djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Integration with FOSUserBundle : 401 status code #49

Closed MaximeEvolunium closed 10 years ago

MaximeEvolunium commented 10 years ago

Hi @djoos!

I discovered your bundle recently and I'm very interested in it, but I can't log in with my configuration of security.yml. I looked at a lot of issues that you fixed, but it didn't work for me.

Please, can you explain to me how to integrate it successfully?

My security.yml :

encoders:
    FOS\UserBundle\Model\UserInterface: sha512

providers:
    fos_userbundle:
        id: fos_user.user_provider.username

firewalls:
    wsse_secured:
      pattern:   ^/api/.*
      wsse:
        lifetime: 300 #lifetime of nonce
        realm: "Secured API" #identifies the set of resources to which the authentication information will apply (WWW-Authenticate)
        profile: "UsernameToken" #WSSE profile (WWW-Authenticate)
        encoder: #digest algorithm
            algorithm: sha1
            encodeHashAsBase64: true
            iterations: 1
      anonymous: true
      provider: fos_userbundle

access_control:
    - { path: ^/api.*, role: ROLE_USER }
    - { path: ^/, role: ROLE_USER }

My config.yml :

fos_user:
    db_driver: orm
    firewall_name: wsse_secured
    user_class: Bg\UserBundle\Entity\User

escape_wsse_authentication:
    authentication_provider_class: Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider
    authentication_listener_class: Escape\WSSEAuthenticationBundle\Security\Http\Firewall\Listener
    authentication_entry_point_class: Escape\WSSEAuthenticationBundle\Security\Http\EntryPoint\EntryPoint
    authentication_encoder_class: Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder
djoos commented 10 years ago

Hi @MaximeEvolunium,

thanks for getting in touch!

Would you be able to mimic the FOSUserBundle's encoder settings in your security.yml? Rather than...

encoder: #digest algorithm
    algorithm: sha1
    encodeHashAsBase64: true
    iterations: 1

...make use of:

encoder: #digest algorithm
    algorithm: sha512
    encodeHashAsBase64: true
    iterations: 1

That should do the trick!

Also: you don't have to set the escape_wsse_authentication-settings in your config.yml, as you should be fine running the bundle's defaults.

Let me know how that goes!

Kind regards, David

MaximeEvolunium commented 10 years ago

Thanks for your answer!

I changed my security.yml like you said, but it still doesn't work.

Do I need to change something with FOS?

djoos commented 10 years ago

Hi @MaximeEvolunium,

would you mind letting me know how you're generating the digest?

Thanks in advance! David

MaximeEvolunium commented 10 years ago

Hi @djoos!

So, I'm using http://www.teria.com/~koseki/tools/wssegen/ to generate the header with those parameters:

username => mail address of my user in the DB (ex: test@test.fr)
password => plain text password of my user (ex: test)
nonce and created => auto
before X-WSSE => nothing

Thanks!

EDIT :

I use Chrome Rest Console to access my API with those parameters:

Custom headers => header -> x-wsse, value -> the header generated with http://www.teria.com/~koseki/tools/wssegen/
Authorization header => Authorization profile="UsernameToken"

djoos commented 10 years ago

Hi @MaximeEvolunium,

ah ok! That is also part of the reason for the 401, as it doesn't use sha512, nor the user's salt...

Please do have a read through #46 and @Danny-P's blog post, but do keep my comments on the post in #46 in mind.

Let me know how you get on!

Kind regards, David

MaximeEvolunium commented 10 years ago

Hi @djoos,

I saw this issue but I didn't understand it; now I see! I tried, but it still doesn't work, but I'm going to continue this way.

Thanks a lot, I'll come back to you here if I have any problem!

Best regards

djoos commented 10 years ago

Hi @MaximeEvolunium,

as @timtailor mentioned in #37: "For anyone who is interested: If you developed a WSSE header according to http://www.teria.com/~koseki/tools/wssegen/ then you have to use SHA1, 1 iteration, base64 for the digest, but with the specialty that you have to use the password as it is in the database (encrypted, not plain text) and no salt (override getSalt to return empty string and empty salt in your test file)."

That should do the trick! I'll close the issue for now, but don't hesitate to let me know how you get on...

Have a great evening! David
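To make the recipe quoted above concrete, here is an added example (not code from the bundle or from anyone in this thread) that models both sides of the exchange in Python: the digest encoder follows Symfony's MessageDigestPasswordEncoder (raw input with "{salt}" appended when the salt is non-empty, hashed `iterations` times, base64 or hex output), and the server check follows the bundle's Provider as described here (secret = the password hash stored for the user, salt = whatever getSalt() returns, nonce base64-decoded before digesting, Created checked for freshness, nonce rejected on replay). The function names, the user record, the salt, the nonces and the timestamps are all constructed for the example. It also goes one step beyond the thread: scenario 3 shows that the sha1/no-salt downgrade is only needed because the generator tool cannot apply the salt; a client that mirrors the firewall's encoder settings gets accepted with sha512 and the real salt too.

```python
"""Client/server model of EscapeWSSEAuthenticationBundle's digest check.
Added example; the encoder model is my reading of Symfony's
MessageDigestPasswordEncoder (assumption), the user record is constructed."""
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone


def message_digest_encode(raw, salt, algorithm="sha1", iterations=1, as_base64=True):
    """Model of MessageDigestPasswordEncoder::encodePassword(): the salt is
    appended as '{salt}' only when non-empty, the first round hashes the
    salted input, every further round hashes digest + salted input."""
    salted = raw if not salt else raw + "{" + salt + "}"
    data = salted.encode()
    digest = hashlib.new(algorithm, data).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest + data).digest()
    return base64.b64encode(digest).decode() if as_base64 else digest.hex()


def build_wsse_header(username, secret, salt="", encoder=None, nonce=None, created=None):
    """Client side: X-WSSE value. `secret` must be what the server feeds its
    encoder, i.e. the hash stored in the DB when talking to this bundle."""
    encoder = encoder or {}
    nonce = nonce if nonce is not None else os.urandom(16).hex()  # raw nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = message_digest_encode(nonce + created + secret, salt, **encoder)
    nonce_b64 = base64.b64encode(nonce.encode()).decode()  # header carries it base64'd
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{nonce_b64}", Created="{created}"')


HEADER_RE = re.compile(r'UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", '
                       r'Nonce="([^"]+)", Created="([^"]+)"')


def server_accepts(header, user, encoder, salt_fn, lifetime=300, now=None, seen_nonces=None):
    """Server side, modelled on the bundle's Provider: `salt_fn` plays the role
    of getSalt($user); `seen_nonces` plays the role of the nonce cache."""
    m = HEADER_RE.match(header)
    if not m or m.group(1) != user["username"]:
        return False
    _, digest, nonce_b64, created = m.groups()
    now = now or datetime.now(timezone.utc)
    created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if created_at > now:  # future-dated token
        return False
    if lifetime > 0 and created_at + timedelta(seconds=lifetime) < now:  # expired
        return False
    if seen_nonces is not None:  # replay within the lifetime window
        if nonce_b64 in seen_nonces:
            return False
        seen_nonces.add(nonce_b64)
    nonce = base64.b64decode(nonce_b64).decode()
    expected = message_digest_encode(nonce + created + user["password"], salt_fn(user), **encoder)
    return hmac.compare_digest(expected, digest)


def make_user(plaintext, salt):
    """Constructed FOSUser-style record: Symfony's 'sha512' encoder shorthand
    is sha512, base64, 5000 iterations, so that is what the DB column holds."""
    return {"username": "test@test.fr", "salt": salt,
            "password": message_digest_encode(plaintext, salt, "sha512", 5000, True)}


def scenarios():
    user = make_user("test", "r4nd0ms4lt")
    created = "2014-06-01T12:00:00Z"
    now = datetime(2014, 6, 1, 12, 0, 30, tzinfo=timezone.utc)
    sha1_enc = dict(algorithm="sha1", iterations=1, as_base64=True)
    sha512_enc = dict(algorithm="sha512", iterations=1, as_base64=True)

    # 1. Generator-tool style: plaintext password, no salt. The firewall also
    #    says sha1, but the Provider digests the stored hash plus the user's
    #    salt, so the two digests never line up -> 401.
    teria = build_wsse_header(user["username"], "test", "", sha1_enc, nonce="n1", created=created)
    r1 = server_accepts(teria, user, sha1_enc, lambda u: u["salt"], now=now)

    # 2. The thread's recipe: stored hash as the WSSE secret, getSalt() -> "".
    fixed = build_wsse_header(user["username"], user["password"], "", sha1_enc, nonce="n2", created=created)
    r2 = server_accepts(fixed, user, sha1_enc, lambda u: "", now=now)

    # 3. Beyond the thread: a client that mirrors the firewall's encoder and
    #    knows the salt is accepted with sha512 and the real salt as well.
    strong = build_wsse_header(user["username"], user["password"], user["salt"], sha512_enc,
                               nonce="n3", created=created)
    r3 = server_accepts(strong, user, sha512_enc, lambda u: u["salt"], now=now)

    # 4. Replaying an accepted header is refused once the nonce is cached.
    seen = set()
    r4a = server_accepts(fixed, user, sha1_enc, lambda u: "", now=now, seen_nonces=seen)
    r4b = server_accepts(fixed, user, sha1_enc, lambda u: "", now=now, seen_nonces=seen)
    return r1, r2, r3, r4a, r4b


if __name__ == "__main__":
    print(scenarios())  # (False, True, True, True, False)
```

Whatever algorithm the firewall is configured with, the secret the client has to hold is the password hash stored in the database, so a leaked X-WSSE client configuration is a password-equivalent for that account and should be treated as such. The model only covers the digest check: once the digest is accepted, a 403 comes from access_control, not from the bundle.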

MaximeEvolunium commented 10 years ago

Hi @djoos,

I did everything as described in the blog of @Danny-P http://daniel-pomrehn.de/2014/05/21/en_symfony2-wsse-webservices/ and as you showed me, but I still have a 403 error!

Here is my new source code; please tell me if you see something wrong:

config.yml

fos_user:
    db_driver: orm
    firewall_name: secured_area
    user_class: Bg\UserBundle\Entity\User

escape_wsse_authentication:
    authentication_provider_class: Bg\UserBundle\Security\Core\Authentication\Provider\Provider

security.yml

encoders:
    FOS\UserBundle\Model\UserInterface: sha1

role_hierarchy:
    ROLE_ADMIN:       ROLE_USER
    ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

providers:
    fos_userbundle:
        id: fos_user.user_provider.username_email

firewalls:
    wsse_secured:
        pattern: ^/api/.*
        wsse:
            realm: "Secured Api"
            profile: "UsernameToken"
            lifetime: 300
            encoder:
                algorithm: sha1
        anonymous: false
        provider: fos_userbundle

    secured_area:
        pattern:   ^/
        form_login:
            provider: fos_userbundle
            login_path:     fos_user_security_login
            check_path:     fos_user_security_check
            default_target_path: espace_perso
            always_use_default_target_path: true
        logout:
            path: fos_user_security_logout
            target: fos_user_security_login
        anonymous: true
        provider: fos_userbundle

access_control:
    - { path: ^/%locale%/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/login_check, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/coulisse, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
    - { path: ^/security.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api, role: IS_AUTHENTICATED }
    - { path: ^/, role: ROLE_USER }

my provider class

namespace Bg\UserBundle\Security\Core\Authentication\Provider;

use Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider as BaseProvider;
use Symfony\Component\Security\Core\User\UserInterface;

class Provider extends BaseProvider
{
    // Return an empty salt so the digest is computed over the stored
    // password only, matching what the WSSE generator tool produces.
    protected function getSalt(UserInterface $user)
    {
        return "";
    }
}

I tried this according to #37 and the blog http://daniel-pomrehn.de/2014/05/21/en_symfony2-wsse-webservices/:

I put my mail address as the login and the password as stored in my database (just the content of the password column, encrypted) in the username and password fields of the WSSE Generator, with nonce and created set to auto. I just copy what is generated after "X-WSSE:" and paste it as the value of the custom header in Rest Console (name of the header: X-WSSE), and I try it like that. But I get a 403..

I thought I did it right, but it seems I'm missing a little thing again...

If you can help me again, it would be great!

Best regards!

djoos commented 10 years ago

Hi @MaximeEvolunium,

thanks for your feedback! Hmmm, the 403 Forbidden isn't a WSSE Auth-issue any longer. Access to the resource your user is trying to access is declined by the Symfony security component (more particularly: Access Control).

I spotted "- { path: ^/api, role: IS_AUTHENTICATED }" in your security.yml. I actually think that IS_AUTHENTICATED is a non-existing role and would give "ROLE_USER" a go instead of "IS_AUTHENTICATED". This should work - and from there onwards you could go for a more specific role, depending on your setup. If you want every logged in user to have access to the API, ROLE_USER will be fine...

Hope this helps - and do let me know how it goes! David

MaximeEvolunium commented 10 years ago

Hi @djoos,

I was looking about that line at the same moment that you wrote it :D

This works fine now; thanks a lot, and keep supporting us like you do, you're great!

Best regards

djoos commented 10 years ago

Thanks for your feedback @MaximeEvolunium!

FYI: I hope to be able to condense the latest FOSUser + EscapeWSSEAuth issues into something useful for the documentation of this bundle so it becomes an easier process for future users.

Have a great day!

MaximeEvolunium commented 10 years ago

This would be very useful and powerful, I hope you'll succeed!

Great day!

jairoFernandez commented 9 years ago

Thank you very much!!