djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Issues on installing #39

Closed florin-r closed 10 years ago

florin-r commented 10 years ago

I've tried to install it using the composer command: `php composer.phar update escapestudios/wsse-authentication-bundle`

I've got no error, but when trying to call a webservice, after adding it to AppKernel, I got the error

    Fatal error: Class 'Escape\WSSEAuthenticationBundle\EscapeWSSEAuthenticationBundle' not found in /var/www/sample/public_html/app/AppKernel.php

djoos commented 10 years ago

Hi @florin-r,

thanks for getting in touch!

Would you mind double-checking the steps mentioned in README.md? Can you double-check the presence of the bundle in the vendor-dir as well as checking whether the classes get autoloaded? Also: if you want to, you can gist me your AppKernel and I'll have a look...

Thanks in advance for your feedback! David

florin-r commented 10 years ago

Hi David,

Unfortunately I don't find it in vendor-dir and I think it didn't get installed using `php composer.phar update escapestudios/wsse-authentication-bundle`

Not sure why, even though I added it to composer.json, which looks like this:

    "symfony/symfony": "2.3.*",
    "doctrine/orm": ">=2.2.3,<2.4-dev",
    "doctrine/doctrine-bundle": "1.2.*",
    "twig/extensions": "1.0.*",
    "symfony/assetic-bundle": "2.3.*",
    "symfony/swiftmailer-bundle": "2.3.*",
    "symfony/monolog-bundle": "2.3.*",
    "sensio/distribution-bundle": "2.3.*",
    "sensio/framework-extra-bundle": "2.3.*",
    "sensio/generator-bundle": "2.3.*",
    "incenteev/composer-parameter-handler": "~2.0",
    "friendsofsymfony/user-bundle": "~2.0@dev",
    "stfalcon/tinymce-bundle": "dev-master",
    "jms/serializer-bundle": "dev-master",
    "nelmio/api-doc-bundle": "dev-master",
    "escapestudios/wsse-authentication-bundle": "2.3.x-dev",
    "friendsofsymfony/rest-bundle": "1.1.*",
    "aferrandini/phpqrcode": "1.0.1"

As for AppKernel.php, it looks like this:

    $bundles = array(
        new JMS\SerializerBundle\JMSSerializerBundle(),
        new Nelmio\ApiDocBundle\NelmioApiDocBundle(),
        new FOS\RestBundle\FOSRestBundle(),
        new Symfony\Bundle\FrameworkBundle\FrameworkBundle(),
        new Symfony\Bundle\SecurityBundle\SecurityBundle(),
        new Symfony\Bundle\TwigBundle\TwigBundle(),
        new Symfony\Bundle\MonologBundle\MonologBundle(),
        new Symfony\Bundle\SwiftmailerBundle\SwiftmailerBundle(),
        new Symfony\Bundle\AsseticBundle\AsseticBundle(),
        new Doctrine\Bundle\DoctrineBundle\DoctrineBundle(),
        new Sensio\Bundle\FrameworkExtraBundle\SensioFrameworkExtraBundle(),
        new CMS\AdminBundle\CMSAdminBundle(),
        new FOS\UserBundle\FOSUserBundle(),
        new Stfalcon\Bundle\TinymceBundle\StfalconTinymceBundle(),
        new CMS\EmailNotificationBundle\CMSEmailNotificationBundle(),
        new Escape\WSSEAuthenticationBundle\EscapeWSSEAuthenticationBundle(),
        new CMS\DataBundle\CMSDataBundle(),
    );

Is there a way to add the bundle manually and register it? I'm not sure why it is not getting installed with composer.

Thank you.

djoos commented 10 years ago

Hi @florin-r,

your composer.json looks ok - what happens when you run a (general) composer update? Alternatively you could delete your composer.lock and run a composer install?

Let me know how it goes!

Kind regards, David

florin-r commented 10 years ago

Hi David,

Yeap, that was the issue. Now everything is ok. There is though one more question I have.

In the file Provider.php, function validateDigest, I see you have

    $expected = $this->encoder->encodePassword(
        sprintf('%s%s%s', base64_decode($nonce), $created, $secret),
        $salt
    );

So you are using the salt for finding the expected value. The problem is that the expected value generated is not equal to the digest sent by the user in the header.

But if I replace that instruction with the one from http://symfony.com/doc/2.2/cookbook/security/custom_authentication_provider.html

    $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));

everything works perfectly - it's true that here the salt is not used anymore.

To generate the digest, nonce and everything I've used http://www.teria.com/~koseki/tools/wssegen/

Can you please tell me if it's safe to remain with the second instruction - the one that works?

djoos commented 10 years ago

Hi @florin-r,

what settings did you use in the security.yml? You can determine to make use of sha512, the amount of iterations, etc.

Let me know how it goes!

David

florin-r commented 10 years ago

    firewalls:
        wsse_secured:
            pattern: ^/api/.*
            wsse:
                realm: "Secured API" #identifies the set of resources to which the authentication information will apply (WWW-Authenticate)
                profile: "UsernameToken" #WSSE profile (WWW-Authenticate)
                lifetime: 300 #lifetime of nonce

djoos commented 10 years ago

Hi @florin-r,

ok, in this case you're actually running with the defaults set in services.yml:

    escape_wsse_authentication.encoder:
        class: %escape_wsse_authentication.encoder.class%
        arguments: ['sha1', true, 1]

FYI: I do recommend going for something stronger than sha1, which you can do via specifying a custom digest algorithm - see "Specify a custom digest algorithm" in the README.md.

Whatever you go for there, you need to make sure you're using the same one to generate the digest. You can find an example of leveraging some Symfony2 classes for that purpose in the execute method of https://github.com/escapestudios/EscapeAPIClientBundle/blob/master/REST/Request.php (uses RequestCore, a wrapper around curl) - but it's only the actual generation of the digest I'd like to point out here.

Hope this helps! David
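As an added example (not the bundle's own code), the digest computation behind the default encoder settings quoted above, written out with the semantics of Symfony's MessageDigestPasswordEncoder (algorithm, base64 output, iteration count, and `{salt}` appended when a salt is set), plus a client that builds the X-WSSE header and a server-side check that enforces the nonce lifetime and rejects a replayed nonce. It assumes a user whose stored salt is empty, which is exactly the case where the output equals the cookbook's `base64_encode(sha1(...))` one-liner; the username, secret and lookup callback are constructed sample values.

```php
<?php
// Added example, not the bundle's code: reproduces the digest the bundle's default
// encoder ('sha1', base64 output, 1 iteration) computes, mirroring Symfony's
// MessageDigestPasswordEncoder, and checks an incoming X-WSSE header against it.
function wsseDigest(string $nonce, string $created, string $secret, string $salt = '',
                    string $algorithm = 'sha1', int $iterations = 1): string
{
    $raw = base64_decode($nonce) . $created . $secret;
    // Symfony's encoder appends "{salt}" when a salt is set; with an empty salt
    // this is exactly the cookbook's base64_encode(sha1(nonce.created.secret, true))
    $salted = $salt === '' ? $raw : $raw . '{' . $salt . '}';
    $digest = hash($algorithm, $salted, true);
    for ($i = 1; $i < $iterations; $i++) {       // stretching, as the encoder does
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return base64_encode($digest);
}

// Client side: fresh random nonce and UTC timestamp per request
function buildWsseHeader(string $username, string $secret, string $salt = ''): string
{
    $nonce   = base64_encode(random_bytes(16));
    $created = gmdate('Y-m-d\TH:i:s\Z');
    return sprintf('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
        $username, wsseDigest($nonce, $created, $secret, $salt), $nonce, $created);
}

// Server side: $lookup maps a username to [secret, salt] or null; $seenNonces
// stands in for the bundle's nonce cache so a captured header cannot be replayed
function validateWsseHeader(string $header, callable $lookup, array &$seenNonces, int $lifetime = 300): bool
{
    $re = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
    if (!preg_match($re, $header, $m)) return false;
    [, $username, $digest, $nonce, $created] = $m;
    $ts = strtotime($created);
    if ($ts === false || $ts > time() || time() - $ts > $lifetime) return false; // outside lifetime
    if (isset($seenNonces[$nonce])) return false;                                // replay
    $seenNonces[$nonce] = $ts;
    $creds = $lookup($username);
    if ($creds === null) return false;
    [$secret, $salt] = $creds;
    return hash_equals(wsseDigest($nonce, $created, $secret, $salt), $digest);   // constant-time
}
// Constructed sample user with an empty salt; the second call presents the same header again
$users  = ['alice' => ['s3cret', '']];
$lookup = function (string $u) use ($users) { return $users[$u] ?? null; };
$seen   = [];
$header = buildWsseHeader('alice', 's3cret');
var_dump(validateWsseHeader($header, $lookup, $seen), validateWsseHeader($header, $lookup, $seen));
```

Switching the encoder to sha512 or more iterations only changes the arguments passed to wsseDigest, but the client generating the header must use the same values.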

djoos commented 10 years ago

Hi @florin-r,

just checking in to see how it's going...

Thanks in advance for your feedback!

Kind regards, David