flow3 security framework applied to typo3 phoenix

Inspiring people to

shareT3CON10 Frankfurt – Andreas Förthner

FLOW3 Security Framework applied to TYPO3 Phoenix


Andreas Förthner<[email protected]>

Inspiring people to



Your host

Andreas Förthner

Work: netlogix Media in Nuremberg

Studied computer science in Erlangen

FLOW3/Phoenix Core Team since 2007

Leader of the TYPO3 security team together with Helmut Hummel

Inspiring people to



Agenda

Which security concepts are needed for Phoenix?

Authentication infrastructure

Authorization and how to display all this?

Security for data AKA content security

Security for files AKA secure downloads

Summary and Questions

Inspiring people to



WHICH SECURITY CONCEPTS ARE NEEDED?

Inspiring people to



Which security concepts are needed?

Authentication

Ensure to talk to the correct partner

Use different mechanisms to validate the identity

Provide an easy to extend infrastructure

Manage user accounts

Inspiring people to




Authorization

Restrict certain users from accessing functionality

Use a delarative policy to configure those restrictions

Change restrictions or add new ones without changing

the Phoenix core

Inspiring people to




Protect your stored data

Declarativly describe who should be allowed to read/write your

domain models‘ data

Data you don‘t have access to, should not be loaded

by the persitence layer

Provide an infrastructure for protected files

Inspiring people to




Protect the communication channel

Encrypt transfered data if needed

Sign transfered data

Gerneral CSRF protection

Inspiring people to




Validate incoming data

Protection against XSS attacks

No SQL-Injections anymore

Sanitize displayed data

E.g. no XSS code on your website

Inspiring people to




Protect your system against unwanted requests

Application Firewall based on request filters

Drop unwanted/unauthorized requests as early as possible

Inspiring people to



AUTHENTICATION INFRASTRUCTURE

Inspiring people to



Authentication Infrastructure

TYPO3 is an application with different authentication areas:

„Frontend“

„Backend“

Custom areas, e.g. „Extranet area“

Users might have access to more than one area

Different authentication mechanisms for different areas

Use a different mechanism for connections from your internalnetwork

Inspiring people to



Authentication Infrastructuresecurity:

authentication:

providers:

DefaultProvider:

providerClass: PersistedUsernamePasswordProvider

requestPatterns:

controllerObjectName: F3\TYPO3\ControllerBackend\.*

entryPoint:

webRedirect:

uri: typo3/login

Inspiring people to



AUTHORIZATION AND HOW TO DISPLAY ALL THIS?

Inspiring people to




The functionality of TYPO3 has to be protected

E.g. backend controllers should not be callable for everybody

Not every user should have access to the managment tab in the

Phoenix backend

Only specific users should be allowed to create a CE in the left

column

The functionality stays, but policies can change!

Inspiring people to




Solution: Declarative policies, decoupled from the PHP codeholding the functionality

resources:

methods:

F3_TYPO3_BackendController:

"method(F3\TYPO3\Controller\Backend\BackendController->.*())"

acls:

Administrator:

methods:

F3_TYPO3_BackendController : GRANT

Inspiring people to




Great it‘s protected!

But: Internal Server Error?! Nice?!

Inspiring people to




Reflect the policy in the view with Fluid

<f:security.ifAccess resource=“F3_TYPO3_BackendController">

This is being shown in case you have access to the backend

</f:security.ifAccess>

<f:security.ifHasRole role="Administrator">

This is being shown in case you are administrator

</f:security.ifHasRole>

Inspiring people to



SECURITY FOR DATA AKA CONTENT SECURITY

Inspiring people to




Write a policy for your content

The persistence layer will automatically filter all data, you don‘thave access to, i.e.:

Your queries are very clean and readable

You can‘t forget to add a needed query constraint

Inspiring people to




Writing policies tailored to your data

resources:

entities:

F3_Blog_Domain_Model_Post:

F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE

Inspiring people to




acls:

Everybody:

entities:

F3_Blog_Domain_Model_Post_HiddenPosts: DENY

Editor:

entities:

F3_Blog_Domain_Model_Post_HiddenPosts: GRANT

Inspiring people to



SECURITY FOR FILES AKA SECURE DOWNLOADS

Inspiring people to




Challenge:

Really protect files from beeing downloaded

Support huge files (>>GB)

Support different web servers (Apache2, IIS, …)

Additional features like: expiration date/time for published files

Inspiring people to




Private directory foruploaded/stored

files

Fluid template witha file link

Resource publisher

Public directory forfiles

Image.jpg

Image.jpg

2. copies/symlinks file

1. Give me URI!

3. URI topublic directory!

Interception forprivate resources

Inspiring people to




Publish resource under a private path

Private directory for

uploaded/stored files

Public directory for files

Image.jpg

Directory called like yoursession id

.htaccess

Image.jpg

Allow from 213.83.33.146

Symlink/copy

Inspiring people to




Advantages of this solution

Central managment of all files

Publishing is extremly fast, when symlinking is possible

No PHP involved in downloading!

Inspiring people to




Demo

Inspiring people to



Summary

Security is more than authentication

Security is centralized

Security is handled by FLOW3 and not the application code

Policies can be changed without a change of the actualfunctionality (code)

Inspiring people to



So long and thanks for the fish…

Questions?

flow3 security framework applied to typo3 phoenix

Technology

security concepts

typo3 security team

typo3 phoenixshare

functionality of typo3

host andreas frthner

different authentication

domain models data data

incoming data protection