[2.3.22]AuthenticationEntryPoint does not work in Symfony 2.3.22

[zacharyzh]

I am not good at english and I will do my best to articulate..

Yestoday, I have upgrade my Symfony framework from 2.3.18 to 2.3.22. Everything is good, except my AuthenticationEntryPoint class.

Code here:

class AuthenticationEntryPoint implements AuthenticationEntryPointInterface
{
    private $router;

    public function __construct(Router $router)
    {
        $this->router = $router;
    }

    public function start(Request $request, AuthenticationException $exception)
    {
        if ($request->isXmlHttpRequest()) {
            return new JsonResponse(array('status' => 'login_required'));
        }
        return new RedirectResponse('/my/login');
    }
}

services:
    my_entry_point:
        class: My\Bundle\Security\AuthenticationEntryPoint
        arguments: [ "@router" ]

security:
    firewalls:
        secured:
            pattern: .*
            entry_point: my_entry_point
            form_login:
                check_path: /my/login/check

The question is, if remove form_login from security.yml, AuthenticationEntryPoint running and got this exception:

Unable to find the controller for path "/my/login/check". 
Maybe you forgot to add the matching route in your routing configuration?

if leave form_login in security.yml, AuthenticationEntryPoint does not work, and the default login_path will be used:

No route found for "GET /login"
404 Not Found - NotFoundHttpException

Thanks very much.

[zacharyzh]

Changelog:

bug #12296 [SecurityBundle] Authentication entry point is only registered with 
firewall exception listener, not with authentication listeners.

This bug fixed and the code below has been removed:

# Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension.php @ Line 351
if (isset($firewall['entry_point'])) {
    $defaultEntryPoint = $firewall['entry_point'];
}

Does it means AuthenticationEntryPointInterface not working without access listeners ?

[imunhatep]

Same problem here on 2.5.7 (as expected). Probably if some authentication listener have it's own default entry point it will overwrite the one provided by the configuration.

[zacharyzh]

I have a Kernel.EXCEPTION event listener instead of this before recovered.

[fabpot]

@rjkip Can you have a look at this issue? We should probably add a test case and a fix to avoid any future regression. That's critical as it currently breaks all versions of Symfony.

[fabpot]

As 2.6.1 should be released very soon, I propose to revert the PR to have more time to figure out a proper fix. What do you think? ping @symfony/deciders

[rjkip]

Hi @fabpot. Looking into this. This is not how I want my first contribution to Symfony to be remembered. 😢

[rjkip]

if leave form_login in security.yml, AuthenticationEntryPoint does not work, and the default login_path will be used:

No route found for "GET /login"
404 Not Found - NotFoundHttpException

• @zacharyzh has configured the default entry point (that logic was moved, not removed).
• The FormLoginFactory ignores the default entry point (unlike HttpBasicFactory and HttpDigestFactory) and registers its own. The custom entry point, thus, is never called.
• The user, being unauthorised, is redirected to the default login route login by the FormAuthenticationEntryPoint.

This sounds logical to me thus far.

Previously, when no credentials were provided, an AuthenticationCredentialsNotFoundException was thrown by the AccessListener. The Firewall's exception listener then called the configured entry point's start() method. In this issue's case, it caused a redirect to /my/login.

---

[Fix]: I've added @zacharyzh's case to the functional test. Also, I've applied a fix that makes both test cases pass. It is closer to the original behaviour of SecurityExtension::createFirewall(), where the $defaultEntryPoint returned from createAuthenticationListeners() was used for the ExceptionListener, as seen here. However, the Security bundle extension being a beast, I need someone to confirm this fix.

[rjkip]

Ping @fabpot.