Symfony login via link into different firewall - symfony

I have two firewalls in my Symfony (5.4) application.
What I want is to create a login link for another firewall (where the login_link is configured) while logged in to the other firewall.
Currently the system doesn’t allow that (No Symfony\Bundle\SecurityBundle\LoginLink\LoginLinkHandler found for this firewall. Did you forget to add a "login_link" key under your "admin_area" firewall?)
Is there a way to tell the login link creator to create the link for a specific firewall? (I didn't see it in the implementation, so I don't really know.)

UPDATE 2022-06-10: Beginning with Symfony 6.1, just use the new Autowire attribute like this:
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;

public function myLoginLinkAction(
    User $myUser,
    // pin the handler of the other firewall by service id, instead of the
    // firewall-aware handler that follows the current request's firewall
    #[Autowire(service: 'security.authenticator.login_link_handler.my_other_firewall')]
    LoginLinkHandlerInterface $myOtherFirewallLoginLinkHandler,
): Response
{
    // …
    $loginLinkDetails = $myOtherFirewallLoginLinkHandler->createLoginLink($myUser);
    // …
}
For older Symfony versions:
The solution is to inject the concrete link handler service for my other firewall using an alias defined in security.yaml (where the other firewall that we want to build login links for is named "my_other_firewall"):
services:
    # define a concrete alias for the login link handler of the
    # my_other_firewall firewall to avoid the FirewallAwareLoginLinkHandler
    # that always uses the current request's firewall
    Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface $myOtherFirewallLoginLinkHandler: '@security.authenticator.login_link_handler.my_other_firewall'
Then, when I inject the LoginLinkHandlerInterface into my login-link-building controller, I use the defined parameter name $myOtherFirewallLoginLinkHandler and get the correct LoginLinkHandler injected instead of the FirewallAwareLoginLinkHandler, which only exists to use the LoginLinkHandler defined for the firewall of the current request.
This solves the problem in the documented way of using concrete implementations when more than one service implements a certain interface.
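As an added example (not part of the answer above, and not code from Symfony itself), here is how the pinned handler is typically used end to end: an administrator authenticated on the admin firewall mints a login link for a user of the `my_other_firewall` firewall and delivers it by email instead of rendering it, because a login link is a bearer credential. The `User` entity, `UserRepository`, route names, the `ROLE_ADMIN` role and the file path are assumptions; the `#[Autowire]` attribute needs Symfony 6.1, on 5.4 the alias from the answer does the same job through the parameter name.

```php
<?php
// src/Controller/Admin/LoginLinkController.php (hypothetical path)
// Added example, not code from the original answer or from Symfony.
// Assumes: a User entity with getEmail(), a UserRepository, a ROLE_ADMIN role,
// and a login_link section (check_route, signature_properties, lifetime,
// max_uses) under the "my_other_firewall" firewall in security.yaml.

namespace App\Controller\Admin;

use App\Entity\User;
use App\Repository\UserRepository;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Notifier\NotifierInterface;
use Symfony\Component\Notifier\Recipient\Recipient;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
use Symfony\Component\Security\Http\LoginLink\LoginLinkNotification;

class LoginLinkController extends AbstractController
{
    #[Route('/admin/users/{id}/send-login-link', name: 'admin_send_login_link', methods: ['POST'])]
    public function sendLoginLink(
        int $id,
        Request $request,
        UserRepository $users,
        NotifierInterface $notifier,
        // Symfony 6.1+: pin the handler of the *other* firewall explicitly.
        // On 5.4 drop the attribute; the $myOtherFirewallLoginLinkHandler
        // alias from security.yaml selects the same service by parameter name.
        #[Autowire(service: 'security.authenticator.login_link_handler.my_other_firewall')]
        LoginLinkHandlerInterface $myOtherFirewallLoginLinkHandler,
    ): Response {
        // The caller is authenticated on the admin firewall. Minting a
        // credential for another account is privileged, so require a role
        // explicitly rather than relying on the firewall alone.
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        // Minting a link is state-changing: accept only a POST with a CSRF token.
        $token = (string) $request->request->get('_token');
        if (!$this->isCsrfTokenValid('send-login-link-' . $id, $token)) {
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        $user = $users->find($id);
        if (!$user instanceof User) {
            throw $this->createNotFoundException();
        }

        // The link is signed with the other firewall's signature_properties and
        // is only accepted on that firewall's check_route.
        $loginLinkDetails = $myOtherFirewallLoginLinkHandler->createLoginLink($user);

        // Deliver out of band. The URL is never returned to the admin's browser.
        $notification = new LoginLinkNotification($loginLinkDetails, 'Your sign-in link');
        $notifier->send($notification, new Recipient($user->getEmail()));

        $this->addFlash('success', sprintf(
            'Login link sent to %s (expires %s).',
            $user->getEmail(),
            $loginLinkDetails->getExpiresAt()->format(DATE_ATOM)
        ));

        return $this->redirectToRoute('admin_user_show', ['id' => $id]);
    }
}
```

Keep the other firewall's `lifetime` short and set `max_uses` so a leaked email cannot be replayed; both are keys of its `login_link` section, not of the handler call.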

Related

keycloak starts with a new realm and some client configurations

I'm trying to use Keycloak as the authentication service in my design. In my case, when Keycloak starts, I need one more realm besides the default master realm. Assume the new agency is called "demo".
So it means that when Keycloak starts, it should have two realms (master and demo).
In addition, in the realm demo, I need to configure the default client "admin-cli" to enable "Full Scope Allowed". I also need to add some built-in mappers to this client.
In this case, I wonder whether I can use something like an initialization file which Keycloak can load when starting?
Or do I need to use the Keycloak client APIs to do these operations (e.g., the Java Keycloak admin client)?
Thanks in advance.
You can try the following:
Create the Realm;
Set all the options that you want;
Go to Manage > Export;
Switch Export groups and roles to ON;
Switch Export clients to ON;
Export.
That will export a .json file with the configurations.
Then you can test it by deleting your Demo Realm and:
Go to Add Realm;
Choose the .json file that was exported;
Click Create.
Check if the configurations that you have changed are still present on the Demo Realm; if they are, then it means that you can use this file to import the Realm from. Otherwise, for the options that were not persisted, you will have to create them via the Admin REST API.

Presto custom PasswordAuthenticator plugin for coordinator authentication is not triggered

I created a presto custom password authenticator plugin (internal) by making a copy of the LDAP plugin and modifying it. You can see that code here: https://github.com/prestodb/presto/tree/master/presto-password-authenticators/src/main/java/com/facebook/presto/password.
I created copies of the Authenticator, AuthenticatorFactory, and the config, and modified them to basically just take a user/password from the config and to only allow that user in. I also put the new class in the PasswordAuthenticatorPlugin registration code.
I can see the plugin loading when presto is started, but it doesn't appear to do anything despite no errors being present. What am I missing?
Note: I had already found a solution to this, I'm just recording it on SO as I originally came here and found no help.
To make a custom password plugin work, you actually need HTTPS enabled for communication with the coordinator. You can actually see this recommendation at the bottom of their documentation:
https://prestodb.github.io/docs/current/develop/password-authenticator.html
Additionally, the coordinator must be configured to use password authentication and have HTTPS enabled.
So, the steps to make it work are:
Make sure your main config.properties has "http-server.authentication.type=PASSWORD".
Make sure you add a password-authenticator.properties next to config.properties with content like the sample in the link above. But make sure you use the string from your authenticator as the name, and that you add your own configuration properties instead (user name and password).
Set up a JKS store or a real certificate (some instructions here from Presto for JKS: https://prestodb.github.io/docs/current/security/tls.html).
Add SSL config to your config.properties:
    http-server.https.enabled=true
    http-server.https.port=8443
    http-server.https.keystore.path=/etc/presto-keystore/keystore.jks
    http-server.https.keystore.key=password123
Set up your JDBC driver to use the same key store.
I wrote up a blog on it with a bit more detail as well if any of that doesn't make sense. But after doing all this, you should find that it does require a password and it does enforce your plugin.
https://coding-stream-of-consciousness.com/2019/06/18/presto-custom-password-authentication-plugin-internal/

The child node "firewall_name" at path "hwi_oauth" must be configured

I'm doing a project with Symfony2 and I want to use Google/Facebook/Twitter for signing in. So I installed HWIOAuthBundle, but I got this error when I updated my composer.json:
"The child node "firewall_name" at path "hwi_oauth" must be configured."
Thanks for your help!
Yes, and if you read the docs (they give the config...):
Step 2: Configuring resource owners
HWIOAuthBundle creates a dedicated service for each resource owner you
want to use in your application. These resource owners will be used in
the oauth firewall. The bundle ships several pre-configured resource
owners that need only a little configuration.
To make this bundle work you need to add the following to your
app/config/config.yml:
hwi_oauth:
    # name of the firewall in which this bundle is active, this setting MUST be set
    firewall_name: secured_area
    # an optional setting to configure a query string parameter which can be used to redirect
    # the user after authentication, e.g. /connect/facebook?_destination=/my/destination will
    # redirect the user to /my/destination after facebook authenticates them. If this is not
    # set then the user will be redirected to the original resource that they requested, or
    # the base address if no resource was requested. This is similar to the behaviour of
    # [target_path_parameter for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html).
    # target_path_parameter: _destination

No Scopes Specified - Google_Auth_Exception

I am applying this tutorial in Symfony 2.4. I've finished the setup in config.yml and everything, and I managed to visit the admin/google/analytics page, but the problem is that when I try to authenticate with the parameters I've created in the config.yml file, it is searching for the scope. Here are the parameters:
happy_r_google_analytics:
    host: www.example.com
    profile_id: MyProfileId
    tracker_id: UA-TRACKER-ID
    token_file_path: "%kernel.root_dir%/var/storage"
happy_r_google_api:
    application_name: Project Default Service Account
    oauth2_client_id: OAuthClientID
    oauth2_client_secret: OAuthClientSecret
    oauth2_redirect_uri: http://www.example.com/app_local.php/admin/google/analytics/oauth2callback
    developer_key: DevelopperKey
    site_name: http://www.example.com
I think there's no problem here. I've got no idea where I can set the scope so the Google API client can set it to https://www.googleapis.com/auth/analytics.readonly
You need to define a scope. If you use Google Auth, check the Authorization scopes for it.
You must do something like:
$googleClient = new \Google_Client();
// scopes are set on the client before the authorization URL is built
$googleClient->setScopes(array(
    'https://www.googleapis.com/auth/plus.me',
    'https://www.googleapis.com/auth/userinfo.email',
    'https://www.googleapis.com/auth/userinfo.profile',
));

Drupal 6 CAS "client" won't login automatically

I'd like to get three Drupal websites to work together using CAS. One of these Drupal websites is using the CAS server module, but when I go to the other Drupal websites as a CAS "client", I still have to press "Log in" to be logged in.
Is it possible for the CAS "client" to check automatically? So, users won't have to press the "Log in" button if they are already logged in? And, if they aren't they can remain anonymous.
Ok, I figured it out. It's called "the Gateway feature" in CAS.
My confusion was because the Drupal CAS module wasn't working the way I had thought it would. Here is what the client portion of the Drupal CAS module says:
[ x ] Check with the CAS server to see if the user is already logged in?
This implements the Gateway feature of the CAS Protocol.
So, digging through the module code I was able to figure out a solution.
The Fix:
The phpCAS function that implements the CAS gateway feature is:
phpCAS::checkAuthentication()
Here is a snippet of code that I plan to use:
$is_auth = phpCAS::checkAuthentication(); // Returns TRUE or FALSE
if ($is_auth) {
    phpCAS::forceAuthentication();
}
else {
    // Do nothing until user is ready to authenticate.
}
I have a couple options:
Put this functionality in a separate "glue" module
Hack the Drupal CAS module to suit my needs
Try to make improvements, and see if this can be contributed back
(If I'm lucky, I might get to contribute some code back to this module.)
As one of the CAS module maintainers, I'd like to request that this discussion get moved to an issue in the project's issue queue. This code snippet should do absolutely nothing different, since using "checkAuthentication" should cause a Drupal login. If you're getting different behaviour, we want to know about it and fix it.
It turns out this functionality is working in the CAS module, but the "Caching mode" needs to be set to "Disabled". See issue: http://drupal.org/node/1280474
Also, the authentication check only happens the first time the site is accessed (until the browser is closed and re-opened). See issue: http://drupal.org/node/1405448