Develop Reference

FOSuserbundle login form & SamlBundle SSO login

I'm working on a custom membership website which is based on the Symfony2. This website has two type of the bundles. FOSuserbundle and SamlBundle.
I integrated SamlBundle with FOSuserbundle. Single Sign-On system is working now, but FOSuserbundle login form is not working.
This is my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface:
id: app.my_password_encoder
PDias\SamlBundle\Security\User\SamlUser: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
backend_samlservice:
id: saml.backend.fosuser.provider
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
require_previous_session: true
login_path: /login
check_path: /login_check
always_use_default_target_path: false
default_target_path: /
use_forward: true
use_referer: false
saml:
provider: backend_samlservice
direct_entry: false
login_path: /login-saml
check_path: /login-check-saml
default_target_path: /
always_use_default_target_path: true
logout:
path: /logout
target: /login
anonymous: true
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
remember_me:
key: '%secret%'
lifetime: 604800 # 1 week
path: /
domain: ~
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/sendemail, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^, role: ROLE_USER }
acl:
connection: default
Even if I was not using Single Sign-On, backend_samlservice will be executed.
When I use ID & Password to login to the website, I will be redirected to the login page.
Do I have to add something?
Thanks for your anwsers.

I've fixed this problem.
The point was SimpleSAML_Session. I had to clean up the session like this.
https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6
$session = SimpleSAML_Session::getSessionFromRequest();
$session->cleanup();
I added this code on the SamlAuth.php(pdias/saml-bundle/PDias/SamlBundle/Saml). Then it started working.

Non-existent service "form.csrf_provider" in Symfony2 application

I am trying configure HWIOauthBundle in my Symfony2 application with this link.
When I run app/console cache:clear, or composer install I get this message:
[Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException]
The service "security.firewall.map.context.main" has a dependency on a non-
existent service "form.csrf_provider".
My security.yml file:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_USER
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
in_memory:
memory:
users:
restapi: { password: secretpw, roles: [ 'ROLE_API' ] }
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /login
check_path: /login_check
oauth:
resource_owners:
facebook: "/login/check-facebook"
login_path: /login
failure_path: /login
oauth_user_provider:
service: my_user_provider
logout: true
anonymous: true
http_basic:
realm: "Demo REST API (username: restapi, password: secretpw)"
stateless: true
login:
pattern: ^/login$
security: false
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
I was looking for this error in network, but I can't find good solution for me.

I can't look now to hwio bundle but looks like you doesn't have 'form.csrf_provider' provider regisrered like service. search in project if 'form.csrf_provider' exist.

Different exception on production and dev environment when route doesn't exists

I want to show 404 not found error when someone try to access route in web which doesn't exists.
I'm keep getting this exception in production environment:
Fatal error: Uncaught exception 'Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException' with message 'The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL.' in /<path>/app/cache/prod/classes.php:4626 Stack trace: #0 /<path>/app/cache/prod/classes.php(4364): Symfony\Component\Security\Core\Authorization\AuthorizationChecker->isGranted('ROLE_USER', NULL) #1 /<path>/vendor/symfony/symfony/src/Symfony/Bridge/Twig/Extension/SecurityExtension.php(41): Symfony\Component\Security\Core\SecurityContext->isGranted('ROLE_USER', NULL) #2 /<path>/app/cache/prod/twig/9e/5d/2e6e87b557efe952c1ff84648c04bdb5d6870549f95d79526f65c94696d2.php(149): Symfony\Bridge\Twig\Extension\SecurityExtension->isGranted('ROLE_USER') #3 /<path>/app/cache/prod/classes.php(6519): __TwigTemplate_9e5d2e6e87b557efe952c1ff84648c04bdb5d6870549f95d79526f65c94696d2->d in /<path>/app/cache/prod/classes.php on line 6530
this is pretty strange because in dev I'm getting NotFoundHttpException, so in production 404 page should be shown.
This is my security yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: [ ROLE_USER, ROLE_SONATA_ADMIN ]
ROLE_SUPER_ADMIN: [ ROLE_ADMIN, ROLE_EDITOR ]
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
login_path: fos_user_security_login
use_forward: true
use_referer: true
check_path: fos_user_security_check
failure_path: front_homepage
default_target_path: /
always_use_default_target_path: false
failure_handler: app.authentication_handler
anonymous: true
api:
pattern: ^/v1
fos_oauth: true
stateless: true
anonymous: true # note that anonymous access is now enabled
main:
pattern: ^/*
oauth:
resource_owners:
facebook: "/login/check-facebook"
google: "/login/check-google"
login_path: fos_user_security_login
use_forward: true
use_referer: true
# failure_path: /login2
failure_handler: app.authentication_handler
provider: fos_userbundle
oauth_user_provider:
service: my_user_provider
form_login:
provider: fos_userbundle
login_path: fos_user_security_login
use_forward: true
use_referer: true
check_path: fos_user_security_check
failure_path: front_homepage
default_target_path: /
always_use_default_target_path: false
failure_handler: app.authentication_handler
logout:
path: fos_user_security_logout
target: /
success_handler: app.authentication_handler
anonymous: true
remember_me:
key: "%secret%"
lifetime: 31536000 # 1 year in seconds
path: /.*
domain: ~
switch_user: { role: ROLE_ADMIN }
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
default:
anonymous: ~
access_control:
# Public dev tools
- { path: ^/_wdt, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/_profiler, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Public login routes
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Private routes
- { path: ^/admin, role: ROLE_ADMIN }
- { path: ^/admin/efconnect, role: ROLE_ADMIN }
- { path: ^/admin/elfinder, role: ROLE_ADMIN }
- { path: ^/v1, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Rest of all domain
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }

Hapenned to me, it's because of the provider:
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
When route is not found, the token isn't created and a 404 exception is thrown so your provider which is supposed to test the token fails and throw error.

I dig in bit and found that error is actually thrown by twig.
I was using is_granted('ROLE_USER') in layout which 404 error page extending. I had to check if user is defined and not empty before checking permissions.
This is related to 2.1 upgrade change:
https://github.com/symfony/symfony/blob/2.8/UPGRADE-2.1.md#security

FOSOAuthServer : Not able to retrieve access token in api while using HWIOAUTHBUNDLE

While Using FOSOAuthServerBundle as OAuthServer and HWIOAuthBundle as OAuth Client, these both application have FOSUSerBundle integration.
I am facing issue in retrieving access token, which will use in sending user response to client application.
Please anyone can help me out.
<?php
public function userAction(Request $request)
{
$user = $this->get('security.context')->getToken()->getUser();
if($user) {
$user = $this->getDoctrine()->getRepository('EparUserBundle:User')->find(
$this->get('security.context')->getToken()->getUser()
);
return new JsonResponse(array(
'id' => $user->getId(),
'username' => $user->getUsername(),
'email' => $user->getEmail()
));
}
return new JsonResponse(array(
'message' => 'User is not identified'
));
}
FosOAuthServer config.yml and security.yml below:
fos_oauth_server:
db_driver: orm # Driver availables: orm, mongodb, or propel
client_class: Epar\Bundle\UserBundle\Entity\Client
access_token_class: Epar\Bundle\UserBundle\Entity\AccessToken
refresh_token_class: Epar\Bundle\UserBundle\Entity\RefreshToken
auth_code_class: Epar\Bundle\UserBundle\Entity\AuthCode
service:
storage: fos_oauth_server.storage.default
user_provider: fos_user.user_manager
client_manager: fos_oauth_server.client_manager.default
access_token_manager: fos_oauth_server.access_token_manager.default
refresh_token_manager: fos_oauth_server.refresh_token_manager.default
auth_code_manager: fos_oauth_server.auth_code_manager.default
options:
# Prototype
#key: []
# Example
# supported_scopes: string
# Changing tokens and authcode lifetime
access_token_lifetime: 3600
refresh_token_lifetime: 1209600
auth_code_lifetime: 30
supported_scopes: user
# Token type to respond with. Currently only "Bearer" supported.
#token_type: string
#realm:
# Enforce redirect_uri on input for both authorize and token steps.
#enforce_redirect: true or false
# Enforce state to be passed in authorization (see RFC 6749, section 10.12)
#enforce_state: true or false
template:
engine: twig
Security.yml
# app/config/security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
administration:
switch_user: true
context: user
pattern: /administration*
form_login:
provider: fos_userbundle
login_path: /administration/login
check_path: /administration/login_check
failure_path: /administration/login
default_target_path: /administration/
use_forward: false
use_referer: true
always_use_default_target_path: true
logout:
path: /administration/logout
target: /administration/login
anonymous: ~
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
check_path: /oauth/v2/auth_login_check
login_path: /oauth/v2/auth_login
use_referer: true
anonymous: true
context: connect
# Add your favorite authentication process here
api:
pattern: ^/api
fos_oauth: true
stateless: true
anonymous: true # can be omitted as its default value
access_control:
- { path: ^/administration/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/administration/login_check, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: [ IS_AUTHENTICATED_ANONYMOUSLY ] }
- { path: "/administration.*", role: ROLE_ADMIN }
HWIOAuthBundle application config.yml & security.yml
config.yml
hwi_oauth:
http_client:
timeout: 10 # Time in seconds, after library will shutdown request, by default: 5
verify_peer: false # Setting allowing you to turn off SSL verification, by default: true
ignore_errors: false # Setting allowing you to easier debug request errors, by default: true
max_redirects: 1 # Number of HTTP redirection request after which library will shutdown request,
# by default: 5
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on your site, with data from the provider (facebook. google, etc.)
#and also, the connecting part (get the token and the user_id)
connect:
# confirmation: true
account_connector: my_user_provider
# name of the firewall in which this bundle is active, this setting MUST be set
firewall_name: main
fosub:
username_iterations: 30
properties:
# these properties will be used/redefined later in the custom FOSUBUserProvider service.
github: githubID
atssso: atsssoID
resource_owners:
github:
type: github
client_id: *******
client_secret: ********
scope: "user:email"
atssso:
type: oauth2
client_id : 4_1u2nw1clcdy8o4kk84o004s0000oo0kkkw8ow8sg8koowo0c4c
client_secret: v5sa4t4sylcgsgkg8cosws4400k4s0okg48cgc8ccgk8sg4o4
access_token_url: http://192.168.11.71/atssso/web/app_dev.php/oauth/v2/token
authorization_url: http://192.168.11.71/atssso/web/app_dev.php/oauth/v2/auth
infos_url: http://192.168.11.71/atssso/web/app_dev.php/api/user
user_response_class: HWI\Bundle\OAuthBundle\OAuth\Response\PathUserResponse
scope: "user"
paths:
identifier: id
nickname: username
#realname: ["first_name", "last_name"]
realname: username
email: email
# here you will add one (or more) configurations for resource owners
security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_USER
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /login
check_path: /login_check
oauth:
resource_owners:
github: "/login/check-github"
atssso: "/login/service/atssso"
login_path: /login
failure_path: /login
oauth_user_provider:
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on your site, with data from the provider (facebook. google, etc.)
service: my_user_provider
logout: true
anonymous: true
login:
pattern: ^/login$
security: false
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }

symfony security firewall authentication

I have a knowledge problem I guess.
I thought, secure an area is done by the firewall. So for my understanding, I only have to write the area down inside the "access_control" to secure it by roles, isn't iT?
Actually, my security.yml looks like:
security:
encoders:
FOS\UserBundle\Model\UserInterface: pbkdf2
role_hierarchy:
ROLE_USER: [ROLE_USER]
ROLE_MODERATOR: [ROLE_AUTHOR]
ROLE_ADMIN: [ROLE_MODERATOR]
ROLE_SUPER_ADMIN: [ROLE_ADMIN]
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
# restrict the firewall to specific http methods
methods: [GET, POST]
access_denied_url: /error403
form_login:
check_path: /login_check
# the user is redirected here when they need to log in
login_path: /login
# if true, forward the user to the login form instead of redirecting
use_forward: true
# login success redirecting options (read further below)
always_use_default_target_path: false
default_target_path: /de/dashboard/
target_path_parameter: _target_path
use_referer: false
provider: fos_userbundle
csrf_provider: form.csrf_provider
default_target_path: /login
logout: true
anonymous: true
logout:
path: /logout
target: /login
invalidate_session: false
delete_cookies:
a: { path: null, domain: null }
b: { path: null, domain: null }
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/user, role: ROLE_ADMIN }
- { path: ^/administration, role: ROLE_ADMIN }
But if I login with a "ROLE_USER" account, I can access the "administration path anyway.
Where is my problem? Do I miss somenthing? Do I need a listener or something or will this be handled automatically?