New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SecurityBundle] Authentication entry point is only registered with firewall exception listener, not with authentication listeners #12296
Conversation
@fabpot Can you look into this? Is there no dedicated merger/decider for Security? |
@schmittjoh, @fabpot Any chance either of you could tell us what to do to get this handled or (preferably 😉 )merged in? Or is our expectation of the Thanks in advance! |
This looks like a valid fix. Without it, a custom entry point will indeed never be injected into the security listener. However, it would be good to include tests for this. It's probably the best to add some functional tests (see Tests/Functaional in the SecurityBundle). |
Cheers, we'll look into adding the tests. |
I had configured a different firewall entry point for one firewall. However, when authentication had to be performed, it still called BasicAuthenticationEntryPoint::start() instead of my service's start(). My service was instantiated, yet never used. The issue appeared to be that the entry point is registered with the firewall's exception listener, but not with the BasicAuthenticationListener. This means that when the BasicAuthenticationListener determines the user has provided wrong credentials, BasicAuthenticationEntryPoint is still used. Only in case of an exception would my entry point service be used. See #12261.
@jakzal Failing test is unrelated. Can this be merged? |
@rjkip I'll review this weekend. |
@jakzal Did you manage to take a look at this? Thanks in advance! |
@stof, @webmozart, @Tobion, @romainneutron, @nicolas-grekas, @fabpot As far as I can see in http://symfony.com/doc/current/contributing/code/core_team.html#active-core-members there is no "merger" assigned for the SecurityBundle, any chance either of you can take a peek at this? Edit: spelling |
Thank you @rjkip. |
…ered with firewall exception listener, not with authentication listeners (rjkip) This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes #12296). Discussion ---------- [SecurityBundle] Authentication entry point is only registered with firewall exception listener, not with authentication listeners | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | when relying on this configuration behaviour | Deprecations? | no | Tests pass? | yes | Fixed tickets | #12261 | License | MIT | Doc PR | — See #12261. I configured a different firewall entry point for one firewall. However, when authentication had to be performed, it still called BasicAuthenticationEntryPoint::start() instead of my service's start(). My service was instantiated, yet never used. The issue appears to be that the entry point is registered with the firewall's exception listener, but not with the BasicAuthenticationListener. This means that when the BasicAuthenticationListener determines the user has provided wrong credentials, BasicAuthenticationEntryPoint is still used. Only in case of an exception would my entry point service be used. In my opinion, this is not correct behaviour. Can someone confirm this? Are there currently tests that pertain to the `entry_point` configuration on which I can base a test? --- Test setup: ```yaml # security.yml security: firewalls: api: pattern: ^/api/ http_basic: ~ entry_point: my.service default: anonymous: ~ ``` Commits ------- 92c8dfb [SecurityBundle] Authentication entry point is only registered with firewall exception listener, not with authentication listeners
…ured entry point or a default entry point (rjkip) This PR was squashed before being merged into the 2.3 branch (closes #12811). Discussion ---------- Configure firewall's kernel exception listener with configured entry point or a default entry point | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | when relying on buggy behaviour | Deprecations? | no | Tests pass? | yes | Fixed tickets | #12581 #12801 | License | MIT | Doc PR | — The #12296 PR introduced a bug where the firewall's exception listener was sometimes configured with the default entry point returned by `SecurityExtension#createAuthenticationListeners()`. These changes add a regression test and make the configured entry point (if any) always take precedence over a default entry point. If someone can confirm this fix, it would have my preference merging this over reverting #12296 for Symfony 2.6.1. Commits ------- b122262 Configure firewall's kernel exception listener with configured entry point or a default entry point
See #12261.
I configured a different firewall entry point for one firewall. However, when authentication had to be performed, it still called BasicAuthenticationEntryPoint::start() instead of my service's start(). My service was instantiated, yet never used.
The issue appears to be that the entry point is registered with the firewall's exception listener, but not with the BasicAuthenticationListener. This means that when the BasicAuthenticationListener determines the user has provided wrong credentials, BasicAuthenticationEntryPoint is still used. Only in case of an exception would my entry point service be used.
In my opinion, this is not correct behaviour. Can someone confirm this? Are there currently tests that pertain to the
entry_point
configuration on which I can base a test?Test setup: