Not fully authenticated when denying IP or host · Issue #19906 · symfony/symfony · GitHub

Not fully authenticated when denying IP or host #19906
Closed
@h4ckninja

Description

I have tried on:

  • OS X
  • Symfony 3.1 and 2.7
  • PHP 5.5.36

The problem:

Attempting to deny access via IP or host through @Security or checking $request inside the controller, or access_control in security.yml produces the same error:

Full authentication is required to access this resource.
500 Internal Server Error - InsufficientAuthenticationException
1 linked Exception:
    AccessDeniedException »

The error log:

DEBUG - Access denied, the user is not fully authenticated; redirecting to authentication entry point.
CRITICAL - Uncaught PHP Exception Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException: "Full authentication is required to access this resource." at /path]/tmp-security/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php line 128

The same error is thrown on 3.1, which I'm developing my real project on. I don't want the user to be fully authenticated, I want a simple IP address check.

I have followed:

security:
    # ...
    access_control:
        -
            path: ^/_internal/secure
            allow_if: "'127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"

from: http://symfony.com/doc/current/security/access_control.html

I have also tried:

// Imports added so the snippet is complete; they were omitted from the original post.
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class DefaultController extends Controller
{
    /**
     * @Route("/", name="homepage")
     */
    public function indexAction(Request $request)
    {
        // Deny requests coming from 127.0.0.1 to test an IP-based rule.
        // createAccessDeniedException() builds the security component's
        // AccessDeniedException, which the firewall's ExceptionListener intercepts.
        if ($request->getClientIp() == '127.0.0.1') {
            throw $this->createAccessDeniedException('IP-based rule.');
        }

        // replace this example code with whatever you need
        return $this->render('default/index.html.twig', array(
            'base_dir' => realpath($this->container->getParameter('kernel.root_dir').'/..').DIRECTORY_SEPARATOR,
        ));
    }
}

Both methods have the same peculiar effect. The documentation describes it as I am expecting it to work:

In this case, when the user tries to access any URL starting with /_internal/secure, they will only be granted access if the IP address is 127.0.0.1 or if the user has the ROLE_ADMIN role.

But that's not how it is behaving.
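The following is an added illustration, not code from the report or from Symfony itself, of an IP allow-list check that is not routed through the firewall's exception handling. HttpKernel's `AccessDeniedHttpException` is rendered directly as a 403, whereas the security component's `AccessDeniedException` (what `createAccessDeniedException()` builds) is caught by the security `ExceptionListener`, which for a token that is not fully authenticated throws `InsufficientAuthenticationException` and sends the client to the entry point, matching the log above. The controller name, route, allow-list and response are assumed values.

```php
<?php
// Added example, not the reporter's code. Assumes Symfony 2.7/3.1 with the
// standard AppBundle layout; the allow-list entries are placeholders.
namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\IpUtils;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class InternalController extends Controller
{
    // Addresses and CIDR ranges allowed to reach the route (assumed values).
    private static $allowedIps = array('127.0.0.1', '::1', '10.0.0.0/8');

    /**
     * @Route("/_internal/secure", name="internal_secure")
     */
    public function secureAction(Request $request)
    {
        // getClientIp() only honours X-Forwarded-For from proxies registered
        // with Request::setTrustedProxies(); otherwise a forwarded header is
        // ignored and the TCP peer address is used, so it cannot be spoofed
        // by the client simply sending the header.
        $clientIp = $request->getClientIp();

        // IpUtils::checkIp accepts single IPv4/IPv6 addresses and CIDR ranges.
        if (!IpUtils::checkIp($clientIp, self::$allowedIps)) {
            // HttpKernel's exception becomes a plain 403 response. Throwing the
            // security component's AccessDeniedException here instead would be
            // caught by the firewall ExceptionListener, which for an anonymous
            // token starts authentication, the behaviour reported in this issue.
            throw new AccessDeniedHttpException(
                sprintf('Client IP %s is not allowed.', $clientIp)
            );
        }

        return new Response('ok');
    }
}
```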
