[Security] Allow to set a check_path on json_login listener #22425
Conversation
b0593b6 to
2b2f9fe
Compare
2b2f9fe to
7cb7a0b
Compare
|
as pointed out in #21948 I think it makes sense to make this feature stateful and then it makes sense to support the check_path properly. another optional thing one could add to this is a check if the |
|
@lsmith77 I just made the My personal use case is the following: In this case, no need for both token and username/password authentications to be stateful. What I need is to be able to define the path that this listener should cover. I think most use cases for this listener will look like mine. But for those who want their users to resend username/password on each request, why not. |
|
my point above regarding checking the content type is so that one could use |
864eb94 to
407a081
Compare
|
Sounds good to me. I think it should be discussed separately though, I'll open another PR if you don't do it before. |
| @@ -70,6 +73,10 @@ public function handle(GetResponseEvent $event) | |||
| $request = $event->getRequest(); | |||
| $data = json_decode($request->getContent()); | |||
There was a problem hiding this comment.
This could be moved below the check? Not that expensive but still.
407a081 to
9d30800
Compare
9d30800 to
7e6c261
Compare
| @@ -16,7 +16,7 @@ security: | |||
| pattern: ^/ | |||
| anonymous: true | |||
| json_login: | |||
| check_path: /mychk | |||
| check_path: /chk | |||
There was a problem hiding this comment.
looks like the author expected the check_path to work already :)
There was a problem hiding this comment.
Indeed 😊 I think initially it was not stateless and used the check_path:
|
I propose to mark this feature as |
|
If we talk about the whole |
|
BTW the constructor signature now looks pretty much like that of |
|
@lsmith77 The abstract one offers a bit too much "stateful" stuff, its main methods couldn't be reused as is. I would keep this one standalone right now, flagging as experimental will give time to factorize as needed anyway. |
|
sure .. thought it might mean the abstract class should maybe be refactored at some point |
| $event = new GetResponseEvent($this->getMockBuilder(KernelInterface::class)->getMock(), $request, KernelInterface::MASTER_REQUEST); | ||
|
|
||
| $this->listener->handle($event); | ||
| $this->assertEquals('ok', $event->getResponse()->getContent()); |
There was a problem hiding this comment.
Please, use assertSame() instead.
e94b5e4 to
e4533f8
Compare
|
@phansys fixed. |
|
Thank you @chalasr. |
|
as promised here is the follow up #22477 |
…mith77) This PR was merged into the 3.3-dev branch. Discussion ---------- [Security] add Request type json check in json_login | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no, unreleased feature | Deprecations? | no | Tests pass? | yes | Fixed tickets | | License | MIT | Doc PR | - follow up to #22425 to limit the `UsernamePasswordJsonAuthenticationListener` to only requests with appropriate JSON content type. I am not entirely happy with this implementation but mostly because Symfony out of the box only provides very limited content type negotiation. I guess anyone that wants to tweak the content negotiation will simply need to ensure the Request::$format is set accordingly before the code is triggered. Commits ------- 045a36b add Request type json check in json_login
…mith77) This PR was merged into the 3.3-dev branch. Discussion ---------- [Security] add Request type json check in json_login | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no, unreleased feature | Deprecations? | no | Tests pass? | yes | Fixed tickets | | License | MIT | Doc PR | - follow up to symfony/symfony#22425 to limit the `UsernamePasswordJsonAuthenticationListener` to only requests with appropriate JSON content type. I am not entirely happy with this implementation but mostly because Symfony out of the box only provides very limited content type negotiation. I guess anyone that wants to tweak the content negotiation will simply need to ensure the Request::$format is set accordingly before the code is triggered. Commits ------- 045a36b303 add Request type json check in json_login
…mith77) This PR was merged into the 3.3-dev branch. Discussion ---------- [Security] add Request type json check in json_login | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no, unreleased feature | Deprecations? | no | Tests pass? | yes | Fixed tickets | | License | MIT | Doc PR | - follow up to symfony/symfony#22425 to limit the `UsernamePasswordJsonAuthenticationListener` to only requests with appropriate JSON content type. I am not entirely happy with this implementation but mostly because Symfony out of the box only provides very limited content type negotiation. I guess anyone that wants to tweak the content negotiation will simply need to ensure the Request::$format is set accordingly before the code is triggered. Commits ------- 045a36b303 add Request type json check in json_login
…mith77) This PR was merged into the 3.3-dev branch. Discussion ---------- [Security] add Request type json check in json_login | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no, unreleased feature | Deprecations? | no | Tests pass? | yes | Fixed tickets | | License | MIT | Doc PR | - follow up to symfony/symfony#22425 to limit the `UsernamePasswordJsonAuthenticationListener` to only requests with appropriate JSON content type. I am not entirely happy with this implementation but mostly because Symfony out of the box only provides very limited content type negotiation. I guess anyone that wants to tweak the content negotiation will simply need to ensure the Request::$format is set accordingly before the code is triggered. Commits ------- 045a36b303 add Request type json check in json_login
#22423The listener should allow to restrict authentication to a given check_path, as stated in the docs http://symfony.com/doc/master/security/json_login_setup.html