Problem with multi Authentication providers

[MGDSoft]

Hi djoos!

I have a problem with following configuration

    api:
            pattern:   ^/api/v.*
            stateless: true
            provider: api_user
            wsse:
                realm: "%api_wsse_realm%" #identifies the set of resources to which the authentication information will apply (WWW-Authenticate)
                profile: "%api_wsse_profile%" #WSSE profile (WWW-Authenticate)
                lifetime: "%api_wsse_lifetime%"

                encoder:
                    algorithm: "%api_wsse_algorithm%"
                    encodeHashAsBase64: "%api_wsse_encodehashasbase64%"
                    iterations: "%api_wsse_iterations%"
            http_basic:  ~

Http_basic make it crash with "This token has no "nonce" attribute." because it trying to get value token value in Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider line 66

I dont know why is inside it but if I override authentication_provider_class two AuthenticationProviders work

   public function authenticate(TokenInterface $token)
    {
        if (!$token->hasAttribute('nonce'))
            return;

        return parent::authenticate($token);
    }

What is wrong here?

Thanks in advance djoos!

[Drachenkaetzchen]

I have exactly the same issue. My use case is that I need HTTP Basic auth for functional tests, and I wish to use this bundle to perform the regular authentification.

[djoos]

Hi there,

have you both got a X-WSSE header in your (failed) requests? As the Listener just returns when no X-WSSE header is detected...

Thanks in advance for your feedback!

Kind regards, David

[Drachenkaetzchen]

The issue in my case is that the Provider does not check if the attribute "nonce" exists.

A possible bugfix would be to call $token->hasAttribute('nonce') first. I will see if I can create a pull request for that issue.

[djoos]

Hi @felicitus,

would you mind explaining me a bit more as to why the provider kicks in in your particular case? Do you have a X-WSSE header in your request?

Thanks in advance for your feedback!

Kind regards, David

[Drachenkaetzchen]

No, I don't have a X-WSSE header in my request. However, I can't see where Symfony2 checks for the X-WSSE header on the Provider class. As far as I know, Symfony2 simply calls all AuthenticationProviderInterfaceclasses with authenticate, as far as I remember it was being called from the Sf2 class AuthenticationProviderManager in the authenticate method, where it iterates over all providers.

Note that my firewall does include both http basic AND WSSE at the same time.

I hope that helps. If not, let me know and I will write a verbose answer as I'm currently not at my dev workstation where this issue occured.

[djoos]

Thanks for the additional information!

I'm puzzled as to why the WSSE's provider is even being used when the firewall listener is simply returning due to no X-WSSE header being present in the request header... Even though you've got X-WSSE and HTTP basic - each has it's own specific authentication provider that is used when their respective listener kicks in.

Would you mind sharing some code with me that would allow me to replicate what you are getting, so I can dig a bit around?

Thanks in advance!

Kind regards, David

P.S. The PR will fix the issue you are experiencing - I do think it is better to check the availability of the attribute before actually using it, however I'd like to go a bit deeper into the issue!

[Drachenkaetzchen]

I just tried to reproduce, but failed. I'm not sure why this happened in the first place. Maybe some issue with switching between authentication methods and data stored in a session perhaps?

[djoos]

Not sure though as WSSE is stateless (do you have stateless: true in your firewall?) and the X-WSSE header needs to be provided in the header of every request for it to "kick in".

Any chance you could have had an incomplete X-WSSE header in the past? (not sure whether I've already covered that scenario in the tests, but will make a note of it so I can check that!)

Thanks in advance for your feedback!

Kind regards, David

[Drachenkaetzchen]

I just tested it and noticed that even with stateless: true it fails.

I'm pretty certain that I don't have an incomplete X-WSSE header since my unit tests fail as well, and they only authenticate via HTTP Basic.

[djoos]

Hi @felicitus,

so you've been able to replicate the issue? Great!

Would you mind checking what goes on in the firewall listener, as WSSE shouldn't kick in at all when authenticating via HTTP basic...

If there is anything you could throw my way to replicate the issue, let me know!

Kind regards, David

[Drachenkaetzchen]

Well as I mentioned in https://github.com/escapestudios/EscapeWSSEAuthenticationBundle/issues/69#issuecomment-140420538 the Provider always iterates over all registered handlers.

As I have no idea on Symfony2 internals, I'm simply using my bugfix from my forked repo for now.

[djoos]

Hi all,

the authentication provider was actually not making use of its own supports-method, so "incompatible" tokens are not authenticated - I've addressed this in b38d8c1851bd6d6173a627d6f85ac756a8cc29be; would you be able to give this version a go and feed back to me whether this addresses the issue you are having?

Looking forward to hearing from you, so I can get this pushed out as 2.0.3...

Thanks in advance!

Kind regards, David

[Drachenkaetzchen]

Hi David,

that makes sense - thank you for fixing the issue. I will try to test it in time, but I'll not be at my desk the next week and I doubt I can test this tomorrow. I might forget to test, can you remind me in two weeks if I forgot to test? Thanks!

cheers Felicitus

[djoos]

Hi @felicitus,

nudge

Have you been able to test this?

Thanks! David