I'm stucked: authorize logged in users or use WSSE to authorize one

[bertoost]

Hi,

I am a little bit stucked with my project where I want to achieve opening API URLs (FOSRestBundle) as authenticated user (ROLE_ADMIN) and using WSSE header for non-authenticated user. So basically, any API URL should be accessible when:

1. Already authenticated as user (ROLE_ADMIN from FOSUserBundle)
2. The X-WSSE header is provided

Unfortunate I am not allowed to share project specific details; but here some configuration parts

security:
  firewalls:
    api_secured:
      pattern: ^/api
      wsse:
        realm: "Secured with WSSE"
        profile: "UsernameToken"
        encoder:
          algorithm: sha1
    secured_area:
      pattern: ^/
      anonymous: ~
      form_login:
      ...

The /api URLs are also inside "access_control"

  access_control:
    ...
    - { path: ^/api, roles: [ROLE_ADMIN, ROLE_API] }
    ...

The ROLE_API is assigned to a "memory user", which is used for external access. It's no problem to move this user to FOSUserBundle if that would fix this :-)

Besides that, I have setupped a "chain_provider" like this;

  providers:
    chain_provider:
      chain:
        providers: [main, wsse_users]
    ...

WSSE configuration (default);

# Escape WSSE authentication configuration
escape_wsse_authentication:
  authentication_provider_class: Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider
  authentication_listener_class: Escape\WSSEAuthenticationBundle\Security\Http\Firewall\Listener
  authentication_entry_point_class: Escape\WSSEAuthenticationBundle\Security\Http\EntryPoint\EntryPoint
  authentication_encoder_class: Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder

I also use "PdoSessionHandler" to store sessions in the database.

Many many thanks for any help getting this to work.

[djoos]

Hi Bert,

sorry for the delay in getting back to you. Have you been able to crack the issue you were experiencing?

I'll close this issue for now, but please do let me know if you have any further issues, so we can reopen this thread and get to the bottom of it...

Thanks! David

[bertoost]

No not yet fixed it. I am unable to reach /api URLs when I am logged in normally. This is necessary to test responses before getting it in production. Please some help would be great.

[djoos]

Hi Bert,

"I am unable to reach /api URLs when I am logged in normally" Would you be able to let me know what error message you get? Is it the WSSE Auth kicking in and giving you a 403, or...?

You mention you've set up a chain provider - have you tried adding this one explicitly to the api_secured-firewall as provider? Or have you tried using your non-WSSE provider for the api_secured firewall in dev just to get it going as a logged in user?

security:
  firewalls:
    api_secured:
    ...
        provider: chain_provider

Thanks in advance for your feedback! David

[bertoost]

Hi David,

Yes. I tried using the main user-provider (FOSUserBundle) and then I am able to view the api_secured URLs. When I enable WSSE as provider, then I am not able to get any response. As far I can remember, I am getting a 401 Unauthorized response. Only via a test-script that sends the WSSE header.

Cannot check at the moment, because I am migrating the application to Symfony 3.0 and your WSSE bundle was/is not yet compatible with 3.0 ;-). As soon as I have it back up-and-running I will retry to get a response.

[djoos]

Hi Bert,

Re: Symfony 3.0 Yesterday the Symfony 3.0-compatibility PR got merged in: version 2.1.0 of the bundle is now Symfony 3.0-compatible!

Give me a shout when you've got it up and running again - hope this helps!

Kind regards, David

[bertoost]

Will do. Still working on getting all the forms compatible again ;-) Thanks for the merge!

[bertoost]

@djoos Hi David,

I can't get it installed back again in my Symfony 3.0 application. I use "escapestudios/wsse-authentication-bundle": "~2.3.x-dev" but get the The requested package escapestudios/wsse-authentication-bundle could not be found in any version, there may be a typo in the package name. error message. Also tried @ dev-master as version (without space), but no luck. Any help appreciated. Thanks!

[bertoost]

FYI: For my initial issue it was a simple solution; I needed to add the "context" config option to my firewall rules

[djoos]

Hi @bertoost,

sorry for my delayed reply - what do you get when you use "escapestudios/wsse-authentication-bundle": "~2.2" instead?

Thanks in advance, have a great weekend! David

[bertoost]

Hi @djoos Thanks! I successfully Installed v2.2 with composer require escapestudios/wsse-authentication-bundle

[djoos]

Perfect, closing this issue off then... Thanks for your feedback @bertoost!