hdabo_sf: vendor/bundles/JMS/SecurityExtraBundle/Resources/doc/index.rst@1df556b2c0f9 (annotated)

0 7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	1	========
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	2	Overview
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	3	========
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	4
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	5	This bundle allows you to secure method invocations on your service layer with
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	6	annotations.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	7
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	8	Generally, you can secure all public, or protected methods which are non-static,
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	9	and non-final. Private methods cannot be secured this way.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	10
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	11	Annotations can also be declared on abstract methods, parent classes, or
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	12	interfaces.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	13
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	14	How does it work?
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	15	-----------------
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	16	The bundle will first collect all available security metadata for your services
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	17	from annotations. The metadata will then be used to build proxy classes which
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	18	have the requested security checks built-in. These proxy classes will replace
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	19	your original service classes. All of that is done automatically for you, you
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	20	don't need to manually clear any cache if you make changes to the metadata.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	21
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	22
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	23	Performance
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	24	-----------
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	25	While there will be virtually no performance difference in your production
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	26	environment, the performance in the development environment significantly
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	27	depends on your configuration (see the configuration section).
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	28
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	29	Generally, you will find that when you change the files of a secure service
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	30	the first page load after changing the file will increase. This is because
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	31	the cache for this service will need to be rebuilt, and a proxy class possibly
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	32	needs to be generated. Subsequent page loads will be very fast.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	33
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	34
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	35	Installation
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	36	------------
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	37	Checkout a copy of the code::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	38
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	39	git submodule add https://github.com/schmittjoh/SecurityExtraBundle.git vendor/bundles/JMS/SecurityExtraBundle
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	40
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	41	Then register the bundle with your kernel::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	42
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	43	// in AppKernel::registerBundles()
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	44	$bundles = array(
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	45	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	46	new JMS\SecurityExtraBundle\JMSSecurityExtraBundle(),
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	47	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	48	);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	49
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	50	This bundle also requires the Metadata library::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	51
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	52	git submodule add https://github.com/schmittjoh/metadata.git vendor/metadata
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	53
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	54	Make sure that you also register the namespaces with the autoloader::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	55
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	56	// app/autoload.php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	57	$loader->registerNamespaces(array(
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	58	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	59	'JMS' => __DIR__.'/../vendor/bundles',
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	60	'Metadata' => __DIR__.'/../vendor/metadata/src',
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	61	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	62	));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	63
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	64
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	65	Configuration
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	66	-------------
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	67
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	68	Below, you find the default configuration::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	69
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	70	# app/config/config.yml
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	71	jms_security_extra:
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	72	# If you set-up your controllers as services, you must set this to false;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	73	# otherwise your security checks will be performed twice.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	74	secure_controllers: true
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	75
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	76	# Whether you want to secure all services (true), or only secure specific
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	77	# services (false); see also below
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	78	secure_all_services: false
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	79
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	80	# Enabling this setting will add an additional special attribute "IS_IDDQD".
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	81	# Anybody with this attribute will effectively bypass all security checks.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	82	enable_iddqd_attribute: false
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	83
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	84
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	85	By default, security checks are not enabled for any service. You can turn on
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	86	security for your services either by securing all services as shown above, or
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	87	only for specific services by adding a tag to these services::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	88
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	89	<service id="foo" class="Bar">
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	90	<tag name="security.secure_service"/>
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	91	</service>
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	92
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	93	If you enable security for all services, be aware that the first page load will
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	94	be very slow depending on how many services you have defined.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	95
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	96	Annotations
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	97	-----------
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	98
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	99	@Secure
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	100	~~~~~~~
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	101	This annotation lets you define who is allowed to invoke a method::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	102
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	103	<?php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	104
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	105	use JMS\SecurityExtraBundle\Annotation\Secure;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	106
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	107	class MyService
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	108	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	109	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	110	* @Secure(roles="ROLE_USER, ROLE_FOO, ROLE_ADMIN")
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	111	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	112	public function secureMethod()
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	113	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	114	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	115	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	116	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	117
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	118	@SecureParam
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	119	~~~~~~~~~~~~
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	120	This annotation lets you define restrictions for parameters which are passed to
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	121	the method. This is only useful if the parameters are domain objects::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	122
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	123	<?php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	124
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	125	use JMS\SecurityExtraBundle\Annotation\SecureParam;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	126
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	127	class MyService
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	128	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	129	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	130	* @SecureParam(name="comment", permissions="EDIT, DELETE")
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	131	* @SecureParam(name="post", permissions="OWNER")
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	132	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	133	public function secureMethod($comment, $post)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	134	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	135	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	136	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	137	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	138
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	139	@SecureReturn
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	140	~~~~~~~~~~~~~
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	141	This annotation lets you define restrictions for the value which is returned by
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	142	the method. This is also only useful if the returned value is a domain object::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	143
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	144	<?php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	145
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	146	use JMS\SecurityExtraBundle\Annotation\SecureReturn;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	147
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	148	class MyService
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	149	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	150	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	151	* @SecureReturn(permissions="VIEW")
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	152	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	153	public function secureMethod()
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	154	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	155	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	156
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	157	return $domainObject;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	158	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	159	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	160
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	161	@RunAs
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	162	~~~~~~
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	163	This annotation lets you specifiy roles which are added only for the duration
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	164	of the method invocation. These roles will not be taken into consideration
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	165	for before, or after invocation access decisions.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	166
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	167	This is typically used to implement a two-tier service layer where you have
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	168	public and private services, and private services are only to be invoked
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	169	through a specific public service::
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	170
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	171	<?php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	172
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	173	use JMS\SecurityExtraBundle\Annotation\Secure;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	174	use JMS\SecurityExtraBundle\Annotation\RunAs;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	175
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	176	class MyPrivateService
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	177	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	178	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	179	* @Secure(roles="ROLE_PRIVATE_SERVICE")
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	180	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	181	public function aMethodOnlyToBeInvokedThroughASpecificChannel()
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	182	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	183	// ...
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	184	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	185	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	186
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	187	class MyPublicService
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	188	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	189	protected $myPrivateService;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	190
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	191	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	192	* @Secure(roles="ROLE_USER")
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	193	* @RunAs(roles="ROLE_PRIVATE_SERVICE")
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	194	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	195	public function canBeInvokedFromOtherServices()
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	196	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	197	return $this->myPrivateService->aMethodOnlyToBeInvokedThroughASpecificChannel();
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	198	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	199	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	200
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	201	@SatisfiesParentSecurityPolicy
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	202	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	203	This must be defined on a method that overrides a method which has security metadata.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	204	It is there to ensure that you are aware the security of the overridden method cannot
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	205	be enforced anymore, and that you must copy over all annotations if you want to keep
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	206	them.

author	ymh <ymh.work@gmail.com>
	Sun, 06 Nov 2011 23:44:37 +0100
changeset 27	1df556b2c0f9
parent 0	7f95f8617b0b
permissions	-rwxr-xr-x