[Security] User is loaded on every request #43648
Can you try to debug where the call to
Sure. It's starting from the AuthenticatorManager, which tries to create an AuthenticatedToken:

symfony/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php, line 193 in 9f43121
symfony/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php, line 105 in 9f43121
symfony/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php, line 67 in 9f43121

Call Stack:
Is there anything more I can do to help on this?
Maybe this will help you? `stateless: true` https://symfony.com/doc/current/security/user_providers.html#creating-a-custom-user-provider
Thank you for the response, but this does not help. Actually, it does the opposite of what I want: it tells the firewall to be stateless and load the user on every request. I want the user to be loaded only on the first request and refreshed on the following ones. That's what the old firewall did. That seems like a bug to me. It would be great if this could be fixed before releasing 5.4/6.0. I really would like to contribute a fix, but I don't know enough about the internals of the new security system. Maybe @wouterj or someone else could look into this?
I created another scenario without using custom code to make sure there is no error in my implementation. I configured security as follows:

```yaml
security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
            algorithm: 'plaintext'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        memory_users:
            memory:
                users:
                    demo: { password: '123', roles: ['ROLE_USER'] }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            http_basic:
                realm: Test
                provider: memory_users
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: ROLE_USER }
```

When setting break points to

After activating the old firewall (`security: { enable_authenticator_manager: false }`) the behavior changes, so that
So, the bug (?) seems not only to occur when using REMOTE_USER auth. Is it really intended that the user is fully loaded on every request using the new firewall? Any feedback from the creators would be helpful.
…TE_USER authentication (stlrnz)

This PR was squashed before being merged into the 5.3 branch.

Discussion
----------

[Security] Do not overwrite already stored tokens for REMOTE_USER authentication

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 5.3        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #43648 |
| License       | MIT        |

As described in #43648 the user is currently loaded on every request for REMOTE_USER authentication. Thanks to `@wouterj` for confirming to me on Slack that this seems weird. So, I looked deeper into this. I found out that other Authenticators tell the AuthenticatorManager only under special conditions (like matching route etc.) that they support the current request. However, the `AbstractPreAuthenticatedAuthenticator` is not so picky. In consequence, the user is authenticated again on every request. Inspired by `RememberMeAuthenticator`, this PR adds an additional check to `AbstractPreAuthenticatedAuthenticator` to solve this issue.

https://github.com/symfony/symfony/blob/07a891f6c57d9da513d75402f2aa2da73d897044/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php#L63

Commits
-------

ce1ee74 [Security] Do not overwrite already stored tokens for REMOTE_USER authentication
Symfony version(s) affected: 5.3.9
Description
After upgrading my application to Symfony 5.3 I tried to enable the new security system. Everything seems to work well. However, I discovered that a fresh user object is loaded by the UserProvider on every request (although it is still being loaded from the session).
I'm using REMOTE_USER authentication and a custom User and UserProvider implementation.
How to reproduce
I created a small dummy project to reproduce the problem: https://github.com/stlrnz/test-new-symfony-security
As you can see, there is nothing special in my implementation/configuration:
Additional context
As you can see the UserProvider writes two log messages for debugging.
When using the new security system the user is loaded on the first request:
and refreshed and loaded on the following:
When using the old system by configuring
the user is still loaded on the first request
and refreshed on the following (no loading as expected).
In my real application, loading a user is a very complex operation (it requires some webservice calls etc.). Therefore it should not be done on every request. Is there a way to achieve this?
I tried to understand why this happens in the new system. It seems that the Authenticator always triggers the load of the user through the passport to create an Authenticated Token.
symfony/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php
Line 105 in 9f43121
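The check described in the merged PR above, written out as an added illustrative example (not Symfony's own code and not the fix as merged): a minimal REMOTE_USER-style authenticator whose `supports()` declines the request when the session already holds a token for the same user identifier, so the provider's `loadUserByIdentifier()` runs once per session and the firewall only refreshes the stored user afterwards. It assumes the Symfony 5.3 authenticator API; the class name and constructor wiring are hypothetical.

```php
<?php
// Added illustrative example (not Symfony's own code). Assumes the Symfony 5.3 authenticator
// API; the class name and constructor wiring are hypothetical.
namespace App\Security;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

final class RemoteUserAuthenticator extends AbstractAuthenticator
{
    private $tokenStorage;
    private $userProvider;
    public function __construct(TokenStorageInterface $tokenStorage, UserProviderInterface $userProvider)
    {
        $this->tokenStorage = $tokenStorage;
        $this->userProvider = $userProvider;
    }

    public function supports(Request $request): ?bool
    {
        $username = $request->server->get('REMOTE_USER');
        if (null === $username || '' === $username) {
            return false; // nothing to authenticate with; other authenticators may still run
        }
        // Do not overwrite a token already stored for this identifier (e.g. from the session):
        // returning false here means the firewall only refreshes the stored user and the
        // provider's loadUserByIdentifier() is not called again on this request.
        $token = $this->tokenStorage->getToken();
        return !(null !== $token && $token->getUserIdentifier() === $username);
    }

    public function authenticate(Request $request): PassportInterface
    {
        // The loader closure runs only when this passport is resolved, i.e. on the first request.
        $username = (string) $request->server->get('REMOTE_USER');
        return new SelfValidatingPassport(new UserBadge($username, function (string $id) {
            return $this->userProvider->loadUserByIdentifier($id);
        }));
    }

    // Pre-authenticated requests simply continue; no redirect or error response is produced.
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response { return null; }
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response { return null; }
}
```

With the check in place, the two debug log lines mentioned in the description would show "load" only on the first request and "refresh" on subsequent ones, matching the old firewall's behavior.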