[Security] Add impersonation support for stateless authentication #24260
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
should we actually have this extra configuration ? couldn't we just make the switch_user listener stateless when the firewall itself is stateless ? |
|
@stof ideally yes, like the exceptionlistener. But disabling the redirection for stateless firewalls now would be a BC Break right? |
should we plan any deprecation here? Like when the option doesn't match the statelessyness of the firewall, then plan to deprecate the option in 4.1 and make it automatic meanwhile? |
7152540 to
32fc7bb
Compare
|
Deprecation added |
32fc7bb to
0f57086
Compare
0f57086 to
e7a5803
Compare
|
Rebased. ping @symfony/deciders |
fabpot
approved these changes
Sep 30, 2017
|
Thank you @chalasr. |
fabpot
added a commit
that referenced
this pull request
Sep 30, 2017
…hentication (chalasr) This PR was merged into the 3.4 branch. Discussion ---------- [Security] Add impersonation support for stateless authentication | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | https://github.com/lafourchette/SwitchUserStatelessBundle/issues/10#issuecomment-330434589 | License | MIT | Doc PR | n/a The `switch_user` listener triggers a redirection in case of success and thus does not play well with stateless authentication which is common nowadays (as opposed to other listeners like the [exception one](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php#L187..#L189)). This adds a new `stateless` option to the `switch_user` listener, if set to true then no redirection is triggered during user switching. This will avoid the need for [lafourchette/SwitchUserStatelessBundle](https://github.com/lafourchette/SwitchUserStatelessBundle) which just duplicated the symfony SwitchUserListener (with config factory) at a given state to avoid the 2 LOC which are causing the redirection. The bundle is not actively maintained and the listener it provides is out of date due to the missing upstream additions and bug fixes (see https://github.com/lafourchette/SwitchUserStatelessBundle/issues/10). Commits ------- e7a5803 [Security] Add user impersonation support for stateless authentication
fabpot
added a commit
that referenced
this pull request
Oct 5, 2017
…halasr) This PR was merged into the 3.4 branch. Discussion ---------- [Security] Look at headers for switch_user username | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #24260 | License | MIT | Doc PR | n/a Allowing `switch_user.parameter` config node to be a header name. It's supported by SwitchUserStatelessBundle and I think it makes sense. Forgotten in #24260 so targets 3.4 but not a blocker. Commits ------- 3c80195 [Security] Look at headers for switch user username parameter
This was referenced Oct 18, 2017
Merged
Merged
DougHayward
added a commit
to DougHayward/LexikJWTAuthenticationBundle
that referenced
this pull request
Feb 23, 2018
Change to the documentation as [lafourchette/SwitchUserStatelessBundle](https://github.com/lafourchette/SwitchUserStatelessBundle) no longer appears to be maintained and is no longer necessary since this pull request symfony/symfony#24260
chalasr
added a commit
to lexik/LexikJWTAuthenticationBundle
that referenced
this pull request
Mar 4, 2018
…eDoug) This PR was merged into the 2.x-dev branch. Discussion ---------- Update index.md - Remove reference to lafourchette. Change to the documentation as [lafourchette/SwitchUserStatelessBundle](https://github.com/lafourchette/SwitchUserStatelessBundle) no longer appears to be maintained and is no longer necessary since this pull request symfony/symfony#24260 Commits ------- beb93f9 Update index.md
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
switch_userlistener triggers a redirection in case of success and thus does not play well with stateless authentication which is common nowadays (as opposed to other listeners like the exception one).This adds a new
statelessoption to theswitch_userlistener, if set to true then no redirection is triggered during user switching.This will avoid the need for lafourchette/SwitchUserStatelessBundle which just duplicated the symfony SwitchUserListener (with config factory) at a given state to avoid the 2 LOC which are causing the redirection.
The bundle is not actively maintained and the listener it provides is out of date due to the missing upstream additions and bug fixes (see https://github.com/lafourchette/SwitchUserStatelessBundle/issues/10).