[DX][Security] Check for server PHP_AUTH_USER · Issue #13950 · symfony/symfony · GitHub

[DX][Security] Check for server PHP_AUTH_USER #13950


Closed
rvanlaak opened this issue Mar 17, 2015 · 6 comments

Comments

@rvanlaak (Contributor) commented Mar 17, 2015

For a server-side payment notification service we authorize the $request->server parameters PHP_AUTH_USER and PHP_AUTH_PW. For complex security annotations we can always implement the Annotations of the JMSSecurityExtraBundle, but this seems a bit too much for this simple use-case:

// Authentication check
if (
    $request->server->get('PHP_AUTH_USER') != $this->container->getParameter('security_user') ||
    $request->server->get('PHP_AUTH_PW') != $this->container->getParameter('security_pw')
) {
    throw $this->createNotFoundException();
}

What I'd like to propose is that the @Security annotation is able to compare the server parameters with the values from the container parameters:

/**
 * @Security("php_auth('%security_user%', '%security_pw%')")
 */
public function showAction(Post $post)

@stof (Member) commented Mar 17, 2015

@Security is related to the authorization layer, running voters based on the authenticated user. PHP_AUTH_USER and PHP_AUTH_PW on the other hand are related to authenticating the user.
What you need is to enable the http_basic authentication in your firewall.
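
The firewall-based approach stof describes, written out as an added example; this is not configuration from the issue or from Symfony's own documentation. It assumes a Symfony 2.x app/config/security.yml, a notification route under /payment/notify, a literal technical username `payment-notifier` and a role name ROLE_PAYMENT_NOTIFIER; only the `security_pw` parameter comes from the controller snippet above.

```yaml
# Added example: app/config/security.yml for a Symfony 2.x application.
# Replaces the manual PHP_AUTH_USER / PHP_AUTH_PW comparison in the controller
# with an http_basic firewall, so the controller contains no credential check.
security:
    # The in-memory user is stored with a plaintext password, which is what the
    # container parameter compared in the original controller snippet holds.
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    providers:
        # One technical account for the payment provider (username assumed,
        # password taken from the existing security_pw parameter).
        payment_notifier:
            memory:
                users:
                    payment-notifier:
                        password: "%security_pw%"
                        roles: [ROLE_PAYMENT_NOTIFIER]   # assumed role name

    firewalls:
        # Dedicated firewall for the notification endpoint only (assumed path).
        payment_notifications:
            pattern: ^/payment/notify
            stateless: true           # no session: every request must carry the header
            http_basic:
                realm: "Payment notifications"
                provider: payment_notifier

        # ... the application's other firewalls (dev, main) stay as they were

    access_control:
        # Authorization: the endpoint is reachable only by the authenticated
        # technical account; requests without valid credentials get a 401
        # challenge from the firewall instead of the controller's 404.
        - { path: ^/payment/notify, roles: ROLE_PAYMENT_NOTIFIER }
```

With this in place the authentication happens before the controller runs, so the `if (...) { throw $this->createNotFoundException(); }` block can be deleted entirely.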

@rvanlaak (Contributor, Author)

Enabling http_basic authentication for that route could indeed solve this, but it would be a nice feature if such an easy check could be handled via annotations 👍

So, you think an annotation for such basic authentication checks is a no-go?

@stof (Member) commented Mar 23, 2015

@rvanlaak the issue is that you are asking to mix the authentication and the authorization in the annotation, while they are different concerns.

@rvanlaak (Contributor, Author)

It doesn't have to be the same annotation; the following would also be great.

@Authorization(user="%parameter%", password="%parameter%")

But I notice you aren't convinced of the ease this would offer? 👍

@MacDada (Contributor) commented May 8, 2015

@rvanlaak Correct: "username" and "password" are not "authorization" concerns.

  • Authentication deals with finding out who is the person accessing the app.
  • Authorization deals with finding out if that person has access to a certain part of the app.

Please read the docs to understand more about this topic:

Actually, this link covers exactly what you're trying to achieve (basic auth):
http://symfony.com/doc/current/book/security.html

You can also use annotations to require specific role(s) for the controller:
http://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/annotations/security.html

@rvanlaak (Contributor, Author) commented May 8, 2015

Thanks @MacDada, but I was well aware of most of those pages. My proposition would be to have a specific annotation to check for authentication parameters, to reduce boilerplate code. As nobody sees this as a viable use case, I'll close this issue.
