FLOW3 Security Framework applied to TYPO3 Phoenix
Andreas Förthner <andreas.foerthner@netlogix.de>




 T3CON10 Frankfurt – Andreas Förthner                Inspiring people to
 FLOW3 Security Framework applied to TYPO3 Phoenix   share
Your host
    Andreas Förthner
    Work: netlogix Media in Nuremberg
    Studied computer science in Erlangen
    FLOW3/Phoenix Core Team since 2007
    Leader of the TYPO3 security team together
    with Helmut Hummel


Agenda
    Which security concepts are needed for Phoenix?
    Authentication infrastructure
    Authorization and how to display all this?
    Security for data AKA content security
    Security for files AKA secure downloads
    Summary and Questions


WHICH SECURITY CONCEPTS ARE NEEDED?

Which security concepts are needed?
    Authentication
       Ensure you are talking to the correct partner
       Use different mechanisms to validate the identity
       Provide an easy-to-extend infrastructure
       Manage user accounts




Which security concepts are needed?
    Authorization
       Restrict certain users from accessing functionality
       Use a declarative policy to configure those restrictions
       Change restrictions or add new ones without changing
        the Phoenix core




Which security concepts are needed?
    Protect your stored data
       Declaratively describe who should be allowed to read/write your
        domain models' data
       Data you don't have access to should not be loaded
        by the persistence layer
       Provide an infrastructure for protected files


Which security concepts are needed?
    Protect the communication channel
       Encrypt transferred data if needed
       Sign transferred data
       General CSRF protection




Which security concepts are needed?
    Validate incoming data
       Protection against XSS attacks
       No SQL-Injections anymore

    Sanitize displayed data
       E.g. no XSS code on your website



Which security concepts are needed?

    Protect your system against unwanted requests
       Application Firewall based on request filters
       Drop unwanted/unauthorized requests as early as possible




AUTHENTICATION INFRASTRUCTURE

Authentication Infrastructure
     TYPO3 is an application with different authentication areas:
        "Frontend"
        "Backend"
        Custom areas, e.g. "Extranet area"
     Users might have access to more than one area
     Different authentication mechanisms for different areas
     Use a different mechanism for connections from your internal
     network

Authentication Infrastructure
 security:
   authentication:
     providers:
       DefaultProvider:
         providerClass: PersistedUsernamePasswordProvider
         requestPatterns:
           controllerObjectName: F3\TYPO3\Controller\Backend\.*
         entryPoint:
           webRedirect:
             uri: typo3/login


AUTHORIZATION AND HOW TO DISPLAY ALL THIS?

Authorization and how to display all this?
     The functionality of TYPO3 has to be protected
        E.g. backend controllers should not be callable by everybody
        Not every user should have access to the management tab in the
         Phoenix backend
        Only specific users should be allowed to create a CE in the left
         column

     The functionality stays, but policies can change!

Authorization and how to display all this?
     Solution: Declarative policies, decoupled from the PHP code
     holding the functionality
 resources:
   methods:
     F3_TYPO3_BackendController:
       'method(F3\TYPO3\Controller\Backend\BackendController->.*())'
 acls:
   Administrator:
     methods:
       F3_TYPO3_BackendController: GRANT

Authorization and how to display all this?

     Great, it's protected!

     But:
     Internal Server Error?!
     Nice?!




Authorization and how to display all this?

     Reflect the policy in the view with Fluid

         <f:security.ifAccess resource="F3_TYPO3_BackendController">
            This is being shown in case you have access to the backend
         </f:security.ifAccess>

         <f:security.ifHasRole role="Administrator">
             This is being shown in case you are administrator
         </f:security.ifHasRole>




SECURITY FOR DATA AKA CONTENT SECURITY

Security for data AKA content security

     Write a policy for your content
     The persistence layer will automatically filter out all data you don't
     have access to, i.e.:
        Your queries stay very clean and readable
        You can't forget to add a needed query constraint




Security for data AKA content security

     Writing policies tailored to your data

 resources:
   entities:
       F3_Blog_Domain_Model_Post:
          F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE




Security for data AKA content security
 acls:
   Everybody:
       entities:
          F3_Blog_Domain_Model_Post_HiddenPosts: DENY
   Editor:
       entities:
          F3_Blog_Domain_Model_Post_HiddenPosts: GRANT
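The method policy from the authorization slides (resource F3_TYPO3_BackendController with its Administrator ACL, plus the ifAccess view helper) and the entity policy above (HiddenPosts with Everybody: DENY, Editor: GRANT) worked through in one small evaluator. This is an added Python example, not code from the talk or from FLOW3 itself; the precedence rule between roles, the implicit Everybody role, the repository stand-in and the sample posts are assumptions of this example.

```python
"""Toy evaluator for FLOW3-style declarative policies in the Policy.yaml shape.

Constructed example (not FLOW3's own policy service): one method resource
guarding the backend controller and one entity resource hiding unpublished
blog posts, each mapped to roles via ACLs exactly as on the slides.
"""
import re

# Role every user holds implicitly, like FLOW3's "Everybody" role (assumption).
IMPLICIT_ROLE = "Everybody"

# The slides' YAML as a Python dict. Backslashes are PHP namespace separators,
# so the class part of the pointcut is matched literally; ".*" stays a regex.
POLICY = {
    "resources": {
        "methods": {
            "F3_TYPO3_BackendController":
                r"method(F3\TYPO3\Controller\Backend\BackendController->.*())",
        },
        "entities": {
            "F3_Blog_Domain_Model_Post": {
                "F3_Blog_Domain_Model_Post_HiddenPosts": "this.public == FALSE",
            },
        },
    },
    "acls": {
        "Administrator": {"methods": {"F3_TYPO3_BackendController": "GRANT"}},
        "Everybody": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "DENY"}},
        "Editor": {"entities": {"F3_Blog_Domain_Model_Post_HiddenPosts": "GRANT"}},
    },
}


def pointcut_to_regex(expr):
    """Turn 'method(Class->method())' into a regex over 'Class->method()'."""
    m = re.fullmatch(r"method\((.+)->(.+)\(\)\)", expr)
    if m is None:
        raise ValueError("unsupported pointcut: " + expr)
    class_part, method_part = m.groups()
    # Escape the namespace backslashes; the method part keeps its regex meaning.
    return re.compile(class_part.replace("\\", "\\\\") + "->" + method_part + r"\(\)")


def privilege(roles, kind, resource):
    """Combine ACL votes (assumed rule, chosen to match the slides' intent):
    explicitly assigned roles decide first, DENY beating GRANT; only if all of
    them abstain does the implicit Everybody entry count."""
    def vote(role):
        return POLICY["acls"].get(role, {}).get(kind, {}).get(resource, "ABSTAIN")
    explicit = {vote(role) for role in roles} - {"ABSTAIN"}
    if explicit:
        return "DENY" if "DENY" in explicit else "GRANT"
    return vote(IMPLICIT_ROLE)


def is_method_allowed(roles, join_point):
    """join_point is 'Class->method()'. Methods no resource matches pass;
    a protected one needs a GRANT from the caller's roles."""
    matched = [name for name, expr in POLICY["resources"]["methods"].items()
               if pointcut_to_regex(expr).fullmatch(join_point)]
    if not matched:
        return True
    return all(privilege(roles, "methods", name) == "GRANT" for name in matched)


def constraint_matches(expr, entity):
    """Evaluate the tiny 'this.<property> == TRUE|FALSE|<literal>' language."""
    m = re.fullmatch(r"this\.(\w+)\s*==\s*(\S+)", expr)
    if m is None:
        raise ValueError("unsupported constraint: " + expr)
    prop, literal = m.groups()
    value = {"TRUE": True, "FALSE": False}.get(literal.upper(), literal.strip("'\""))
    return entity.get(prop) == value


def find_all_posts(roles, posts):
    """Repository call standing in for the persistence layer: every entity
    resource the caller is not granted is filtered out before results are
    returned, so calling code can never forget the constraint."""
    hidden = [expr for name, expr in
              POLICY["resources"]["entities"]["F3_Blog_Domain_Model_Post"].items()
              if privilege(roles, "entities", name) != "GRANT"]
    return [p for p in posts if not any(constraint_matches(e, p) for e in hidden)]


def if_access(roles, resource):
    """Counterpart of <f:security.ifAccess resource="...">."""
    return privilege(roles, "methods", resource) == "GRANT"


# Constructed sample data.
POSTS = [
    {"title": "Hello FLOW3", "public": True},
    {"title": "Draft: security talk", "public": False},
]
BACKEND_INDEX = r"F3\TYPO3\Controller\Backend\BackendController->indexAction()"

if __name__ == "__main__":
    print(is_method_allowed(["Editor"], BACKEND_INDEX))             # False
    print(is_method_allowed(["Administrator"], BACKEND_INDEX))      # True
    print([p["title"] for p in find_all_posts([], POSTS)])          # public only
```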




SECURITY FOR FILES AKA SECURE DOWNLOADS

Security for files AKA secure downloads

    Challenge:
       Really protect files from being downloaded
       Support huge files (>>GB)
       Support different web servers (Apache2, IIS, …)
       Additional features like an expiration date/time for published files



Security for files AKA secure downloads
    [Diagram: interception for private resources]
       1. The Fluid template with a file link asks the resource publisher: "Give me a URI!"
       2. The resource publisher copies/symlinks the file (Image.jpg) from the private
          directory for uploaded/stored files into the public directory for files
       3. The publisher returns the URI to the public directory



Security for files AKA secure downloads
    Publish resource under a private path
    [Diagram: the public directory for files contains a directory called like your
     session id, holding an .htaccess ("Allow from 213.83.33.146") and Image.jpg,
     which is a symlink/copy of Image.jpg in the private directory for
     uploaded/stored files]


Security for files AKA secure downloads

    Advantages of this solution
       Central management of all files
       Publishing is extremely fast when symlinking is possible
       No PHP involved in downloading!
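The publishing scheme of the preceding slides (per-session public directory, .htaccess limited to the client's IP, symlink or copy, expiry of published files) as an added Python example; it is not FLOW3's resource publisher. The directory layout, hashing the session id for the directory name, the Apache 2.2 "Allow from" syntax and the JSON expiry ledger are assumptions of this example.

```python
"""Toy resource publisher following the slides' secure download scheme.

Constructed example, not FLOW3's own publisher: a private file is linked (or
copied) into a public directory derived from the session id, guarded by an
.htaccess admitting only that session's client IP, and unpublished again once
its expiry has passed. Layout, .htaccess dialect and ledger are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Deny everyone except the IP the session came from (Apache 2.2 syntax).
HTACCESS = "Order Deny,Allow\nDeny from all\nAllow from {client_ip}\n"


class ResourcePublisher:
    def __init__(self, private_dir, public_dir):
        self.private_dir = Path(private_dir).resolve()
        self.public_dir = Path(public_dir).resolve()
        # The expiry ledger lives in the private tree, so it is never served.
        self.ledger = self.private_dir / ".published.json"

    def _session_dir(self, session_id):
        # Hash rather than use the raw session id, so the token itself never
        # shows up in URIs, access logs or Referer headers (assumption).
        return self.public_dir / hashlib.sha256(session_id.encode()).hexdigest()[:32]

    def _load(self):
        return json.loads(self.ledger.read_text()) if self.ledger.exists() else {}

    def publish(self, filename, session_id, client_ip, ttl_seconds):
        """Steps 2 and 3 of the slide: link the private file into the session's
        public directory and return the URI path the Fluid template renders."""
        source = (self.private_dir / filename).resolve()
        if self.private_dir not in source.parents or not source.is_file():
            raise ValueError("refusing to publish " + filename)  # traversal guard
        target_dir = self._session_dir(session_id)
        target_dir.mkdir(parents=True, exist_ok=True)
        (target_dir / ".htaccess").write_text(HTACCESS.format(client_ip=client_ip))
        target = target_dir / source.name
        if not target.exists():
            try:
                target.symlink_to(source)     # fast path: nothing is copied
            except OSError:
                shutil.copy2(source, target)  # e.g. servers without symlinks
        ledger = self._load()
        ledger[str(target)] = time.time() + ttl_seconds
        self.ledger.write_text(json.dumps(ledger))
        return "/" + target.relative_to(self.public_dir).as_posix()

    def expire(self, now=None):
        """Unpublish every entry whose expiry has passed and return their paths.
        A session directory is removed once only its .htaccess is left."""
        now = time.time() if now is None else now
        ledger, removed = self._load(), []
        for path_str, expires_at in list(ledger.items()):
            if expires_at > now:
                continue
            path = Path(path_str)
            if path.is_symlink() or path.exists():
                path.unlink()
            if path.parent.is_dir() and all(p.name == ".htaccess" for p in path.parent.iterdir()):
                shutil.rmtree(path.parent)
            removed.append(path_str)
            del ledger[path_str]
        self.ledger.write_text(json.dumps(ledger))
        return removed


def demo(workdir=None):
    """Constructed walk-through: publish Image.jpg for one session, read it back
    the way the web server would, then let it expire. Returns the observations."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="flow3-publish-"))
    private, public = workdir / "Private", workdir / "Public"
    for d in (private, public):
        d.mkdir(parents=True, exist_ok=True)
    (private / "Image.jpg").write_bytes(b"\xff\xd8 constructed jpeg stub")
    publisher = ResourcePublisher(private, public)
    uri = publisher.publish("Image.jpg", "session-abc123", "213.83.33.146", 60)
    published = public / uri.lstrip("/")
    try:  # a path that escapes the private directory must be refused
        publisher.publish("../secret.txt", "session-abc123", "213.83.33.146", 60)
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True
    result = {
        "uri": uri,
        "htaccess": (published.parent / ".htaccess").read_text(),
        "content": published.read_bytes(),
        "traversal_blocked": traversal_blocked,
        "removed": publisher.expire(now=time.time() + 61),
    }
    result["session_dir_gone"] = not published.parent.exists()
    return result
```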




Security for files AKA secure downloads




                           Demo

Summary

    Security is more than authentication
    Security is centralized
    Security is handled by FLOW3 and not the application code
    Policies can be changed without a change of the actual
    functionality (code)



So long and thanks for the fish…




                 Questions?
