This document contains code snippets related to implementing WSSE authentication in Symfony. It includes code for a WSSE token, listener, authentication manager/provider, and factory class. The token holds user details extracted from the HTTP header. The listener extracts credentials from the header and passes them to the manager. The manager authenticates by validating the credentials against the user provider. The factory registers these classes with the security component. The document also mentions voters and ACL as other Symfony security topics.

2. cystbear
Erlanger
Symfony expert
MongoDB adept
OSS doer
https://twitter.com/1cdecoder
https://github.com/cystbear
http://trinity.ck.ua/

7. + = ❤

9. security.yml
security:
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
login_path: /login
check_path: /login_check
provider: fos_userbundle
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/user, role: ROLE_USER }
- { path: ^/admin/, role: ROLE_ADMIN }

10. http://www.xml.com/pub/a/2003/12/17/dive.html
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

11. Good Parts
Token
Listener
Authentication Manager/Provider
Factory

12. Token
<?php
namespace AppBundleSecurityAuthenticationToken;
use SymfonyComponentSecurityCoreAuthenticationTokenAbstractToken;
class WsseUserToken extends AbstractToken
{
public $created;
public $digest;
public $nonce;
public function __construct(array $roles = array())
{
parent::__construct($roles);
// If the user has roles, consider it authenticated
$this->setAuthenticated(count($roles) > 0);
}
public function getCredentials()
{
return '';
}
}

13. Listener
<?php
namespace AppBundleSecurityFirewall;
use AppBundleSecurityAuthenticationTokenWsseUserToken;
class WsseListener implements ListenerInterface
{
protected $tokenStorage;
protected $authenticationManager;
public function handle(GetResponseEvent $event)
{
$request = $event->getRequest();
$wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
return;
}
$token = new WsseUserToken(); $token->setUser($matches[1]); ...
try {
$authToken = $this->authenticationManager->authenticate($token);
$this->tokenStorage->setToken($authToken);
return;
} catch (AuthenticationException $failed) { ... }
$response = new Response();
$response->setStatusCode(Response::HTTP_FORBIDDEN);
$event->setResponse($response);
}
}

14. Authentication Manager
<?php
namespace AppBundleSecurityAuthenticationProvider;
use AppBundleSecurityAuthenticationTokenWsseUserToken;
class WsseProvider implements AuthenticationProviderInterface
{
private $userProvider;
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
throw new AuthenticationException('The WSSE authentication failed.');
}
protected function validateDigest($digest, $nonce, $created, $secret)
{ ... }
public function supports(TokenInterface $token)
{
return $token instanceof WsseUserToken;
}
}

15. Factory
<?php
namespace AppBundleDependencyInjectionSecurityFactory;
use SymfonyBundleSecurityBundleDependencyInjectionSecurityFactorySecurityFactoryInterface;
class WsseFactory implements SecurityFactoryInterface
{
public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
{
$providerId = 'security.authentication.provider.wsse.'.$id;
$container
->setDefinition($providerId, new DefinitionDecorator('wsse.security.authentication.provider'))
->replaceArgument(0, new Reference($userProvider))
;
$listenerId = 'security.authentication.listener.wsse.'.$id;
$listener = $container->setDefinition($listenerId, new DefinitionDecorator('wsse.security.authentication.listener'));
return array($providerId, $listenerId, $defaultEntryPoint);
}
public function getPosition()
{ return 'pre_auth'; }
public function getKey()
{ return 'wsse'; }
public function addConfiguration(NodeDefinition $node)
{
}
}

16. ACE
http://symfony.com/doc/current/cookbook/security/acl.html

17. Voters
http://symfony.com/doc/current/cookbook/security/voters.html
https://www.youtube.com/watch?v=e7HfW4TgnUY

18. Voter (1)
<?php
namespace AppBundleSecurity;
use SymfonyComponentSecurityCoreAuthorizationVoterVoter;
class PostVoter extends Voter
{
const VIEW = 'view';
const EDIT = 'edit';
protected function supports($attribute, $subject)
{
if (!in_array($attribute, array(self::VIEW, self::EDIT))) { return false; }
if (!$subject instanceof Post) { return false; }
return true;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof User) { return false; }
$post = $subject;
switch($attribute) {
case self::VIEW: return $this->canView($post, $user);
case self::EDIT: return $this->canEdit($post, $user);
}
throw new LogicException('This code should not be reached!');
}
}

19. Voter (2)
<?php
private function canView(Post $post, User $user)
{
if ($this->canEdit($post, $user)) { return true; }
return !$post->isPrivate();
}
private function canEdit(Post $post, User $user)
{
return $user === $post->getOwner();
}
}