rezzza / security-bundle
Signed request checking
v2.3.2
2017-09-06 14:03 UTC
Requires
- php: >=5.3.2
- doctrine/common: ~2.2
- symfony/framework-bundle: ~2.6|~3.0
- symfony/security-bundle: ~2.6|~3.0
Requires (Dev)
- atoum/atoum: ~2.0
- behat/behat: ~3.0
- behat/mink-extension: ~2.0
- behat/mink-goutte-driver: ~1.1
- behat/symfony2-extension: ~2.0
Suggests
- psr/http-message: Required by \Rezzza\SecurityBundle\Request\Psr7RequestSigner
README
Installation
With Composer

```json
"require": {
    "rezzza/security-bundle": "~2.0"
}
```
Enable the bundle
In AppKernel

```php
$bundles = array(
    // ...
    new Rezzza\SecurityBundle\RezzzaSecurityBundle(),
    // ...
);
```
On Symfony 2.0
Add the factory in security.yml

```yaml
security:
    factories:
        - "%kernel.root_dir%/../vendor/bundles/Rezzza/SecurityBundle/Resources/config/services/security.xml"
```
Request signature checker
Verifies the signature that the client sends in the query string; the signature can be given a lifetime.
The criteria are
- the time at which the signature was sent (if replay protection is enabled)
- the request method
- the HTTP host
- the path info
- the content, i.e. RAW_DATA (submitted fields)
All of these criteria are hashed with the secret defined in security.yml, for example

```yaml
# security.yml
firewalls:
    api:
        pattern: ^/api/.*
        request_signature:
            algorithm: SHA1
            # you can easily ignore the check, e.g. when running functional tests
            ignore: %request_signature.ignore%
            # the secret of the Symfony application, or another one
            secret: %secret%
            # http://.............?_signature=....
            parameter: _signature
            # Do you want to add a lifetime criterion? That way the signature is transitory
            replay_protection:
                enabled: true
                lifetime: 600
                parameter: _signature_ttl
```
Build a signature

```php
use Rezzza\SecurityBundle\Request\SignatureConfig;
use Rezzza\SecurityBundle\Request\SignedRequest;

// replay protection enabled, SHA1, shared secret
$signatureConfig = new SignatureConfig(true, 'sha1', 's3cr3t');
$signatureTime = time(); // only needed when replay protection is enabled
$signedRequest = new SignedRequest(
    'GET',
    'subdomain.domain.tld',
    '/path/to/resources',
    'content',
    $signatureTime // if needed
);
$signature = $signedRequest->buildSignature($signatureConfig);
```
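The following is an added example, not code from the bundle's README: it walks the full round trip for the `api` firewall configured above, with a client that signs a GET request and appends the `_signature` and `_signature_ttl` parameters, and a server-side check that recomputes the signature over the same criteria, enforces the 600 s lifetime and compares in constant time. It assumes that `SignatureConfig` and `SignedRequest` live in `Rezzza\SecurityBundle\Request` and take the constructor arguments shown in the snippet above, and that `_signature_ttl` carries the Unix time at which the request was signed; the helper names `buildSignedUrl` and `verify` are hypothetical.

```php
<?php
// Added example, not part of the bundle. Assumes the two classes below are in
// Rezzza\SecurityBundle\Request and accept the arguments shown in the README.
use Rezzza\SecurityBundle\Request\SignatureConfig;
use Rezzza\SecurityBundle\Request\SignedRequest;

const LIFETIME = 600; // matches replay_protection.lifetime in security.yml

// Client side: sign the request and put both parameters in the query string.
function buildSignedUrl(SignatureConfig $config, $method, $host, $path, $content, $now)
{
    $signed = new SignedRequest($method, $host, $path, $content, $now);
    $query = http_build_query(array(
        '_signature'     => $signed->buildSignature($config),
        '_signature_ttl' => $now, // assumption: the signing time travels in _signature_ttl
    ));
    return 'https://' . $host . $path . '?' . $query;
}

// Server side: recompute over the same criteria and reject stale or mismatching
// signatures. Returns null on success or the reason for rejection.
function verify(SignatureConfig $config, $method, $host, $path, $content, array $query, $now)
{
    if (!isset($query['_signature'], $query['_signature_ttl'])) {
        return 'missing signature parameters';
    }
    $sentAt = (int) $query['_signature_ttl'];
    // Replay protection: the signing time is one of the hashed criteria, so a
    // captured URL stops validating once the lifetime has elapsed.
    if ($sentAt > $now || $now - $sentAt > LIFETIME) {
        return 'signature expired';
    }
    $expected = (new SignedRequest($method, $host, $path, $content, $sentAt))
        ->buildSignature($config);
    // hash_equals (PHP >= 5.6) avoids leaking the expected value through timing.
    if (!hash_equals($expected, (string) $query['_signature'])) {
        return 'signature mismatch';
    }
    return null;
}

// Constructed sample run: the same config on both sides, an empty GET body.
$config = new SignatureConfig(true, 'sha1', 's3cr3t');
$url = buildSignedUrl($config, 'GET', 'subdomain.domain.tld', '/api/resources', '', time());
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump(verify($config, 'GET', 'subdomain.domain.tld', '/api/resources', '', $params, time()));
var_dump(verify($config, 'GET', 'subdomain.domain.tld', '/api/resources', '', $params, time() + 601));
```

The second call is rejected as expired even though the signature itself is intact, which is the property the replay_protection block buys you.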
You can define remote firewalls in the configuration

```yaml
rezzza_security:
    firewalls:
        my_firewall:
            # algorithm: 'SHA1' by default
            secret: 'IseeDeadPeopleEverywhere'
            # replay_protection: true by default
```

Then

```php
use Rezzza\SecurityBundle\Request\SignedRequest;

$signatureConfig = $this->container->get('rezzza.security.signature_config.my_firewall');
$signatureTime = time(); // only needed when replay protection is enabled
$signedRequest = new SignedRequest(
    'GET',
    'subdomain.domain.tld',
    '/path/to/resources',
    'content',
    $signatureTime // if needed
);
$signature = $signedRequest->buildSignature($signatureConfig);
```

Are you using PSR-7 requests?

```php
$signatureConfig = $this->container->get('rezzza.security.signature_config.my_firewall');
$url = 'http://domain.tld/api/uri.json?foo=bar';
// example with the Guzzle PSR-7 implementation
$request = new \GuzzleHttp\Psr7\Request('GET', $url);
$signer = new \Rezzza\SecurityBundle\Request\Psr7RequestSigner($signatureConfig);
$request = $signer->sign($request);
$response = (new \GuzzleHttp\Client())->send($request);
```
Obfuscate requests
If sensitive data enters your application, you probably do not want it exposed in the Symfony profiler. You can easily define, per route, which data must not appear there.

```yaml
rezzza_security:
    request_obfuscator:
        enabled: 1
```

In your route

```php
use Rezzza\SecurityBundle\Controller\Annotations\ObfuscateRequest;
use Symfony\Component\HttpFoundation\Request;

/**
 * @ObfuscateRequest()
 */
public function indexAction(Request $request)
{
}
```

obfuscates all data shown in the Symfony profiler. To restrict obfuscation to specific keys:

```php
@ObfuscateRequest("content=*")                          // obfuscate $request->getContent()
@ObfuscateRequest("headers={'foobar'}")                 // obfuscate $request->headers->get('foobar')
@ObfuscateRequest("request_request={'customer[password]'}") // obfuscate $request->request->get('customer')['password']
```
The keys that can be obfuscated are
- format
- content
- content_type
- status_text
- status_code
- request_query ($_GET)
- request_request ($_POST)
- request_headers ($_HEADER)
- request_server ($_SERVER)
- request_cookies ($_COOKIES)
- request_attributes ($request->attributes)
- response_headers
- session_metadata
- session_attributes
- flashes
- path_info
- controller
- locale
Wishlist
- Query string or HTTP header
- Unit tests with atoum