I'm using symfony2 and its login system through security.yml
When I log in with correct credentials , I get redirected to the correct page but will still have the anonymous in the profiler bar.
when I remove this line :
ini_set('session.cookie_domain', '.domain.com');
it works.
I need that line because my socket server is running on domain.com and I'm developing on sub.domain.com
How can I fix this problem ?
Thanks!
Configure your cookie domain in the framework configuration, instead of calling ini_set():
# app/config/config.yml
framework:
session:
cookie_domain: .domain.com
Reference: http://symfony.com/doc/current/reference/configuration/framework.html#cookie-domain
Related
I have a Spring-boot web app that uses SAML authentication provided by https://samltest.id/ .
It works fine on localhost but now I'm trying to put it on a server that has Nginx. Ngnix is configured so that any http request is redirected to https and https://myserver.company.com/myApp/ is sent to http://local_ip:local_port/ .
This cfg works fine if the application has no security but with SAML the result is: when I access the home page of the app I'm redirected to the login page (correct) and after successful login I'm redirected to https://myserver.company.com/saml/SSO/ instead of https://myserver.company.com/myApp/saml/SSO so Nginx gives a 404.
The metadata.xml contains:
<md:AssertionConsumerService Location="http://myserver.company.com:80/saml/SSO"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
<md:AssertionConsumerService Location="http://myserver.company.com:80/saml/SSO"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"/>
Note that URLs are http-based.
After a lot of Google search I have tried the following: I modified SAMLProcessingFilter configuration so that filterProcessesUrl property is "/myApp/saml/SSO" instead of the default value "/saml/SSO".
Now the metadata.xml contains:
<md:AssertionConsumerService Location="http://myserver.company.com:80/myApp/saml/SSO"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
<md:AssertionConsumerService Location="http://myserver.company.com:80/myApp/saml/SSO"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"/>
and after login I'm redirected to https://myserver.company.com/myApp/saml/SSO but this time I get a 404 from the web application instead of Nginx (the error page is different).
What am I missing?
UPDATE: the 3rd attempt
Restored SAMLProcessingFilter cfg to its default,
modified the context root of my app to be http://local_ip:local_port/myApp ,
modified Nginx cfg so that https://myserver.company.com/myApp/ maps
to http://local_ip:local_port/myApp (same context root),
set entityBaseURL property of MetadataGenerator to https://myserver.company.com/myApp ,
uploaded the new metadata.xml to https://samltest.id/ (now it contains https URLs).
Now, after a successful login I'm redirected to https://myserver.company.com/myApp/saml/SSO as expected but I get a 401 from the application with message "Authentication Failed: Incoming SAML message is invalid" and in the application log there is "org.opensaml.common.SAMLException: Unsupported request".
After several attempts I have found the solution.
No need to modify SAMLProcessingFilter or the context root. The key is to use SAMLContextProviderLB instead of SAMLContextProviderImpl as described in the chapter "Advanced configuration" of the manual. Also the entityBaseURL change already described in my question is necessary (it is in the manual too).
I changed OAuth2 Login form frontend to backend implementation. OAuth2Login is setup using spring security configuration.
Everything worked in local machine.
But on server it doesn't create Session Cookie anymore. Which, I guess, creates the following exception:
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:165) ~[spring-security-oauth2-client-5.1.2.RELEASE.jar!/:5.1.2.RELEASE]
So it wasn't entirely accurate that the session cookie wasn't being set. I think I looked it wrongly in chrome when I was looking it in production. But the cookie was seemed to be reset.
spring:
security:
oauth2:
client:
registration:
google:
redirectUri: https://<youurl>/login/oauth2/code/google
When I added this it created new problem:
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_redirect_uri_parameter]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:132) ~[spring-security-oauth2-client-5.1.2.RELEASE.jar!/:5
.1.2.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:186)
This is because redirectUri is HTTPS but google always returns HTTP
So I ended up adding reading a Stack Overflow post and added a OncePerRequestFilter to my project. Since it's google that is sending this over HTTP they must be thinking it's secure. Couldn't find any way to make google send it over HTTPS
I'm doing a project with Symfony2 and I want to use Google/Facebook/Twitter for connection. So I installed HWIOAuthBundle, but I got this error when I update my composer.json
"The child node "firewall_name" at path "hwi_oauth" must be
configured.".
Thanks for you help !
Yes, and if you read the doc :
(it gives the config... )
Step 2: Configuring resource owners
HWIOAuthBundle creates a dedicated service for each resource owner you
want to use in your application. These resource owners will be used in
the oauth firewall. The bundle ships several pre-configured resource
owners that need only a little configuration.
To make this bundle work you need to add the following to your
app/config/config.yml:
app/config/config.yml
hwi_oauth:
# name of the firewall in which this bundle is active, this setting MUST be set
firewall_name: secured_area
# an optional setting to configure a query string parameter which can be used to redirect
# the user after authentication, e.g. /connect/facebook?_destination=/my/destination will
# redirect the user to /my/destination after facebook authenticates them. If this is not
# set then the user will be redirected to the original resource that they requested, or
# the base address if no resource was requested. This is similar to the behaviour of
# [target_path_parameter for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html).
# target_path_parameter: _destination
I am applying this tutorial into symfony 2.4, I've finished the setup in the config.yml and everything, I managed to visit the admin/google/analytics page, but the problem is when I tried to authenticate with the parameters I've created in the config.yml file, it is searching for the scope, here is the parameters.
happy_r_google_analytics:
host: www.example.com
profile_id: MyProfileId
tracker_id: UA-TRACKER-ID
token_file_path: %kernel.root_dir%/var/storage
happy_r_google_api:
application_name: Project Default Service Account
oauth2_client_id: OAuthClientID
oauth2_client_secret: OAuthClientSecret
oauth2_redirect_uri: http://www.example.com/app_local.php/admin/google/analytics/oauth2callback
developer_key: DevelopperKey
site_name: http://www.example.com
I think there's no problem here, I've got no idea where I can set the scope so the google Api client can set it to https://www.googleapis.com/auth/analytics.readonly
You need to define a scope. If you use Google Auth, check Authorization scopes for it.
You must do something like:
$googleClient = new \Google_Client();
$googleClient->setScopes(array(
'https://www.googleapis.com/auth/plus.me',
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile',
));
On the development machine we have the default certificates that comes with apache, when we trying to authenticate with facebook, HWIOAuthBundle fires an exception:
SSL certificate problem: unable to get local issuer certificate
It's clear that in plain PHP we need to set an option CURLOPT_SSL_VERIFYPEER = false, and pass to curl_setopt_array(...).
How can we define these options for Symfony or for HWIOAuthBundle?
Add following options under "hwi_oauth" and you should be fine.
hwi_oauth:
http_client:
verify_peer: false