Skip to content

Commit

Permalink
feature #24335 [Security][SecurityBundle] Deprecate the HTTP digest a…
Browse files Browse the repository at this point in the history 
…uth (ogizanagi)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security][SecurityBundle] Deprecate the HTTP digest auth

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | no
| New feature?  | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks?    | no
| Deprecations? | yes <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass?   | yes
| Fixed tickets | #24325  <!-- #-prefixed issue number(s), if any -->
| License       | MIT
| Doc PR        | N/A

See #24336 for the removal PR on master.

Commits
-------

11fe79d [Security][SecurityBundle] Deprecate the HTTP digest auth
  • Loading branch information
@fabpot
fabpot committed Sep 26, 2017
2 parents 084e49f + 11fe79d commit b5103a2
Show file tree
Hide file tree
Showing 22 changed files with 453 additions and 9 deletions.
10 changes: 10 additions & 0 deletions UPGRADE-3.4.md
View file
Expand Up @@ -270,6 +270,13 @@ Profiler

* The `profiler.matcher` option has been deprecated.

Security
--------

* Deprecated the HTTP digest authentication: `NonceExpiredException`,
`DigestAuthenticationListener` and `DigestAuthenticationEntryPoint` will be
removed in 4.0. Use another authentication system like `http_basic` instead.

SecurityBundle
--------------

Expand All @@ -290,6 +297,9 @@ SecurityBundle
* Added `logout_on_user_change` to the firewall options. This config item will
trigger a logout when the user has changed. Should be set to true to avoid
deprecations in the configuration.

* Deprecated the HTTP digest authentication: `HttpDigestFactory` will be removed in 4.0.
Use another authentication system like `http_basic` instead.

Translation
-----------
Expand Down
7 changes: 7 additions & 0 deletions UPGRADE-4.0.md
View file
Expand Up @@ -652,6 +652,10 @@ Security
* Calling `ContextListener::setLogoutOnUserChange(false)` won't have any
effect anymore.

* Removed the HTTP digest authentication system. The `NonceExpiredException`,
`DigestAuthenticationListener` and `DigestAuthenticationEntryPoint` classes
have been removed. Use another authentication system like `http_basic` instead.

SecurityBundle
--------------

Expand All @@ -672,6 +676,9 @@ SecurityBundle

* The firewall option `logout_on_user_change` is now always true, which will
trigger a logout if the user changes between requests.

* Removed the HTTP digest authentication system. The `HttpDigestFactory` class
has been removed. Use another authentication system like `http_basic` instead.

Serializer
----------
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
View file
Expand Up @@ -16,6 +16,7 @@ CHANGELOG
* Added `logout_on_user_change` to the firewall options. This config item will
trigger a logout when the user has changed. Should be set to true to avoid
deprecations in the configuration.
* deprecated HTTP digest authentication

3.3.0
-----
Expand Down
10 changes: 10 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpDigestFactory.php
View file
Expand Up @@ -20,9 +20,18 @@
* HttpDigestFactory creates services for HTTP digest authentication.
*
* @author Fabien Potencier <fabien@symfony.com>
*
* @deprecated since 3.4, to be removed in 4.0
*/
class HttpDigestFactory implements SecurityFactoryInterface
{
public function __construct($triggerDeprecation = true)
{
if ($triggerDeprecation) {
@trigger_error(sprintf('The %s class and the whole HTTP digest authentication system is deprecated since 3.4 and will be removed in 4.0.', __CLASS__), E_USER_DEPRECATED);
}
}

public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
{
$provider = 'security.authentication.provider.dao.'.$id;
Expand Down Expand Up @@ -59,6 +68,7 @@ public function getKey()
public function addConfiguration(NodeDefinition $node)
{
$node
->setDeprecated('The HTTP digest authentication is deprecated since 3.4 and will be removed in 4.0.')
->children()
->scalarNode('provider')->end()
->scalarNode('realm')->defaultValue('Secured Area')->end()
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
View file
Expand Up @@ -47,7 +47,7 @@ public function build(ContainerBuilder $container)
$extension->addSecurityListenerFactory(new JsonLoginFactory());
$extension->addSecurityListenerFactory(new HttpBasicFactory());
$extension->addSecurityListenerFactory(new HttpBasicLdapFactory());
$extension->addSecurityListenerFactory(new HttpDigestFactory());
$extension->addSecurityListenerFactory(new HttpDigestFactory(false));
$extension->addSecurityListenerFactory(new RememberMeFactory());
$extension->addSecurityListenerFactory(new X509Factory());
$extension->addSecurityListenerFactory(new RemoteUserFactory());
Expand Down
125 changes: 125 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
View file
Expand Up @@ -86,6 +86,131 @@ public function testFirewalls()
$configs[0][2] = strtolower($configs[0][2]);
$configs[2][2] = strtolower($configs[2][2]);

$this->assertEquals(array(
array(
'simple',
'security.user_checker',
'security.request_matcher.6tndozi',
false,
),
array(
'secure',
'security.user_checker',
null,
true,
true,
'security.user.provider.concrete.default',
null,
'security.authentication.form_entry_point.secure',
null,
null,
array(
'logout',
'switch_user',
'x509',
'remote_user',
'form_login',
'http_basic',
'remember_me',
'anonymous',
),
array(
'parameter' => '_switch_user',
'role' => 'ROLE_ALLOWED_TO_SWITCH',
),
),
array(
'host',
'security.user_checker',
'security.request_matcher.and0kk1',
true,
false,
'security.user.provider.concrete.default',
'host',
'security.authentication.basic_entry_point.host',
null,
null,
array(
'http_basic',
'anonymous',
),
null,
),
array(
'with_user_checker',
'app.user_checker',
null,
true,
false,
'security.user.provider.concrete.default',
'with_user_checker',
'security.authentication.basic_entry_point.with_user_checker',
null,
null,
array(
'http_basic',
'anonymous',
),
null,
),
), $configs);

$this->assertEquals(array(
array(),
array(
'security.channel_listener',
'security.logout_listener.secure',
'security.authentication.listener.x509.secure',
'security.authentication.listener.remote_user.secure',
'security.authentication.listener.form.secure',
'security.authentication.listener.basic.secure',
'security.authentication.listener.rememberme.secure',
'security.authentication.listener.anonymous.secure',
'security.authentication.switchuser_listener.secure',
'security.access_listener',
),
array(
'security.channel_listener',
'security.context_listener.0',
'security.authentication.listener.basic.host',
'security.authentication.listener.anonymous.host',
'security.access_listener',
),
array(
'security.channel_listener',
'security.context_listener.1',
'security.authentication.listener.basic.with_user_checker',
'security.authentication.listener.anonymous.with_user_checker',
'security.access_listener',
),
), $listeners);

$this->assertFalse($container->hasAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', 'No user checker alias is registered when custom user checker services are registered'));
}

/**
* @group legacy
*/
public function testFirewallsWithDigest()
{
$container = $this->getContainer('container1_with_digest');
$arguments = $container->getDefinition('security.firewall.map')->getArguments();
$listeners = array();
$configs = array();
foreach (array_keys($arguments[1]->getValues()) as $contextId) {
$contextDef = $container->getDefinition($contextId);
$arguments = $contextDef->getArguments();
$listeners[] = array_map('strval', $arguments['index_0']->getValues());

$configDef = $container->getDefinition((string) $arguments['index_2']);
$configs[] = array_values($configDef->getArguments());
}

// the IDs of the services are case sensitive or insensitive depending on
// the Symfony version. Transform them to lowercase to simplify tests.
$configs[0][2] = strtolower($configs[0][2]);
$configs[2][2] = strtolower($configs[2][2]);

$this->assertEquals(array(
array(
'simple',
Expand Down
1 change: 0 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
View file
Expand Up @@ -64,7 +64,6 @@
'simple' => array('pattern' => '/login', 'security' => false),
'secure' => array('stateless' => true,
'http_basic' => true,
'http_digest' => array('secret' => 'TheSecret'),
'form_login' => true,
'anonymous' => true,
'switch_user' => true,
Expand Down
105 changes: 105 additions & 0 deletions ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_digest.php
View file
@@ -0,0 +1,105 @@
<?php

$container->loadFromExtension('security', array(
'acl' => array(),
'encoders' => array(
'JMS\FooBundle\Entity\User1' => 'plaintext',
'JMS\FooBundle\Entity\User2' => array(
'algorithm' => 'sha1',
'encode_as_base64' => false,
'iterations' => 5,
),
'JMS\FooBundle\Entity\User3' => array(
'algorithm' => 'md5',
),
'JMS\FooBundle\Entity\User4' => array(
'id' => 'security.encoder.foo',
),
'JMS\FooBundle\Entity\User5' => array(
'algorithm' => 'pbkdf2',
'hash_algorithm' => 'sha1',
'encode_as_base64' => false,
'iterations' => 5,
'key_length' => 30,
),
'JMS\FooBundle\Entity\User6' => array(
'algorithm' => 'bcrypt',
'cost' => 15,
),
),
'providers' => array(
'default' => array(
'memory' => array(
'users' => array(
'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER'),
),
),
),
'digest' => array(
'memory' => array(
'users' => array(
'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER, ROLE_ADMIN'),
),
),
),
'basic' => array(
'memory' => array(
'users' => array(
'foo' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => 'ROLE_SUPER_ADMIN'),
'bar' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => array('ROLE_USER', 'ROLE_ADMIN')),
),
),
),
'service' => array(
'id' => 'user.manager',
),
'chain' => array(
'chain' => array(
'providers' => array('service', 'basic'),
),
),
),

'firewalls' => array(
'simple' => array('pattern' => '/login', 'security' => false),
'secure' => array('stateless' => true,
'http_basic' => true,
'http_digest' => array('secret' => 'TheSecret'),
'form_login' => true,
'anonymous' => true,
'switch_user' => true,
'x509' => true,
'remote_user' => true,
'logout' => true,
'remember_me' => array('secret' => 'TheSecret'),
'user_checker' => null,
'logout_on_user_change' => true,
),
'host' => array(
'pattern' => '/test',
'host' => 'foo\\.example\\.org',
'methods' => array('GET', 'POST'),
'anonymous' => true,
'http_basic' => true,
'logout_on_user_change' => true,
),
'with_user_checker' => array(
'user_checker' => 'app.user_checker',
'anonymous' => true,
'http_basic' => true,
'logout_on_user_change' => true,
),
),

'access_control' => array(
array('path' => '/blog/524', 'role' => 'ROLE_USER', 'requires_channel' => 'https', 'methods' => array('get', 'POST')),
array('path' => '/blog/.*', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'),
array('path' => '/blog/524', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'allow_if' => "token.getUsername() matches '/^admin/'"),
),

'role_hierarchy' => array(
'ROLE_ADMIN' => 'ROLE_USER',
'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
'ROLE_REMOTE' => 'ROLE_USER,ROLE_ADMIN',
),
));
1 change: 0 additions & 1 deletion ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/no_custom_user_checker.php
View file
Expand Up @@ -15,7 +15,6 @@
'secure' => array(
'stateless' => true,
'http_basic' => true,
'http_digest' => array('secret' => 'TheSecret'),
'form_login' => true,
'anonymous' => true,
'switch_user' => true,
Expand Down
1 change: 0 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
View file
Expand Up @@ -49,7 +49,6 @@

<firewall name="secure" stateless="true">
<http-basic />
<http-digest secret="TheSecret" />
<form-login />
<anonymous />
<switch-user />
Expand Down

0 comments on commit b5103a2

Please sign in to comment.