I'm working with ldaptools-bundle, fosuserbundle in an api endpoint.
My security.yaml looks like this
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
LdapTools\Bundle\LdapToolsBundle\Security\User\LdapUser: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
chain_provider:
chain:
providers: [ldap, fos_userbundle]
fos_userbundle:
id: fos_user.user_provider.username_email
ldap:
id: ldap_tools.security.user.ldap_user_provider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/login
stateless: true
anonymous: true
provider: ldap
json_login:
check_path: /login
username_path: username
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
guard:
authenticators:
- ldap_tools.security.ldap_guard_authenticator
main:
pattern: ^/
provider: fos_userbundle
stateless: true
anonymous: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_USER }
the problem is thath the ldap guard authenticator is not checking the credentials.
When I change the provider to ldap instead fosuser I got a 500 error code in BasePasswordEncoder class, it happens also if I use the chain_provider
Warning: hash_equals(): Expected known_string to be a string, null
given
Is there a miss config or something?
The workflow should be as follow:
The user is authenticated against ldap server
The user is loaded correctly and then lexik takes care of the token generation
Note: The workflow works without ldap and the token is generated.
Thanks in advance!
Related
I have a website with a standard connection, and I want to add a new way to connect thanks to the API part.
I have followed this doc :
1https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md#getting-started
So I add JWT bundle to my Symfony 3 project, and I changed my security.yml :
# app/config/security.yml
security:
encoders:
Symfony\Component\Security\Core\User\User: sha512
GS\UserBundle\Entity\User: sha512 #sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
main:
entity:
class: GS\UserBundle\Entity\User
property: login
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
anonymous: true
provider: main
stateless: true
form_login:
login_path: login
check_path: login_check
default_target_path: preLogin
logout:
path: logout
target: preLogin
remember_me:
secret: '%secret%' # se souvenir de moi
lifetime: 1000
always_remember_me: true
login:
pattern: ^/api/login
stateless: true
anonymous: true
provider: main
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
api:
pattern: ^/api
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
access_control:
- { path: /admin, roles: ROLE_ADMIN }
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
I have configured my config.yml like this :
lexik_jwt_authentication:
secret_key: '%kernel.project_dir%/config/jwt/private.pem'
public_key: '%kernel.project_dir%/config/jwt/public.pem'
user_identity_field: login
pass_phrase: 'MY PASSWORD'
token_ttl: 3600
And When I tried to obtain my token with postman like this :
I have this error :
The key "_username" must be a string, "NULL" given.
So, I tried to add "user_parameter" in the security.yml in order to give the parameters name of my user entity, like this :
login:
pattern: ^/api/login
stateless: true
anonymous: true
json_login:
check_path: /api/login_check
username_parameter: login
password_parameter: mdp
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
And now Postman answer me nothing.
EDIT:
I find a commande to check my config file and I have this answer :
And if I remove the username_parameter and the password_parameter, the commande check tell me that the config is ok, but I have the same error with postman :
The key "username" must be a string, "NULL" given.
Help me please I don't find any solution...
Lexik JWT authentication config needs the provider key in the security.yaml.
login:
pattern: ^/api/login
stateless: true
anonymous: true
provider: YOUR_PRODIVER_NAME #in your case it's main
json_login:
check_path: /api/login_check
username_parameter: login
password_parameter: mdp
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
Then to be able to verify the user informations, it needs to know what field is the identity field.
So in the lexik_jwt_authentication.yaml:
lexik_jwt_authentication:
secret_key: '%env(resolve:JWT_SECRET_KEY)%'
public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
pass_phrase: '%env(JWT_PASSPHRASE)%'
user_identity_field: YOUR_USER_FIELD # example email
token_ttl: 7200
About the request parameters, username and password have to be passed (No _)
I use configuration like documentation. This is my security file:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: [ROLE_USER]
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
login:
pattern: ^/api/login
stateless: true
anonymous: true
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
api:
pattern: ^/api
provider: fos_userbundle
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
access_control:
- { path: ^/api/login_check, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
and my routing file
api_login_check:
path: /api/login_check
When I get in m browser to /api/login_check i get error
Unable to find the controller for path "/api/login_check". The route is wrongly configured.
Any idea?
change your security.yml login firewall configuration with the following:
login:
pattern: ^/api/login
stateless: true
anonymous: true
form_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
remove login_check path from your access control it should be already configured
- { path: ^/api/login_check, roles: IS_AUTHENTICATED_ANONYMOUSLY }
You need to adjust your access control configuration :
access_control:
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
I am pretty sure you use API Platform for this, if you read the documentation here, you will see that the access control on the login URL use ^/login in the path and not ^/api/login_check
I try to configure FOSUserBundle in Symfony 2.7 but I still get "You must configure the check path to be handled by the firewall using form_login in your security firewall configuration." exception.
I searched vendor folder for Security Controller and I found that checkAction throws such exception.
I would like to allow
admin to log into /admin section,
and editors to /editor section.
I use two ways of logging: one is in_memory, and second fos_userbundle. This is my security.yml
encoders:
Symfony\Component\Security\Core\User\User: plaintext
Inpero\PageBundle\Entity\User: bcrypt
# http://symfony.com/doc/current/book/security.html#hierarchical-roles
role_hierarchy:
ROLE_EDITOR: ROLE_USER
ROLE_ADMIN: [ROLE_EDITOR, ROLE_USER]
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
# http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
providers:
in_memory:
memory:
users:
admin: { password: pass1, roles: [ 'ROLE_ADMIN' ] }
fos_userbundle:
id: fos_user.user_provider.username
# the main part of the security, where you can set up firewalls
# for specific sections of your app
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# the login page has to be accessible for everybody
page_login:
pattern: ^/admin/login$
security: false
page_admin:
pattern: ^/admin
form_login:
check_path: my_page_check
login_path: my_page_login
logout:
path: my_page_logout
target: /
editor_login:
pattern: ^/editor/login
security: false
editors:
pattern: ^/editor
form_login:
provider: fos_userbundle
check_path: /editor/login_check
login_path: /editor/login
failure_path: /editor/login
default_target_path: /editor/
always_use_default_target_path: true
#csrf_token_generator: security.csrf.token_manager
# if you are using Symfony < 2.8, use the following config instead:
csrf_provider: form.csrf_provider
logout:
path: fos_user_security_logout
target: /
anonymous: ~
# with these settings you can restrict or allow access for different parts
# of your application based on roles, ip, host or methods
# http://symfony.com/doc/current/book/security.html#security-book-access-control-matching-options
access_control:
- { path: ^/efconnect, role: IS_AUTHENTICATED_REMEMBERED }
- { path: ^/elfinder, role: IS_AUTHENTICATED_REMEMBERED }
- { path: ^/admin, role: ROLE_ADMIN }
- { path: ^/editor, role: ROLE_EDITOR }
What am I doing wrong?
I need to create a portal for my website using two authentication protocols.
Using a standard approach with login / password
Using a CAS service
So, when a user arrives on the homepage he can choose one of these two authentication systems.
I am not very skilled in security in symfony2, so I have follow the Symfony documentation to write this code:
#Security.yml
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
firewalls:
secure_area:
pattern: ^/
anonymous: ~
context: form_auth
form_login:
login_path: /form_login
check_path: /form_login_check
logout:
path: /logout
target: /riac
access_control:
- { path: ^/riac/admin, roles: ROLE_ADMIN }
providers:
in_memory:
memory:
users:
bob: { password: bob, roles: 'ROLE_ADMIN' }
main:
entity: { class: Riac\HomeBundle\Entity\Login, property: username }
This one works fine for the login/password approach.
To create the CAS protocol I have found BeSimpleSsoAuthBundle, but... problems....
So I have read the installation documentation to implement this one and I have success to run it alone (with no login/password protocol). For now to implement both protocols at once I have written this code:
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
firewalls:
cas_secure_area:
pattern: ^/
anonymous: ~
context: cas_auth
trusted_sso:
manager: admin_sso
login_action: false
logout_action: false
login_path: /cas_login
check_path: /cas_login_check
create_users: true
created_users_roles: [ROLE_USER, ROLE_ADMIN]
check_path: /form_login_check
logout:
path: /logout
target: /riac
secure_area:
pattern: ^/
anonymous: ~
context: form_auth
form_login:
login_path: /form_login
check_path: /form_login_check
logout:
path: /logout
target: /riac
access_control:
- { path: ^/riac/admin, roles: ROLE_ADMIN }
providers:
in_memory:
memory:
users:
bob: { password: bob, roles: 'ROLE_ADMIN' }
main:
entity: { class: Riac\HomeBundle\Entity\Login, property: username }
But it doesn't work (logout problem, login_check not found, difficulty to identify what method to use).
So I think that is not the best methodology, but I don't know how do this. Can you help me please?
Im trying to create an oauth2 server based on FOSOauthServerBundle, FOSRestBundle and FOSUserBundle. I created a demo application to test the my oauth-server and it failed receiving the data via the GET reguest
(received 401 error ' error="access_denied", error_description="OAuth2
authentication required" '),
in spite the fact that the user was authenticated and the client received an access token properly.
How should I implement the api controllers so the oauth2 will execute the authentication process?
Also, i would like to take a look on real working oauth server example based on those bundles so i would be able to check my application on it.
my security.yml:
jms_security_extra:
secure_all_services: false
expressions: true
security:
acl:
connection: default
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
in_memory:
memory:
users:
user: { password: userpass, roles: [ 'ROLE_USER' ] }
admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
fos_userbundle:
id: fos_user.user_provider.username
encoders:
FOS\UserBundle\Model\UserInterface: sha512
Symfony\Component\Security\Core\User\User: plaintext
firewalls:
api:
pattern: ^/api
fos_oauth: true
stateless: true
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
check_path: /oauth/v2/auth_login_check
login_path: /oauth/v2/auth_login
use_referer: true
anonymous: true
oauth_token:
pattern: ^/oauth/v2/token
security: false
secured_area:
pattern: ^/
anonymous: ~
form_login:
provider: fos_userbundle
check_path: /login_check
login_path: /login
always_use_default_target_path: true
default_target_path: /
access_control:
- { path: ^/oauth/v2/auth_login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/oauth/v2/auth, role: ROLE_USER }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY}
- { path: ^/, roles: ROLE_USER }
- { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
Thanks.
Submitting the answer so this will close the open question.
Access denied caused because the request did not contain the access token. Refer to documentation with section titled Creating A Client and Usage.
https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/blob/master/Resources/doc/index.md