Open
Conversation
The firewall ID must be passed to the UsernamePasswordToken (or its sub classes) to ensure that authentication is done correctly if there are multiple firewalls. Having a hard-coded value prevents the AuthProvider to be used for more than one firewall. In addition, a provider key which does not match the actual firewall ID prevents the Twig functions logout_path() and logout_url() to work correctly.
xelan
force-pushed
the
bugfix/provider-key
branch
from
9444a06 to
811d71a
Compare
Member
|
Your change seams straightforward. Did you test it against multiple firewall ? |
Contributor
Author
|
Yes, I tested it with two different firewalls, where one uses the active_directory_provider and another one the in_memory provider. With the proposed PR, it works as expected. My security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
Riper\Security\ActiveDirectoryBundle\Security\User\AdUser: plaintext
providers:
in_memory:
memory:
users:
user: { password: 'example', roles: [ 'ROLE_USER'] }
active_directory_provider:
id: riper.security.active.directory.user.provider
firewalls:
test:
pattern: ^/test
provider: in_memory
form_login:
check_path: custom_login_check_route
login_path: custom_login_route
require_previous_session: false
logout:
path: custom_logout_route
target: /
anonymous: ~
secured_area:
pattern: ^/
provider: active_directory_provider
active_directory:
check_path: custom_login_check_route
login_path: custom_login_route
require_previous_session: false
logout:
path: custom_logout_route
target: /
anonymous: ~ |
Contributor
Author
|
Hi @ztec! Do you have any news on this PR? Would be great if you could review and integrate it in the next bugfix release 😄 Thank you very much, best regards |
Contributor
Author
|
Any news on the status of this PR? |
Contributor
Author
|
Hi @ztec! Do you have any news concerning this PR? Best regards |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The firewall ID must be passed to the UsernamePasswordToken to ensure that authentication is done correctly if there are multiple firewalls.
Having a hard-coded value prevents the AuthProvider to be used for more than one firewall.
In addition, a provider key which does not match the actual firewall ID prevents the Twig functions logout_path() and logout_url() to work correctly ("No LogoutListener found for firewall key").
Adding the firewall ID to the auth provider configuration, as it is not there by default, seemed the easiest option for now. Another way would be to pass the providerKey as an additional constructor argument of the AuthenticationProvider. However, this would change the method signature and require adaptations of the service definitions.
See
Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProviderfor the implementation in the Symfony default authentication provider base class. The actual creation of the provider happens here (in the case of the DAO authentication provider).