Closed Whipstickgostop closed 8 years ago
Hi @michaelmarlow,
would you be able to elaborate this a bit more? I'm not able to reproduce this issue... Are you making use of any custom provider/listener/...?
Thanks in advance for your feedback!
Kind regards, David
No custom provider. I did recently update to Symfony 2.6 (from 2.4), but again, it works fine (even on 2.6) when I roll back to e156941.
Token format (HTTP_X-WSSE header)t: 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"'
Full stack trace: 7) \APIBundle\Tests\Controller\QuoteControllerTest::testPostQuote InvalidArgumentException: This token has no "nonce" attribute.
.../vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php:211 .../vendor/escapestudios/wsse-authentication-bundle/Escape/WSSEAuthenticationBundle/Security/Core/Authentication/Provider/Provider.php:66 .../vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/AuthenticationProviderManager.php:74 .../vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AccessListener.php:65 .../vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall.php:69 .../vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php:59 .../vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/EventDispatcher.php:164 .../vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/EventDispatcher.php:53 .../vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/ContainerAwareEventDispatcher.php:167 .../vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php:112 .../app/bootstrap.php.cache:3009 .../app/bootstrap.php.cache:2982 .../app/bootstrap.php.cache:3131 .../app/bootstrap.php.cache:2376 .../vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Client.php:81 .../vendor/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/Client.php:111 .../vendor/symfony/symfony/src/Symfony/Component/BrowserKit/Client.php:327 .../APIBundle/Tests/Controller/QuoteControllerTest.php:66
Hi @michaelmarlow,
the token has changed a lot from < 2.0.0 to 2.0.0. Would you mind sharing me some code of the testPostQuote? (if possible)
Thanks in advance!
Kind regards, David
No problem. Here's the token generator and the relevant call from testPostQuote.
class WsseToken
{
public static function makeNonce() {
$chars = "123456789abcdefghijklmnopqrstuvwxyz";
$random = "" . microtime();
$random .= mt_rand();
$mi = strlen($chars) - 1;
for ($i = 0; $i < 10; $i++) {
$random .= $chars[mt_rand(0, $mi)];
}
$nonce = md5($random);
return $nonce;
}
public static function makeToken($username, $password) {
$nonce = self::makeNonce();
$ts = date('c');
$digest = base64_encode(sha1($nonce.$ts.$password, true));
$nonce = base64_encode($nonce);
return sprintf('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
$username, $digest, $nonce, $ts);
}
}
public function getAuthHeaders()
{
$token = WsseToken::makeToken('bob', 'buffalo');
return array(
'HTTP_Authorization' => 'WSSE profile="UsernameToken"',
'HTTP_X-WSSE' => $token
);
}
Call from testPostQuote():
$client = static::createClient();
$request = array(
...
);
$crawler = $client->request('POST', '/api/quotes', $request, array(), $this->getAuthHeaders());
$response = $client->getResponse();
$this->assertJsonResponse($response, 200);
...
Hi @michaelmarlow,
I finally had the time to have a deeper look into the issue you are experiencing. It seems that the provider is trying to get the 'nonce' attribute (EscapeWSSEAuthenticationBundle/Security/Core/Authentication/Provider/Provider.php), but the attribute hasn't been set. This is actually done in the listener (EscapeWSSEAuthenticationBundle/Security/Http/Firewall/Listener.php), so I'm wondering whether you are definitely not using a custom listener.
Could you check the escape_wsse_authentication-section of your app/config/security.yml?
Thanks in advance for your feedback!
Kind regards, David
This was in config.yml rather than security.yml:
# Escape WSSE authentication configuration
escape_wsse_authentication:
authentication_provider_class: Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider
authentication_listener_class: Escape\WSSEAuthenticationBundle\Security\Http\Firewall\Listener
authentication_entry_point_class: Escape\WSSEAuthenticationBundle\Security\Http\EntryPoint\EntryPoint
authentication_encoder_class: Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder
And here is the relevant firewall:
wsse_secured:
provider: apibundle
pattern: ^/api/(?!doc/)
wsse:
realm: "Secured with WSSE" #identifies the set of resources to which the authentication information will apply (WWW-Authenticate)
profile: "UsernameToken" #WSSE profile (WWW-Authenticate)
lifetime: 300
encoder: #digest algorithm
algorithm: sha1
encodeHashAsBase64: true
iterations: 1
Thanks for your continued assistance.
Hi @michaelmarlow,
sorry: I incorrectly mentioned security.yml; it was meant to be config.yml.
Would you mind checking whether your Escape\WSSEAuthenticationBundle\Security\Http\Firewall\Listener definitely has $token->setAttribute('nonce', $wsseHeaderInfo['Nonce']); on line 79?
The issue you're running into, with the config you've provided, doesn't seem to make lots of sense...
Thanks in advance for your feedback!
Kind regards, David
Yup, that line is indeed there.
Hey please, did u find a solution to this exception?
Hi guys,
are you still experiencing this issue with the latest version of this bundle?
Thanks in advance!
Kind regards, David
Sorry for the delayed response. I don't remember when I updated to ~2.3, but it has been fixed for awhile. Thanks!
Latest commit is requesting a Nonce attribute in lowercase, and doing so results in expected failure to authenticate. Not doing so results in the error above. Rolling back to commit #e1569417f094d9f89e3c40a4b39fcb0f41b62d4d resolves the issue.