Symfony version(s) affected: 5.2.0 with new authenticator system
5.2.0-RC2 was not affected
Description
Using the security configuration below, I will get a 401 error. HttpBasicAuthenticator::start() is not called, so it won't have the correct WWW-Authenticate header. And then authentication will never work (in browsers).
How to reproduce
Updated, see reproducer below: https://github.com/romaricdrigon/reproducer-for-39249
With this security.yaml:

    security:
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            snapshot_internal_api:
                http_basic: ~
                pattern: /api/snapshot
                provider: internal_provider
                stateless: true
            main: # ...

Workaround for other users affected
A temporary workaround is to make sure to define entry_point, though there's a small catch about which key to use: you should use the service name:

    security:
        firewalls:
            # ...
            snapshot_internal_api:
                entry_point: security.authenticator.http_basic.snapshot_internal_api # The line to add
                http_basic: ~
                # ...

Possible Solution
I believe this issue was introduced by #39153.
I suspect that the http_basic authenticator is not part of those. I will have a look at a possible fix asap, but I'm not sure I fully grasp all the details yet.
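
A regression check for the symptom reported above, as an added example that is not part of the original issue or of Symfony's code: it parses a raw HTTP response and reports whether a 401 carries the Basic challenge a browser needs before it will prompt for credentials. The sample responses, the realm value and the function names are constructed for illustration, and the check assumes one challenge per WWW-Authenticate header line.

```python
from email import message_from_string

# Constructed sample: the 401 described in the report, with no challenge header.
BROKEN = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample: a 401 that lets a browser prompt for credentials.
EXPECTED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Secured Area"\r\n'
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status code, header mapping)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split(" ", 2)[1])
    # email.message gives case-insensitive lookup and repeated-header support.
    return status, message_from_string(header_block)


def challenge_schemes(headers):
    """Return the lower-cased auth scheme of each WWW-Authenticate line."""
    schemes = []
    for value in headers.get_all("WWW-Authenticate", []):
        value = value.strip()
        if value:
            schemes.append(value.split(" ", 1)[0].lower())
    return schemes


def check_basic_entry_point(raw):
    """Classify a response from an endpoint protected by http_basic."""
    status, headers = parse_response(raw)
    if status != 401:
        return "not-a-401"
    if "basic" not in challenge_schemes(headers):
        return "missing-basic-challenge"
    return "ok"


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("expected", EXPECTED)):
        print(name, "->", check_basic_entry_point(sample))
```

Feeding it the response captured from an unauthenticated request to the protected path, before and after applying the entry_point workaround, shows whether the challenge header is back.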