
Unexpected result

Open jonatasfreitasv opened this issue 9 years ago • 7 comments

Hello,

what is happening is the following.

I'm testing the REST api in sandbox NelmioDoc.

The first time I open the browser, I try the request without sending the wsse header and returns 401, expected result.

When I add the header WSSE, returns 200, expected result.

When I make a new request with the same header, returns 401, expected result.

Now the possible problem, when I remove the header and make the request again, returns 200, not expected.

Why does this happen? Shouldn't it deny the request when the WSSE header does not exist?

jonatasfreitasv avatar Feb 26 '15 07:02 jonatasfreitasv

Hi Jonatas,

thanks for getting in touch!

It sounds to me that your API is not stateless... Could you perhaps print out the user each call? I've got a feeling that when taking the WSSE header (after the 200 with WSSE header) the app still remembers the user (session), which it definitely shouldn't...

Do let me know (perhaps provide some code snippets) how you get on!

Kind regards, David

djoos avatar Feb 26 '15 18:02 djoos

P.S. If the WSSE header is not present, the WSSE authentication bundle does not deny the request - it just doesn't kick in WSSE authentication. There is a PR (#42) open to make this behaviour possible, but I'd prefer it to be configurable... Please do have a read through #42 as the issue you expect might be similar.

Thanks in advance for your feedback!

djoos avatar Feb 26 '15 18:02 djoos

I tested in the NelmioAPIDoc Sandbox with a direct request. I don't have any code.

jonatasfreitasv avatar Feb 26 '15 19:02 jonatasfreitasv

Somewhat related, shouldn't the example code in the docs have the user set their firewall to stateless? I believe that's a requirement for someone who wants to use an authentication provider like this.

bkosborne avatar Feb 26 '15 20:02 bkosborne

Hi @bkosborne,

that is a good suggestion - WSSE auth is stateless, but making that clearer in the firewall makes sense...

Would you mind sending over a quick PR?

Kind regards, David

djoos avatar Feb 26 '15 21:02 djoos

My security file:

```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha1

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        wsse_secured:
            pattern: ^/api/.*
            wsse:
                realm: "Secured Api"
                profile: "UsernameToken"
                lifetime: 300
                encoder:
                    algorithm: sha1
            anonymous: false
            provider: fos_userbundle

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/doc, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/security, role: IS_AUTHENTICATED_ANONYMOUSLY }
```

jonatasfreitasv avatar Feb 26 '15 22:02 jonatasfreitasv
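As an added illustration (not from the thread or the bundle's own docs), here is the `wsse_secured` firewall from the config above with the two changes the discussion points to: `stateless: true`, so Symfony never stores the authenticated token in the session and a follow-up request without a WSSE header cannot reuse the earlier login, and an `access_control` rule for `^/api` (assumed here; the bundle itself does not deny header-less requests, as noted above) so an unauthenticated request is refused instead of passing through anonymously.

```yaml
security:
    firewalls:
        wsse_secured:
            pattern: ^/api/.*
            # Weak setting (the posted config): no 'stateless' key, so the
            # firewall falls back to the session and "remembers" the user
            # after one successful WSSE request.
            # Corrected setting: every request must carry its own WSSE header.
            stateless: true
            wsse:
                realm: "Secured Api"
                profile: "UsernameToken"
                lifetime: 300
                encoder:
                    algorithm: sha1
            anonymous: false
            provider: fos_userbundle

    access_control:
        # Assumed addition: require an authenticated user on every API path,
        # because a missing WSSE header only skips the listener, it does not
        # deny the request by itself.
        - { path: ^/api, role: ROLE_USER }
        - { path: ^/doc, role: IS_AUTHENTICATED_ANONYMOUSLY }
```

With this in place, the fourth request in the report (same browser, header removed) returns 401 rather than 200, which is the quickest check that the session is no longer carrying the token.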

@djoos #65

bkosborne avatar Feb 27 '15 14:02 bkosborne