Integration with FOSUserBundle : 401 status code

[benjamin-hubert]

Hi,

I'm having the same problem as @djoos was having and i followed every step of your discussion on #49 without success.

The only difference from your tutorial is that i'm using sha512 as FOS encoder. So i changed the encoder parameter to sha512 and made a custom function to generate my token (based on https://github.com/sdiaz/FOSRestBundleByExample/blob/master/src/ByExample/DemoBundle/Controller/SecurityController.php#L64 ).

Still without success, please could you explain what i've been doing wrong ?

Thank's

PS : here is my code

security:
    providers:
        main:
           id: fos_user.user_provider.username
      wsse_secured:
          pattern: ^/api/.*
          anonymous: false
          provider: main
          wsse:
              lifetime: 31556926
              realm: "Secured API"
              profile: "UsernameToken"
              encoder:
                 algorithm: sha512
                 encodeHashAsBase64: true
                 iterations: 1
    encoders:
       Alpixel\Component\UserBundle\Entity\User: sha512

I also made the modification about the Authentication provider

[benjamin-hubert]

@djoos : it's not actually... i've followed your explanations and the blog post on #49 but i still have the problem. Do you prefer that i continue the ticket on #49 ?

[djoos]

Hi @gouaille,

thanks for getting in touch - sorry, I was a bit too quick on the case of closing the issue, thinking you had double-posted it ;-)

Would you mind double-checking whether the amount of iterations is definitely 1 for your encoder?

Thanks in advance for your feedback!

Kind regards, David

[benjamin-hubert]

Actually i didn't set an iteration amount for this encoder (i even wasn't aware you could !). Do you know if there is any default value ?

[djoos]

Could you try to set your wsse encoder settings to...

encoder:
  algorithm: sha512
  encodeHashAsBase64: false
  iterations: 1

...and let me know how that goes?

Thanks! David

[benjamin-hubert]

I 've just changed my FOS encoders just as follow :

    encoders:
       Alpixel\Component\UserBundle\Entity\User:
              algorithm: sha512
              encode_as_base64: false
              iterations: 1

and still not working (i created a new account and tried to query the API with it)

[djoos]

Hi @gouaille,

sorry for the confusion: you need to make sure the settings of the WSSE encoder match those of the FOSUserBundle encoder... I think FOSUserBundle's sha512 doesn't encode the hash as base64 by default, so could you give that a go in the WSSE encoder settings?

encoder:
  algorithm: sha512
  encodeHashAsBase64: false #as opposed to true
  iterations: 1

Thanks in advance for your feedback! David

[benjamin-hubert]

I've password like that in my database : EwdZsnSt7JbZYy5DrUf3TEWpgJVh36JUAYDjw+mfUcWdA/RSjJ4vV90MALcR+AmVF11lkSyRf//WzJQzNovcgw==

Looks like base64 to me but i've also tried your solution and it's not working either.

Here's a recap of my parameters :

security:

    providers:
        main:
           id: fos_user.user_provider.username

    firewalls:

      #API firewall
      wsse_secured:
          pattern: ^/api/.*
          anonymous: false
          provider: main
          wsse:
              lifetime: 31556926
              realm: "Secured API"
              profile: "UsernameToken"
              encoder:
                 algorithm: sha512
                 encodeHashAsBase64: true
                 iterations: 1

    encoders:
       Alpixel\Component\UserBundle\Entity\User:
              algorithm: sha512
              encode_as_base64: true
              iterations: 1

[benjamin-hubert]

I tried to go back to a sha1 configuration to test if http://www.teria.com/~koseki/tools/wssegen/ was working and wasn't able to make it work either.

[benjamin-hubert]

My bad, i made it works with sha1 ! I think my token generator is not good...

        $created = date('c');
        $nonce = substr(md5(uniqid('nonce_', true)), 0, 16);
        $nonceHigh = base64_encode($nonce);
        $passwordDigest = base64_encode(hash("sha512",$nonce . $created . $user->getPassword() . "{}", true));
        $header = "UsernameToken Username=\"{".$user->getUsername()."}\", PasswordDigest=\"{$passwordDigest}\", Nonce=\"{$nonceHigh}\", Created=\"{$created}\"";

I'm looking into it right now

[benjamin-hubert]

Done !

The first problem, i think, was the iteration problem which, with your solution, is perfectly solved.

Second problem was i was encoding the digest with a sha1 and told my firewall it was encoded to sha512. My password encoder was sha512, not the WSSE digest.

New problem is i'm not able to change the iterations to more than 1. I'm investigating on it.

[benjamin-hubert]

@djoos I don't understand how iterations are working (since it seems to have a difference between the digest and the original password encoding).

Could you suggest a proper way to generate the WSSE Header inside Symfony ?

[djoos]

Hi @gouaille,

I'm glad you're up and running!

"Could you suggest a proper way to generate the WSSE Header inside Symfony ?" If you want to refactor your token generation logic, perhaps you could have a look at the body of the execute-method in this file? (using Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder)

Hope this helps!

Kind regards, David

P.S. I'll close this issue now, but do keep me posted on your progress, ok? Thanks!

[skyjooy]

@djoos i think i have the same problem. What's the issue ? Thx