djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Unable to reuse nonce within lifetime #27

Closed tom10271 closed 10 years ago

tom10271 commented 10 years ago

I don't know why I am unable to reuse the nonce, and I have already set the lifetime for the nonce to 5184000.

Here is my config.yml:

```yaml
# Symfony reads firewall definitions under the top-level security key
security:
    firewalls:
        wsse_secured:
            pattern:   ^/api
            provider: fos_userbundle
            stateless: true
            wsse:
                nonce_dir: "/nonce" # location where nonces will be saved; use null to skip nonce validation
                lifetime: 5184000 # lifetime of a nonce, in seconds
                realm: "Secured API" # identifies the set of resources to which the authentication information applies (WWW-Authenticate)
                profile: "UsernameToken" # WSSE profile (WWW-Authenticate)
                encoder: # digest algorithm
                    algorithm: sha1
                    encodeHashAsBase64: true
                    iterations: 1
```

I have another question: I am building a single-page website that will keep requesting my REST API, developed with FOSRestBundle. However, different resources require different privileges, so the user needs to be logged in first.

For testing, if my REST API is secured by HTTP authentication, I cannot test it with a REST client. If I use WSSE, I can test the service, but it is complicated to use from a webpage.

Should I use WSSE for authenticating users, or would HTTP authentication be better? WSSE does not seem quite suitable for a webpage. Or can I authenticate the user and give them a WSSE token once they are logged in?

Thanks for helping.

djoos commented 10 years ago

Hi Tom,

You can't reuse nonces (well, you can outside the lifetime, while using the provided commands to clean up expired nonces), so you should push a unique one on each request.

Here's a link to an API bundle we use as a base for all our API clients, based upon requestcore/curl: https://github.com/escapestudios/EscapeAPIClientBundle. Especially have a look at the execute method of https://github.com/escapestudios/EscapeAPIClientBundle/blob/master/REST/Request.php for the X-WSSE header. It might be useful to make your own implementation...

Re: single page. If I understand correctly, you'd like different users to have different access to your API, right? WSSE is perfect for that, but you'll (obviously) have to make sure to set up different users within their groups/roles so that you can use this to secure your different calls. Needless to say, they will have to provide the X-WSSE header with each request.

I'll definitely keep your questions and comments in mind when working on some documentation/examples for the bundle.

Hope this helps!

Kind regards, David
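To make the single-use rule above concrete, here is an added example in Python of both halves of the exchange; it is not the bundle's code nor EscapeAPIClientBundle's. `build_wsse_header` is the client side (a fresh random nonce on every call), and `verify_wsse_header` is the stateless server check that rejects a nonce already seen within `lifetime`. The digest layout is assumed to follow the Symfony cookbook linked at the top of the page (PasswordDigest = base64(sha1(nonce bytes + Created + password)), with the header's Nonce carried base64-encoded) combined with the sha1 / base64 / one-iteration encoder from the config above. The in-memory `nonce_store` dict stands in for the files the bundle writes to `nonce_dir`, and `CLOCK_SKEW` and the `lookup_password` callback are assumptions of the example.

```python
"""WSSE UsernameToken: X-WSSE header construction and server-side check.

Added example, not the bundle's own code. Assumed digest format (Symfony
cookbook): PasswordDigest = base64(sha1(raw_nonce + Created + password)),
Nonce sent as base64 of the raw nonce bytes, Created as an ISO 8601 UTC stamp.
"""
import base64
import hashlib
import hmac
import os
import re
import time
from datetime import datetime, timezone

WSSE_FIELD = re.compile(r'(\w+)="([^"]*)"')
CREATED_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
CLOCK_SKEW = 60  # assumed tolerance (seconds) for a Created stamp slightly ahead of the server


def build_wsse_header(username, password, nonce=None, created=None):
    """Return the value of the X-WSSE request header.

    A fresh 16-byte random nonce is drawn for every call; passing nonce/created
    explicitly exists only so tests can reproduce a header.
    """
    raw_nonce = os.urandom(16) if nonce is None else nonce
    if created is None:
        created = datetime.now(timezone.utc).strftime(CREATED_FORMAT)
    digest = hashlib.sha1(raw_nonce + created.encode() + password.encode()).digest()
    return ('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"'
            % (username, base64.b64encode(digest).decode(),
               base64.b64encode(raw_nonce).decode(), created))


def parse_wsse_header(value):
    """Split the header into its four fields; None if the profile or a field is missing."""
    if not value.startswith('UsernameToken '):
        return None
    fields = dict(WSSE_FIELD.findall(value))
    if {'Username', 'PasswordDigest', 'Nonce', 'Created'} - set(fields):
        return None
    return fields


def verify_wsse_header(value, lookup_password, nonce_store, lifetime, now=None):
    """Validate one X-WSSE value. Returns True only if every check passes.

    nonce_store: dict mapping the base64 nonce to the unix time it was first
    accepted (stands in for the bundle's nonce_dir files). lifetime: seconds,
    as in the firewall config. lookup_password(username) -> secret or None.
    """
    now = time.time() if now is None else now
    fields = parse_wsse_header(value)
    if fields is None:
        return False
    try:
        created_ts = (datetime.strptime(fields['Created'], CREATED_FORMAT)
                      .replace(tzinfo=timezone.utc).timestamp())
        raw_nonce = base64.b64decode(fields['Nonce'], validate=True)
    except ValueError:  # malformed timestamp or nonce (binascii.Error is a ValueError)
        return False
    # 1. Created must not lie in the future (beyond skew) nor be older than lifetime.
    if created_ts > now + CLOCK_SKEW or created_ts + lifetime < now:
        return False
    # 2. Drop expired nonces, then refuse any nonce still on record: within
    #    lifetime a nonce is single-use, which is exactly what this issue ran into.
    for seen_nonce, seen_at in list(nonce_store.items()):
        if seen_at + lifetime < now:
            del nonce_store[seen_nonce]
    if fields['Nonce'] in nonce_store:
        return False
    # 3. Recompute the digest from the stored secret; constant-time comparison.
    password = lookup_password(fields['Username'])
    if password is None:
        return False
    expected = hashlib.sha1(raw_nonce + fields['Created'].encode() + password.encode()).digest()
    if not hmac.compare_digest(base64.b64encode(expected).decode(), fields['PasswordDigest']):
        return False
    # 4. Only a request that passed every check consumes the nonce.
    nonce_store[fields['Nonce']] = now
    return True
```

With the config above, `lifetime: 5184000` is 60 days, so a nonce that has been accepted once stays blocked for two months; the client must therefore generate a new nonce (and a current Created) for every request, and the cleanup command only matters for reclaiming nonce files older than that window.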

djoos commented 10 years ago

Hi @tom10271,

how are you getting on?

Thanks in advance for your feedback!

Kind regards, David

djoos commented 10 years ago

I'll close this issue for now, do let me know if you are still running into problems though...

Kind regards, David