[Security] Adding providerKey to AnonymousToken #11006

Open
carlalexander opened this Issue May 28, 2014 · 3 comments

3 participants

@carlalexander

I apologize if this is covered elsewhere. I couldn't find any mention in articles, docs or issues. Is there a specific reason why AnonymousToken doesn't get the providerKey while all other AbstractToken subclasses do?

I am trying, programatically, to determine which firewall emitted an AnonymousToken and saw that it was not stored in the token.

I can create a PR to add it. I just wasn't sure if there was a security issue related to it so figured I'd ask first.

@jakzal
Symfony member

Probably related to #10651

@jakzal jakzal added the Security label May 28, 2014
@carlalexander

I saw the issue, but I wasn't sure if they were related. AnonymousAuthenticationProvider doesn't check to validate the providerKey. Just the key used by the firewall configuration.

@jakzal
Symfony member

@carlalexander right. Worth to have them linked anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment