Hi, if I do not add the SecurityBundle to the kernel is there still anything security related active in the framework? Or can I be sure that Symfony2 does not use anything from the Security component? AFAIK everything is implemented by events so it should be safe to simply not use the bundle, isn't it?
To be honest I think about not using the Security system of Symfony2 at all as it looks "over classed", over complicated to me. 150 files to secure my application? ..while on the other hand I will probably only use 10 % of it and need to change and add several implementations to fit my needs. I maintain a library of 25 sf 1.4 plugins that provide a "rich project foundation" for building our projects on it. I plan to migrate most of them to Symfony2 in the next months and to make most of them public on Github. I was happy reading that the form system refactorings will finally make it into master next week but the security system is something that still really scares me! I need a security solution that I can use to extend it to my needs. I don't need thousands of features. All I need is to clearly understand what's going on. It's really hard to understand the security concepts of Symfony2 to hook into them and change/enhance things so I can sleep well.. Some examples that confuse me: - "loadByUsername()": Is this really intended to load a user by username? Or can username also be the ID ? Loading users by username will make the system instable if users have the possibility to change their usernames. - putting the username into the rememberMe cookie has the same issues and even worse you put private/personal data into a cookie, a cookie should never contain any personal data. The username could also be a customer id or an email address and I don't want any cookie to contain such data. It should only contain a signed random id and all sensible data should be stored anywhere on the server. - performance: has anyone tested the performance of all the nice security features? I'm afraid it will slow down my application if I have to deal with 200 roles or so.. why do we need so much classes/objects? - what I miss is a way to prevent brute force attacks: block IPs or usernames on too many login attempts, hundrets of files.. but the most important feature the framework could provide to make applications much more secure is missing.. :-( - also there is no way to define roles/rights in a bundle, I don't understand how you want to handle this when a user needs some roles or ACL rights to use a bundle Ok.. probably not all my problems fit into Symfony's security component, but on the other hand I think it would make things much easier if the security stuff was stripped down to the essential things. Currently it's way too much.. Strange.. I really want less.. this is the first time, I'm sorry.. ;-) regards, Matthias -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
