[Security] fixed issue where x509 authentication clears unrelated tokens #8283
Conversation
|
I think it makes sense. |
|
I updated all other authentication listeners that clear security tokens. I also hardened the check to also check for the provider key. |
| @@ -181,7 +181,10 @@ private function onFailure(GetResponseEvent $event, Request $request, Authentica | |||
| $this->logger->info(sprintf('Authentication request failed: %s', $failed->getMessage())); | |||
| } | |||
|
|
|||
| $this->securityContext->setToken(null); | |||
| $token = $this->securityContext->getToken(); | |||
| if (null !== $token && $token instanceof UsernamePasswordToken && $this->providerKey == $token->getProviderKey()) { | |||
There was a problem hiding this comment.
you should use a strict comparison
There was a problem hiding this comment.
and you can remove null !== $token. null is not an instance of UsernamePasswordToken
|
Done. Thank you! |
… tokens This commit fixes an issue where authentication listeners clear all security tokens in case of authentication failure. This behavior makes it impossible to combine certain authentication mechanisms, notably x509 with form-based login.
|
From my end this one is ready, I've also tried to test various combinations of authentication listeners which produced the desired results. |
| @@ -38,10 +38,6 @@ public function __construct(SecurityContextInterface $securityContext, Authentic | |||
|
|
|||
| protected function getPreAuthenticatedData(Request $request) | |||
| { | |||
| if (!$request->server->has($this->userKey)) { | |||
There was a problem hiding this comment.
@alcaeus Can you tell us more about this code removal? It does not look like it is related to the goal of this PR.
There was a problem hiding this comment.
Hi! Sorry about the late reply, I've been struck down with the flu for the past week and wasn't able to do anything.
To be honest, that was the first piece of code I removed when trying to fix it. The exception is not caught in the abstract listener, which caused the original problem of cleared tokens.
On second thought, it probably should be left in so that code can react to the different cases ("no certificate provided" and "no data in certificate"). Can you give me another couple of days to check it out? I'll put the code back in and make sure the abstract listener reacts correctly to the exception.
|
The BadCredentialsException is back in (it really makes more sense this way), the AbstractPreAuthenticatedListener now takes care of handling that case. The exception handling is necessary to allow the authentication process to fall through to the next listener. |
| /** | ||
| * Clears a PreAuthenticatedToken for this provider (if present) | ||
| * | ||
| * @return void |
There was a problem hiding this comment.
this should be removed as we don't use mention the return value when it is null
|
Fabien, is this one good to merge or is there anything else that should be changed? |
|
@alcaeus Looks good to me except that I did not see that you based your patch on 2.1, which is not maintained anymore. Can you reopen a new PR on 2.2 instead? |
|
Dang, yeah. Will do. Do you need one on 2.3 as well? |
|
No, just 2.2. |
|
Replaced by the above PR. |
This PR was merged into the 2.2 branch. Discussion ---------- [Security] fixed issue where x509 authentication clears unrelated tokens | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #8226 | License | MIT | Doc PR | symfony/symfony-docs#2825 | Notes | Replaces PR #8283 TODO: - [x] Feedback on change to make sure security is not affected - [x] Fix other authentication listeners (they suffer the same problem) - [x] Write unit tests for bug and maybe a few listener classes as well This pull request is the summary of the problem mentioned in the ticket above. It only fixes the "disappearing token" problem for one authentication provider, not all. If acceptable, the change needs to be applied to all authentication listeners since they always clear all tokens from the security context. Commits ------- 2317443 [Security] fixed issue where authentication listeners clear unrelated tokens
TODO:
This pull request is the summary of the problem mentioned in the ticket above.
It only fixes the "disappearing token" problem for one authentication provider, not all. If acceptable, the change needs to be applied to all authentication listeners since they always clear all tokens from the security context.
Any help or feedback is greatly appreciated.