Added rough version of Security Component Documentation,

about firewall, firewall map, firewall listeners, authentication manager,
password encoder factory, password encoders, user providers

Author: matthiasnoback

components/index.rst

@@ -17,6 +17,7 @@ The Components
     locale
     process
     routing/index
+    security/index
     serializer
     templating
     yaml

components/map.rst.inc

@@ -65,6 +65,10 @@
 
   * :doc:`/components/serializer`
 
+* **Security**
+
+  * :doc:`/components/security/index`
+
 * **Templating**
 
   * :doc:`/components/templating`

components/security/authentication.rst

@@ -0,0 +1,198 @@
+.. index::
+   single: Security, Authentication Manager
+
+Authentication
+==============
+
+When a request points to a secured area, and one of the listeners from the
+firewall map is able to extract the user's credentials from the current
+:class:`Symfony\\Component\\HttpFoundation\\Request` object, it should create
+a token, containing these credentials. The next thing the listener should
+do is ask the authentication manager to validate the given token, and return
+an authenticated token when the supplied credentials were found to be valid.
+The listener should then store the authenticated token in the security context:
+
+.. code-block:: php
+
+    use Symfony\Component\Security\Http\Firewall\ListenerInterface;
+    use Symfony\Component\Security\Core\SecurityContextInterface;
+    use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+    use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+    use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+
+    class SomeAuthenticationListener implements ListenerInterface
+    {
+        /* @var SecurityContextInterface */
+        private $securityContext;
+
+        /* @var AuthenticationManagerInterface */
+        private $authenticationManager;
+
+        // string Uniquely identifies the secured area
+        private $providerKey;
+
+        // ...
+
+        public function handle(GetResponseEvent $event)
+        {
+            $request = $event->getRequest();
+
+            $unauthenticatedToken = new UsernamePasswordToken(
+                $username,
+                $password,
+                $this->providerKey);
+
+            $authenticatedToken = $this
+                ->authenticationManager
+                ->authenticate($unauthenticatedToken);
+
+            $this->securityContext->setToken($authenticatedToken);
+        }
+    }
+
+.. note::
+
+    A token can be of any class, as long as it implements
+    :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\TokenInterface`.
+
+The authentication manager
+--------------------------
+
+The default authentication manager is an instance of :class:`Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationProviderManager`:
+
+.. code-block:: php
+
+    use Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager;
+
+    $providers = array(
+        // instances of Symfony\Component\Security\Core\Authentication\AuthenticationProviderInterface
+    );
+
+    $authenticationManager = new AuthenticationProviderManager($providers);
+
+    try {
+        $authenticatedToken = $authenticationManager
+            ->authenticate($unauthenticatedToken);
+    } catch (AuthenticationException $failed) {
+        // authentication failed
+    }
+
+The ``AuthenticationProviderManager``, when instantiated, receives several
+authentication providers, each supporting a different type of token.
+
+.. note::
+
+    You may of course write your own authentication manager, it only has
+    to implement :class:`Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationManagerInterface`.
+
+Authentication providers
+------------------------
+
+Each provider (since it implements
+:class:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\AuthenticationProviderInterface`)
+has a method ``supports()`` by which the ``AuthenticationProviderManager``
+can determine if it supports the given token. If this is the case, the
+manager then calls the provider's method ``authenticate()``. This method
+should return an authenticated token or throw an :class:`Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException`
+(or any other exception extending it).
+
+Authenticating users by their username and password
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+An authentication provider will attempt to authenticate a user based on
+the credentials he provided. Usually these are a username and a password.
+Most web applications store their user's username and a hash of the user's
+password combined with a randomly generated salt. This means that the average
+authentication would consist of fetching the salt and the hashed password
+from the user data storage, hash the password the user has just provided
+(e.g. using a login form) with the salt and compare both to determine if
+the given password is valid.
+
+This functionality is offered by the :class:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\DaoAuthenticationProvider`.
+It fetches the user's data from a ``UserProvider``, uses a ``PasswordEncoder``
+to create a hash of the password and returns an authenticated token if the
+password was valid.
+
+.. code-block:: php
+
+    use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
+    use Symfony\Component\Security\Core\User\UserChecker;
+    use Symfony\Component\Security\Core\User\InMemoryUserProvider;
+    use Symfony\Component\Security\Core\Encoder\EncoderFactory;
+
+    $userProvider = new InMemoryUserProvider(
+        array('admin' => array(
+            // password is "foo"
+            'password' => '5FZ2Z8QIkA7UTZ4BYkoC+GsReLf569mSKDsfods6LYQ8t+a8EW9oaircfMpmaLbPBh4FOBiiFyLfuZmTSUwzZg==',
+            'roles' => array('ROLE_ADMIN'),
+        ),
+    );
+
+    // for some extra checks: is account enabled, locked, expired, etc.?
+    $userChecker = new UserChecker();
+
+    $encoderFactory = new EncoderFactory(/* ... encoders */);
+
+    $provider = new DaoAuthenticationProvider(
+        $userProvider,
+        $userChecker,
+        'secured_area',
+        $encoderFactory
+    );
+
+    $provider->authenticate($unauthenticatedToken);
+
+.. note::
+
+    The example above demonstrates the use of the "in-memory" user provider,
+    but you may use any user provider, as long as it implements
+    :class:`Symfony\\Component\\Security\\Core\\User\\UserProviderInterface`.
+    It is also possible to let multiple user providers try to find the user's
+    data, using the :class:`Symfony\\Component\\Security\\Core\\User\\ChainUserProvider`.
+
+The password encoder factory
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``DaoAuthenticationProvider`` uses an encoder factory to create a password
+encoder for a given type of user. This allows you to use different encoding
+strategies for different types of users.
+The default :class:`Symfony\\Component\\Security\\Core\\Encoder\\EncoderFactory`
+receives an array of encoders:
+
+.. code-block:: php
+
+    use Symfony\Component\Security\Core\Encoder\EncoderFactory;
+    use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;
+
+    $defaultEncoder = new MessageDigestPasswordEncoder('sha512', true, 5000);
+    $weakEncoder = new MessageDigestPasswordEncoder('md5', true, 1);
+
+    $encoderFactory = new EncoderFactory(array(
+        'Symfony\\Component\\Security\\Core\\User\\User' => $defaultEncoder,
+        'Acme\\Entity\\LegacyUser' => $weakEncoder,
+    ));
+
+Password encoders
+~~~~~~~~~~~~~~~~~
+
+When the ``getEncoder()`` method of the password encoder factory is called
+with the user object as its first argument, it will return an encoder of
+type :class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`
+which should be used to encode this user's password:
+
+.. code-block:: php
+
+    $user = // ... fetch a user of type Acme\Entity\LegacyUser
+
+    $encoder = $encoderFactory->getEncoder($user);
+
+    // will return $weakEncoder (see above)
+
+    $encodedPassword = $encoder->encodePassword($password, $user->getSalt());
+
+    // or check if the password is valid:
+
+    $validPassword = $encoder->isPasswordValid(
+        $user->getPassword(),
+        $password,
+        $user->getSalt());

components/security/firewall.rst

@@ -0,0 +1,112 @@
+.. index::
+   single: Security, Firewall
+
+The Security Context
+====================
+
+Central to the Security Component is the security context, which is an instance
+of :class:`Symfony\\Component\\Security\\Core\\SecurityContext`. When all
+steps in the process of authenticating the user have been taken successfully,
+the security context may be asked if the authenticated user has access
+to a certain action or resource of the application.
+
+.. code-block:: php
+
+    use Symfony\Component\Security\SecurityContext;
+    use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+    $context = new SecurityContext();
+
+    // authenticate the user...
+
+    if (!$context->isGranted('ROLE_ADMIN')) {
+        throw new AccessDeniedException();
+    }
+
+A firewall for HTTP requests
+============================
+
+Authenticating a user is done by the firewall. An application may have
+multiple secured areas, so the firewall is configured using a map of these
+secured areas. For each of these areas, the map contains a request matcher
+and a collection of listeners. The request matcher gives the firewall the
+ability to find out if the current request points to a secured area.
+The listeners are then asked if the current request can be used to authenticate
+the user.
+
+.. code-block:: php
+
+    use Symfony\Component\Security\Http\FirewallMap;
+    use Symfony\Component\HttpFoundation\RequestMatcher;
+    use Symfony\Component\Security\Http\Firewall\ExceptionListener;
+
+    $map = new FirewallMap();
+
+    $requestMatcher = new RequestMatcher('^/secured-area/');
+
+    $listeners = array(
+        // ...
+    );
+    $exceptionListener = new ExceptionListener(/* ... */);
+
+    $map->add($requestMatcher, $listeners, $exceptionListener);
+
+The firewall map will be given to the firewall as it's first argument, together
+with the event dispatcher that is used by the :class:`Symfony\\Component\\HttpKernel\\HttpKernel`.
+
+.. code-block:: php
+
+    use Symfony\Component\Security\Http\Firewall;
+    use Symfony\Component\HttpKernel\KernelEvents;
+
+    // $dispatcher is the EventDispatcher used by the HttpKernel
+
+    $firewall = new Firewall($map, $dispatcher);
+
+    $dispatcher->register(KernelEvents::REQUEST, array($firewall, 'onKernelRequest');
+
+The firewall is registered to listen to the ``kernel.request`` event that
+will be dispatched by the ``HttpKernel`` at the beginning of each request
+it processes. This way, the firewall may prevent the user from going any
+further than allowed.
+
+Firewall listeners
+------------------
+
+When the firewall gets notified of the ``kernel.request`` event, it asks
+the firewall map if the request matches any of the secured areas. If it
+does, the corresponding listeners (who each implement
+:class:`Symfony\\Component\\Security\\Http\\Firewall\\ListenerInterface`)
+will be asked to handle the current request. This basically means: find
+out if the current request contains any information by which the user might
+be authenticated (for instance the Basic HTTP authentication listener checks
+if the request has a header called "PHP_AUTH_USER").
+
+Exception listener
+------------------
+
+If any of the listeners throws an :class:`Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException`
+(or any exception extending this exception), the exception listener that
+was provided when adding secured areas to the firewall map will jump in.
+
+The exception listener determines what happens next, based on the arguments
+it received when it was created. It may start the authentication procedure,
+maybe ask the user to supply his credentials again (when he has only been
+authenticated based on a "remember-me" cookie), or transform the exception
+into an :class:`Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException`,
+which will eventually result in an "HTTP/1.1 401: Access Denied" response.
+
+Entry points
+------------
+
+When the user is not authenticated at all (i.e. when the security context
+has no token yet), the firewall's entry point will be called to "start"
+the authentication process. An entry point should implement
+:class:`Symfony\\Component\\Security\\Http\\EntryPoint\\AuthenticationEntryPointInterface`,
+which has only one method: ``start()``. This method receives the
+current :class:`Symfony\\Component\\HttpFoundation\\Request` object and
+the exception by which the exception listener was triggered. The method
+should return a :class:`Symfony\\Component\\HttpFoundation\\Response` object,
+for instance the page containing the login form, or in the case of Basic
+HTTP authentication a response with a "WWW-Authenticate" header, which will
+prompt the user to supply his username and password.

components/security/index.rst

@@ -0,0 +1,10 @@
+Security
+========
+
+.. toctree::
+    :maxdepth: 2
+
+    introduction
+    firewall
+    authentication
+    authorization

components/security/introduction.rst

@@ -0,0 +1,30 @@
+.. index::
+   single: Security
+
+The Security Component
+======================
+
+Introduction
+------------
+
+The Security Component provides a complete security system for your web
+application. It ships with facilities for authenticating using HTTP basic
+or digest authentication, interactive form login or X.509 certificate login,
+but also allows you to implement your own authentication strategies.
+Furthermore, the component provides ways to authorize authenticated users
+based on their roles, and it contains an advanced ACL system.
+
+Installation
+------------
+
+You can install the component in many different ways:
+
+* Use the official Git repository (https://github.com/symfony/Security);
+* Install it via PEAR ( `pear.symfony.com/Security`);
+* Install it via Composer (`symfony/security` on Packagist).
+
+Sections
+--------
+
+* :doc:`/components/security/firewall`
+* :doc:`/components/security/authentication`