dongxiaolin2801 2016-06-27 18:01
Views: 83
Accepted

Symfony2 custom authentication system passes users when it shouldn't

I'm writing a bundle for Symfony2 and I need to write a custom authentication system with guards. The whole system is based on tokens. Let's assume I need to send a POST request. In headers I have to include 'TOKEN: testtoken'.

  1. I send a request without 'TOKEN: testtoken' in the headers and I get

    { "message": "Authentication Required" }

  2. I send a request with 'TOKEN: badtoken' and I get

    { "message": "Username could not be found." }

    Don't look at 'username'. It's a mistake.

  3. I send a request with 'TOKEN: testtoken' and I get

    { "token": "testtoken" }

    It's just an example page.

  4. Now I delete 'TOKEN: testtoken' from the headers (I use Postman for testing REST APIs) and I get

    { "token": "testtoken" }

    I have no idea why. In my opinion, in this case my system should return

    { "message": "Authentication Required" }

Here’s my TokenAuthenticator.php

<?php
namespace WLN\AuthTokenBundle\Security;

use Doctrine\ORM\EntityManager;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;

class TokenAuthenticator extends AbstractGuardAuthenticator
{
    private $em;
    private $user_repository;

    public function __construct(EntityManager $em)
    {
        $this->em = $em;
    }

    // Name of the user entity/repository to look tokens up in, injected via configuration.
    public function setConfig($user_repo)
    {
        $this->user_repository = $user_repo;
    }

    // Returning null here skips this authenticator; the firewall then falls
    // back to whatever is already in the session (or to start() if nothing is).
    public function getCredentials(Request $request)
    {
        if($token = $request->headers->get('WLN-AUTH-TOKEN'))
        {
            return [
                'token' => $token
            ];
        }

        return null;
    }

    // A null result here is what produces the "could not be found" message in step 2.
    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        $token = $credentials['token'];

        return $this->em->getRepository($this->user_repository)
            ->findOneBy(array('token' => $token));
    }

    // The token lookup in getUser() already decides validity, so nothing more to check.
    public function checkCredentials($credentials, UserInterface $user)
    {
        return true;
    }

    // null lets the request continue to the controller.
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        $data = array(
            'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
        );

        return new JsonResponse($data, 403);
    }

    // Called when a protected resource is requested with no credentials at all.
    public function start(Request $request, AuthenticationException $authException = null)
    {
        $data = array(
            'message' => 'Authentication Required'
        );

        return new JsonResponse($data, 401);
    }

    public function supportsRememberMe()
    {
        return false;
    }
}

P.S. My app is on shared hosting. Could caching or something like that cause it?

1 answer

  • dsa89029 2016-06-29 08:11

    I've figured out what was wrong. When I was requesting with a valid token, a PHPSESSID session was formed. Because of that I was getting such freaky behavior from my API. In my case the solution is to set security.firewalls.main.stateless to true :).
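To make the accepted fix concrete, here is the firewall section of app/config/security.yml as an added illustration (not the asker's or the answerer's own config); the user entity class, provider name and authenticator service id are assumed names.

```yaml
# app/config/security.yml (Symfony 2.8 guard syntax; names below are assumed)
security:
    providers:
        wln_token_users:
            entity:
                class: WLNAuthTokenBundle:User   # assumed entity with a "token" field
                property: token

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            anonymous: ~
            # Without this line the firewall is stateful: after the first
            # successful token request the authenticated token is stored in the
            # session and replayed through the PHPSESSID cookie, so a later
            # request without the header still passes (the behaviour in step 4).
            # With stateless: true every request must carry the header again.
            stateless: true
            guard:
                authenticators:
                    - wln_auth_token.token_authenticator   # assumed service id
            provider: wln_token_users
```

For a token API the client should also not be sending a PHPSESSID cookie at all; Postman keeps cookies between requests, which is why step 4 looked like the authenticator itself was at fault.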