djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

How to enforce roles #93

Open Heshyo opened 2 years ago

Heshyo commented 2 years ago

I'm working on a legacy project that uses WSSE. It has worked well for years but I now need to update it to assign different roles to different end points / requests. Is this possible with this bundle?

If I don't log in and try to access the API I'm automatically redirected to the login page. Once logged in I can access all pages of the API but I'm always viewed as IS_AUTHENTICATED_ANONYMOUSLY, not IS_AUTHENTICATED_FULLY.

Is there a way to get the user that makes the request inside the controller, to enforce roles?

djoos commented 2 years ago

Hi @Heshyo,

> I now need to update it to assign different roles to different end points / requests. Is this possible with this bundle?

This bundle facilitates WSSE authentication. I guess you want to have different users who can use WSSE to authenticate, each with their own roles. This as well as having different roles for different endpoints is OOTB Symfony security functionality, so it is possible.

> I'm always viewed as IS_AUTHENTICATED_ANONYMOUSLY, not IS_AUTHENTICATED_FULLY

It would be good if you could detail a bit more what you are doing to access the WSSE-secured API, as you mentioned a few things ("I'm automatically redirected to the login page" and "I can access all pages of the API") that confuse me slightly, i.e. how are you making the calls to the WSSE-secured API endpoint(s)?

Heshyo commented 2 years ago

Hi @djoos,

First, thanks for still helping with this repo after all these years!

I have a JavaScript front end that accesses the API. For each GET or POST request the HTTP headers are updated:

```javascript
headers['Authorization'] = 'WSSE profile="UsernameToken"';
headers['x-wsse'] = "UsernameToken Username=\"" + username + "\", PasswordDigest=\"" + digest
    + "\", Nonce=\"" + nonce + "\", Created=\"" + dateCreated + "\"";
```

That's why, once I'm logged in, the headers are properly sent for each request and I can access the API.

Concerning "I'm automatically redirected to the login page", this is actually handled in the front end when the x-wsse header cannot be computed, so it has nothing to do with this bundle, sorry.

In the controller, when handling a request, I added some checks to see the authentication status, something like:

```php
$checker = $this->get('security.authorization_checker');
if ($checker->isGranted('IS_AUTHENTICATED_FULLY')) {
    // ...
} elseif ($checker->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
    // ...
} elseif ($checker->isGranted('IS_AUTHENTICATED_ANONYMOUSLY')) {
    // ...
}
```

that's how I realized I was always seen as only IS_AUTHENTICATED_ANONYMOUSLY.

Here's my security.yml:

```yaml
security:

    providers:
        user_provider:
            id: app_user_provider

    firewalls:
        # disables authentication for assets and the profiler
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        wsse_secured:
            pattern:   ^/api/*
            stateless: true
            provider: user_provider
            wsse:
                realm: "Secured with WSSE"
                profile: "UsernameToken"
                encoder: #digest algorithm
                    algorithm: xxx

        main:
            anonymous: ~

    encoders:
        AppBundle\Entity\User:
            algorithm: xxx
```

djoos commented 2 years ago

Hmmm, I haven't got any dummy setup currently, but I'll have a play and see if I can help out with this. (Just being 100% honest: it won't be super quick though, as it's a really busy time here.)

Heshyo commented 2 years ago

Thanks for the update. I really appreciate you taking the time to look at this. There's no need to hurry as I'm tackling other things in the meantime.