sdiaz / FOSRestBundleByExample

FOSRestBundle example project with Symfony 2.6 standard distribution
MIT License

HTTP 401 status #18

Closed andersonkoester closed 9 years ago

andersonkoester commented 9 years ago

Hi, I'm running this project, and I guess I'm not understanding these concepts well. I'm calling /api/v1/tokens.json and getting a token, based on my access information. But when I call some other secured method I get 401.

I'm using X-WSSE and Authorization headers:

X-WSSE: UsernameToken Username="andersonkoester", PasswordDigest="C/s2VtFhLHEeKmOgxgjyTWPsU0o=", Nonce="ZWE5Y2Q1YWU1MjdlZTExNQ==", Created="2015-03-03T18:40:55-03:00"
Authorization: WSSE profile="UsernameToken"

My idea is to use this project integrated into another sample project I'm programming, but the returns are breaking my head right in the middle.

I don't think it is an issue; like I said, I think I'm not understanding well how it works.

sdiaz commented 9 years ago

I will check this out

andersonkoester commented 9 years ago

It worked when I removed "(role)" from the pattern of this security config:

wsse_secured:
  pattern:      (.*)/(role)(.*)
  context:      user
  stateless:    true

Like I said, I didn't understand this concept; now I found this little trick with the pattern in security.yml.

Now, my logged user is allowed to access all secured methods.

kahllac commented 9 years ago

Thx for the trick, but how do you access salt.json with your pattern?

andersonkoester commented 9 years ago

@kahllac, I'm using a unique salt for each user (FOSUserBundle implementation) and it's saved in my DB.

kahllac commented 9 years ago

Sorry, I don't understand. You never call the service user/salt.json? With the pattern "(.*)/(role)(.*)" I can log in and get the response at /token.json, but I can't call the users.json service. Without "role" I can call users.json but can't log in (can't call salt.json, for example).

Thx

andersonkoester commented 9 years ago

I'm sorry, I got it wrong. Let's see my actual security config file:

wsse_secured:
  # this line grants security for these URL patterns (/mng/*, /account/* and /app/*)
  # and excludes URLs matching /account/salt and /account/remember
  pattern:      (.*)/(mng|account|app)(?!/(.*)(salt|remember))(.*)
  context:      user
  stateless:    true
  wsse:
    nonce_dir: null
    provider: fos_userbundle
    lifetime: 6000
  anonymous:    false

I really don't know if this way is the best, but I created, using a regular expression, a simple filter in my security configuration to keep the SecurityBundle from denying these two URLs that work without an authentication token.
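The following is an added example (not code from this project or from any participant in the thread) that exercises the two firewall `pattern` values posted above against constructed request paths, so you can see which paths the `wsse_secured` firewall would claim and which fall through to another firewall. It assumes Symfony's request matcher applies the pattern as an unanchored `preg_match` against the path info, which is why `re.search()` is used here. It also shows a stricter pattern of my own (an assumption, not something from the thread) that anchors the prefix and only excludes the salt and remember endpoints themselves, because the posted lookahead `(?!/(.*)(salt|remember))` leaves unsecured any path that merely contains the substring `salt` or `remember` after the prefix.

```python
import re

# Patterns exactly as posted in the thread (Symfony security.yml, firewall "wsse_secured").
PATTERN_ROLE_ONLY = r"(.*)/(role)(.*)"
PATTERN_FINAL = r"(.*)/(mng|account|app)(?!/(.*)(salt|remember))(.*)"

# Stricter alternative written for this example (assumption, not from the thread):
#  - anchored to the /api/v1 prefix used by the URLs in the thread
#  - (?=/|$) stops "app" from also matching "/application"
#  - only a final path segment named salt or remember (optionally .json), with at
#    most one {username} segment before it, is excluded from the firewall
PATTERN_STRICT = (
    r"^/api/v1/(mng|account|app)(?=/|$)"
    r"(?!/(?:[^/]+/)?(salt|remember)(\.json)?$)"
)

# Constructed sample paths modelled on the endpoints mentioned in the thread.
SAMPLE_PATHS = [
    "/api/v1/tokens.json",
    "/api/v1/users.json",
    "/api/v1/users/andersonkoester/salt.json",
    "/api/v1/account/andersonkoester/salt.json",
    "/api/v1/account/remember",
    "/api/v1/account/profile.json",
    "/api/v1/account/basalt-report.json",   # contains "salt" as a substring only
    "/api/v1/mng/users.json",
    "/api/v1/app/settings.json",
    "/api/v1/application/x.json",           # "app" as a prefix of a longer segment
    "/api/v1/role/admin.json",
]


def is_secured(pattern, path):
    """True if a firewall with this `pattern` would claim the request path.

    Symfony's RequestMatcher uses an unanchored preg_match on the path info
    (assumption about Symfony 2.x), so re.search() mirrors that behaviour.
    """
    return re.search(pattern, path) is not None


def classify(pattern, paths=SAMPLE_PATHS):
    """Map each path to whether the firewall pattern matches it."""
    return {path: is_secured(pattern, path) for path in paths}


def unsecured_by_substring(pattern, paths=SAMPLE_PATHS):
    """Paths the pattern leaves unsecured although they are not the salt or
    remember endpoint itself: the over-broad exclusion the lookahead causes."""
    endpoint = re.compile(r"/(salt|remember)(\.json)?$")
    return [
        p for p in paths
        if re.search(r"/(mng|account|app)/", p)
        and not endpoint.search(p)
        and not is_secured(pattern, p)
    ]


if __name__ == "__main__":
    for name, pattern in [("role-only", PATTERN_ROLE_ONLY),
                          ("final", PATTERN_FINAL),
                          ("strict", PATTERN_STRICT)]:
        print(f"== {name}: {pattern}")
        for path, secured in classify(pattern).items():
            print(f"  {'SECURED ' if secured else 'open    '} {path}")
    print("left open by substring match under the posted pattern:",
          unsecured_by_substring(PATTERN_FINAL))
```

Run it to compare the three patterns side by side. Under the posted pattern, `/api/v1/account/basalt-report.json` is not claimed by `wsse_secured` at all, so whatever firewall follows in `security.yml` decides its access; the stricter pattern keeps it inside the WSSE firewall while still letting `/account/{username}/salt.json` and `/account/remember` through.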

kahllac commented 9 years ago

Thx for your answer. How did you manage the username param in the salt.json call? api/v1/users/USERNAME/salt.json

andersonkoester commented 9 years ago

Correct, my salt call is: /account/{username}/salt.json

kahllac commented 9 years ago

Thx, with your pattern and some changes it works.