Authentication exceptions logged before having the chance to get handled #27440
Comments
|
The exact same problem you described also happens for access denied exceptions. |
|
I confirm this issue (I did not see it earlier, so I dig a bit :/ ) Here are the logs for the different version of Symfony: |
|
Ping @ro0NL FYI. |
|
It seems that excluded_http_codes also doesen't work. With this config: I still get 403 "Access denied" errors. |
|
In general i'd like to raise the security exception listener to 2049, sure. But it's quite significant.. and im afraid it affects some users. We could lower the logging a bit from 2048 to maybe just 10 or so, so the security listener would get 11. But conceptually it's the same problem... changing priorities is tricky. Another solution would be to introduce a pointer interface to mark exceptions skipped from logging. |
Like it ;) |
|
Or log exceptions at |
|
@nicolas-grekas the intend was to log at high prio, so that it works independent from userland listeners. Those are typically defined with prio > 0 (and most likely < 2048 :)). The issue is it potentially disables logging, hence the PR to decouple it. That said, i think we should revert it :) given the conflict with the security exception listener. However i'd prefer to meet in the middle, e.g.
|
|
Moreover, we could trigger a deprecation in case there are userland listeners with prio between 0 and 512, in effort to change the prio in 5.0 |
|
@ro0NL There are legit use case to be between 0 & 512 ; In our app we have a LocaleListener And on another app there is API Platform (so many listeners) |
|
@lyrixx it would affect exception listeners only ... we can log exceptions with with prio 0 (security is prio 1). This creates a range from 0 to -128 for userland listeners to overwrite rendering and preserve standard logging. |
This PR was squashed before being merged into the 4.1 branch (closes #27562). Discussion ---------- [HttpKernel] Log/Collect exceptions at prio 0 | Q | A | ------------- | --- | Branch? | 4.1 | Bug fix? | yes | New feature? | no | BC breaks? | no, fixes one | Deprecations? | no | Tests pass? | yes <!-- please add some, will be required by reviewers --> | Fixed tickets | #27440 | License | MIT | Doc PR | symfony/symfony-docs#... <!-- required for new features --> So that it runs after the security exception listener, which runs at prio 1. Im not sure what to do with the (wrong) changelog entry for 4.1.0 at this point.. should we add a new entry for 4.1.1? Commits ------- 85b832b [HttpKernel] Log/Collect exceptions at prio 0
Symfony version(s) affected: 4.1.0
Description
Seems like ever since #25366, authentication exceptions are first logged, and then handled gracefully (redirecting to a login entrypoint).
If an unauthenticated user hits a route they cannot access (e.g. a homepage route with this firewall rule
- { path: ^/, role: ROLE_ADMIN }), what currently happens is:step 1:
Symfony\Component\Security\Http\Firewall\AccessListenerrightfully throws anAccessDeniedExceptionexceptionstep 2: because of its new and high priority level (of
2048since [HttpKernel] Decouple exception logging from rendering #25366),Symfony\Component\HttpKernel\EventListener\ExceptionListenerdecides to log this exception:Uncaught PHP Exception AccessDeniedException .... Logging such a CRITICAL error has the bad side-effect of causing Monolog to send me an email.step 3: because of its (now-comparatively-low) priority level of
1,Symfony\Component\Security\Http\Firewall\ExceptionListenergets triggered. It converts the exception to a (redirect)Response(to the login page), and the website appears to work. However, it's way too late already, as "step 2" (above) already logged the error and sent me an exception email.Possible Solution
Symfony\Component\Security\Http\Firewall\ExceptionListenercan be executed with a higher priority thanSymfony\Component\HttpKernel\EventListener\ExceptionListener, so that graceful handling of authentication exceptions can happen before logging.Changing
Symfony\Component\Security\Http\Firewall\ExceptionListener, so that theKernelEvents::EXCEPTIONpriority is higher (from1to2049) works around the problem.The text was updated successfully, but these errors were encountered: