[FLOW3-general] How to secure a controller?

Steffen Wickham steffen at gaming-inc.de
Fri Jan 11 10:38:56 CET 2013 

Hello Alex,

I don't follow your meaning. You have to configure the access rights
manually in every aspect of programming. One way is to write checks in
each head part of your php file or you can use the way Flow provides:
Policy.yaml.

Maybe there is an other way to reach your goal, but it is more
restrictive and not as good as the Policy.yaml way: restrict all calls
to your controller except login in the Flow firewall layer as described
at
http://flow.typo3.org/documentation/guide/partiii/security.html#application-firewall

You "only" have to make some configuration in your Settings.yaml file.
The following settings haven't been tested by me:

TYPO3:
  Flow:
    security:
      firewall:
        rejectAll: FALSE

        filters:
          -
            patternType:  'URI'
            patternValue: '/login/.*'
            interceptor:  'AccessGrant'
          -
            patternType:  'URI'
            patternValue: '/.*'
            interceptor:  'RequireAuthentication'



But as mentioned in the documentation, the prefered way is to use the
Policy.yaml. There are no security concerns about it as its not
accessable through the browser and can't be modified by another user.
So you should have a look in the AOP part of the documentation. There is
an excellent explanation of the pointcut syntax which is used by
Policy.yaml to define method calls. To achieve your desired security
level you just have to define only two resources and two acls as follows
(as well not tested by me):

resources:
  entities: []
  methods:
    Login: 'method(VENDOR\PACKAGE\Controller\LoginController->.*Action())'
    SecuredArea: 'method(VENDOR\PACKAGE\Controller\.*->.*Action())'

roles:
  Administrator: []

acls:
  Everybody:
    methods:
      Login: GRANT

  Administrator:
    methods:
      SecuredArea: GRANT


So everybody is allowed to perform actions on your LoginController
action methods (named "Login" in resource part) but the access to all
other controller calls (defined as SecuredArea) without authentication
(and without Administrator role) would be restricted. Don't worry about
the "missing" Login definition for Administrator role, its inherited
from the Everybody role.

Greetings
Steffen





Am 11.01.13 09:21, schrieb Qbus | Axel Wüstemann:
> Thank you Steffen,
>
> of course I read the documentation. Mayby the authors could decide to
> illustrate at firts the most simple solution case and go then further
> to all possible details... so the documentation might become more
> understandable.
>
> I will write a little tutorial, if I've got to run this.
>
> What you wrote was a bit my assumtion, that this could be the
> solution. But by this, my security depends on the existence of the
> policy.yaml file! Why then encrypted passwords in the database an all
> that stuff, if it would be enough to drop the policy.yaml to kick off
> all my security stuff?
>
> ----
>
> 'method(Vendor\Package\Controller\StandardController->.*Action())'
>
> What does this realy mean?
>
> Do I need write this for each controller? All of my controller are
> behind of the login. Is there a or simple solution?
>
> Thank you for further assistance!
>
>
> Am 10.01.2013 22:15, schrieb Steffen Wickham:
>> Hi Axel,
>>
>> it's not enough to define roles. You also have to define resources and
>> acls in your Policy.yaml as well.
>> Resources are name-value-pairs where the value is a pointcut expression,
>> that's where you define the controller. In the acls part you set, that
>> role "Administrator" has access to a named resource.
>>
>> Your Policy.yaml have to look like this:
>> resources:
>>    entities: []
>>    methods:
>>      StandardController:
>> 'method(Vendor\Package\Controller\StandardController->.*Action())'
>>
>> # The security policy roles configuration
>> roles:
>>    Administrator: []
>>
>> # The security policy acls configuration connects the resources with the
>> roles by assigning
>> # privileges. Here is an example configuration array:
>> acls:
>>    Administrator:
>>      methods:
>>        StandardController: GRANT
>>
>> With these settings, you get redirected to the login page when there is
>> no authenticated token set.
>> Please have a look at further documentation:
>> http://flow.typo3.org/documentation/guide/partiii/security.html#policies-aka-access-control-lists-acls
>>
>>
>> Best regards
>> Steffen
>>
>>
>>
>> Am 10.01.2013 21:46, schrieb Qbus | Axel Wüstemann:
>>> Hello,
>>>
>>> I simply want to redirect from the standard controller to the login
>>> controller if I'm not yet logged in. How to achive that? Or more
>>> generaly: How to secure a controller?
>>>
>>> What I did:
>>>
>>> 1. I made the appropriate settings
>>>
>>>      security:
>>>        authentication:
>>>          providers:
>>>            DefaultProvider:
>>>              provider: PersistedUsernamePasswordProvider
>>>              requestPatterns:
>>>                controllerObjectName: QBUS\BestDesQ\Controller\.*
>>>              entryPoint: 'WebRedirect'
>>>              entryPointOptions:
>>>                uri: login
>>>
>>> 2. I bult a policy
>>>
>>> roles:
>>>    Administrator: []
>>>
>>> If I call my standard controller by http:://bestdesq it shows the
>>> index action. Instead I would exepect it redirects to
>>> http:://bestdesq/login
>>>
>>> What code I have probably additional add to my controller(s)?
>>>
>>> Thank you
>>> Axel
>>> _______________________________________________
>>> FLOW3-general mailing list
>>> FLOW3-general at lists.typo3.org
>>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
>>
>> _______________________________________________
>> FLOW3-general mailing list
>> FLOW3-general at lists.typo3.org
>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
>>
>
>

More information about the Flow mailing list