Exception on _switch_user when not logged in.

| Q                | A
| ---------------- | -----
| Bug report?      | yes
| Feature request? | no
| BC Break report? | no
| RFC?             | no
| Symfony version  | any (tested on 3.2.8 and older versions)

The following problem appears on all my Symfony projects.

I set up a firewall on `^/admin` with `switch_user` enabled. Everything works fine except one thing: any anonymous user can throw an Error 500 by visiting any `/admin/xxx` existing URL if they pass the `_switch_user=_exit` parameter in the URL.

For instance, when I am **not** logged in, if I visit:

https://www.mydomainnameforthisproject.com/app_dev.php/admin/index?_switch_user=_exit

I obtain this stack trace:

```
[1] Symfony\Component\Debug\Exception\FatalThrowableError: Type error: Argument 1 passed to Symfony\Component\Security\Http\Firewall\SwitchUserListener::getOriginalToken()
        must be an instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface, null given, called in
        /data/web/project1/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php on line 164
    at n/a
        in /data/web/project1/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php line 184
    at Symfony\Component\Security\Http\Firewall\SwitchUserListener->getOriginalToken(null)
        in /data/web/project1/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php line 164
    at Symfony\Component\Security\Http\Firewall\SwitchUserListener->attemptExitUser(object(Request))
        in /data/web/project1/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php line 84
    at Symfony\Component\Security\Http\Firewall\SwitchUserListener->handle(object(GetResponseEvent))
        in /data/web/project1/var/cache/dev/classes.php line 5393
    at Symfony\Component\Security\Http\Firewall->onKernelRequest(object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
        in  line 
    at call_user_func(array(object(Firewall), 'onKernelRequest'), object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
        in /data/web/project1/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 106
    at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
        in  line 
    at call_user_func(object(WrappedListener), object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
        in /data/web/project1/var/cache/dev/classes.php line 3272
    at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(array(object(WrappedListener), object(WrappedListener), object(WrappedListener),
        object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener),
        object(WrappedListener), object(WrappedListener)), 'kernel.request', object(GetResponseEvent))
        in /data/web/project1/var/cache/dev/classes.php line 3187
    at Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
        in /data/web/project1/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php line 136
    at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
        in /data/web/project1/var/cache/dev/classes.php line 4622
    at Symfony\Component\HttpKernel\HttpKernel->handleRaw(object(Request), 1)
        in /data/web/project1/var/cache/dev/classes.php line 4592
    at Symfony\Component\HttpKernel\HttpKernel->handle(object(Request), 1, true)
        in /data/web/project1/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php line 168
    at Symfony\Component\HttpKernel\Kernel->handle(object(Request))
        in /data/web/project1/web/app_dev.php line 30
```

This is my firewall configuration.

```
security:
    firewalls:
        dev:
            pattern: '^/(_(profiler|wdt)|css|images|js)/'
            security: false

        assets:
            pattern: '^/assets'
            security: false

        security:
            pattern: '^/admin/(login|forgotpassword|resetpassword.*)$'
            security: false

        admin:
            pattern: '^/admin'
            form_login:
                provider: admin
                csrf_token_generator: security.csrf.token_manager
                login_path: /admin/login
                check_path: /admin/login_check
                default_target_path: /admin/
            logout:
                path: /admin/logout
                target: /admin
            anonymous: false
            switch_user: { role: ROLE_SUPPORT }
```

I think this is a bug, because an anonymous user should NOT ne able to do anything (especially producing an uncaught Exception) on the `/admin/xxx` URLs...

Regards

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Exception on _switch_user when not logged in. #22729

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Q	A
Bug report?	yes
Feature request?	no
BC Break report?	no
RFC?	no
Symfony version	any (tested on 3.2.8 and older versions)

Uh oh!

Exception on _switch_user when not logged in. #22729

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions