[security] "security.authentication.success" event should be fired on every request? #21571
Actually this event is fired only when submitting credentials, no matter if the firewall is stateless or not. Related to #20305. |
@MacDada in your config here you don't have any authorization enforcing authentication, not even an anonymous enforcer (commented out). If you add that, does it work? |
@iltar So what? Authentication !== Authorization. Why would I need any "authorization" check for "security.authentication.success" event to work? BTW, I actually do have authorization configured – but on the controller level, not on the firewall level.
If I required ROLE_USER, ROLE_ADMIN, etc. on every path, then I'd need to uncomment that for the login form to work. But I don't. Anyway, I did a bit more debugging. It really is "strange". Notice that I use memcached to store sessions and do testing while being authenticated from a remember me cookie. I check if the event is fired with a breakpoint here.

Scenario one: no authorization requirements in firewall and controller.

So… I need to dump both Symfony cache and sessions storage for the event to fire. But dumping one of them is not enough…

Scenario two: IS_AUTHENTICATED_ANONYMOUSLY role required in firewall authorization.

```yaml
# security.yml
security:
    access_control:
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
```

Test and result same as above.

Scenario three: IS_AUTHENTICATED_ANONYMOUSLY role required in controller authorization.

```php
<?php

namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class HomepageController extends Controller
{
    /**
     * @Route("/", name="homepage")
     * @Security("is_granted('IS_AUTHENTICATED_ANONYMOUSLY')")
     *
     * @param Request $request
     * @return Response
     */
    public function homepageAction(Request $request)
    {
        // The action body was omitted in the original comment; a minimal
        // response keeps the class complete.
        return new Response('Homepage');
    }
}
```

Test and result same as above.

Scenario four: IS_AUTHENTICATED_ANONYMOUSLY role required both in firewall and controller authorization. Test and result same as above. ??? |
I also ran into this issue. Are there any news about this? Is the documentation wrong, or should the symfony code be changed? |
Ran into this issue today on 2.7.x
symfony/src/Symfony/Component/Security/Core/Authentication/AuthenticationProviderManager.php Line 96 in 9f1c017
authenticate is called from
authenticated=false
Documentation is saying
Which is not quite true. |
I've also hit this problem. The documentation says that My workaround was to use a |
What's the status of this? |
- updated AbstractToken to compare Roles - Updated isEqualTo method to match roles as default User implements EquatableInterface - added test case
Same problem on 4.3.3 |
This seems to be resolved by changing the documentation in symfony/symfony-docs#11457 |
So, if I want to modify the user session status, then should I use the request listener instead? |
Authentication happens when an authentication listener processes an incoming request, i.e. only when credentials are submitted. If one comes with a common enough use case, we could consider dispatching a new event when the token is read from the session. |
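The distinction in the comment above, as an added example that is not part of the issue thread: an event subscriber with one hook on `security.authentication.success` (fires only when an authentication provider actually authenticates a token, i.e. when credentials are processed) and one on `kernel.request` (runs on every request, after the firewall has restored the token from the session). It assumes Symfony 4.4 class names; the subscriber class name and the log messages are invented for the example.

```php
<?php
// Added example, not code from the issue or from Symfony itself.
// Assumes Symfony 4.4 (RequestEvent, AuthenticationEvent, TokenStorageInterface).
namespace App\EventSubscriber;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\AuthenticationEvents;
use Symfony\Component\Security\Core\Event\AuthenticationEvent;

final class TokenActivitySubscriber implements EventSubscriberInterface
{
    private $tokenStorage;
    private $logger;

    public function __construct(TokenStorageInterface $tokenStorage, LoggerInterface $logger)
    {
        $this->tokenStorage = $tokenStorage;
        $this->logger = $logger;
    }

    public static function getSubscribedEvents(): array
    {
        return [
            // Dispatched only when an authentication provider authenticates a
            // token (submitted credentials), not when a token already marked
            // authenticated is read back from the session.
            AuthenticationEvents::AUTHENTICATION_SUCCESS => 'onAuthenticationSuccess',
            // Runs on every request. Priority 0 is lower than the firewall
            // listener's priority (8), so the token storage is already
            // populated from the session when this method runs.
            KernelEvents::REQUEST => ['onKernelRequest', 0],
        ];
    }

    public function onAuthenticationSuccess(AuthenticationEvent $event): void
    {
        $token = $event->getAuthenticationToken();
        $this->logger->info('Credentials accepted', ['user' => $token->getUsername()]);
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMasterRequest()) {
            return; // ignore sub-requests (ESI, forwards)
        }

        $token = $this->tokenStorage->getToken();
        if (null === $token || !\is_object($token->getUser())) {
            return; // anonymous request, or no firewall covers this path
        }

        // Per-request work for already-authenticated users (last-seen
        // timestamps, session flags) belongs here, because a token restored
        // from the session does not go through the authentication manager.
        $this->logger->info('Authenticated request', ['user' => $token->getUsername()]);
    }
}
```

With autowiring enabled the subscriber is picked up automatically; otherwise register it as a service tagged `kernel.event_subscriber`.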
…ged (oleg-andreyev) This PR was merged into the 4.4 branch.

Discussion
----------

#21571 Comparing roles to detect that users have changed

| Q | A |
| ------------- | --- |
| Branch? | 4.4 |
| Bug fix? | yes |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| License | MIT |
| Fixed tickets | #21571 (comment) |
| Docs | symfony/symfony-docs#11457 |

**Case 1:** User A has roles `foo, bar and admin`. User A is signed in to the application and the token is persisted. Later another User B with role `admin` decides to restrict role `admin` for User A, but User A won't lose its privileges until the session expires or User A logs out, because the token is persisted with `roles` and `authenticated=true` and the roles are not compared.

Ref. to the previous attempt: #27121

Commits
-------

4f4c30d - updated AbstractToken to compare Roles - Updated isEqualTo method to match roles as default User implements EquatableInterface - added test case - bumped symfony/security-core to 4.4
…s" section (oleg-andreyev) This PR was merged into the 4.4 branch.

Discussion
----------

#21571 updated "Authentication Success and Failure Events" section

Updated "Authentication Success and Failure Events": `security.authentication.success` can be dispatched in the following cases:

- if `always_authenticate_before_granting` is enabled and `isGranted` is called
- if a token is not authenticated before `AccessListener` is invoked
- if the customer submitted credentials (actual authentication)

symfony/symfony#21571

Commits
-------

dc91bfd #21571 updated "Authentication Success and Failure Events" section
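The stale-roles problem in Case 1 above can also be closed on the application side, on versions that predate the 4.4 change, by letting the user class decide what "same user" means. The following is an added example, not the PR's code: a `User` implementing `EquatableInterface` whose `isEqualTo()` compares the role set as well as username and password. When the firewall refreshes the user from the provider at the start of a request and `isEqualTo()` returns false, the token is marked not authenticated, so the roles copied into the session are no longer trusted and the token has to be re-authenticated with freshly loaded roles before access is granted. The class name and constructor are assumptions for the example.

```php
<?php
// Added example, not code from the PR or from Symfony. Assumes the
// UserInterface / EquatableInterface contracts as of Symfony 2.8 to 4.4.
namespace App\Security;

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

final class User implements UserInterface, EquatableInterface
{
    private $username;
    private $password;
    private $roles;

    /** @param string[] $roles */
    public function __construct(string $username, string $password, array $roles)
    {
        $this->username = $username;
        $this->password = $password;
        $this->roles = $roles;
    }

    public function getUsername(): string { return $this->username; }
    public function getPassword(): string { return $this->password; }
    /** @return string[] */
    public function getRoles(): array { return $this->roles; }
    public function getSalt() { return null; } // hashed password carries its own salt
    public function eraseCredentials(): void {}

    /**
     * Called when the user stored in the session token is compared with the
     * user freshly loaded from the user provider. Returning false causes the
     * token to be marked as not authenticated, so privileges revoked since
     * login stop being honoured on the next request instead of at logout.
     */
    public function isEqualTo(UserInterface $user): bool
    {
        if (!$user instanceof self) {
            return false;
        }
        if ($this->username !== $user->getUsername()
            || $this->password !== $user->getPassword()) {
            return false;
        }

        // Order-insensitive comparison: the session copy and the fresh copy
        // must hold exactly the same set of roles.
        $mine = $this->roles;
        $theirs = $user->getRoles();
        sort($mine);
        sort($theirs);

        return $mine === $theirs;
    }
}
```

Comparing the password hash as well means a password change also invalidates existing sessions, which is usually the behaviour wanted when credentials are reset after a compromise.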
At least that's what the docs say: https://symfony.com/doc/2.8/components/security/authentication.html#authentication-success-and-failure-events
The problem is, it doesn't fire for me (?) on Symfony 2.8.12.
Not sure if this is a problem with Symfony, with my code/configuration or just the documentation.
My config (I've cut off what I think are irrelevant parts):