[Security] [Bug] User switching is not available for pre-authenticated users

[lisachenko]

I have non-stateless authentication with x509 and want to enable user switching.
Expected that user switching should work.
Actual result: current user remains active

Bug detailed description:
Current user is authenticated with x509 certificate, so in the security context there is a PreAuthenticatedToken and session store it. Next step is to switch user. When user is switching then SwitchUserListener replaces existing PreAuthenticatedToken with UsernamePasswordToken and stores it in the security context and in the session, after that we have redirect to our page. We have valid token on the next request, however x509 authentication listener will be invoked again and it overrides existing UsernamePasswordToken.

How to fix that bug:
AbstractPreAuthenticatedListener class should not override existing authenticated tokens in the security context.

    // AbstractPreAuthenticatedListener:64-68
    if (null !== $token = $this->securityContext->getToken()) {
        if ($token->isAuthenticated()) {
            return;
        }
    }

[ericclemmons]

Is your code snippet the problem or the solution?

For quick reference, here is the file now:

https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php#L65

[lisachenko]

My code snippet is solution, but I'm not sure that everything will be OK with that patch. Why do we need to check that $token is instance of PreAuthenticatedToken only and verify a user name to skip authentication?

[stof]

@schmittjoh ping

[ghost]

There is a fix, but it was never merged? What happened?

[stof]

Well, we are not sure it was a fix. teh guy submitting it closed the PR before it got reviewed, and without explaining why.

[dlancea]

I'm running into this same problem. I tried the code given by lisachenko and the submitted PR, but neither are working for me.

Forgive my naive attempt to fix this, I'm certainly not an expert at the Security Component.

One problem I've found is that the SwitchUserListener only uses UsernamePasswordToken tokens. This seems to mean the token never gets set in the securityContext in the PreAuthenticatedListener. If I change the SwitchUserListener to only produce PreAuthenticatedToken tokens the token at least shows up in the SecurityContext in the AbstractPreAuthenticatedListener handle function.

At this point the problem is that the PreAuthenticatedToken generated by the SwitchUserListener isn't authenticated, so it doesn't get returned by this line of code and accepted by the system as the "real" token.

Long story short, I think the problem is two fold, one being that SwitchUserListener only creates UsernamePasswordToken tokens and that AbstractPreAuthenticatedListener handler function doesn't handle existing tokens that aren't authenticated and don't match the user returned by getPreAuthenticatedData very well.

[daum]

+1

[daum]

FYI - it does appear that @lisachenko solution works still, the lines are slightly different but as far as I can tell it looks like it is working. @stof you see any reason that his solution should not work? I can make an updated PR if you'd like.

[ghost]

This is currently the oldest still open bug of Symfony 😄
@daum Do you like to investigate it?

[pasdeloup]

I worked on it using your different comments but the new behaviour breaks an existing test.
Feedbacks about my solution are welcome.

[pasdeloup]

According to both @stof and @fabpot this issue should not be fixed and closed.
I submitted a PR for documentation about it #6673