[cookbook] Error in "custom Authentication Provider" listener code (and proposed fix) #3212

Closed
romaricdrigon opened this issue Nov 20, 2013 · 6 comments

Comments

@romaricdrigon
Contributor

Hi,

I've just followed this cookbook entry.

However I'm encountering an issue when pretty much exactly following it: an AuthenticationCredentialsNotFoundException is raised.

In my understanding, the issue is that we should be doing something: returning prematurely in the listener is relevant only if another firewall is enabled; otherwise we end up with a 500 error.

This is not the case in the tutorial (the firewall is set for a very precise URL pattern): I guess we should be returning a 403 error, shouldn't we? And eventually adding a note to explain it.

I'm ok about submitting a PR if we agree upon the fix.

@cordoval
Contributor

cordoval commented Dec 3, 2013

Maybe we can ask @matthiasnoback about this, since he wrote the security documentation.

@wouterj
Member

wouterj commented Dec 3, 2013

I think you are checking for isGranted when not on a page under the firewall, am I correct? Then it indeed does not work, and it's also intended to fail in that case.

The listener is only executed when in the firewall, so that can't cause the error afaics.

@romaricdrigon
Contributor Author

In my case, I was sticking to using it as the authentication provider for a firewall. So yes, the page where the errors happened was actually covered by a firewall. The only thing is that, for this firewall, anonymous users were disabled.

I guess you'll need more details. Now my code has diverged a little bit; if that is needed, tomorrow I'll try to post some code snippets.

@wouterj
Member

wouterj commented Dec 3, 2013

Yeah, that will be more than helpful (you can also push it to GitHub or email me a zip if that's easier for you).

@romaricdrigon
Contributor Author

Hi,

Sorry I took some time. As I could not post my original code, I've made a fresh Symfony-StandardEdition test case:
https://github.com/romaricdrigon/AuthFailExample

Just clone the repo, run composer install, and go to /demo/hello/wouter: you get an AuthenticationCredentialsNotFoundException exception (alternatively, you could launch the PHPUnit tests).

@romaricdrigon
Contributor Author

So now I'm pretty sure we should add a note to the cookbook entry, something like this:

Returning prematurely from the listener is relevant only if you want to chain authentication 
providers (for example to allow anonymous users). If you want to forbid access to 
anonymous users and have a nice 403 error, you should set it before returning.
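
The behaviour the proposed note describes, as an added example that is not the cookbook's code and not part of this thread: a listener for a firewall with anonymous users disabled that sets a 403 response instead of returning early. `DemoToken`, `DemoListener`, the namespace and the `X-Demo-Auth` header are hypothetical, and the Symfony 2.3 Security component is assumed.

```php
<?php
// Added example (not the cookbook's listener). Assumes the Symfony 2.3 Security component.
namespace Acme\DemoBundle\Security; // hypothetical namespace

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Http\Firewall\ListenerInterface;

class DemoToken extends AbstractToken // hypothetical token for the custom provider
{
    public $secret;

    public function getCredentials()
    {
        return $this->secret;
    }
}

class DemoListener implements ListenerInterface // hypothetical listener
{
    private $context;
    private $manager;

    public function __construct(SecurityContextInterface $context, AuthenticationManagerInterface $manager)
    {
        $this->context = $context;
        $this->manager = $manager;
    }

    public function handle(GetResponseEvent $event)
    {
        $secret = $event->getRequest()->headers->get('X-Demo-Auth'); // hypothetical header
        if (null !== $secret) {
            $token = new DemoToken();
            $token->secret = $secret;
            try {
                // The custom provider must support DemoToken and return an authenticated token.
                $this->context->setToken($this->manager->authenticate($token));
                return; // authenticated: let the request continue
            } catch (AuthenticationException $failed) {
                // Fall through to the denial below; log $failed here if needed.
            }
        }
        // Missing or rejected credentials. A bare "return;" here would leave the
        // security context without a token; deny explicitly with a 403 instead.
        $event->setResponse(new Response('Forbidden', 403));
    }
}
```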

weaverryan added a commit that referenced this issue Jan 9, 2014
…warning for when forbidding anonymous users (cordoval)

This PR was merged into the 2.3 branch.

Discussion
----------

[Cookbook][Custom Authentication Provider] add a note of warning for when forbidding anonymous users

| Q             | A                   |
| ---           | ---                 |
| Doc fix?      | yes                 |
| New docs?     | no                  |
| Applies to    | 2.3+                |
| Fixed tickets | #3212               |
| License       | CC-ASA 3.0 Unported |

 Sent using [Gush](https://github.com/cordoval/gush)

Commits
-------

244d756 add note when forbidding access to anonymous users on custom authentication provider