flow3 security framework applied to typo3 phoenix
TRANSCRIPT
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
FLOW3 Security Framework applied to TYPO3 Phoenix
Andreas Förthner<[email protected]>
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Your host
Andreas Förthner
Work: netlogix Media in Nuremberg
Studied computer science in Erlangen
FLOW3/Phoenix Core Team since 2007
Leader of the TYPO3 security team together with Helmut Hummel
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Agenda
Which security concepts are needed for Phoenix?
Authentication infrastructure
Authorization and how to display all this?
Security for data AKA content security
Security for files AKA secure downloads
Summary and Questions
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
WHICH SECURITY CONCEPTS ARE NEEDED?
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Which security concepts are needed?
Authentication
Ensure to talk to the correct partner
Use different mechanisms to validate the identity
Provide an easy to extend infrastructure
Manage user accounts
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Which security concepts are needed?
Authorization
Restrict certain users from accessing functionality
Use a delarative policy to configure those restrictions
Change restrictions or add new ones without changing
the Phoenix core
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Which security concepts are needed?
Protect your stored data
Declarativly describe who should be allowed to read/write your
domain models‘ data
Data you don‘t have access to, should not be loaded
by the persitence layer
Provide an infrastructure for protected files
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Which security concepts are needed?
Protect the communication channel
Encrypt transfered data if needed
Sign transfered data
Gerneral CSRF protection
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Which security concepts are needed?
Validate incoming data
Protection against XSS attacks
No SQL-Injections anymore
Sanitize displayed data
E.g. no XSS code on your website
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Which security concepts are needed?
Protect your system against unwanted requests
Application Firewall based on request filters
Drop unwanted/unauthorized requests as early as possible
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
AUTHENTICATION INFRASTRUCTURE
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Authentication Infrastructure
TYPO3 is an application with different authentication areas:
„Frontend“
„Backend“
Custom areas, e.g. „Extranet area“
Users might have access to more than one area
Different authentication mechanisms for different areas
Use a different mechanism for connections from your internalnetwork
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Authentication Infrastructuresecurity:
authentication:
providers:
DefaultProvider:
providerClass: PersistedUsernamePasswordProvider
requestPatterns:
controllerObjectName: F3\TYPO3\ControllerBackend\.*
entryPoint:
webRedirect:
uri: typo3/login
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
AUTHORIZATION AND HOW TO DISPLAY ALL THIS?
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Authorization and how to display all this?
The functionality of TYPO3 has to be protected
E.g. backend controllers should not be callable for everybody
Not every user should have access to the managment tab in the
Phoenix backend
Only specific users should be allowed to create a CE in the left
column
The functionality stays, but policies can change!
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Authorization and how to display all this?
Solution: Declarative policies, decoupled from the PHP codeholding the functionality
resources:
methods:
F3_TYPO3_BackendController:
"method(F3\TYPO3\Controller\Backend\BackendController->.*())"
acls:
Administrator:
methods:
F3_TYPO3_BackendController : GRANT
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Authorization and how to display all this?
Great it‘s protected!
But: Internal Server Error?! Nice?!
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Authorization and how to display all this?
Reflect the policy in the view with Fluid
<f:security.ifAccess resource=“F3_TYPO3_BackendController">
This is being shown in case you have access to the backend
</f:security.ifAccess>
<f:security.ifHasRole role="Administrator">
This is being shown in case you are administrator
</f:security.ifHasRole>
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
SECURITY FOR DATA AKA CONTENT SECURITY
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for data AKA content security
Write a policy for your content
The persistence layer will automatically filter all data, you don‘thave access to, i.e.:
Your queries are very clean and readable
You can‘t forget to add a needed query constraint
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for data AKA content security
Writing policies tailored to your data
resources:
entities:
F3_Blog_Domain_Model_Post:
F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for data AKA content security
acls:
Everybody:
entities:
F3_Blog_Domain_Model_Post_HiddenPosts: DENY
Editor:
entities:
F3_Blog_Domain_Model_Post_HiddenPosts: GRANT
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
SECURITY FOR FILES AKA SECURE DOWNLOADS
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for files AKA secure downloads
Challenge:
Really protect files from beeing downloaded
Support huge files (>>GB)
Support different web servers (Apache2, IIS, …)
Additional features like: expiration date/time for published files
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for files AKA secure downloads
Private directory foruploaded/stored
files
Fluid template witha file link
Resource publisher
Public directory forfiles
Image.jpg
Image.jpg
2. copies/symlinks file
1. Give me URI!
3. URI topublic directory!
Interception forprivate resources
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for files AKA secure downloads
Publish resource under a private path
Private directory for
uploaded/stored files
Public directory for files
Image.jpg
Directory called like yoursession id
.htaccess
Image.jpg
Allow from 213.83.33.146
Symlink/copy
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for files AKA secure downloads
Advantages of this solution
Central managment of all files
Publishing is extremly fast, when symlinking is possible
No PHP involved in downloading!
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Security for files AKA secure downloads
Demo
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
Summary
Security is more than authentication
Security is centralized
Security is handled by FLOW3 and not the application code
Policies can be changed without a change of the actualfunctionality (code)
Inspiring people to
shareT3CON10 Frankfurt – Andreas Förthner
FLOW3 Security Framework applied to TYPO3 Phoenix
So long and thanks for the fish…
Questions?