8000 Not fully authenticated when denying IP or host · Issue #19906 · symfony/symfony · GitHub

Closed
h4ckninja opened this issue Sep 11, 2016 · 6 comments

Comments

@h4ckninja
h4ckninja commented Sep 11, 2016

I have tried on:

  • OS X
  • Symfony 3.1 and 2.7
  • PHP 5.5.36

The problem:

Attempting to deny access via IP or host through @Security or checking $request inside the controller, or access_control in security.yml produces the same error:

Full authentication is required to access this resource.
500 Internal Server Error - InsufficientAuthenticationException
1 linked Exception:
    AccessDeniedException »

The error log:

DEBUG - Access denied, the user is not fully authenticated; redirecting to authentication entry point.
CRITICAL - Uncaught PHP Exception Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException: "Full authentication is required to access this resource." at /path]/tmp-security/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php line 128

The same error is thrown on 3.1, which I'm developing my real project on. I don't want the user to be fully authenticated, I want a simple IP address check.

I have followed:

security:
    # ...
    access_control:
        -
            path: ^/_internal/secure
            allow_if: "'127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"

from: http://symfony.com/doc/current/security/access_control.html

I have also tried:

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class DefaultController extends Controller
{
    /**
     * @Route("/", name="homepage")
     */
    public function indexAction(Request $request)
    {
        // Deliberately deny 127.0.0.1 to test whether an IP-based denial
        // produces a 403 instead of the authentication error quoted above.
        if ($request->getClientIp() == '127.0.0.1') {
            throw $this->createAccessDeniedException('IP-based rule.');
        }

        // replace this example code with whatever you need
        return $this->render('default/index.html.twig', array(
            'base_dir' => realpath($this->container->getParameter('kernel.root_dir').'/..').DIRECTORY_SEPARATOR,
        ));
    }
}

To the same, peculiar effect for both methods. The documentation describes it as I am expecting it to work:

In this case, when the user tries to access any URL starting with /_internal/secure, they will only be granted access if the IP address is 127.0.0.1 or if the user has the ROLE_ADMIN role.

But that's not how it is behaving.

@linaori
Contributor
linaori commented Sep 11, 2016

Do you actually have a firewall configured to handle authentication on those paths?

@h4ckninja
Author

Sorry, I forgot to include that. Here's my security.yml file:

security:
    encoders:
        AdminBundle\Entity\User:
            algorithm: bcrypt
            cost: 13

    providers:
        db_users:
            entity: { class: AdminBundle\Entity\User, property: username }

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt))/
            security: false

        no_auth:
            pattern: ^/(|css|images|js|admin/login)/
            security: false

        admin:
            anonymous: ~
            pattern: ^/admin/
            guard:
                authenticators:
                    - admin.form_login
            logout:
                path: admin_logout

        main:
            anonymous: ~
            pattern: ^/

The authentication on /admin works. But I have a controller that I want accessible from only certain IP addresses, without requiring actual authentication. The doc above makes it sound like this will work, but it's not working that way. When I add in the IP check while fully authenticated, it works like it should and throws the AccessDeniedException.

@linaori
Contributor
linaori commented Sep 12, 2016

From what I see, you don't have a specific firewall on ^/_internal/secure so in the end, it grabs the main firewall. This firewall does not have the same context as the other one and it will end up authenticating only for anonymous. However, there's never a check that leads to the access decision manager, which would actually trigger an authorization.

I recommend adding a ^/ rule with IS_AUTHENTICATED_ANONYMOUSLY if you don't have it yet. For this specific issue, can you add the roles check and see if that works?

security:
    access_control:
        -
            path: ^/_internal/secure
            roles: IS_AUTHENTICATED_ANONYMOUSLY
            allow_if: "'127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"

Additionally, I would say that for this controller you can make the exception with

/**
 * @Route(...)
 * @Security("'127.0.0.1' == request.getClientIp() or is_granted('ROLE_ADMIN')")
 */

@h4ckninja
Author

Apologies for the confusion. My route isn't _internal. It is simply /, in both my actual project and my test 2.7 install so that I could make sure I had it set up correctly.

@linaori
Contributor
linaori commented Sep 12, 2016

I still recommend adding roles: IS_AUTHENTICATED_ANONYMOUSLY so the authorization (and authentication) is actually triggered and validated.
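Added example (not from the thread and not Symfony's own code): the same IP restriction expressed with the `ips` option of access_control, which is how the Symfony documentation recommends securing a path by IP, together with the `roles` attribute that makes the rule reach the access decision manager. The `^/internal` path, the IP list and the `http_basic` entry point are assumptions.

```yaml
# app/config/security.yml (added example; path, IP ranges and entry point are assumed)
security:
    firewalls:
        main:
            anonymous: ~
            pattern: ^/
            # An entry point is needed on the firewall that matches the path: when an
            # anonymous visitor is denied, ExceptionListener hands off to the entry point,
            # and without one the AccessDeniedException is rethrown as the
            # InsufficientAuthenticationException (the 500) seen in the report.
            http_basic: ~

    access_control:
        # Rule 1: matches the path only when the client IP is in the list
        # (IpUtils is used, so CIDR ranges and IPv6 work). roles is what makes
        # the rule grant access; without any attribute the rule does nothing.
        - { path: ^/internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1, 10.0.0.0/8] }
        # Rule 2: everyone else on that path. ROLE_NO_ACCESS is held by nobody,
        # so this rule always denies.
        - { path: ^/internal, roles: ROLE_NO_ACCESS }
```

Behind a reverse proxy, `getClientIp()` (and therefore the `ips` check) only honors X-Forwarded-For from proxies listed in `framework.trusted_proxies`; otherwise the proxy's own address is what gets compared.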

@carsonbot

Hey, thanks for your report!
There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?
