
Unexpected result #63

Open
jonatasfreitasv opened this issue Feb 26, 2015 · 7 comments

Comments

@jonatasfreitasv

Hello,

Here is what is happening.

I'm testing the REST API in the NelmioApiDoc sandbox.

The first time I open the browser, I try the request without sending the WSSE header and it returns 401, the expected result.

When I add the WSSE header, it returns 200, the expected result.

When I make a new request with the same header, it returns 401, the expected result.

Now the possible problem: when I remove the header and make the request again, it returns 200, which is not expected.

Why does this happen?
Shouldn't it deny the request when the WSSE header does not exist?

@djoos
Owner

djoos commented Feb 26, 2015

Hi Jonatas,

thanks for getting in touch!

It sounds to me like your API is not stateless...
Could you perhaps print out the user on each call? I've got a feeling that when taking out the WSSE header (after the 200 with the WSSE header) the app still remembers the user (session), which it definitely shouldn't...

Do let me know (perhaps provide some code snippets) how you get on!

Kind regards,
David

@djoos
Owner

djoos commented Feb 26, 2015

P.S. If the WSSE header is not present, the WSSE authentication bundle does not deny the request - it just doesn't kick in WSSE authentication. There is a PR (#42) open to make this behaviour possible, but I'd prefer it to be configurable...
Please do have a read through #42, as the issue you expect might be similar.

Thanks in advance for your feedback!
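The four-request sequence from the opening post, and David's explanation of why the header-less request still succeeds, worked through as an added Python example (this is not the bundle's code nor anything the issue author posted). It assumes the PasswordDigest formula from the Symfony WSSE cookbook, base64(sha1(nonce + created + secret)), a constructed user store, and a deliberately simplified model of a Symfony firewall in which a non-stateless firewall keeps the authenticated user in the session; the X-WSSE header format and the 300-second lifetime match the issue's configuration.

```python
import base64
import hashlib
import hmac
import os
import re
import time
from datetime import datetime, timezone

LIFETIME = 300  # seconds; matches "lifetime: 300" in the firewall config from the issue
USERS = {"jonatas": "s3cret"}  # constructed user store: username -> shared secret
ISO = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_raw, created, secret):
    """PasswordDigest as in the Symfony WSSE cookbook: base64(sha1(nonce + created + secret)).
    Assumption: the bundle's sha1 'encoder' setting produces the same value."""
    h = hashlib.sha1(nonce_raw + created.encode() + secret.encode()).digest()
    return base64.b64encode(h).decode()


def build_wsse_header(username, secret, now=time.time, nonce_raw=None):
    """Client side: one X-WSSE header value with a fresh random nonce and the current time."""
    nonce_raw = nonce_raw or os.urandom(16)
    created = datetime.fromtimestamp(now(), timezone.utc).strftime(ISO)
    return 'UsernameToken Username="{}", PasswordDigest="{}", Nonce="{}", Created="{}"'.format(
        username, password_digest(nonce_raw, created, secret),
        base64.b64encode(nonce_raw).decode(), created)


class WsseVerifier:
    """Server side: validates the header, enforces the lifetime and rejects nonce replay."""

    def __init__(self, users, lifetime=LIFETIME, now=time.time):
        self.users, self.lifetime, self.now = users, lifetime, now
        self.seen_nonces = set()  # in-memory replay cache; enough for a single-process demo

    def authenticate(self, header):
        fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
        required = ("Username", "PasswordDigest", "Nonce", "Created")
        if not header.startswith("UsernameToken") or any(k not in fields for k in required):
            return None
        secret = self.users.get(fields["Username"])
        if secret is None:
            return None
        try:
            created_ts = datetime.strptime(fields["Created"], ISO).replace(
                tzinfo=timezone.utc).timestamp()
            nonce_raw = base64.b64decode(fields["Nonce"], validate=True)
        except ValueError:  # malformed timestamp or nonce (binascii.Error is a ValueError)
            return None
        now = self.now()
        if created_ts > now or now - created_ts > self.lifetime:
            return None  # expired, or dated in the future: 401
        if fields["Nonce"] in self.seen_nonces:
            return None  # replayed nonce: this is the 401 on the repeated request
        expected = password_digest(nonce_raw, fields["Created"], secret)
        if not hmac.compare_digest(expected.encode(), fields["PasswordDigest"].encode()):
            return None
        self.seen_nonces.add(fields["Nonce"])
        return fields["Username"]


class Firewall:
    """Simplified model (an assumption, not Symfony's own code) of a firewall with
    anonymous: false. With stateless=False the authenticated user is stored in the
    session and reused on later requests, which is the behaviour the issue reports."""

    def __init__(self, verifier, stateless):
        self.verifier, self.stateless = verifier, stateless

    def handle(self, headers, session):
        header = headers.get("X-WSSE")
        if header is None:
            # The WSSE listener does not run without its header; only a session-backed
            # firewall still has a remembered user to fall back on.
            return 200 if (not self.stateless and "user" in session) else 401
        user = self.verifier.authenticate(header)
        if user is None:
            return 401
        if not self.stateless:
            session["user"] = user
        return 200


def run_sequence(stateless, clock=time.time):
    """Replays the four requests from the issue and returns their status codes."""
    fw = Firewall(WsseVerifier(USERS, now=clock), stateless)
    session = {}  # one browser, one session cookie shared by all four requests
    header = build_wsse_header("jonatas", USERS["jonatas"], now=clock)
    return [
        fw.handle({}, session),                  # 1: no header
        fw.handle({"X-WSSE": header}, session),  # 2: fresh header
        fw.handle({"X-WSSE": header}, session),  # 3: same header again (nonce replay)
        fw.handle({}, session),                  # 4: header removed
    ]


if __name__ == "__main__":
    print("stateless: false ->", run_sequence(False))  # [401, 200, 401, 200], as reported
    print("stateless: true  ->", run_sequence(True))   # [401, 200, 401, 401]
```

With the session-backed firewall the sequence comes back 401, 200, 401, 200: the third request fails because the nonce is replayed, and the fourth succeeds only because the session still carries the user from request two. With the stateless firewall the fourth request is 401 again, which is the effect of adding `stateless: true` to the wsse_secured firewall in Symfony. In both cases the listener never runs without the X-WSSE header, matching the P.S. above; the header-less request is denied in this model only because anonymous access is off.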

@jonatasfreitasv
Author

I tested in the NelmioApiDoc sandbox with direct requests. I don't have any code.

@bkosborne
Contributor

Somewhat related, shouldn't the example code in the docs have the user set their firewall to stateless? I believe that's a requirement for someone who wants to use an authentication provider like this.

@djoos
Owner

djoos commented Feb 26, 2015

Hi @bkosborne,

that is a good suggestion - WSSE auth is stateless, but making that clearer in the firewall makes sense...

Would you mind sending over a quick PR?

Kind regards,
David

@jonatasfreitasv
Author

My security file:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha1

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        wsse_secured:
            pattern: ^/api/.*
            wsse:
                realm: "Secured Api"
                profile: "UsernameToken"
                lifetime: 300
                encoder:
                    algorithm: sha1
            anonymous: false
            provider: fos_userbundle

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/doc, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/security, role: IS_AUTHENTICATED_ANONYMOUSLY }

@bkosborne
Contributor

@djoos #65
