to token
• Pass token to authentication manager
• Update state of security context
![Page 55: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/55.jpg)
Authentication Manager
• Responsible for authenticating the token
• Calls the appropriate authentication provider
• Handles exceptions
![Page 56: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/56.jpg)
Authentication Providers
• Performs authentication using client data in the token
• Marks the token as authenticated
• Attaches the user object to the token
![Page 57: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/57.jpg)
User Providers
• Retrieves the user from the database
![Page 58: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/58.jpg)
Authorization
![Page 59: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/59.jpg)
```php
class AuthorizationListener
{
    public function handle($e)
    {
        // always say yes: leave the event untouched and the request continues
    }
}
```
![Page 60: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/60.jpg)
```php
use Symfony\Component\HttpFoundation\Response;

class AuthorizationListener
{
    public function handle($e)
    {
        // always say no: an authenticated but unauthorized request gets a 403
        $e->setResponse(new Response('go away', 403));
    }
}
```
![Page 61: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/61.jpg)
Access Map
Looks at a request and determines token requirements
![Page 62: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/62.jpg)
Access Decision Manager
The gatekeeper
![Page 63: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/63.jpg)
Diagram: Listener → Access Map; Listener → Decision Manager → Voters
![Page 64: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/64.jpg)
```php
use Symfony\Component\HttpFoundation\Response;

class AccessListener
{
    public $context, $map, $decider;

    public function handle($e)
    {
        $r = $e->getRequest();
        $t = $this->context->getToken();

        // what does this request require, and does the token satisfy it?
        $reqs = $this->map->getRequirements($r);

        if (!$this->decider->decide($t, $reqs)) {
            $e->setResponse(new Response('go away', 403));
        }
    }
}
```
![Page 65: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/65.jpg)
```php
class AccessMap
{
    public function getRequirements($r)
    {
        $path = $r->getPathInfo();

        if (0 === strpos($path, '/admin')) {
            return array('ADMIN');
        }

        // every other path has no requirements (an empty list, not null)
        return array();
    }
}
```
![Page 66: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/66.jpg)
```php
class AccessDecisionManager
{
    public $voters;

    public function decide($t, $reqs)
    {
        // a single voter granting access is enough
        foreach ($this->voters as $v) {
            if ($v->vote($t, null, $reqs)) {
                return true;
            }
        }

        // no voter granted access: deny
        return false;
    }
}
```
![Page 67: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/67.jpg)
```php
class AccessVoter
{
    public function vote($t, $obj, $reqs)
    {
        // the token must carry every attribute the request requires
        foreach ($reqs as $req) {
            if (!$t->hasAttribute($req)) {
                return false;
            }
        }

        return true;
    }
}
```
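As an added example (not code from the talk), the authentication chain summarised in the earlier slides and the access map / decision manager / voter chain above, wired end to end in plain PHP; Req, Evt, Token, the closures and the $users data are stand-ins constructed for this example, not Symfony classes.

```php
<?php
// Added example (not code from the talk): the slide's pieces wired end to end,
// with tiny stand-ins for Symfony's Request, event and token so it runs alone.
// Req, Evt, Token and the $users array are constructed for this example only.
final class Req { public function __construct(public string $path, public ?string $user) {} }
final class Evt {
    public ?array $response = null;
    public ?Token $token = null;   // stands in for the security context
    public function __construct(public Req $req) {}
    public function deny(int $status): void { $this->response = [$status, 'go away']; }
}
final class Token {
    public function __construct(public string $user, public array $roles = [], public bool $auth = false) {}
    public function hasAttribute(string $r): bool { return in_array($r, $this->roles, true); }
}
// User provider: the repository of users (constructed sample data: username => roles).
$users = ['quincy' => ['ADMIN'], 'qasim' => []];
$loadUser = fn(string $u): ?array => $users[$u] ?? null;
// Authentication provider: anonymous token in, authenticated token out (null = unknown user).
$authProvider = function (Token $t) use ($loadUser): ?Token {
    $roles = $loadUser($t->user);
    return $roles === null ? null : new Token($t->user, $roles, true);
};
// Authentication listener: credentials -> token -> provider -> context. Bad credentials => 401.
$authListener = function (Evt $e) use ($authProvider): void {
    if ($e->req->user === null) return;            // no credentials: stay anonymous
    $t = $authProvider(new Token($e->req->user));
    if ($t === null) { $e->deny(401); return; }    // credentials presented but unknown
    $e->token = $t;
};
// Access map: attributes a path requires. Always an array, never null.
$accessMap = fn(Req $r): array => str_starts_with($r->path, '/admin') ? ['ADMIN'] : [];
// Voter: every required attribute must be on the token.
$roleVoter = function (Token $t, array $reqs): bool {
    foreach ($reqs as $req) { if (!$t->hasAttribute($req)) return false; }
    return true;
};
// Decision manager: any voter may grant; anonymous tokens only pass when nothing is required.
$decide = function (?Token $t, array $reqs) use ($roleVoter): bool {
    if ($t === null || !$t->auth) return $reqs === [];
    foreach ([$roleVoter] as $v) { if ($v($t, $reqs)) return true; }
    return false;   // no voter granted: fail closed
};
$accessListener = function (Evt $e) use ($accessMap, $decide): void {
    if (!$decide($e->token, $accessMap($e->req))) $e->deny(403);
};
// Firewall: run listeners in order; the first response ends the chain.
function firewall(array $listeners, Evt $e): Evt {
    foreach ($listeners as $l) { $l($e); if ($e->response !== null) break; }
    return $e;
}
$cases = [['/', null], ['/admin', null], ['/admin', 'quincy'], ['/admin', 'qasim'], ['/admin', 'mallory']];
foreach ($cases as [$path, $user]) {
    $e = firewall([$authListener, $accessListener], new Evt(new Req($path, $user)));
    printf("%-7s %-8s => %s\n", $path, $user ?? '(anon)', $e->response[0] ?? 'ok');
}
```

The five cases show the two distinct denials the listeners produce: 401 when credentials are presented but no provider can authenticate them, 403 when the token (anonymous or authenticated) lacks what the access map requires.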
![Page 68: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/68.jpg)
Authorization
![Page 69: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/69.jpg)
Extension Points
![Page 70: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/70.jpg)
The firewall has many listeners
![Page 71: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/71.jpg)
The authentication manager has many authentication providers
![Page 72: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/72.jpg)
Which MAY rely on user providers
![Page 73: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/73.jpg)
The access decision manager has many voters
Authenticated
Roles
ACL
![Page 74: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/74.jpg)
Questions?
![Page 75: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/75.jpg)
is hiring
![Page 76: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/76.jpg)
![Page 77: Love and Loss: A Symfony Security Play](https://reader036.vdocuments.net/reader036/viewer/2022081513/554f4b86b4c905b9508b4920/html5/thumbnails/77.jpg)
“Horrible”
“Worst talk ever”
“Go back to high school”
https://joind.in/8665