Kerberos authentication with Symfony2 - symfony

I am trying to authenticate users with Kerberos in Symfony2, but I'm a little lost on the way.
When the user is authenticated, the Apache server returns the $_SERVER['REMOTE_USER'] variable, giving me his username. I can recover this value:
    $request = Request::createFromGlobals();
    $user = $request->server->get('REMOTE_USER');
But how do I tell Symfony to authenticate the user with just this value? No password is required.
I hesitate between creating a custom authentication provider and creating a custom user provider.
What is the best way to do this, please?

Added a REMOTE_USER based listener to security firewalls
Several Apache security modules (auth_kerb, auth_cas, etc.) provide the username via an environment variable called REMOTE_USER. For that reason, Symfony 2.6 will include a new authentication listener based on this variable.
To use it in your application, simply define a firewall of the new remote_user type in your security configuration:
    # app/config/security.yml
    security:
        firewalls:
            secured_area:
                pattern: ^/
                remote_user:
                    provider: your_user_provider
Source: http://symfony.com/blog/new-in-symfony-2-6-security-component-improvements
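
A user provider that the remote_user firewall above could point at, as an added example that is not part of the original answer or of Symfony itself. It assumes the Apache module may pass the full Kerberos principal (user@REALM); the class name, the EXAMPLE.COM realm and the ROLE_USER role are placeholders.

```php
<?php
namespace AppBundle\Security; // hypothetical namespace

use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class KerberosUserProvider implements UserProviderInterface
{
    private $allowedRealm;

    public function __construct($allowedRealm = 'EXAMPLE.COM') // placeholder realm
    {
        $this->allowedRealm = $allowedRealm;
    }

    // Receives the raw REMOTE_USER value. It is trustworthy only because
    // Apache sets it after a successful Kerberos exchange.
    public function loadUserByUsername($username)
    {
        // Accept "alice" or "alice@EXAMPLE.COM"; anything else is rejected.
        if (!preg_match('/^([A-Za-z0-9._-]+)(?:@([A-Za-z0-9.-]+))?$/D', $username, $m)) {
            throw new UsernameNotFoundException('Malformed REMOTE_USER value.');
        }
        // Realms are case-sensitive, so compare strictly.
        if (isset($m[2]) && $m[2] !== $this->allowedRealm) {
            throw new UsernameNotFoundException('Unexpected Kerberos realm.');
        }
        // No password is stored: Apache already authenticated the principal.
        // Roles would normally be looked up in your own user store.
        return new User($m[1], '', array('ROLE_USER'));
    }

    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof User) {
            throw new UnsupportedUserException(sprintf('Unsupported user class "%s".', get_class($user)));
        }
        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass($class)
    {
        return $class === 'Symfony\Component\Security\Core\User\User';
    }
}
```

Register the class as a service, declare a provider under security.providers whose id is that service, and use the provider's name in the remote_user firewall.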

Related

symfony4 UserProviderInterface implementation with api calls authentication

I'm developing a symfony4 webapp. User accounts are stored on a DB accessible via an API.
I want to implement this UserProviderInterface, as it is advised by the symfony4 documentation, to use the symfony4 security module features.
If I understand, implementing this interface requires the API (or service, or db...) to return data (for example hashed password / salt) that will be checked by symfony security.
Is there a way to use the symfony security module without getting such data from the user provider?
For example, to send the username and password entered in the login form by the user to the api, which will check if it is correct and return a bool?
You can implement your own Guard Authenticator to perform the authentication checks manually.
There is a good example implementation described in the documentation chapter:
How to Create a Custom Authentication System with Guard
An example configuration would look like this:
    security:
        firewalls:
            firewall_api:
                pattern: '^/(.*)+$'
                host: '^api\.mypage\.com$'
                stateless: true
                anonymous: false
                guard:
                    # list of authenticators to try
                    authenticators:
                        - 'My\Bridge\Symfony\Security\Authenticator\Guard\JWTTokenAuthenticator'
                        - 'My\Bridge\Symfony\Security\Authenticator\Guard\FacebookAuthenticator'
                    # This authenticator's start() method is called
                    entry_point: 'My\Bridge\Symfony\Security\Authenticator\Guard\JWTTokenAuthenticator'
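
A Guard authenticator for the case in the question, where the remote API answers only true or false, as an added example that is not part of the original answer. The RemoteCredentialChecker interface, the /login path and the _username/_password field names are hypothetical.

```php
<?php
namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;

// Hypothetical contract for the account API: true only for a valid pair.
interface RemoteCredentialChecker
{
    public function isValid(string $username, string $password): bool;
}

class ApiLoginAuthenticator extends AbstractGuardAuthenticator
{
    private $checker;
    public function __construct(RemoteCredentialChecker $checker) { $this->checker = $checker; }

    public function supports(Request $request)
    {
        // Assumed login endpoint; other requests skip this authenticator.
        return $request->isMethod('POST') && $request->getPathInfo() === '/login';
    }
    public function getCredentials(Request $request)
    {
        return ['username' => (string) $request->request->get('_username'),
                'password' => (string) $request->request->get('_password')];
    }
    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        return $userProvider->loadUserByUsername($credentials['username']);
    }
    public function checkCredentials($credentials, UserInterface $user)
    {
        // The API decides; no hash or salt ever reaches Symfony.
        return $this->checker->isValid($credentials['username'], $credentials['password']);
    }
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { return null; }
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        // Same message for unknown user and wrong password.
        return new JsonResponse(['error' => 'Invalid credentials.'], 401);
    }
    public function start(Request $request, AuthenticationException $authException = null)
    {
        return new JsonResponse(['error' => 'Authentication required.'], 401);
    }
    public function supportsRememberMe() { return false; }
}
```

The user provider still has to return a UserInterface object for the username, but it needs no password data because checkCredentials() never reads any from it.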

Symfony 2.8 - It is correct that the authentication token is recreated on each request?

I am identifying access to certain routes through x509 digital certificate (pre-authentication).
For this I defined the security.yml as follows:
    security:
        providers:
            x509Provider_Provider:
                id: x509Provider_Service
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            xes:
                pattern: ^/xes
                x509:
                    provider: x509Provider_Provider
                    user: "SSL_CLIENT_S_DN"
        access_control:
            - { path: ^/xes, roles: ROLE_ADMIN, requires_channel: https }
Here I get the SSL_CLIENT_S_DN and use it as the username.
In the provider
x509Provider class implements UserProviderInterface
I consult the database to see if the user exists and has access permissions, and based on this
I create an object
**x509User class implements UserInterface, EquatableInterface**
where I store the access permissions and other data.
Apparently it works correctly: in the Symfony profiler I have a user with their roles, marked as authenticated.
The problem is: whenever I access a route (pattern: ^/xes), the authentication process and the database access are launched to obtain the user's roles and permissions.
Shouldn't it authenticate only the first time and, once the session is created, use it in subsequent requests?
I hope I have explained my question correctly.
Greetings
Nowadays, it's quite usual to authenticate the user via an API key
(when developing a web service for instance). The API key is provided
for every request and is passed as a query string parameter or via an
HTTP header.
I think that it's the same for the token.

Symfony2, normal + rest authentication

I am having trouble figuring out how to structure my application.
It is currently a web application built using normal controllers, twig views etc. and using FOS user bundle for authentication. In this application it is possible to create entities that should be seen as a "mobile user"
Now I need an API for a mobile app where the "mobile users" should log in, but I cannot figure out how this authentication should be constructed.
Should I create a user in the user table along with the web app users? Is it possible to require a user to have a specific role to log in on the normal login page?
Or should I add a username and password column to the "mobile user" entity, and make a custom login for the api? But how is this accomplished? I am thinking of using angularjs in the mobile app, if this has any impact on how to solve this issue.
One possible solution would be to use FOSOAuthServerBundle.
In this scenario you can keep your users in the same place for both the web app and the mobile app. Users can authenticate using the same credentials in the web and mobile apps, but authentication for the mobile app can be done through an ajax call.
Thanks to oAuth you don't keep the login/password stored in your mobile app.
The bundle itself is written in a way that integrates with Symfony in a perfect way.
To access different resources using different security you just configure different firewalls:
security.yml
    security:
        firewalls:
            oauth_token:
                pattern: ^/oauth/v2/token
                security: false
            api:
                pattern: ^/api
                fos_oauth: true
                stateless: true
            web_secured:
                pattern: ^/
                stateless: true
                your_security_factory: true
Check these resources for more info:
FOSOAuthServerBundle documentation
step-by-step tutorial
You don't have to use a different user provider, but you will need to configure a different firewall in security.yml:
    firewalls:
        api_firewall:
            pattern: "^/api/"
            form_login:
                check_path: /api/login_check
                login_path: /api/login
Then you can still show your users a login form. Using angular, have it post to the check_path. Symfony uses cookies to store authentication information, so you may have to configure angular to accept and pass those on subsequent requests.
If you don't want to do that, you could use an API key and write a custom authenticator implementing SimplePreAuthenticatorInterface.

Symfony2 : Pre Login event before specific provider

Security.yml
    providers:
        multiples:
            chain:
                providers: [db, ldap]
I would like to be able to run a pre-login check before the user is authenticated via the db provider only and not authenticating before any provider, does anyone know if this is possible (and how to do so) with Symfony 2.2?

Symfony FOSUser Bundle - Setting failure_path for password change

I know we can set the failure path for form_login:
    form_login:
        provider: fos_userbundle
        failure_path: /register
        default_target_path: /home
How can I set the same structure for profile edit and password change (profile/edit)?
AFAIK, no, it's not possible.
form_login is handled by Symfony2, not by fos_userbundle.
By specifying form_login, you have told the Symfony2 framework that
any time a request is made to this firewall that leads to the user
needing to authenticate himself, the user will be redirected to a form
where he will be able to enter his credentials. It should come as no
surprise then that you have specified the user provider service we
declared earlier as the provider for the firewall to use as part of
the authentication process.
Since Symfony2 takes care of security context token population, it has given others a way to set the failure path.
But in your case, it's completely in your control, so why do you need
that setting?
I suggest you read more about security.
