Security Basics

8th November 2011

Sam Jarrett

About me

who is this guy, and how did he get such a cool 'stache?

Sam Jarrett

Open source developer, Symfony contributor & enthusiast.

5 years PHP & web commercial experience,
Zend Certified PHP 5.2 (5.3 in progress).
#melbsf2 event co-organiser.

Lover of all things < 141 characters & you can follow me @sammyjarrett.

What's a Security?

Ideally, this is you right now:

You've started playing with Symfony2 and Doctrine2,
You've looked at Controllers, Annotations, Doctrine Entities, the Entity Manager, etc, and are fairly comfortable working with these concepts. Anyone who's attended some of these previous sessions should be OK.

Maybe some of these could apply to you..

I've read the Security manual online and got confused.
The manual didn't answer my questions
I laugh in the face of manuals! Hah hah hah..
What's a manual? There's a manual for Symfony?

What's in it for me?

Hopefully after tonight, you'll be able to:

Set up restricted URLs of your project to require a user to be logged in,
Restrict some controller actions to authenticated users only,
Change items in a template (view) based on the user being logged in
Log a user in using a simple login form
Access that user entity from any controller or template

And later in the night... Julien will present FOSUserBundle.

Infrastructure

The Symfony2 security component is broken up into two main parts: authentication and authorisation.

Authentication:

logs the user in
verifies credentials
can use many methods (username/password, X.509 certificate, other*)

Authorization Authorisation:

checks if the user has permission to access a resource
roles, ACL, SSL/HTTPS
From the book: “Authorization provides a standard and powerful way to decide if a user can access any resource (a URL, a model object, a method call, ...)”

Itinerary

1. Authentication

Configuring the Firewall, part 1
HTTP basic authentication & some hardcoded users
Configuring the Firewall, part 2
A more real-world use: Using Doctrine & a login form
Expanding our knowledge: Some additional food for thought
Using multiple Entities, the future of authentication

2. Authorization

Securing a controller
Restricting URL patterns, functions & altering logic based on user context
Tweaking twig
Changing template content based on user context
Advanced concepts
Object-based access control, etc

1.1. Configuring the Firewall, part 1

Security configuration happens in app/config/security.yml.
Contents will be explained in detail in following pages
Example security.yml file below

security:
	encoders:
		Symfony\Component\Security\Core\User\User: plaintext
	role_hierarchy:
		ROLE_ADMIN: ROLE_USER
		ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
	providers:
		in_memory:
			users:
				user:  { password: userpass, roles: [ 'ROLE_USER' ] }
				admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
	firewalls:
		secured_area:
			pattern: ^/secure/
			http_basic:
				realm: "Secured Area"
			stateless: true

Encoders

All security entities need to have a password encoder
Handle encoding & comparing passwords for you
PHP function hash_algos() to display available encoding methods
Plaintext means not encoded

security:
	encoders:
		Symfony\Component\Security\Core\User\User: plaintext

Remarks:

Symfony\Component\Security\Core\User\User: Full class name (including namespace) of the user entity; currently set to use in-memory entity
plaintext: This is the encoder used; sha512 is commonly used; you can write your own.

Roles

All users must be assigned to one or more roles.
Roles are prefixed with ROLE_
Users typically obtain ROLE_USER, administrators ROLE_ADMIN.
Roles are hierarchical & user may have multiple roles.

security:
	...
	role_hierarchy:
		ROLE_ADMIN: ROLE_USER
		ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

Remarks:

ROLE_ADMIN: ROLE_USER: Defines ROLE_ADMIN as being an extension of ROLE_USER.
ROLE_SUPER_ADMIN: [ROLE_USER, ...]: ROLE_SUPER_ADMIN is an extension of multiple roles.
ROLE_ALLOWED_TO_SWITCH: Symfony provides a number of reserved role names to provide special functionality. ROLE_ALLOWED_TO_SWITCH allows a user to swap to another user without having to log in as them

User Providers

What your users authenticate against.
Can be in-memory (users are all defined before the application boots),
Doctrine, or
Completely custom entity.

security:
	...
	providers:
		in_memory:
			users:
				user:  { password: userpass, roles: [ 'ROLE_USER' ] }
				admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

Remarks:

in_memory: This is the name of my provider.
users: List of hard-coded username, password and roles
user: { password: userpass, roles: [ 'ROLE_USER' ] }: Example of a hard-coded user entry.

Firewalls

Defines authenticated/secure areas of application
Application can contain multiple
Each firewall is independent
Config is evaluated top to bottom

security:
	...
	firewalls:
		secured_area:
			pattern: ^/secure/
			http_basic:
				realm: "Secured Area"
			stateless: true

Remarks:

secured_area: The name of my firewall.
pattern: ^/secure/: Regular expression for what URLs are covered.
http_basic: Authentication method in use. Symfony includes HTTP basic & digest, login form, and x.509 certificates. Extensions are available to add other methods.

1.2. Configuring the Firewall, part 2

Doctrine-based
Login form
Simple!
Example security.yml below

security:
	encoders:
		MelbSymfony2\Bundle\SecurityExampleBundle\Entity\User: plaintext
	...
	providers:
			main:
				entity: { class: MelbSymfony2\Bundle\SecurityExampleBundle\Entity\User, property: username }
	...
	firewalls:
		login:
			pattern: ^/secure/login$
			security: false
		secured_area:
			pattern: ^/secure/
			form_login:
				check_path: /secure/login_check
				login_path: /secure/login
			logout:
				path: /secure/logout
				target: /

Introducing our new user provider!

In-memory provider is changed to a Doctrine entity
Entities must implement UserInterface interface
Symfony/Doctrine handle the rest

encoders:
	MelbSymfony2\Bundle\SecurityExampleBundle\Entity\User: plaintext
...
providers:
		main:
			entity: { class: MelbSymfony2\Bundle\SecurityExampleBundle\Entity\User, property: username }

Remarks:

entity: { class: ...: Class name of our Doctrine entity.
Every authenticate-able user object must have an encoder.
property: username: The property used to get the login username. UserInterface requires your class to define a getUsername() method.

Some new firewall rules

You must disable security to your login page
Example below

firewalls:
	login:
		pattern: ^/secure/login$
		security: false

Remarks:

pattern: ^/secure/login$: URL to our application's login page.
security: false: Disables further firewall processing for that URL pattern.

Some more new firewall rules

firewalls:
	...
	secured_area:
		pattern: ^/secure/
		form_login:
			check_path: /secure/login_check
			login_path: /secure/login
		logout:
			path: /secure/logout
			target: /

Remarks:

form_login: Use web form to login.
check_path: URL where the form submits to, to authenticate credentials.
login_path: URL where the login form is, for authentication failures.
logout: Handles users logging out.
Many more options for configuration available. Review Symfony book for more info!

We add a Controller...

// namspace & use declarations

class SecurityController extends Controller
{
	/**
	 * @Route("/secure/login", name="user_login")
	 * @Template
	 */
	public function loginAction()
	{
		$request = $this->getRequest();
		$session = $request->getSession();

		// get the login error if there is one
		if ($request->attributes->has(SecurityContext::AUTHENTICATION_ERROR)) {
			$error = $request->attributes->get(SecurityContext::AUTHENTICATION_ERROR);
		} else {
			$error = $session->get(SecurityContext::AUTHENTICATION_ERROR);
		}

		return array(
			'last_username' => $session->get(SecurityContext::LAST_USERNAME),
			'error' => $error,
		);
	}
}

Our Controller in more detail

/**
 * @Route("/secure/login", name="user_login")
 * @Template
 */

Route for our insecure login form

if ($request->attributes->has(SecurityContext::AUTHENTICATION_ERROR)) {
	$error = $request->attributes->get(SecurityContext::AUTHENTICATION_ERROR);
} else {
	$error = $session->get(SecurityContext::AUTHENTICATION_ERROR);
}

Authentication error message is stored in Session / Request as an attribute.

return array(
	'last_username' => $session->get(SecurityContext::LAST_USERNAME)
	//... 
);

Last username entered.
Template use only
Security lockouts, etc

Some twig magic + a working login form!

Login forms are simple
Can't use forms framework to generate

{% if error %}
	<div>{{ error.message }}</div>
{% endif %}

<form action="{{ path('login_check') }}" method="post">
	<label for="username">Username:</label>
	<input type="text" id="username" name="_username" value="{{ last_username }}" />

	<label for="password">Password:</label>
	<input type="password" id="password" name="_password" />

	<input type="submit" name="login" />
</form>

Remarks:

{% if error %}: If error is present, user has failed authentication.
{{ path('login_check') }}: Form submits to login_check path from security.yml.

1.3. Expanding our knowledge

We've made it here - well done!

We now have a fully functioning authentication system.

Some further thinking...

Symfony supports authenticating on multiple providers. http://symfony.com/.../security.html#using...-providers
We can create a registration process using forms component. Extensions like FOSUserBundle can help.
We can add extensions for 3^rd party login methods, such as Facebook, Google & Twitter.
We can create custom login methods, eg SSO, LDAP, etc

2.1. Securing a controller

Symfony provides multiple methods to secure our controllers.
Your application's layout will help determine which method is best.

security.yml Access Control Lists

Secure controllers by URL pattern.
Can restrict by roles, IP address.
Allows HTTP channel securing - http/https.
Symfony automatically redirects to http/https based upon the requirement.
Example below

security:
	...
	access_control:
		- { path: ^/admin/, roles: ROLE_ADMIN }
		- { path: ^/admin/administrative-cron, ip: 127.0.0.1 }
		- { path: ^/cart/checkout, requires_channel: https }

Remarks:

path: ^/...: A regular expression pattern to match.
roles: ...: Required roles for the user to access this resource.
ip: ...: Required IP address for the user to access this resource.
requires_channel: ...: Required channel to access this resource.

Securing controller actions

Can use pure PHP
Can use JMS SecurityExtraBundle annotations
Example of using PHP & modifying controller logic below

// standard namespace & use statements, plus the below:
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class SecureController extends Controller
	public function theLongSecureAction()
	{
		if (false === $this->get('security.context')->isGranted('ROLE_ADMIN')) {
			throw new AccessDeniedException();
		}

		// ...
	}
}

Remarks:

$this->get('security.context')->isGranted(): Check if current user has given role.
AccessDeniedException: will direct user to login page, or throw 403 Forbidden.

Securing using the JMS SecurityExtraBundle

Bundle created by @JohannesMS, included with Symfony.
Aspect-orientated approach, doesn't modify controller logic.
Does the same as above.
Revised example below

// standard namespace & use statements, plus the below:
use JMS\SecurityExtraBundle\Annotation\Secure;

class SecureController extends Controller
	/** @Secure(roles="ROLE_USER") */
	public function shorterSecureAction()
	{
		// ...
	}
}

Securing or changing controller logic

We can use the SecurityContext to change business logic.
Example below:

// standard namespace & use statements

class AnotherController extends Controller
	public function indexAction()
	{
		// ...
		
		if ($this->get('security.context')->isGranted('ROLE_ADMIN')) {
			$variableOne = 'some arbitrary value';
		} else {
			$variableTwo = 'something else';
		}

		// ...
	}
}

Useful examples: change forms on page, add security flag to entities, redirect roles to different controllers completely.

2.2. Tweaking twig

The is_granted() twig function is duplicate of isGranted() function in the
security context.
Example below.

{% if is_granted('ROLE_USER') %}
	This text is only shown to users who are logged in. 
	The same can be used for any defined role!
{% endif %}

Twig variable app has reference to user object.
Allows developer to customise display for users.
Example below.

{% if app.user is not empty %}
	Hello {{ app.user.username }}, welcome back!
{% endif %}

2.3. Advanced concepts

Beyond all that I've covered tonight, there were a few other things that those needing deeper authorisation control should check out...

Secure custom services using JMS SecurityExtraBundle.
Check out this Symfony cookbook article: http://symfony.com/.../securing_services.html.
Domain object-level ACL.
Check out this Symfony cookbook article: http://symfony.com/.../security/acl.html.

Finally...

Security component is still more complex:

Contains a voting system for access decisions.
Built in "Remember Me" authentication.
Impersonate users, using switch functionality.
and more? etc.

But documentation is a problem. If possible, contribute to Documentation on Github.

Lastly, recognize..

Big thanks to Flint Interactive for providing our venue tonight & sponsoring our meetup group. <3
I've used a javascript based slideshow plugin called Fathom.js, developed by my coworker & buddy @markdalgleish. It's awesome, so go check it out. Seriously.
Tweet using #melbsf2 about this pres!