[Security] [Firewall] Fix support of multiple HTTP authentication methods #24166
Conversation
|
This fixes a bug, it should target 2.7. |
| @@ -66,7 +67,7 @@ public function addConfiguration(NodeDefinition $node) | |||
|
|
|||
| protected function createEntryPoint($container, $id, $config, $defaultEntryPoint) | |||
| { | |||
| if (null !== $defaultEntryPoint) { | |||
| if (null !== $defaultEntryPoint && $defaultEntryPoint instanceof BasicAuthenticationEntryPoint) { | |||
There was a problem hiding this comment.
This is broken, $defaultEntryPoint is a service id here (string), and we cannot dofindDefinition($defaultEntryPointId)->getClass() since the definition won't exist at this stage.
I fear we need a compiler pass to fix this...
There was a problem hiding this comment.
Sorry indeed this is weird. It just works because we never enter in the next statement. The entry point is created even if there is a default matching entry point.
| @@ -15,6 +15,7 @@ | |||
| use Symfony\Component\DependencyInjection\DefinitionDecorator; | |||
| use Symfony\Component\DependencyInjection\ContainerBuilder; | |||
| use Symfony\Component\DependencyInjection\Reference; | |||
| use Symfony\Component\Security\Http\EntryPoint\BasicAuthenticationEntryPoint; | |||
There was a problem hiding this comment.
We don't need to update this one, BasicAuthenticationListener supports any AuthenticationEntryPointInterface. Only digest is tied to a specific implementation.
There was a problem hiding this comment.
I tried to replace my digest authentication by basic and I had the same issue. That's why I also modified this class.
|
@raziel057 I can take care of this if you are ok, I'll give you a workaround in the lexikjwt issue meanwhile. |
|
@chalasr no problem. I let you work on it. |
Configuring guard along with http_digest breaks, because the default entry point for the firewall is automatically the guard authenticator, which is not a BasicAuthenticationEntryPoint / DigestAuthenticationEntryPoint.
We do create the entry point if there is no default entry point configured, so we should keep creating it if the default one is not an instance of BasicAuthenticationEntryPoint / DigestAuthenticationEntryPoint.
Related to lexik/LexikJWTAuthenticationBundle#384.