FLOW3 Security Framework applied to TYPO3 Phoenix
Andreas Förthner <andreas.foerthner@netlogix.de>

T3CON10 Frankfurt – Andreas Förthner
Inspiring people to share
Your host
    Andreas Förthner
    Work: netlogix Media in Nuremberg
    Studied computer science in Erlangen
    FLOW3/Phoenix Core Team since 2007
    Leader of the TYPO3 security team together with Helmut Hummel

Agenda
    Which security concepts are needed for Phoenix?
    Authentication infrastructure
    Authorization and how to display all this?
    Security for data AKA content security
    Security for files AKA secure downloads
    Summary and Questions

WHICH SECURITY CONCEPTS ARE NEEDED?

Which security concepts are needed?
    Authentication
       Ensure you are talking to the correct partner
       Use different mechanisms to validate the identity
       Provide an easy-to-extend infrastructure
       Manage user accounts

Which security concepts are needed?
    Authorization
       Restrict certain users from accessing functionality
       Use a declarative policy to configure those restrictions
       Change restrictions or add new ones without changing the Phoenix core

Which security concepts are needed?
    Protect your stored data
       Declaratively describe who should be allowed to read/write your domain models' data
       Data you don't have access to should not be loaded by the persistence layer
       Provide an infrastructure for protected files

Which security concepts are needed?
    Protect the communication channel
       Encrypt transferred data if needed
       Sign transferred data
       General CSRF protection

Which security concepts are needed?
    Validate incoming data
       Protection against XSS attacks
       No SQL injections anymore

    Sanitize displayed data
       E.g. no XSS code on your website

Which security concepts are needed?
    Protect your system against unwanted requests
       Application firewall based on request filters
       Drop unwanted/unauthorized requests as early as possible

AUTHENTICATION INFRASTRUCTURE

Authentication Infrastructure
    TYPO3 is an application with different authentication areas:
       "Frontend"
       "Backend"
       Custom areas, e.g. "Extranet area"
    Users might have access to more than one area
    Different authentication mechanisms for different areas
    Use a different mechanism for connections from your internal network

Authentication Infrastructure
    security:
      authentication:
        providers:
          DefaultProvider:
            providerClass: PersistedUsernamePasswordProvider
            requestPatterns:
              controllerObjectName: F3\TYPO3\Controller\Backend\.*
            entryPoint:
              webRedirect:
                uri: typo3/login

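How the provider configuration above is meant to work (a provider is only active for requests that match all of its request patterns, and an unauthenticated request to an active provider is sent to the provider's entry point) can be modelled in a few lines. The following is an added example written for this page, not FLOW3 code: it re-reads the slide's YAML as a dict and evaluates it. The second provider, InternalProvider, its provider class name and the "ip" pattern type are assumptions added to illustrate the "different mechanism for the internal network" point from the previous slide.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The slide's configuration as a dict. InternalProvider and the "ip" request
# pattern are assumptions for illustration, not part of the original slide.
SECURITY_CONFIG = {
    "providers": {
        "DefaultProvider": {
            "providerClass": "PersistedUsernamePasswordProvider",
            "requestPatterns": {"controllerObjectName": "F3\\TYPO3\\Controller\\Backend\\.*"},
            "entryPoint": {"webRedirect": {"uri": "typo3/login"}},
        },
        "InternalProvider": {                      # hypothetical
            "providerClass": "HypotheticalInternalNetworkProvider",
            "requestPatterns": {
                "controllerObjectName": "F3\\TYPO3\\Controller\\Backend\\.*",
                "ip": "10.0.0.0/8",                # hypothetical pattern type
            },
            "entryPoint": {"webRedirect": {"uri": "typo3/login"}},
        },
    }
}


@dataclass
class Request:
    controller_object_name: str
    client_ip: str


@dataclass
class Session:
    # Name of the provider that authenticated this session, or None.
    authenticated_provider: Optional[str] = None


def pattern_matches(kind: str, pattern: str, request: Request) -> bool:
    """Evaluate one request pattern against the request."""
    if kind == "controllerObjectName":
        # Backslashes in the configured pattern are namespace separators, so they
        # are escaped before the pattern is used as a regular expression.
        regex = pattern.replace("\\", "\\\\")
        return re.fullmatch(regex, request.controller_object_name) is not None
    if kind == "ip":
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(request.client_ip) in network
    raise ValueError(f"unknown request pattern type: {kind}")


def matching_providers(config: Dict, request: Request) -> List[str]:
    """Providers whose request patterns ALL match; an empty list means no provider is active."""
    active = []
    for name, provider in config["providers"].items():
        patterns = provider.get("requestPatterns", {})
        if all(pattern_matches(kind, pat, request) for kind, pat in patterns.items()):
            active.append(name)
    return active


def authenticate_request(config: Dict, request: Request, session: Session) -> Tuple[str, Optional[str]]:
    """Return ("pass", provider) when the request may proceed, or ("redirect", uri)
    when an active provider requires authentication and the session has none."""
    active = matching_providers(config, request)
    if not active:
        return ("pass", None)                       # unprotected area
    if session.authenticated_provider in active:
        return ("pass", session.authenticated_provider)
    entry_point = config["providers"][active[0]]["entryPoint"]["webRedirect"]["uri"]
    return ("redirect", entry_point)


if __name__ == "__main__":
    backend = Request("F3\\TYPO3\\Controller\\Backend\\BackendController", "203.0.113.5")
    print(authenticate_request(SECURITY_CONFIG, backend, Session()))
    print(authenticate_request(SECURITY_CONFIG, backend, Session("DefaultProvider")))
```

Requests to frontend controllers never activate a provider and pass through untouched; backend requests without an authenticated session are answered with the redirect to typo3/login instead of running the controller.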
AUTHORIZATION AND HOW TO DISPLAY ALL THIS?

Authorization and how to display all this?
    The functionality of TYPO3 has to be protected
       E.g. backend controllers should not be callable by everybody
       Not every user should have access to the management tab in the Phoenix backend
       Only specific users should be allowed to create a CE in the left column

    The functionality stays, but policies can change!

Authorization and how to display all this?
    Solution: Declarative policies, decoupled from the PHP code holding the functionality

    resources:
      methods:
        F3_TYPO3_BackendController:
          "method(F3\TYPO3\Controller\Backend\BackendController->.*())"
    acls:
      Administrator:
        methods:
          F3_TYPO3_BackendController: GRANT

Authorization and how to display all this?
    Great, it's protected!

    But:
    Internal Server Error?!
    Nice?!

Authorization and how to display all this?
    Reflect the policy in the view with Fluid

        <f:security.ifAccess resource="F3_TYPO3_BackendController">
           This is being shown in case you have access to the backend
        </f:security.ifAccess>

        <f:security.ifHasRole role="Administrator">
            This is being shown in case you are administrator
        </f:security.ifHasRole>

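The method policy from the earlier slide and the two Fluid view helpers above draw on the same decision: which resources match a method, and what the user's roles say about those resources. The following added example (written for this page, not FLOW3's policy service or view helpers) parses the slide's `method(Class->name())` pointcut, applies the ACL with the usual DENY-over-GRANT rule, answers a forbidden call with a 403 instead of the "Internal Server Error" from the previous slide, and renders the two template fragments only for users who would pass the same check. The evaluation rules are this example's model; the method names `indexAction` and `showAction` and the Frontend controller name are constructed inputs.

```python
import re
from typing import Dict, List, Optional

# The policy from the slide, restored into a dict.
POLICY = {
    "resources": {
        "methods": {
            "F3_TYPO3_BackendController":
                "method(F3\\TYPO3\\Controller\\Backend\\BackendController->.*())",
        }
    },
    "acls": {
        "Administrator": {"methods": {"F3_TYPO3_BackendController": "GRANT"}},
    },
}

# method(<class regex>-><method regex>())
POINTCUT = re.compile(r"method\((?P<cls>.+?)->(?P<method>.+)\(\)\)")


def pointcut_matches(pointcut: str, class_name: str, method_name: str) -> bool:
    """True if the pointcut covers the given class/method; backslashes are literal."""
    m = POINTCUT.fullmatch(pointcut)
    if m is None:
        raise ValueError(f"unsupported pointcut: {pointcut}")
    class_regex = m.group("cls").replace("\\", "\\\\")
    return (re.fullmatch(class_regex, class_name) is not None
            and re.fullmatch(m.group("method"), method_name) is not None)


def privilege_for(policy: Dict, roles: List[str], resource: str) -> Optional[str]:
    """Combine the ACL entries of all roles for one resource; DENY always wins."""
    decisions = {policy["acls"].get(r, {}).get("methods", {}).get(resource) for r in roles}
    if "DENY" in decisions:
        return "DENY"
    if "GRANT" in decisions:
        return "GRANT"
    return None


def has_resource_access(policy: Dict, roles: List[str], resource: str) -> bool:
    """What <f:security.ifAccess resource="..."> asks: is the resource granted?"""
    return privilege_for(policy, roles, resource) == "GRANT"


def may_call(policy: Dict, roles: List[str], class_name: str, method_name: str) -> bool:
    """Interception decision: methods no resource covers pass; covered methods need
    a GRANT and no DENY (default deny)."""
    matched = [res for res, pc in policy["resources"]["methods"].items()
               if pointcut_matches(pc, class_name, method_name)]
    if not matched:
        return True
    privileges = [privilege_for(policy, roles, res) for res in matched]
    if "DENY" in privileges:
        return False
    return "GRANT" in privileges


def dispatch(policy: Dict, roles: List[str], class_name: str, method_name: str) -> Dict[str, object]:
    """Answer a denied call with 403 and no action executed, not with a 500."""
    if not may_call(policy, roles, class_name, method_name):
        return {"status": 403, "body": "Access denied"}
    return {"status": 200, "body": f"{class_name}->{method_name}() executed"}


def render_backend_menu(policy: Dict, roles: List[str]) -> List[str]:
    """Model of the slide's ifAccess / ifHasRole view helpers: fragments actually shown."""
    fragments = []
    if has_resource_access(policy, roles, "F3_TYPO3_BackendController"):
        fragments.append("This is being shown in case you have access to the backend")
    if "Administrator" in roles:
        fragments.append("This is being shown in case you are administrator")
    return fragments


if __name__ == "__main__":
    backend = "F3\\TYPO3\\Controller\\Backend\\BackendController"
    print(dispatch(POLICY, ["Everybody"], backend, "indexAction"))
    print(render_backend_menu(POLICY, ["Administrator"]))
```

Because the view helper and the interceptor share `privilege_for`, a link is hidden exactly when following it would be refused, which is the "reflect the policy in the view" point of the slide.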
SECURITY FOR DATA AKA CONTENT SECURITY

Security for data AKA content security
    Write a policy for your content
    The persistence layer will automatically filter all data you don't have access to, i.e.:
       Your queries are very clean and readable
       You can't forget to add a needed query constraint

Security for data AKA content security
    Writing policies tailored to your data

    resources:
      entities:
        F3_Blog_Domain_Model_Post:
          F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE

Security for data AKA content security
    acls:
      Everybody:
        entities:
          F3_Blog_Domain_Model_Post_HiddenPosts: DENY
      Editor:
        entities:
          F3_Blog_Domain_Model_Post_HiddenPosts: GRANT

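The entity policy on the two slides above names a subset of posts (`this.public == FALSE`) and says who may see it. What the persistence layer has to do with that is: compile the constraint into a predicate and drop every matching object from any query result for roles that are not granted the resource. The following added example (not FLOW3's persistence or policy code) does exactly that for the slide's policy. The role-combination rule (Everybody is the default every user holds, an explicit privilege of any other role overrides it, and among explicit privileges DENY wins) is this example's model of the slide's intent; the `Post` class and the sample posts are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Post:                     # constructed stand-in for F3\Blog\Domain\Model\Post
    title: str
    public: bool


# The policy from the slides, restored into a dict.
POLICY = {
    "resources": {
        "entities": {
            "F3_Blog_Domain_Model_Post": {
                "F3_Blog_Domain_Model_Post_HiddenPosts": "this.public == FALSE",
            }
        }
    },
    "acls": {
        "Everybody": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "DENY"}},
        "Editor": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "GRANT"}},
    },
}

# this.<property> ==|!= TRUE|FALSE|<integer>|'<string>'
CONSTRAINT = re.compile(r"this\.(?P<prop>\w+)\s*(?P<op>==|!=)\s*(?P<value>TRUE|FALSE|\d+|'[^']*')")


def compile_constraint(expression: str) -> Callable[[object], bool]:
    """Turn a constraint expression into a predicate over a domain object."""
    m = CONSTRAINT.fullmatch(expression.strip())
    if m is None:
        raise ValueError(f"unsupported constraint: {expression}")
    raw = m.group("value")
    if raw in ("TRUE", "FALSE"):
        value: object = raw == "TRUE"
    elif raw.isdigit():
        value = int(raw)
    else:
        value = raw.strip("'")
    prop, negate = m.group("prop"), m.group("op") == "!="
    return lambda obj: (getattr(obj, prop) == value) != negate


def effective_privilege(policy: Dict, roles: Iterable[str], resource: str) -> Optional[str]:
    """Explicit role privileges override Everybody's; DENY beats GRANT among explicit ones."""
    explicit = {policy["acls"].get(r, {}).get("entities", {}).get(resource)
                for r in roles if r != "Everybody"} - {None}
    if explicit:
        return "DENY" if "DENY" in explicit else "GRANT"
    return policy["acls"].get("Everybody", {}).get("entities", {}).get(resource)


def hidden_constraints(policy: Dict, roles: Iterable[str], model: str) -> List[Callable[[object], bool]]:
    """Predicates for every entity resource of the model that is not GRANTed (default deny)."""
    resources = policy["resources"]["entities"].get(model, {})
    return [compile_constraint(expr) for res, expr in resources.items()
            if effective_privilege(policy, roles, res) != "GRANT"]


def find_all(policy: Dict, roles: Iterable[str], model: str, objects: Iterable[object]) -> List[object]:
    """The repository call: the filter is applied here, so no query can forget it."""
    roles = set(roles) | {"Everybody"}          # every user holds the Everybody role
    hidden = hidden_constraints(policy, roles, model)
    return [obj for obj in objects if not any(is_hidden(obj) for is_hidden in hidden)]


if __name__ == "__main__":
    posts = [Post("Hello world", True), Post("Unfinished draft", False)]   # constructed
    print([p.title for p in find_all(POLICY, [], "F3_Blog_Domain_Model_Post", posts)])
    print([p.title for p in find_all(POLICY, ["Editor"], "F3_Blog_Domain_Model_Post", posts)])
```

A visitor with no role beyond Everybody gets only the public post back; an Editor sees both, and neither caller wrote a `public = TRUE` constraint into the query.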
SECURITY FOR FILES AKA SECURE DOWNLOADS

Security for files AKA secure downloads
    Challenge:
       Really protect files from being downloaded
       Support huge files (>>GB)
       Support different web servers (Apache2, IIS, …)
       Additional features like: expiration date/time for published files

Security for files AKA secure downloads
    [Diagram: interception for private resources]
    1. A Fluid template with a file link asks the resource publisher: "Give me URI!"
    2. The resource publisher copies/symlinks Image.jpg from the private directory for uploaded/stored files into the public directory for files
    3. The resource publisher returns the URI to the public directory

Security for files AKA secure downloads
    Publish resource under a private path
    [Diagram: the public directory for files contains a directory called like your session id, holding an .htaccess ("Allow from 213.83.33.146") and Image.jpg, which is a symlink/copy of Image.jpg from the private directory for uploaded/stored files]

Security for files AKA secure downloads
    Advantages of this solution
       Central management of all files
       Publishing is extremely fast when symlinking is possible
       No PHP involved in downloading!

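The publishing scheme of the last three slides (a per-session directory under the public root, an `.htaccess` that admits only the requesting client's address, a symlink or copy of the private file, and an expiration time) is small enough to show end to end. The following is an added example written for this page, not FLOW3's resource publisher: it performs one publish/expire cycle in a temporary directory on a constructed file. The `.expires` marker file, the session-id character whitelist and the `demo_publish_cycle` helper are this example's own choices; the `.htaccess` uses the Apache 2.2 `Allow from` syntax shown on the slide.

```python
import ipaddress
import re
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# The session id becomes a path component, so only a conservative character set is accepted.
SAFE_SESSION_ID = re.compile(r"[A-Za-z0-9_-]{8,128}")


def publish_resource(private_file: Path, public_root: Path, session_id: str,
                     client_ip: str, ttl_seconds: int = 3600) -> str:
    """Expose one private file as <public_root>/<session id>/<name> for one client.
    The .htaccess (Apache 2.2 syntax as on the slide) limits the directory to the
    client's address, so the web server serves the bytes with no PHP involved."""
    if not SAFE_SESSION_ID.fullmatch(session_id):
        raise ValueError("session id is not a safe path component")
    ipaddress.ip_address(client_ip)        # rejects anything that is not an IP literal
    target_dir = public_root / session_id
    target_dir.mkdir(parents=True, exist_ok=True)
    (target_dir / ".htaccess").write_text(
        "Order deny,allow\nDeny from all\n" + f"Allow from {client_ip}\n")
    link = target_dir / private_file.name
    if link.is_symlink() or link.exists():
        link.unlink()
    try:
        link.symlink_to(private_file.resolve())   # fast path: no copy of a multi-GB file
    except OSError:
        shutil.copy2(private_file, link)          # fallback where symlinks are unavailable
    # Expiration marker (this example's mechanism): absolute Unix time after which the
    # directory may be removed.
    (target_dir / ".expires").write_text(str(int(time.time()) + ttl_seconds))
    return f"{session_id}/{private_file.name}"


def unpublish_expired(public_root: Path, now: float) -> List[str]:
    """Remove every published directory whose expiration time has passed; return their names."""
    removed = []
    entries = sorted(public_root.iterdir()) if public_root.exists() else []
    for entry in entries:
        marker = entry / ".expires"
        if entry.is_dir() and marker.exists() and float(marker.read_text()) <= now:
            shutil.rmtree(entry)
            removed.append(entry.name)
    return removed


def demo_publish_cycle() -> Dict[str, object]:
    """One publish/expire cycle on a constructed file in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    private_file = root / "private" / "Image.jpg"
    private_file.parent.mkdir()
    private_file.write_bytes(b"constructed sample image bytes")
    public_root = root / "public"
    session_id = "sess_0123456789"                           # constructed
    uri = publish_resource(private_file, public_root, session_id, "203.0.113.7", ttl_seconds=60)
    result = {
        "uri": uri,
        "htaccess": (public_root / session_id / ".htaccess").read_text(),
        "served_bytes": (public_root / uri).read_bytes(),
        "expired_now": unpublish_expired(public_root, now=0),           # nothing expired yet
        "expired_later": unpublish_expired(public_root, now=10 ** 12),  # far future: removed
        "dir_left": (public_root / session_id).exists(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo_publish_cycle().items():
        print(key, "=", value)
```

For symlinks to be followed, the public directory needs `Options +FollowSymLinks` (or `SymLinksIfOwnerMatch`) in the Apache configuration, and on Apache 2.4 the `Allow from` lines become `Require ip <address>`. Since the session id ends up in URLs and server logs, a token derived from it (e.g. an HMAC) is the safer choice for the directory name; the example keeps the slide's design and uses the id directly.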
Security for files AKA secure downloads
    Demo

Summary
    Security is more than authentication
    Security is centralized
    Security is handled by FLOW3 and not the application code
    Policies can be changed without a change of the actual functionality (code)

So long and thanks for the fish…
    Questions?
FLOW3 Security Framework applied to TYPO3 Phoenix

Weitere ähnliche Inhalte

Andere mochten auch

Our Business Coaching Services
Our Business Coaching ServicesOur Business Coaching Services
Our Business Coaching ServicesCelia Couture
 
Dapatkan promo welcome bonus 10 us$ hirose2
Dapatkan promo welcome bonus 10 us$ hirose2Dapatkan promo welcome bonus 10 us$ hirose2
Dapatkan promo welcome bonus 10 us$ hirose2Budiyantoro SE
 
Rosslyn safaris PDM presentation
Rosslyn safaris PDM presentation Rosslyn safaris PDM presentation
Rosslyn safaris PDM presentation Roland Viedge
 
Our Business Coaching Services
Our Business Coaching ServicesOur Business Coaching Services
Our Business Coaching ServicesCelia Couture
 
Touchless security with FLOW3
Touchless security with FLOW3Touchless security with FLOW3
Touchless security with FLOW3Andreas Förthner
 
Information Technology Security Techniques Evaluation Criteria For It Secrit...
Information Technology  Security Techniques Evaluation Criteria For It Secrit...Information Technology  Security Techniques Evaluation Criteria For It Secrit...
Information Technology Security Techniques Evaluation Criteria For It Secrit...Vishnu Kesarwani
 
Touch Magazine
Touch MagazineTouch Magazine
Touch Magazineguestf32db
 
Internet History
Internet HistoryInternet History
Internet Historytechwork7
 

Andere mochten auch (8)

Our Business Coaching Services
Our Business Coaching ServicesOur Business Coaching Services
Our Business Coaching Services
 
Dapatkan promo welcome bonus 10 us$ hirose2
Dapatkan promo welcome bonus 10 us$ hirose2Dapatkan promo welcome bonus 10 us$ hirose2
Dapatkan promo welcome bonus 10 us$ hirose2
 
Rosslyn safaris PDM presentation
Rosslyn safaris PDM presentation Rosslyn safaris PDM presentation
Rosslyn safaris PDM presentation
 
Our Business Coaching Services
Our Business Coaching ServicesOur Business Coaching Services
Our Business Coaching Services
 
Touchless security with FLOW3
Touchless security with FLOW3Touchless security with FLOW3
Touchless security with FLOW3
 
Information Technology Security Techniques Evaluation Criteria For It Secrit...
Information Technology  Security Techniques Evaluation Criteria For It Secrit...Information Technology  Security Techniques Evaluation Criteria For It Secrit...
Information Technology Security Techniques Evaluation Criteria For It Secrit...
 
Touch Magazine
Touch MagazineTouch Magazine
Touch Magazine
 
Internet History
Internet HistoryInternet History
Internet History
 

Ähnlich wie FLOW3 Security Framework applied to TYPO3 Phoenix

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna) ClubHack
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelIgor Korkin
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016 Mukesh Pathak
 
Seclore FileSecure IBM Filenet Walkthrough
Seclore FileSecure IBM Filenet WalkthroughSeclore FileSecure IBM Filenet Walkthrough
Seclore FileSecure IBM Filenet Walkthroughsiddarthc
 
Paper id 712019116
Paper id 712019116Paper id 712019116
Paper id 712019116IJRAT
 
Secured Authorized Deduplication Based Hybrid Cloud
Secured Authorized Deduplication Based Hybrid CloudSecured Authorized Deduplication Based Hybrid Cloud
Secured Authorized Deduplication Based Hybrid Cloudtheijes
 
E031102034039
E031102034039E031102034039
E031102034039theijes
 
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesEncryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesTrend Micro
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserAditya K Sood
 
Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...
Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...
Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...brianberlin
 
PROJECT REVIEW of technical vulnerability 1 (3).pptx
PROJECT REVIEW of technical vulnerability 1 (3).pptxPROJECT REVIEW of technical vulnerability 1 (3).pptx
PROJECT REVIEW of technical vulnerability 1 (3).pptxDHANUSH447825
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
Windows Phone 8 - 11 App to App Communication
Windows Phone 8 - 11 App to App CommunicationWindows Phone 8 - 11 App to App Communication
Windows Phone 8 - 11 App to App CommunicationOliver Scheer
 
IRJET - Virtual Data Auditing at Overcast Environment
IRJET - Virtual Data Auditing at Overcast EnvironmentIRJET - Virtual Data Auditing at Overcast Environment
IRJET - Virtual Data Auditing at Overcast EnvironmentIRJET Journal
 
High security mechanism: Fragmentation and replication in the cloud with auto...
High security mechanism: Fragmentation and replication in the cloud with auto...High security mechanism: Fragmentation and replication in the cloud with auto...
High security mechanism: Fragmentation and replication in the cloud with auto...CSITiaesprime
 

Ähnlich wie FLOW3 Security Framework applied to TYPO3 Phoenix (20)

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna)
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
 
Firewall
FirewallFirewall
Firewall
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016
 
Seclore FileSecure IBM Filenet Walkthrough
Seclore FileSecure IBM Filenet WalkthroughSeclore FileSecure IBM Filenet Walkthrough
Seclore FileSecure IBM Filenet Walkthrough
 
Firewall
FirewallFirewall
Firewall
 
Firewall
FirewallFirewall
Firewall
 
Paper id 712019116
Paper id 712019116Paper id 712019116
Paper id 712019116
 
Secured Authorized Deduplication Based Hybrid Cloud
Secured Authorized Deduplication Based Hybrid CloudSecured Authorized Deduplication Based Hybrid Cloud
Secured Authorized Deduplication Based Hybrid Cloud
 
E031102034039
E031102034039E031102034039
E031102034039
 
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesEncryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 
Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...
Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...
Introducing FileLocker, Secure Enterprise File Sharing, Syncing and Collabora...
 
PROJECT REVIEW of technical vulnerability 1 (3).pptx
PROJECT REVIEW of technical vulnerability 1 (3).pptxPROJECT REVIEW of technical vulnerability 1 (3).pptx
PROJECT REVIEW of technical vulnerability 1 (3).pptx
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Windows Phone 8 - 11 App to App Communication
Windows Phone 8 - 11 App to App CommunicationWindows Phone 8 - 11 App to App Communication
Windows Phone 8 - 11 App to App Communication
 
IRJET - Virtual Data Auditing at Overcast Environment
IRJET - Virtual Data Auditing at Overcast EnvironmentIRJET - Virtual Data Auditing at Overcast Environment
IRJET - Virtual Data Auditing at Overcast Environment
 
Cloud computing final show
Cloud computing final   showCloud computing final   show
Cloud computing final show
 
DDS Security
DDS SecurityDDS Security
DDS Security
 
High security mechanism: Fragmentation and replication in the cloud with auto...
High security mechanism: Fragmentation and replication in the cloud with auto...High security mechanism: Fragmentation and replication in the cloud with auto...
High security mechanism: Fragmentation and replication in the cloud with auto...
 

Kürzlich hochgeladen

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 

Kürzlich hochgeladen (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 

FLOW3 Security Framework applied to TYPO3 Phoenix

  • 1. FLOW3 Security Framework applied to TYPO3 Phoenix
    Andreas Förthner <andreas.foerthner@netlogix.de>
  • 2. Your host
    Andreas Förthner
    Work: netlogix Media in Nuremberg
    Studied computer science in Erlangen
    FLOW3/Phoenix Core Team since 2007
    Leader of the TYPO3 security team together with Helmut Hummel
  • 3. Agenda
    Which security concepts are needed for Phoenix?
    Authentication infrastructure
    Authorization and how to display all this?
    Security for data AKA content security
    Security for files AKA secure downloads
    Summary and Questions
  • 4. WHICH SECURITY CONCEPTS ARE NEEDED?
  • 5. Which security concepts are needed?
    Authentication
       Ensure to talk to the correct partner
       Use different mechanisms to validate the identity
       Provide an easy to extend infrastructure
       Manage user accounts
  • 6. Which security concepts are needed?
    Authorization
       Restrict certain users from accessing functionality
       Use a declarative policy to configure those restrictions
       Change restrictions or add new ones without changing the Phoenix core
  • 7. Which security concepts are needed?
    Protect your stored data
       Declaratively describe who should be allowed to read/write your domain models' data
       Data you don't have access to should not be loaded by the persistence layer
       Provide an infrastructure for protected files
  • 8. Which security concepts are needed?
    Protect the communication channel
       Encrypt transferred data if needed
       Sign transferred data
       General CSRF protection
  • 9. Which security concepts are needed?
    Validate incoming data
       Protection against XSS attacks
       No SQL injections anymore
    Sanitize displayed data
       E.g. no XSS code on your website
  • 10. Which security concepts are needed?
    Protect your system against unwanted requests
       Application firewall based on request filters
       Drop unwanted/unauthorized requests as early as possible
  • 11. AUTHENTICATION INFRASTRUCTURE
  • 12. Authentication Infrastructure
    TYPO3 is an application with different authentication areas:
       "Frontend"
       "Backend"
       Custom areas, e.g. "Extranet area"
    Users might have access to more than one area
    Different authentication mechanisms for different areas
    Use a different mechanism for connections from your internal network
  • 13. Authentication Infrastructure
    security:
      authentication:
        providers:
          DefaultProvider:
            providerClass: PersistedUsernamePasswordProvider
            requestPatterns:
              controllerObjectName: F3\TYPO3\Controller\Backend\.*
            entryPoint:
              webRedirect:
                uri: typo3/login
  • 14. AUTHORIZATION AND HOW TO DISPLAY ALL THIS?
  • 15. Authorization and how to display all this?
    The functionality of TYPO3 has to be protected
       E.g. backend controllers should not be callable for everybody
       Not every user should have access to the management tab in the Phoenix backend
       Only specific users should be allowed to create a CE in the left column
    The functionality stays, but policies can change!
  • 16. Authorization and how to display all this?
    Solution: Declarative policies, decoupled from the PHP code holding the functionality
    resources:
      methods:
        F3_TYPO3_BackendController: "method(F3\TYPO3\Controller\Backend\BackendController->.*())"
    acls:
      Administrator:
        methods:
          F3_TYPO3_BackendController: GRANT
  • 17. Authorization and how to display all this?
    Great, it's protected! But: Internal Server Error?! Nice?!
  • 18. Authorization and how to display all this?
    Reflect the policy in the view with Fluid
    <f:security.ifAccess resource="F3_TYPO3_BackendController">
      This is being shown in case you have access to the backend
    </f:security.ifAccess>
    <f:security.ifHasRole role="Administrator">
      This is being shown in case you are administrator
    </f:security.ifHasRole>
  • 19. SECURITY FOR DATA AKA CONTENT SECURITY
  • 20. Security for data AKA content security
    Write a policy for your content
    The persistence layer will automatically filter all data you don't have access to, i.e.:
       Your queries are very clean and readable
       You can't forget to add a needed query constraint
  • 21. Security for data AKA content security
    Writing policies tailored to your data
    resources:
      entities:
        F3_Blog_Domain_Model_Post:
          F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE
  • 22. Security for data AKA content security
    acls:
      Everybody:
        entities:
          F3_Blog_Domain_Model_Post_HiddenPosts: DENY
      Editor:
        entities:
          F3_Blog_Domain_Model_Post_HiddenPosts: GRANT
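The policy fragments on slides 16, 21 and 22 can be exercised with a small emulator of what the talk describes: a method resource matched by its pointcut, an entity resource matched by a constraint on the object, and the persistence layer silently dropping the rows a role is denied. This is an added example in Python, not FLOW3's own implementation; the policy dict, the sample posts and the precedence rule (an explicit GRANT from any held role wins) are assumptions of this example.

```python
import re

# Constructed policy dict mirroring the Policy.yaml fragments on slides 16, 21 and 22
POLICY = {
    "resources": {
        "methods": {"F3_TYPO3_BackendController":
                    r"method(F3\TYPO3\Controller\Backend\BackendController->.*())"},
        "entities": {"F3_Blog_Domain_Model_Post":
                     {"F3_Blog_Domain_Model_Post_HiddenPosts": "this.public == FALSE"}},
    },
    "acls": {
        "Everybody": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "DENY"}},
        "Editor": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "GRANT"}},
        "Administrator": {"methods": {"F3_TYPO3_BackendController": "GRANT"}},
    },
}
POSTS = [{"title": "Hello world", "public": True},  # constructed rows of the Post table
         {"title": "Unfinished draft", "public": False}]

def _decision(roles, kind, resource):
    """Assumption of this example: an explicit GRANT from any held role wins; the
    slides do not state FLOW3's own precedence rule, so do not read one into this."""
    votes = {POLICY["acls"].get(role, {}).get(kind, {}).get(resource) for role in roles}
    return "GRANT" if "GRANT" in votes else "DENY"

def can_call(roles, class_name, method_name):
    """Method resources: a call matched by a pointcut needs a GRANT, else access is denied."""
    target = f"{class_name}->{method_name}"
    for resource, pointcut in POLICY["resources"]["methods"].items():
        cls, meth = re.fullmatch(r"method\((.+)->(.+)\(\)\)", pointcut).groups()
        if re.fullmatch(re.escape(cls) + "->" + meth, target):  # class literal, method regex
            return _decision(roles, "methods", resource) == "GRANT"
    return True  # a method no resource mentions is not protected by the policy

def _matches(constraint, row):
    """Evaluates the tiny 'this.<field> ==|!= TRUE|FALSE|<int>' constraint language."""
    field, op, literal = re.fullmatch(r"this\.(\w+) (==|!=) (TRUE|FALSE|\d+)", constraint).groups()
    value = {"TRUE": True, "FALSE": False}.get(literal)
    value = int(literal) if value is None else value
    return (row[field] == value) if op == "==" else (row[field] != value)

def filter_query_result(roles, entity_type, rows):
    """Emulates the persistence layer: rows covered by a denied entity resource never
    reach the caller, so no query has to remember to add the constraint itself."""
    resources = POLICY["resources"]["entities"].get(entity_type, {})
    denied = [c for res, c in resources.items() if _decision(roles, "entities", res) == "DENY"]
    return [row for row in rows if not any(_matches(c, row) for c in denied)]
```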
  • 23. SECURITY FOR FILES AKA SECURE DOWNLOADS
  • 24. Security for files AKA secure downloads
    Challenge:
       Really protect files from being downloaded
       Support huge files (>>GB)
       Support different web servers (Apache2, IIS, …)
       Additional features like: expiration date/time for published files
  • 25. Security for files AKA secure downloads
    Interception for private resources (diagram):
       1. A Fluid template with a file link asks the resource publisher: "Give me URI!"
       2. The resource publisher copies/symlinks Image.jpg from the private directory for uploaded/stored files into the public directory for files
       3. The resource publisher returns the URI to the file in the public directory
  • 26. Security for files AKA secure downloads
    Publish resource under a private path (diagram):
       Image.jpg in the private directory for uploaded/stored files is symlinked/copied into the public directory for files, into a directory called like your session id
       That directory contains an .htaccess with "Allow from 213.83.33.146" next to Image.jpg
  • 27. Security for files AKA secure downloads
    Advantages of this solution
       Central management of all files
       Publishing is extremely fast when symlinking is possible
       No PHP involved in downloading!
  • 28. Security for files AKA secure downloads
    Demo
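The publishing scheme of slides 24 to 27 (a per-session directory in the public tree, an .htaccess admitting only the client's address, a symlink with a copy fallback for servers without symlinks, and expiry cleanup) as an added example in Python; it is not FLOW3's resource publisher, and the directory layout, the session id format check, the 192.0.2.10 client address and the sample file are assumptions of this example.

```python
import os, re, shutil, tempfile, time

SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,}")  # assumption: opaque alphanumeric session ids

def publish(private_file, public_root, session_id, client_ip, lifetime_seconds):
    """Publish one private file as public/<session id>/<name>, readable only from client_ip."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id becomes a directory name; refusing odd characters")
    session_dir = os.path.join(public_root, session_id)
    os.makedirs(session_dir, exist_ok=True)
    with open(os.path.join(session_dir, ".htaccess"), "w") as fh:
        # Apache 2.2 host-based access control as on slide 26: everyone else is denied
        fh.write(f"Order deny,allow\nDeny from all\nAllow from {client_ip}\n")
    target = os.path.join(session_dir, os.path.basename(private_file))
    try:
        os.symlink(os.path.abspath(private_file), target)  # fast path: no copy, no PHP
    except OSError:
        shutil.copyfile(private_file, target)  # fallback where symlinks are unavailable
    return target, time.time() + lifetime_seconds

def unpublish_expired(public_root, expiries, now=None):
    """Drop every session directory whose publication expired (expiries: id -> timestamp)."""
    now = time.time() if now is None else now
    removed = [sid for sid, until in expiries.items() if until <= now]
    for sid in removed:
        shutil.rmtree(os.path.join(public_root, sid), ignore_errors=True)
        del expiries[sid]
    return removed

def demo():  # runs the scheme on a constructed file tree and returns checkable facts
    root = tempfile.mkdtemp()
    private_root, public_root = os.path.join(root, "private"), os.path.join(root, "public")
    for directory in (private_root, public_root):
        os.makedirs(directory)
    private_file = os.path.join(private_root, "Image.jpg")
    with open(private_file, "wb") as fh:
        fh.write(b"constructed image bytes")
    session_id = "a1b2c3d4e5f60718293a4b5c6d7e8f90"  # constructed session id
    target, expires_at = publish(private_file, public_root, session_id, "192.0.2.10", 60)
    with open(os.path.join(public_root, session_id, ".htaccess")) as fh:
        htaccess = fh.read()
    with open(target, "rb") as fh:
        served = fh.read()
    expiries = {session_id: expires_at}
    early = unpublish_expired(public_root, expiries, now=expires_at - 1)
    late = unpublish_expired(public_root, expiries, now=expires_at + 1)
    gone = not os.path.exists(os.path.join(public_root, session_id))
    shutil.rmtree(root)
    return {"served_private_bytes": served == b"constructed image bytes",
            "ip_restricted": "Allow from 192.0.2.10" in htaccess and "Deny from all" in htaccess,
            "kept_before_expiry": early == [], "removed_after_expiry": late == [session_id] and gone}
```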
  • 29. Summary
    Security is more than authentication
    Security is centralized
    Security is handled by FLOW3 and not the application code
    Policies can be changed without a change of the actual functionality (code)
  • 30. So long and thanks for the fish… Questions?