
How to enforce roles

Heshyo opened this issue 3 years ago • 4 comments

I'm working on a legacy project that uses WSSE. It has worked well for years, but I now need to update it to assign different roles to different endpoints / requests. Is this possible with this bundle?

If I don't log in and try to access the API, I'm automatically redirected to the login page. Once logged in, I can access all pages of the API, but I'm always viewed as IS_AUTHENTICATED_ANONYMOUSLY, not IS_AUTHENTICATED_FULLY.

Is there a way to get the user that makes the request inside the controller, to enforce roles?

Heshyo avatar Jan 12 '22 01:01 Heshyo

Hi @Heshyo,

"I now need to update it to assign different roles to different end points / requests. Is this possible with this bundle?"

This bundle facilitates WSSE authentication. I guess you want to have different users who can use WSSE to authenticate, each with their own roles. This, as well as having different roles for different endpoints, is OOTB Symfony security functionality, so it is possible.

"I'm always viewed as IS_AUTHENTICATED_ANONYMOUSLY, not IS_AUTHENTICATED_FULLY"

It would be good if you could detail a bit more what you are doing to access the WSSE-secured API, as you mentioned a few things ("I'm automatically redirected to the login page" and "I can access all pages of the API") that confuse me slightly, i.e. how are you making the calls to the WSSE-secured API endpoint(s)?

djoos avatar Jan 12 '22 13:01 djoos

Hi @djoos,

First, thanks for still helping with this repo after all these years!

I have a JavaScript front end that accesses the API. For each GET or POST request the HTTP headers are updated:

    // Announce the WSSE profile, then carry the actual token in the X-WSSE header
    headers['Authorization'] = 'WSSE profile="UsernameToken"';
    headers['x-wsse'] = "UsernameToken Username=\"" + username + "\", PasswordDigest=\"" + digest
        + "\", Nonce=\"" + nonce + "\", Created=\"" + dateCreated + "\"";

That's why, once I'm logged in, the headers are properly sent for each request and I can access the API.

Concerning "I'm automatically redirected to the login page": this is actually handled in the front end when the x-wsse header cannot be computed, so it has nothing to do with this bundle, sorry.

In the controller, when handling a request, I added some checks to see the authentication status, something like:

    $checker = $this->get('security.authorization_checker');

    if ($checker->isGranted('IS_AUTHENTICATED_FULLY')) {
        // ...
    } elseif ($checker->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
        // ...
    } elseif ($checker->isGranted('IS_AUTHENTICATED_ANONYMOUSLY')) {
        // ...
    }

That's how I realized I was always seen as only IS_AUTHENTICATED_ANONYMOUSLY.

Here's my security.yml:

security:

    providers:
        user_provider:
            id: app_user_provider

    firewalls:
        # disables authentication for assets and the profiler
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        wsse_secured:
            pattern:   ^/api/*
            stateless: true
            provider: user_provider
            wsse:
                realm: "Secured with WSSE"
                profile: "UsernameToken"
                encoder: # digest algorithm
                    algorithm: xxx

        main:
            anonymous: ~

    encoders:
        AppBundle\Entity\User:
            algorithm: xxx

Heshyo avatar Jan 13 '22 02:01 Heshyo

Hmmm, I haven't got any dummy setup currently, but I'll have a play and see if I can help out with this. (Just being 100% honest: it won't be super quick though, as it's a really busy time here.)

djoos avatar Feb 04 '22 19:02 djoos

Thanks for the update. I really appreciate you taking the time to look at this. There's no need to hurry as I'm tackling other things in the meantime.

Heshyo avatar Feb 05 '22 12:02 Heshyo