[Security] [Firewall] Fix support of multiple HTTP authentication methods#24166
[Security] [Firewall] Fix support of multiple HTTP authentication methods#24166raziel057 wants to merge 2 commits intosymfony:3.2from
Conversation
|
This fixes a bug, it should target 2.7. |
| protected function createEntryPoint($container, $id, $config, $defaultEntryPoint) | ||
| { | ||
| if (null !== $defaultEntryPoint) { | ||
| if (null !== $defaultEntryPoint && $defaultEntryPoint instanceof BasicAuthenticationEntryPoint) { |
There was a problem hiding this comment.
This is broken, $defaultEntryPoint is a service id here (string), and we cannot dofindDefinition($defaultEntryPointId)->getClass() since the definition won't exist at this stage.
I fear we need a compiler pass to fix this...
There was a problem hiding this comment.
Sorry indeed this is weird. It just works because we never enter in the next statement. The entry point is created even if there is a default matching entry point.
| use Symfony\Component\DependencyInjection\DefinitionDecorator; | ||
| use Symfony\Component\DependencyInjection\ContainerBuilder; | ||
| use Symfony\Component\DependencyInjection\Reference; | ||
| use Symfony\Component\Security\Http\EntryPoint\BasicAuthenticationEntryPoint; |
There was a problem hiding this comment.
We don't need to update this one, BasicAuthenticationListener supports any AuthenticationEntryPointInterface. Only digest is tied to a specific implementation.
There was a problem hiding this comment.
I tried to replace my digest authentication by basic and I had the same issue. That's why I also modified this class.
|
@raziel057 I can take care of this if you are ok, I'll give you a workaround in the lexikjwt issue meanwhile. |
|
@chalasr no problem. I let you work on it. |
Configuring guard along with http_digest breaks, because the default entry point for the firewall is automatically the guard authenticator, which is not a BasicAuthenticationEntryPoint / DigestAuthenticationEntryPoint.
We do create the entry point if there is no default entry point configured, so we should keep creating it if the default one is not an instance of BasicAuthenticationEntryPoint / DigestAuthenticationEntryPoint.
Related to lexik/LexikJWTAuthenticationBundle#384.