Improving the FLOW3 Security Framework
Proposed by: Andreas Förthner
Mentor: Robert Lemke / Karsten Dambekalns
Student working on it: -
Level: Medium - Dificult
Overview
Currently the basic infrastructure of the FLOW3 Security Framework is implemented. To make the framework usable in real life a lot functionality is needed. E.g. we will have to provide many authentication mechanisms to integrate FLOW3 applications flawlessly in existing infrastructures.
With the proposed features we will also proceed in our mission to provide a transparent security framework, which supports the developer as much as possible to write secure web applications without the need of being a security specialist.
Impact on TYPO3
Security is one of the most important aspects of an application framework. Implementing these features will help to make FLOW3 - and with that the upcoming TYPO3 5.0 - a maintainable, secure piece of software.
Issues
The main problem of existing web applications (including TYPO3 4.x) is, that security is not centralized or added afterwards. That means it is not maintainable or simply forgotten in many places. Another issue would be, that most developers are no security experts, which ends in missing or wrong implemented security.
Goals / Deliverables
One or more of the following tasks should be done:
- Implement authentication mechanisms like: Certificates, HTTP Basic/Digest, RADIUS, LDAP
- Provide a SSO-Infrastructure (both server and client) for protocols like: Kerberos, MSN Passport OpenID
- Channel Security: automatically/transparently encrypt/authenticate form data and prevent forms data from manipulation or multiple submissions
- Secure session handling (e.g. TAN handling for session IDs)
- transparent encryption layer for data in the Content Repository or files on the file system
Required Skills or Background
- knowledge about FLOW3 and its principles
- Aspect Oriented Programming (AOP)
- Knowledge about the already existing Security Framework architecture
- General knowledge about web application security
