From 0a244fd15618b42e9b75ee62f4336166c99e932e Mon Sep 17 00:00:00 2001
From: Jules Pietri
Date: Sun, 16 Feb 2020 12:21:02 +0100
Subject: [PATCH] [Security] Various minor fixes in XML config
---
security/custom_authentication_provider.rst | 4 +-
security/entity_provider.rst | 5 ++-
security/force_https.rst | 4 +-
security/guard_authentication.rst | 31 ++++++++-------
security/json_login_setup.rst | 4 +-
security/ldap.rst | 44 +++++++++++----------
security/multiple_guard_authenticators.rst | 2 +-
security/multiple_user_providers.rst | 1 -
security/remember_me.rst | 6 ++-
security/user_checkers.rst | 8 ++--
10 files changed, 57 insertions(+), 52 deletions(-)
diff --git a/security/custom_authentication_provider.rst b/security/custom_authentication_provider.rst
index 9b9b83edc61..391635ec5a8 100644
--- a/security/custom_authentication_provider.rst
+++ b/security/custom_authentication_provider.rst
@@ -172,7 +172,7 @@ the value returned for the expected WSSE information, creates a token using that information, and passes the token on to the authentication manager. If the proper information is not provided, or the authentication manager throws an :class:`Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException`,
-a 403 Response is returned.
+a 401 Response is returned.
 .. note::
@@ -188,7 +188,7 @@ a 403 Response is returned.
 Returning prematurely from the listener is relevant only if you want to chain authentication providers (for example to allow anonymous users). If you want
- to forbid access to anonymous users and have a nice 403 error, you should set
+ to forbid access to anonymous users and have a 404 error, you should set
 the status code of the response before returning.
 The Authentication Provider
diff --git a/security/entity_provider.rst b/security/entity_provider.rst
index 0e3573776e8..a46c00e4877 100644
--- a/security/entity_provider.rst
+++ b/security/entity_provider.rst
@@ -246,9 +246,10 @@ the username and then check the password (more on passwords in a moment):
-
+
+
diff --git a/security/force_https.rst b/security/force_https.rst
index 65d5138ed56..25ed6e079f8 100644
--- a/security/force_https.rst
+++ b/security/force_https.rst
@@ -33,7 +33,7 @@ to use HTTPS then you could use the following configuration:
-
+
@@ -83,7 +83,7 @@ role:
diff --git a/security/guard_authentication.rst b/security/guard_authentication.rst
index 14159a25cc0..7b40f9898aa 100644
--- a/security/guard_authentication.rst
+++ b/security/guard_authentication.rst
@@ -116,7 +116,7 @@ Next, make sure you've configured a "user provider" for the user:
-
+
@@ -133,6 +133,7 @@ Next, make sure you've configured a "user provider" for the user:
 'your_db_provider' => [
 'entity' => [
 'class' => 'AppBundle:User',
+ 'property' => 'apiKey',
 ],
 ],
 ],
@@ -187,21 +188,18 @@ This requires you to implement several methods::
 */
 public function getCredentials(Request $request)
 {
- return [
- 'token' => $request->headers->get('X-AUTH-TOKEN'),
- ];
+ return $request->headers->get('X-AUTH-TOKEN');
 }
 public function getUser($credentials, UserProviderInterface $userProvider)
 {
- $apiKey = $credentials['token'];
-
- if (null === $apiKey) {
+ if (null === $credentials) {
+ // The token header was empty, authentication fails with 401
 return;
 }
- // if a User object, checkCredentials() is called
- return $userProvider->loadUserByUsername($apiKey);
+ // if a User is returned, checkCredentials() is called
+ return $userProvider->loadUserByUsername($credentials);
 }
 public function checkCredentials($credentials, UserInterface $user)
@@ -222,13 +220,14 @@ This requires you to implement several methods::
 public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
 {
 $data = [
+ // you may ant to customize or obfuscate the message first
 'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
 // or to translate this message
 // $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
 ];
- return new JsonResponse($data, Response::HTTP_FORBIDDEN);
+ return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
 }
 /**
@@ -303,11 +302,11 @@ Finally, configure your ``firewalls`` key in ``security.yml`` to use this authen
-
-
+
+
+
+ AppBundle\Security\TokenAuthenticator
@@ -336,6 +335,8 @@ Finally, configure your ``firewalls`` key in ``security.yml`` to use this authen
 TokenAuthenticator::class,
 ],
 ],
+ // if you want, disable storing the user in the session
+ // 'stateless' => true,
 // ...
 ],
 ],
diff --git a/security/json_login_setup.rst b/security/json_login_setup.rst
index e5945671058..b62f07c1d6e 100644
--- a/security/json_login_setup.rst
+++ b/security/json_login_setup.rst
@@ -184,8 +184,8 @@ The security configuration should be:
+ username-path="security.credentials.login"
+ password-path="security.credentials.password"/>
diff --git a/security/ldap.rst b/security/ldap.rst
index 2b73e3a9f3b..35e82dcced3 100644
--- a/security/ldap.rst
+++ b/security/ldap.rst
@@ -152,20 +152,19 @@ use the ``ldap`` user provider.
-
+ .. code-block:: php
+ // app/config/security.php
 use Symfony\Component\Ldap\Ldap;
 $container->loadFromExtension('security', [
@@ -358,15 +357,15 @@ Configuration example for form login
-
+ .. code-block:: php
+ // app/config/security.php
 use Symfony\Component\Ldap\Ldap;
 $container->loadFromExtension('security', [
@@ -394,9 +393,8 @@ Configuration example for HTTP Basic
 firewalls:
 main:
- # ...
+ stateless: true
 http_basic_ldap:
- # ...
 service: Symfony\Component\Ldap\Ldap
 dn_string: 'uid={username},dc=example,dc=com'
@@ -411,23 +409,28 @@ Configuration example for HTTP Basic
 https://symfony.com/schema/dic/services/services-1.0.xsd">
+
+
-
+ .. code-block:: php
+ // app/config/security.php
 use Symfony\Component\Ldap\Ldap;
 $container->loadFromExtension('security', [
+ // ...
+ 'firewalls' => [
 'main' => [
 'http_basic_ldap' => [
 'service' => Ldap::class,
 'dn_string' => 'uid={username},dc=example,dc=com',
- // ...
 ],
 'stateless' => true,
 ],
@@ -449,7 +452,6 @@ Configuration example for form login and query_string
 main:
 # ...
 form_login_ldap:
- # ...
 service: Symfony\Component\Ldap\Ldap
 dn_string: 'dc=example,dc=com'
 query_string: '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))'
@@ -466,10 +468,10 @@ Configuration example for form login and query_string
-
+
+
@@ -482,11 +484,11 @@ Configuration example for form login and query_string
 $container->loadFromExtension('security', [
 'firewalls' => [
 'main' => [
+ // ...
 'form_login_ldap' => [
 'service' => Ldap::class,
 'dn_string' => 'dc=example,dc=com',
 'query_string' => '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))',
- // ...
 ],
 ],
 ]
diff --git a/security/multiple_guard_authenticators.rst b/security/multiple_guard_authenticators.rst
index 08486591eb5..b9f7622db17 100644
--- a/security/multiple_guard_authenticators.rst
+++ b/security/multiple_guard_authenticators.rst
@@ -68,7 +68,7 @@ This is how your security configuration can look in action:
 'default' => [
 'anonymous' => null,
 'guard' => [
- 'entry_point' => '',
+ 'entry_point' => LoginFormAuthenticator::class,
 'authenticators' => [
 LoginFormAuthenticator::class,
 FacebookConnectAuthenticator::class,
diff --git a/security/multiple_user_providers.rst b/security/multiple_user_providers.rst
index f228d0839a1..56ecaee6976 100644
--- a/security/multiple_user_providers.rst
+++ b/security/multiple_user_providers.rst
@@ -149,7 +149,6 @@ the first provider is always used:
 'pattern' => '^/',
 'provider' => 'user_db',
 'http_basic' => [
- // ...
 'realm' => 'Secured Demo Area',
 'provider' => 'in_memory',
 ],
diff --git a/security/remember_me.rst b/security/remember_me.rst
index 698b53f4f57..8258e6a2408 100644
--- a/security/remember_me.rst
+++ b/security/remember_me.rst
@@ -348,7 +348,7 @@ service you just created:
@@ -357,6 +357,8 @@ service you just created:
 .. code-block:: php
 // app/config/security.php
+ use Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider;
+ $container->loadFromExtension('security', [
 // ...
@@ -365,7 +367,7 @@ service you just created:
 // ...
 'remember_me' => [
 // ...
- 'token_provider' => 'Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider',
+ 'token_provider' => DoctrineTokenProvider::class,
 ],
 ],
 ],
diff --git a/security/user_checkers.rst b/security/user_checkers.rst
index e32bc547acd..97f215bac82 100644
--- a/security/user_checkers.rst
+++ b/security/user_checkers.rst
@@ -89,8 +89,9 @@ is the service id of your user checker:
-
- AppBundle\Security\UserChecker
+
@@ -99,11 +100,10 @@ is the service id of your user checker:
 .. code-block:: php
 // app/config/security.php
-
- // ...
 use AppBundle\Security\UserChecker;
 $container->loadFromExtension('security', [
+ // ...
 'firewalls' => [
 'main' => [
 'pattern' => '^/',