[Security] ContextListener misbehavior with multiple UserProviders #4498

zeqfreed · 2012-06-05T10:27:23Z

I'm implementing an application that needs to have separate sets of users for its different sections. For instance, we create Admin and Front sections. For each of the sections I define a firewall rule in security config and a different user provider:

providers:
    provider_admin:
        id: acme.shmundle.my_user_provider.admin

    provider_front:
        id: acme.shmundle.my_user_provider.front

firewalls:
    admin:
         provider: provider_admin
         ....

    front:
         provider: provider_front
         ....

Now, the provider ids reference two different services of the same class that implements UserProviderInterface configured to use different user storages, but same user class.

This setup leads to a problem in ContextListener. After user logs in, the ContextListener attempts to validate user token and refresh user by iterating over every user provider and calling its refreshUser method. If current user provider does not support the user class it throws UnsupportedUserException and ContextListener continues to the next user provider, but if it does and can't actually find the user it throws UsernameNotFoundException which interrupts the iteration and returns null essentially forcing the user to log out.

One solution that would work here is to make sure a different user class used for every user provider, so the iteration always reaches the provider that can refresh user token. But this solution seems quirky, non-obvious and moreover is a kind of side effect depending on the internal implementation of ContextListener.

Another solution is obviously to implement my own ContextListener that will iterate through every user provider regardless of the exceptions thrown. This is the approach I think I will have to take if you confirm that this behavior is actually intended and my use case doesn't lie within symfony's design philosophy.

Please refer to the ContextListener source for the problematic code.

kix · 2012-06-25T14:21:16Z

Perhaps someone should really look into this.

michelsalib · 2012-06-25T14:25:13Z

I ran into this issue today too. This might be very problematic.
@schmittjoh is this design intentional ?

shiroyuki · 2012-06-29T22:38:22Z

FYI to the sport fans, I got this problem even if I use different classes for each provider.

ghost · 2012-07-06T08:14:59Z

I have come across this behaviour when using two firewalls (eg. members and admin) with separate in memory user providers for each. When ContextListener refreshes a user after login it checks ALL user providers, not just the ones specific to the firewall, so it tries to load an admin user from the members user provider, fails, and logs out the admin.

Not sure if this design is intentional, but it isn't documented that you can't use separate instances of the same class of provider.

I have tested a quick bit of code which alters the problematic part of the ContextListener but not sure what effect it would have in the grand scheme of things. My new refreshUser method is:

    private function refreshUser(TokenInterface $token)
    {
        $user = $token->getUser();

        if (!$user instanceof UserInterface) {
            return $token;
        }

        if (null !== $this->logger) {
            $this->logger->debug(sprintf('Reloading user from user provider.'));
        }

        foreach ($this->userProviders as $provider) {
            try {
                $token->setUser($provider->refreshUser($user));

                if (null !== $this->logger) {
                    $this->logger->debug(sprintf('Username "%s" was reloaded from user provider.', $user->getUsername()));
                }

                return $token;
            } catch (UnsupportedUserException $unsupported) {
                // let's try the next user provider
            } catch (UsernameNotFoundException $notFound) {
                // user not found, try next provider
            }
        }

        // If we had a user not found exception then we had a valid provider but could not find a user
        if (isset($notFound)) {
            if (null !== $this->logger) {
                $this->logger->warn(sprintf('Username "%s" could not be found.', $user->getUsername()));
            }

            return null;
        }

        throw new \RuntimeException(sprintf('There is no user provider for user "%s".', get_class($user)));
    }

shiroyuki · 2012-07-06T17:03:35Z

After running some tests, here is my findings.

First of all, the ContextListener is currently designed in the way that assumes the default behaviour like chain providers. This may be right if the chain provider (from security.yml) is to be dropped in SF 2.1.

The implementation of many authentication providers is not well aware of this change and eventually leads this situation unless each provider check if TokenInterface::getProviderKey() is equal to the provider key of AuthenticationProviderInterface.

This makes me think that it might be better to add AuthenticationProviderInterface::compatible which do the check or even better to have an abstract class implementing AuthenticationProviderInterface which at least have the check implementation.

What do you guys think?

ghost · 2012-07-06T17:37:16Z

I agree. In fact, is there any reason that all tokens should not have a getProviderKey() method? This way you would know which provider it came from rather than testing them all in sequence and only perform a single call to refreshUser, which would be of benefit if you are using a database or webservice to provide your users.

ghost · 2012-07-07T12:14:51Z

Looking at this again it seems I'm getting confused between authentication provider and user provider. The user provider has no knowledge of which authentication provider it came from, particularly as it could potentially be used in multiple firewalls. The context listener has no knowledge of the authentication providers, only the user providers, user providers only accept/reject a user based on its class.

I can see a few solutions:

Introduce a getUserProviderKey into UserInterface so each user instance knows exactly where it came from.
Introduce a user_class option into the user provider definition and document that each instance of a user provider must return a unique class.
Change the refreshUser code in the context listener to check all providers, not just stop at the first user not found exception.

shiroyuki · 2012-07-07T20:30:30Z

I think @schmittjoh might have the better idea of the behavior.

asm89 · 2012-07-07T20:56:59Z

Why do you have different user providers for the same user objects? What is the difference between the two?

zeqfreed · 2012-07-08T12:19:55Z

The two different user providers access different user storages to have
distinct set of users. But the user class is the same all over the app.

fabpot · 2012-07-09T13:22:24Z

FYI, we used to have a getUserProviderName() method on TokenInterfaceand it was removed here: df6ffbb

zeqfreed · 2012-07-10T05:26:23Z

@fabpot, could you confirm if the behavior described in the issue is intentional or not? If it is, could you provide some rationale behind this?

fabpot · 2012-07-10T06:39:32Z

@zeqfreed I need to investigate further the consequences of the current way it works vs the "better" way.

tcowin · 2012-09-14T23:55:50Z

Ran into this myself. This seems like less than ideal behavior. Is there an accepted stop gap solution? What are you guys doing to work around this issue?

lyrixx · 2012-09-21T12:32:35Z

Hello.

I agree with first @nyorai's solution : "Introduce a getUserProviderKey into UserInterface so each user instance knows exactly where it came from."

Of course, Add this behavior will lead to break the BC, But it will fix this issue.

tcowin · 2012-09-21T15:49:41Z

Thanks @lyrixx. I found that since I was actually using different User classes that corresponded to my different UserProviders, I was able to modify the method "supportsClass" and be precise about which Users that provider is able to support. The checks in FOS UserBundle and the FR3D LDAPBundle are a little broad for my application, but by customizing those and narrowing down to the exact class I wanted each to support, I was able to get the existing setup to work...

BboyKeen · 2016-06-29T00:43:06Z

Any news on this one ? I just ran into the same issue today

MlleDelphine · 2016-08-31T14:13:43Z

I am "stuck" with the same behavior.
I have two memory providers.
In my concerned firewall settings, in security.yml, I have precised the provider.
security.yml:

    providers:
        memory_users:
            memory:
                users: "%app.users%"
        backend_users:
            memory:
                users: "%app_backend_users%"
[...]

 backend:
            pattern:    ^/
            host:       "%app_backend_host%"
            provider: backend_users
            anonymous:  ~
            form_login:
            logout:
                path:   /logout
                target: /

Nevertheless, I am unable to login. Stacktrace during ONE try :

[2016-08-31 15:25:46] security.INFO: User has been authenticated successfully. {"username":"admin"} []
[2016-08-31 15:25:46] security.WARNING: Username could not be found in the selected user provider.

My questions are:

Why "provider" in my backend firewall is not taken into account in ContextListener?
Why ContextListener does check only the first provider ? Don't understand why a "UsernameNotFoundException" breaks the code while the final response of "refreshUser" method is "There is no user provider for user "%s".', get_class($user)" as if this method has checked ALL providers defined in security.yml while actually, it did not..

I bypass this behavior with "chain_provider" but it does not make sense for me..

hamanuha · 2016-09-17T08:39:50Z

I have the same problem with the following configuration:

    providers:
        admin_user_provider:
            id: app.security.admin_user_provider
        passwordless_user_provider:
            id: app.security.passwordless_user_provide

[...]

        backend:
            pattern: ^/backend
            provider: admin_user_provider
            anonymous: true
            form_login:
                login_path: _backend_security_login
                check_path: _backend_security_login_check
            logout:
                path: _backend_security_logout
                target: _backend_security_login
                invalidate_session: false

        frontend:
            pattern: ^/(?!backend)
            provider: passwordless_user_provider
            anonymous: true
            simple_preauth:
                authenticator: app.security.passwordless_authenticator
            logout:
                path: _frontend_user_logout
                target: _frontend_project_list
                invalidate_session: false

Both providers use the same class buth only return users with specific roles.
As I understood from the docs, every firewall uses one provider. But my frontend firewall uses the first specified provider and not the one I defined in the firewall.
I solved this temporarily also with a chain_provider. Thanks to @MlleDelphine.

It worked on my local development setup somehow, but on the production site it does not...

Einenlum · 2016-11-03T10:30:15Z

👍

I think the implementation is really strange. Here is the difference between the ContextListener and the ChainUserProvider.

The ContextListener will only loop if the provider throws an UnsupportedUserException:

foreach ($this->userProviders as $provider) {
    try {
        // …
        return $token;
    } catch (UnsupportedUserException $e) {
        // let's try the next user provider
    } catch (UsernameNotFoundException $e) {
        if (null !== $this->logger) {
            $this->logger->warning('Username could not be found in the selected user provider.', array('username' => $e->getUsername(), 'provider' => get_class($provider)));
        }

        return;
    }
}

The ChainUserProvider on the other hand, will try to refresh the user with every provider even if the user was not found :

foreach ($this->providers as $provider) {
    try {
        return $provider->refreshUser($user);
    } catch (UnsupportedUserException $e) {
        // try next one
    } catch (UsernameNotFoundException $e) {
        $supportedUserFound = true;
        // try next one
    }
}

This is not only undocumented, it is also very disturbing. I just discovered this after 2 days trying to understand why my user had the correct token after login but then was again anonymous right after the redirection. We really need to fix this incoherent behaviour.

Seems an old PR from 2014 proposed to solve this bug : #12465

xabbuh · 2017-02-27T21:23:50Z

This should be fixed by the patch proposed in #21791.

This PR was merged into the 2.7 branch. Discussion ---------- [SecurityBundle] only pass relevant user provider | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #4498, #12465, #20401, #21737 | License | MIT | Doc PR | There is no need for the context listener to be aware of all the configured user providers. It must only use the provider for the current firewall (the one identified by the context key passed to the constructor) to refresh the user from the session. Commits ------- d97e07f [SecurityBundle] only pass relevant user provider

xabbuh · 2017-02-28T12:15:10Z

The fix in #21791 was not right.

xabbuh · 2017-03-04T12:33:48Z

#21865 is my next attempt to solve this issue. Could you please try it with your projects?

…ing (xabbuh) This PR was merged into the 2.7 branch. Discussion ---------- [Security] context listener: hardening user provider handling | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #4498 | License | MIT | Doc PR | After the wrong fix in #21791 this is the second attempt to solve #4498. If more than one user provider support the user for the current context, all of them will be applied instead of returning prematurely when the first user provider does not find the logged in user. Commits ------- 0fb0929 context listener: hardening user provider handling

omnilight · 2017-05-31T15:17:30Z

@fabpot Hi, I have the same bug with Symfony 2.8
https://github.com/symfony/symfony/blob/2.8/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L378

xabbuh · 2017-05-31T15:21:28Z

@omnilight Which patch version of Symfony 2.8 do you use?

omnilight · 2017-05-31T16:11:52Z

@xabbuh 2.8.16

xabbuh · 2017-05-31T21:16:18Z

2.8.19 was the first 2.8 release containing the fix.

omnilight · 2017-06-01T08:16:40Z

@xabbuh Thanks!

lyrixx mentioned this issue Sep 21, 2012

[WIP][Security] Added Ldap provider #5189

Closed

lyrixx mentioned this issue Jan 1, 2013

[2.2] make refreshUser try all providers fixes #4498 #4778

Closed

Renrhaf mentioned this issue May 3, 2014

Multiple memory user providers issue #10818

Closed

javiereguiluz added the Enhancement label Feb 1, 2016

Einenlum mentioned this issue Nov 3, 2016

[Security] Fix context listener misbehaviour #20401

Closed

xabbuh mentioned this issue Feb 27, 2017

[SecurityBundle] only pass relevant user provider #21791

Merged

fabpot closed this as completed Feb 28, 2017

xabbuh reopened this Feb 28, 2017

xabbuh mentioned this issue Mar 4, 2017

[Security] context listener: hardening user provider handling #21865

Merged

fabpot closed this as completed Mar 6, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[Security] ContextListener misbehavior with multiple UserProviders #4498

[Security] ContextListener misbehavior with multiple UserProviders #4498

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[Security] ContextListener misbehavior with multiple UserProviders #4498

[Security] ContextListener misbehavior with multiple UserProviders #4498

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!