Skip to content

[Security] Configuring a user checker per firewall #14721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 10 commits into from
Closed

[Security] Configuring a user checker per firewall #14721

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
b4b2e57
Implemented the ChainUserChecker
May 20, 2015
f031185
Added the possibility to register multiple user checkers per firewall
May 21, 2015
ef016fa
Security factories are now injecting the chain user checker per firewall
May 21, 2015
315421e
Added a test case to cover when an empty set is passed
May 21, 2015
d2468f4
Updated docs to briefly explain the exception thrown
Jun 8, 2015
9c35cbb
Put some code back that was merged out by accident
Jun 8, 2015
75f766d
Thanks fabbot.io
Jul 16, 2015
331a52a
Removed bad merge
linaori Jul 16, 2015
c419603
Removed security.user_checker from services
Sep 28, 2015
6189cf2
Removed ChainUser checker & simplified config
Sep 29, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,11 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
->prototype('scalar')->end()
->end()
->booleanNode('security')->defaultTrue()->end()
->scalarNode('user_checker')
->defaultValue('security.user_checker')
->treatNullLike('security.user_checker')
->info('The UserChecker to use when authenticating users in this firewall.')
->end()
->scalarNode('request_matcher')->end()
->scalarNode('access_denied_url')->end()
->scalarNode('access_denied_handler')->end()
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
$container
->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))
->replaceArgument(0, new Reference($userProviderId))
->replaceArgument(1, new Reference('security.user_checker.'.$id))
->replaceArgument(2, $id)
;

Expand Down
1 change: 1 addition & 0 deletions ...mfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
$container
->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.ldap_bind'))
->replaceArgument(0, new Reference($userProviderId))
->replaceArgument(1, new Reference('security.user_checker.'.$id))
->replaceArgument(2, $id)
->replaceArgument(3, new Reference($config['service']))
->replaceArgument(4, $config['dn_string'])
Expand Down
1 change: 1 addition & 0 deletions ...Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
->replaceArgument(0, $authenticatorReferences)
->replaceArgument(1, new Reference($userProvider))
->replaceArgument(2, $id)
->replaceArgument(3, new Reference('security.user_checker.'.$id))
;

// listener
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
$container
->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))
->replaceArgument(0, new Reference($userProvider))
->replaceArgument(1, new Reference('security.user_checker.'.$id))
->replaceArgument(2, $id)
;

Expand Down
1 change: 1 addition & 0 deletions ...mfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
$container
->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.ldap_bind'))
->replaceArgument(0, new Reference($userProvider))
->replaceArgument(1, new Reference('security.user_checker.'.$id))
->replaceArgument(2, $id)
->replaceArgument(3, new Reference($config['service']))
->replaceArgument(4, $config['dn_string'])
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
$authProviderId = 'security.authentication.provider.rememberme.'.$id;
$container
->setDefinition($authProviderId, new DefinitionDecorator('security.authentication.provider.rememberme'))
->replaceArgument(0, new Reference('security.user_checker.'.$id))
->addArgument($config['secret'])
->addArgument($id)
;
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RemoteUserFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
$container
->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))
->replaceArgument(0, new Reference($userProvider))
->replaceArgument(1, new Reference('security.user_checker.'.$id))
->addArgument($id)
;

Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/X509Factory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
$container
->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))
->replaceArgument(0, new Reference($userProvider))
->replaceArgument(1, new Reference('security.user_checker.'.$id))
->addArgument($id)
;

Expand Down
24 changes: 14 additions & 10 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
use Symfony\Component\DependencyInjection\Definition;
use Symfony\Component\DependencyInjection\DefinitionDecorator;
use Symfony\Component\DependencyInjection\Alias;
use Symfony\Component\HttpKernel\DependencyInjection\Extension;
Expand Down Expand Up @@ -100,16 +101,16 @@ public function load(array $configs, ContainerBuilder $container)

// add some required classes for compilation
$this->addClassesToCompile(array(
'Symfony\\Component\\Security\\Http\\Firewall',
'Symfony\\Component\\Security\\Core\\User\\UserProviderInterface',
'Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationProviderManager',
'Symfony\\Component\\Security\\Core\\Authentication\\Token\\Storage\\TokenStorage',
'Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManager',
'Symfony\\Component\\Security\\Core\\Authorization\\AuthorizationChecker',
'Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface',
'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallMap',
'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallContext',
'Symfony\\Component\\HttpFoundation\\RequestMatcher',
'Symfony\Component\Security\Http\Firewall',
'Symfony\Component\Security\Core\User\UserProviderInterface',
'Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager',
'Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage',
'Symfony\Component\Security\Core\Authorization\AccessDecisionManager',
'Symfony\Component\Security\Core\Authorization\AuthorizationChecker',
'Symfony\Component\Security\Core\Authorization\Voter\VoterInterface',
'Symfony\Bundle\SecurityBundle\Security\FirewallMap',
'Symfony\Bundle\SecurityBundle\Security\FirewallContext',
'Symfony\Component\HttpFoundation\RequestMatcher',
));
}

Expand Down Expand Up @@ -369,6 +370,8 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
// Exception listener
$exceptionListener = new Reference($this->createExceptionListener($container, $firewall, $id, $configuredEntryPoint ?: $defaultEntryPoint, $firewall['stateless']));

$container->setAlias(new Alias('security.user_checker.'.$id, false), $firewall['user_checker']);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quick question: Why do we need to create aliases?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was the only way I was able to get the user checker defined per firewall. I use an Alias because of the following configuration:

        security:
            firewalls:
                admin:
                    pattern: ^/admin
                    user_checker: app.admin_user_checker
                secured_area:
                    pattern: ^/
                    user_checker: app.user_checker

When the firewall part is being created, I couldn't get the user checker in there, I can only distinguish them based on $id which is the firewall name. By creating an alias per firewall, I can see which is which.

  • security.user_checker.admin -> app.admin_user_checker
  • security.user_checker.secured_area -> app.user_checker

If you have a better idea, I can see if I can make that work instead.


return array($matcher, $listeners, $exceptionListener);
}

Expand Down Expand Up @@ -577,6 +580,7 @@ private function createSwitchUserListener($container, $id, $config, $defaultProv
$switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;
$listener = $container->setDefinition($switchUserListenerId, new DefinitionDecorator('security.authentication.switchuser_listener'));
$listener->replaceArgument(1, new Reference($userProvider));
$listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
$listener->replaceArgument(3, $id);
$listener->replaceArgument(6, $config['parameter']);
$listener->replaceArgument(7, $config['role']);
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/Resources/config/guard.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<argument /> <!-- Simple Authenticator -->
<argument /> <!-- User Provider -->
<argument /> <!-- Provider-shared Key -->
<argument type="service" id="security.user_checker" />
<argument /> <!-- User Checker -->
</service>

<service id="security.authentication.listener.guard"
Expand Down
8 changes: 4 additions & 4 deletions src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,15 +217,15 @@

<service id="security.authentication.provider.dao" class="%security.authentication.provider.dao.class%" abstract="true" public="false">
<argument /> <!-- User Provider -->
<argument type="service" id="security.user_checker" />
<argument /> <!-- User Checker -->
<argument /> <!-- Provider-shared Key -->
<argument type="service" id="security.encoder_factory" />
<argument>%security.authentication.hide_user_not_found%</argument>
</service>

<service id="security.authentication.provider.ldap_bind" class="Symfony\Component\Security\Core\Authentication\Provider\LdapBindAuthenticationProvider" public="false" abstract="true">
<argument /> <!-- User Provider -->
<argument type="service" id="security.user_checker" />
<argument /> <!-- UserChecker -->
<argument /> <!-- Provider-shared Key -->
<argument /> <!-- LDAP -->
<argument /> <!-- Base DN -->
Expand All @@ -240,7 +240,7 @@

<service id="security.authentication.provider.pre_authenticated" class="%security.authentication.provider.pre_authenticated.class%" abstract="true" public="false">
<argument /> <!-- User Provider -->
<argument type="service" id="security.user_checker" />
<argument /> <!-- User Checker -->
</service>

<service id="security.exception_listener" class="%security.exception_listener.class%" public="false" abstract="true">
Expand All @@ -260,7 +260,7 @@
<tag name="monolog.logger" channel="security" />
<argument type="service" id="security.token_storage" />
<argument /> <!-- User Provider -->
<argument type="service" id="security.user_checker" />
<argument /> <!-- User Checker -->
<argument /> <!-- Provider Key -->
<argument type="service" id="security.access.decision_manager" />
<argument type="service" id="logger" on-invalid="null" />
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
</service>

<service id="security.authentication.provider.rememberme" class="%security.authentication.provider.rememberme.class%" abstract="true" public="false">
<argument type="service" id="security.user_checker" />
<argument /> <!-- User Checker -->
</service>

<service id="security.rememberme.token.provider.in_memory" class="%security.rememberme.token.provider.in_memory.class%" public="false" />
Expand Down
22 changes: 22 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,13 @@ public function testFirewalls()
'security.authentication.listener.anonymous.host',
'security.access_listener',
),
array(
'security.channel_listener',
'security.context_listener.1',
'security.authentication.listener.basic.with_user_checker',
'security.authentication.listener.anonymous.with_user_checker',
'security.access_listener',
),
), $listeners);
}

Expand Down Expand Up @@ -233,6 +240,21 @@ public function testRememberMeThrowExceptions()
$this->assertFalse($service->getArgument(5));
}

public function testUserCheckerConfig()
{
$this->assertEquals('app.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.with_user_checker'));
}

public function testUserCheckerConfigWithDefaultChecker()
{
$this->assertEquals('security.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.host'));
}

public function testUserCheckerConfigWithNoCheckers()
{
$this->assertEquals('security.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.secure'));
}

protected function getContainer($file)
{
$container = new ContainerBuilder();
Expand Down
6 changes: 6 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@
'remote_user' => true,
'logout' => true,
'remember_me' => array('secret' => 'TheSecret'),
'user_checker' => null,
),
'host' => array(
'pattern' => '/test',
Expand All @@ -80,6 +81,11 @@
'anonymous' => true,
'http_basic' => true,
),
'with_user_checker' => array(
'user_checker' => 'app.user_checker',
'anonymous' => true,
'http_basic' => true,
),
),

'access_control' => array(
Expand Down
7 changes: 7 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@
<switch-user />
<x509 />
<remote-user />
<user-checker />
<logout />
<remember-me secret="TheSecret"/>
</firewall>
Expand All @@ -64,6 +65,12 @@
<http-basic />
</firewall>

<firewall name="with_user_checker">
<anonymous />
<http-basic />
<user-checker>app.user_checker</user-checker>
</firewall>

<role id="ROLE_ADMIN">ROLE_USER</role>
<role id="ROLE_SUPER_ADMIN">ROLE_USER,ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH</role>
<role id="ROLE_REMOTE">ROLE_USER,ROLE_ADMIN</role>
Expand Down
7 changes: 7 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,13 +56,20 @@ security:
logout: true
remember_me:
secret: TheSecret
user_checker: ~

host:
pattern: /test
host: foo\.example\.org
methods: [GET,POST]
anonymous: true
http_basic: true

with_user_checker:
anonymous: ~
http_basic: ~
user_checker: app.user_checker

role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
Expand Down
31 changes: 29 additions & 2 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ public function testNoConfigForProvider()

$processor = new Processor();
$configuration = new MainConfiguration(array(), array());
$config = $processor->processConfiguration($configuration, array($config));
$processor->processConfiguration($configuration, array($config));
}

/**
Expand All @@ -65,7 +65,7 @@ public function testManyConfigForProvider()

$processor = new Processor();
$configuration = new MainConfiguration(array(), array());
$config = $processor->processConfiguration($configuration, array($config));
$processor->processConfiguration($configuration, array($config));
}

public function testCsrfAliases()
Expand Down Expand Up @@ -108,8 +108,35 @@ public function testCsrfOriginalAndAliasValueCausesException()
);
$config = array_merge(static::$minimalConfig, $config);

$processor = new Processor();
$configuration = new MainConfiguration(array(), array());
$processor->processConfiguration($configuration, array($config));
}

public function testDefaultUserCheckers()
{
$processor = new Processor();
$configuration = new MainConfiguration(array(), array());
$processedConfig = $processor->processConfiguration($configuration, array(static::$minimalConfig));

$this->assertEquals('security.user_checker', $processedConfig['firewalls']['stub']['user_checker']);
}

public function testUserCheckers()
{
$config = array(
'firewalls' => array(
'stub' => array(
'user_checker' => 'app.henk_checker',
),
),
);
$config = array_merge(static::$minimalConfig, $config);

$processor = new Processor();
$configuration = new MainConfiguration(array(), array());
$processedConfig = $processor->processConfiguration($configuration, array($config));

$this->assertEquals('app.henk_checker', $processedConfig['firewalls']['stub']['user_checker']);
}
}
3 changes: 2 additions & 1 deletion ...urityBundle/Tests/DependencyInjection/Security/Factory/GuardAuthenticationFactoryTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,7 @@ public function testBasicCreate()
'index_0' => array(new Reference('authenticator123')),
'index_1' => new Reference('my_user_provider'),
'index_2' => 'my_firewall',
'index_3' => new Reference('security.user_checker.my_firewall'),
), $providerDefinition->getArguments());

$listenerDefinition = $container->getDefinition('security.authentication.listener.guard.my_firewall');
Expand All @@ -123,7 +124,7 @@ public function testExistingDefaultEntryPointUsed()
'authenticators' => array('authenticator123'),
'entry_point' => null,
);
list($container, $entryPointId) = $this->executeCreate($config, 'some_default_entry_point');
list(, $entryPointId) = $this->executeCreate($config, 'some_default_entry_point');
$this->assertEquals('some_default_entry_point', $entryPointId);
}

Expand Down
11 changes: 9 additions & 2 deletions src/Symfony/Component/Security/Core/User/UserCheckerInterface.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,13 @@

namespace Symfony\Component\Security\Core\User;

use Symfony\Component\Security\Core\Exception\AccountStatusException;

/**
* UserCheckerInterface checks user account when authentication occurs.
* Implement to throw AccountStatusException during the authentication process.
*
* This should not be used to make authentication decisions.
* Can be used when you want to check the account status, e.g when the account is
* disabled or blocked. This should not be used to make authentication decisions.
*
* @author Fabien Potencier <fabien@symfony.com>
*/
Expand All @@ -24,13 +27,17 @@ interface UserCheckerInterface
* Checks the user account before authentication.
*
* @param UserInterface $user a UserInterface instance
*
* @throws AccountStatusException
*/
public function checkPreAuth(UserInterface $user);

/**
* Checks the user account after authentication.
*
* @param UserInterface $user a UserInterface instance
*
* @throws AccountStatusException
*/
public function checkPostAuth(UserInterface $user);
}
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy