Weitere ähnliche Inhalte Ähnlich wie Keep It Simple Security (Symfony cafe 28-01-2016) (20) Mehr von Oleg Zinchenko (7) Kürzlich hochgeladen (20) Keep It Simple Security (Symfony cafe 28-01-2016)13. Listener
<?php
namespace AppBundleSecurityFirewall;
use AppBundleSecurityAuthenticationTokenWsseUserToken;
class WsseListener implements ListenerInterface
{
protected $tokenStorage;
protected $authenticationManager;
public function handle(GetResponseEvent $event)
{
$request = $event->getRequest();
$wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
return;
}
$token = new WsseUserToken(); $token->setUser($matches[1]); ...
try {
$authToken = $this->authenticationManager->authenticate($token);
$this->tokenStorage->setToken($authToken);
return;
} catch (AuthenticationException $failed) { ... }
$response = new Response();
$response->setStatusCode(Response::HTTP_FORBIDDEN);
$event->setResponse($response);
}
}
14. Authentication Manager
<?php
namespace AppBundleSecurityAuthenticationProvider;
use AppBundleSecurityAuthenticationTokenWsseUserToken;
class WsseProvider implements AuthenticationProviderInterface
{
private $userProvider;
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
throw new AuthenticationException('The WSSE authentication failed.');
}
protected function validateDigest($digest, $nonce, $created, $secret)
{ ... }
public function supports(TokenInterface $token)
{
return $token instanceof WsseUserToken;
}
}
15. Factory
<?php
namespace AppBundleDependencyInjectionSecurityFactory;
use SymfonyBundleSecurityBundleDependencyInjectionSecurityFactorySecurityFactoryInterface;
class WsseFactory implements SecurityFactoryInterface
{
public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
{
$providerId = 'security.authentication.provider.wsse.'.$id;
$container
->setDefinition($providerId, new DefinitionDecorator('wsse.security.authentication.provider'))
->replaceArgument(0, new Reference($userProvider))
;
$listenerId = 'security.authentication.listener.wsse.'.$id;
$listener = $container->setDefinition($listenerId, new DefinitionDecorator('wsse.security.authentication.listener'));
return array($providerId, $listenerId, $defaultEntryPoint);
}
public function getPosition()
{ return 'pre_auth'; }
public function getKey()
{ return 'wsse'; }
public function addConfiguration(NodeDefinition $node)
{
}
}
18. Voter (1)
<?php
namespace AppBundleSecurity;
use SymfonyComponentSecurityCoreAuthorizationVoterVoter;
class PostVoter extends Voter
{
const VIEW = 'view';
const EDIT = 'edit';
protected function supports($attribute, $subject)
{
if (!in_array($attribute, array(self::VIEW, self::EDIT))) { return false; }
if (!$subject instanceof Post) { return false; }
return true;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof User) { return false; }
$post = $subject;
switch($attribute) {
case self::VIEW: return $this->canView($post, $user);
case self::EDIT: return $this->canEdit($post, $user);
}
throw new LogicException('This code should not be reached!');
}
}
19. Voter (2)
<?php
private function canView(Post $post, User $user)
{
if ($this->canEdit($post, $user)) { return true; }
return !$post->isPrivate();
}
private function canEdit(Post $post, User $user)
{
return $user === $post->getOwner();
}
}