1. FLOW3 Security Framework
applied to TYPO3 Phoenix
Andreas Förthner
<andreas.foerthner@netlogix.de>
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
2. Your host
Andreas Förthner
Work: netlogix Media in Nuremberg
Studied computer science in Erlangen
FLOW3/Phoenix Core Team since 2007
Leader of the TYPO3 security team together
with Helmut Hummel
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
3. Agenda
Which security concepts are needed for Phoenix?
Authentication infrastructure
Authorization and how to display all this?
Security for data AKA content security
Security for files AKA secure downloads
Summary and Questions
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
4. WHICH SECURITY CONCEPTS ARE NEEDED?
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
5. Which security concepts are needed?
Authentication
Ensure to talk to the correct partner
Use different mechanisms to validate the identity
Provide an easy to extend infrastructure
Manage user accounts
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
6. Which security concepts are needed?
Authorization
Restrict certain users from accessing functionality
Use a delarative policy to configure those restrictions
Change restrictions or add new ones without changing
the Phoenix core
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
7. Which security concepts are needed?
Protect your stored data
Declarativly describe who should be allowed to read/write your
domain models‘ data
Data you don‘t have access to, should not be loaded
by the persitence layer
Provide an infrastructure for protected files
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
8. Which security concepts are needed?
Protect the communication channel
Encrypt transfered data if needed
Sign transfered data
Gerneral CSRF protection
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
9. Which security concepts are needed?
Validate incoming data
Protection against XSS attacks
No SQL-Injections anymore
Sanitize displayed data
E.g. no XSS code on your website
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
10. Which security concepts are needed?
Protect your system against unwanted requests
Application Firewall based on request filters
Drop unwanted/unauthorized requests as early as possible
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
12. Authentication Infrastructure
TYPO3 is an application with different authentication areas:
„Frontend“
„Backend“
Custom areas, e.g. „Extranet area“
Users might have access to more than one area
Different authentication mechanisms for different areas
Use a different mechanism for connections from your internal
network
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
13. Authentication Infrastructure
security:
authentication:
providers:
DefaultProvider:
providerClass: PersistedUsernamePasswordProvider
requestPatterns:
controllerObjectName: F3TYPO3ControllerBackend.*
entryPoint:
webRedirect:
uri: typo3/login
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
14. AUTHORIZATION AND HOW TO DISPLAY ALL THIS?
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
15. Authorization and how to display all this?
The functionality of TYPO3 has to be protected
E.g. backend controllers should not be callable for everybody
Not every user should have access to the managment tab in the
Phoenix backend
Only specific users should be allowed to create a CE in the left
column
The functionality stays, but policies can change!
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
16. Authorization and how to display all this?
Solution: Declarative policies, decoupled from the PHP code
holding the functionality
resources:
methods:
F3_TYPO3_BackendController:
"method(F3TYPO3ControllerBackendBackendController->.*())"
acls:
Administrator:
methods:
F3_TYPO3_BackendController : GRANT
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
17. Authorization and how to display all this?
Great it‘s protected!
But:
Internal Server Error?!
Nice?!
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
18. Authorization and how to display all this?
Reflect the policy in the view with Fluid
<f:security.ifAccess resource=“F3_TYPO3_BackendController">
This is being shown in case you have access to the backend
</f:security.ifAccess>
<f:security.ifHasRole role="Administrator">
This is being shown in case you are administrator
</f:security.ifHasRole>
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
19. SECURITY FOR DATA AKA CONTENT SECURITY
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
20. Security for data AKA content security
Write a policy for your content
The persistence layer will automatically filter all data, you don‘t
have access to, i.e.:
Your queries are very clean and readable
You can‘t forget to add a needed query constraint
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
21. Security for data AKA content security
Writing policies tailored to your data
resources:
entities:
F3_Blog_Domain_Model_Post:
F3_Blog_Domain_Model_Post_HiddenPosts: this.public == FALSE
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
22. Security for data AKA content security
acls:
Everybody:
entities:
F3_Blog_Domain_Model_Post_HiddenPosts: DENY
Editor:
entities:
F3_Blog_Domain_Model_Post_HiddenPosts: GRANT
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
23. SECURITY FOR FILES AKA SECURE DOWNLOADS
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
24. Security for files AKA secure downloads
Challenge:
Really protect files from beeing downloaded
Support huge files (>>GB)
Support different web servers (Apache2, IIS, …)
Additional features like: expiration date/time for published files
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
25. Security for files AKA secure downloads
Interception for
private resources
Public directory for
files
1. Give me URI!
Image.jpg
Fluid template with
Resource publisher
a file link
2. copies/
3. URI to symlinks file
Image.jpg
public directory!
Private directory for
uploaded/stored
files
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
26. Security for files AKA secure downloads
Publish resource under a private path
Public directory for files Private
Allow from 213.83.33.146 directory for
Directory called like your uploaded/stor
session id ed files
.htaccess
Image.jpg Image.jpg
Symlink/copy
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
27. Security for files AKA secure downloads
Advantages of this solution
Central managment of all files
Publishing is extremly fast, when symlinking is possible
No PHP involved in downloading!
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
28. Security for files AKA secure downloads
Demo
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
29. Summary
Security is more than authentication
Security is centralized
Security is handled by FLOW3 and not the application code
Policies can be changed without a change of the actual
functionality (code)
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share
30. So long and thanks for the fish…
Questions?
T3CON10 Frankfurt – Andreas Förthner Inspiring people to
FLOW3 Security Framework applied to TYPO3 Phoenix share