From 2b697423b4f0b7bbb757545c43b5e43e5c520339 Mon Sep 17 00:00:00 2001
From: "Johannes M. Schmitt"
Date: Tue, 1 Feb 2011 21:59:24 +0100
Subject: [PATCH] [Security] bug fix in FormAuthenticationEntryPoint
---
.../Core/Exception/NonceExpiredException.php | 2 +-
.../EntryPoint/AuthenticationEntryPointInterface.php | 6 ++++--
.../EntryPoint/BasicAuthenticationEntryPoint.php | 5 +++--
.../EntryPoint/DigestAuthenticationEntryPoint.php | 5 +++--
.../Http/EntryPoint/FormAuthenticationEntryPoint.php | 5 +++--
.../EntryPoint/RetryAuthenticationEntryPoint.php | 5 +++--
.../Http/Firewall/BasicAuthenticationListener.php | 2 +-
.../Security/Http/Firewall/ChannelListener.php | 10 +++++-----
.../Http/Firewall/DigestAuthenticationListener.php | 12 ++++++------
.../Security/Http/Firewall/ExceptionListener.php | 10 +++++-----
10 files changed, 34 insertions(+), 28 deletions(-)
rename src/Symfony/Component/Security/{Core/Authentication => Http}/EntryPoint/AuthenticationEntryPointInterface.php (74%)
diff --git a/src/Symfony/Component/Security/Core/Exception/NonceExpiredException.php b/src/Symfony/Component/Security/Core/Exception/NonceExpiredException.php
index 5e6a0c54f5..5544a63cf3 100644
--- a/src/Symfony/Component/Security/Core/Exception/NonceExpiredException.php
+++ b/src/Symfony/Component/Security/Core/Exception/NonceExpiredException.php
@@ -12,7 +12,7 @@ namespace Symfony\Component\HttpKernel\Security\EntryPoint;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
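Review bot: The file at `Core/Exception/NonceExpiredException.php` declares `namespace Symfony\Component\HttpKernel\Security\EntryPoint;` and imports `Response`, `LoggerInterface` and the entry-point interface, none of which an exception class needs, so this header looks copied from an entry point. If the class declaration below (outside the hunk) really lives in that namespace, then `use Symfony\Component\Security\Core\Exception\NonceExpiredException;` in DigestAuthenticationEntryPoint and `new NonceExpiredException(...)` in DigestAuthenticationListener name a class that does not exist, and an expired nonce would end in a class-not-found fatal error instead of a stale challenge. I would fix the header to `namespace Symfony\Component\Security\Core\Exception;` and drop the unused imports rather than only repointing one of them.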
diff --git a/src/Symfony/Component/Security/Core/Authentication/EntryPoint/AuthenticationEntryPointInterface.php b/src/Symfony/Component/Security/Http/EntryPoint/AuthenticationEntryPointInterface.php
similarity index 74%
rename from src/Symfony/Component/Security/Core/Authentication/EntryPoint/AuthenticationEntryPointInterface.php
rename to src/Symfony/Component/Security/Http/EntryPoint/AuthenticationEntryPointInterface.php
index 7fd64bfedc..98cbf28113 100644
--- a/src/Symfony/Component/Security/Core/Authentication/EntryPoint/AuthenticationEntryPointInterface.php
+++ b/src/Symfony/Component/Security/Http/EntryPoint/AuthenticationEntryPointInterface.php
@@ -9,8 +9,9 @@
* file that was distributed with this source code.
*/
-namespace Symfony\Component\Security\Core\Authentication\EntryPoint;
+namespace Symfony\Component\Security\Http\EntryPoint;
+use Symfony\Component\EventDispatcher\EventInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\HttpFoundation\Request;
@@ -25,8 +26,9 @@ interface AuthenticationEntryPointInterface
/**
* Starts the authentication scheme.
*
+ * @param EventInterface $event The "core.security" event
* @param object $request The request that resulted in an AuthenticationException
* @param AuthenticationException $authException The exception that started the authentication process
*/
- function start(Request $request, AuthenticationException $authException = null);
+ function start(EventInterface $event, Request $request, AuthenticationException $authException = null);
}
diff --git a/src/Symfony/Component/Security/Http/EntryPoint/BasicAuthenticationEntryPoint.php b/src/Symfony/Component/Security/Http/EntryPoint/BasicAuthenticationEntryPoint.php
index 26bc30502b..907301c970 100644
--- a/src/Symfony/Component/Security/Http/EntryPoint/BasicAuthenticationEntryPoint.php
+++ b/src/Symfony/Component/Security/Http/EntryPoint/BasicAuthenticationEntryPoint.php
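Review bot: The docblock of start() still types the request as `@param object $request` while the signature says `Request`; since the comment is being edited anyway, change it to `@param Request $request The request that resulted in an AuthenticationException`. The new `@param EventInterface $event` line should also say what implementors may assume about the event, because FormAuthenticationEntryPoint calls `->handle()` on `$event->getSubject()`; presumably the subject is the kernel that dispatched "core.security", but that contract is nowhere stated in this interface and should be.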
@@ -11,8 +11,9 @@ namespace Symfony\Component\Security\Http\EntryPoint;
+use Symfony\Component\EventDispatcher\EventInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
@@ -30,7 +31,7 @@ class BasicAuthenticationEntryPoint implements AuthenticationEntryPointInterface
$this->realmName = $realmName;
}
- public function start(Request $request, AuthenticationException $authException = null)
+ public function start(EventInterface $event, Request $request, AuthenticationException $authException = null)
{
$response = new Response();
$response->headers->set('WWW-Authenticate', sprintf('Basic realm="%s"', $this->realmName));
diff --git a/src/Symfony/Component/Security/Http/EntryPoint/DigestAuthenticationEntryPoint.php b/src/Symfony/Component/Security/Http/EntryPoint/DigestAuthenticationEntryPoint.php
index 89ba4656d0..ecc6178304 100644
--- a/src/Symfony/Component/Security/Http/EntryPoint/DigestAuthenticationEntryPoint.php
+++ b/src/Symfony/Component/Security/Http/EntryPoint/DigestAuthenticationEntryPoint.php
@@ -11,8 +11,9 @@ namespace Symfony\Component\Security\Http\EntryPoint;
+use Symfony\Component\EventDispatcher\EventInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Security\Core\Exception\NonceExpiredException;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
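Review bot: `sprintf('Basic realm="%s"', $this->realmName)` interpolates the realm into the WWW-Authenticate header unescaped; the value is presumably configuration, but a realm containing `"` breaks the quoted-string and one containing CR/LF would split the header, so either reject those characters in the constructor or escape with something like `str_replace('"', '\\"', $this->realmName)` and document that newlines are not allowed. As a smaller point of style, `use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;` now imports a name from the file's own namespace, which is a no-op; the rename is a chance to delete that line here and in the Digest, Form and Retry entry points instead of repointing it. The remainder of start() is outside the hunk.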
@@ -38,7 +39,7 @@ class DigestAuthenticationEntryPoint implements AuthenticationEntryPointInterfac
$this->logger = $logger;
}
- public function start(Request $request, AuthenticationException $authException = null)
+ public function start(EventInterface $event, Request $request, AuthenticationException $authException = null)
{
$expiryTime = microtime(true) + $this->nonceValiditySeconds * 1000;
$signatureValue = md5($expiryTime.':'.$this->key);
diff --git a/src/Symfony/Component/Security/Http/EntryPoint/FormAuthenticationEntryPoint.php b/src/Symfony/Component/Security/Http/EntryPoint/FormAuthenticationEntryPoint.php
index 0902507c6a..7a18b2f751 100644
--- a/src/Symfony/Component/Security/Http/EntryPoint/FormAuthenticationEntryPoint.php
+++ b/src/Symfony/Component/Security/Http/EntryPoint/FormAuthenticationEntryPoint.php
@@ -11,10 +11,11 @@ namespace Symfony\Component\Security\Http\EntryPoint;
+use Symfony\Component\EventDispatcher\EventInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Security\Core\SecurityContext;
/**
@@ -42,7 +43,7 @@ class FormAuthenticationEntryPoint implements AuthenticationEntryPointInterface
/**
* {@inheritdoc}
*/
- public function start(Request $request, AuthenticationException $authException = null)
+ public function start(EventInterface $event, Request $request, AuthenticationException $authException = null)
{
if ($this->useForward) {
return $event->getSubject()->handle(Request::create($this->loginPath), HttpKernelInterface::SUB_REQUEST);
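Review bot: `$expiryTime = microtime(true) + $this->nonceValiditySeconds * 1000;` adds a millisecond count to a value that `microtime(true)` returns in seconds, so a nonce configured to live 300 seconds is accepted for 300 000 seconds and the replay window is a thousand times wider than configured (the `* 1000` reads like a carry-over from a currentTimeMillis-based original). Unless `nonceValiditySeconds` is really meant in milliseconds elsewhere, the line should be `$expiryTime = microtime(true) + $this->nonceValiditySeconds;`. Also note that `md5($expiryTime.':'.$this->key)` is the only thing binding the expiry to the server, so anyone who learns `$this->key` can mint nonces that never expire; the constructor should at least document that the key must be a long random secret. How the expiry and signature are encoded into the nonce is outside the hunk.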
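Review bot: The forward branch references `HttpKernelInterface::SUB_REQUEST`, but the file's use block shown in the first hunk (EventInterface, Request, Response, AuthenticationException, AuthenticationEntryPointInterface, SecurityContext) does not import it, so PHP resolves it to `Symfony\Component\Security\Http\EntryPoint\HttpKernelInterface` and the `useForward` path still fails with a class-not-found error, which is the path this commit sets out to fix; add `use Symfony\Component\HttpKernel\HttpKernelInterface;` next to the other imports. Separately, `Request::create($this->loginPath)` builds a bare request that shares nothing with the incoming one (no session, cookies or attributes), so if the login controller reads the session, for instance the `_security.target_path` that ExceptionListener stores, confirm that the sub-request is handed the original session before `handle()` is called. The non-forward branch of start() lies outside the hunk.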
diff --git a/src/Symfony/Component/Security/Http/EntryPoint/RetryAuthenticationEntryPoint.php b/src/Symfony/Component/Security/Http/EntryPoint/RetryAuthenticationEntryPoint.php
index eb32e8a5db..ed1297f457 100644
--- a/src/Symfony/Component/Security/Http/EntryPoint/RetryAuthenticationEntryPoint.php
+++ b/src/Symfony/Component/Security/Http/EntryPoint/RetryAuthenticationEntryPoint.php
@@ -11,8 +11,9 @@ namespace Symfony\Component\Security\Http\EntryPoint;
+use Symfony\Component\EventDispatcher\EventInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
@@ -34,7 +35,7 @@ class RetryAuthenticationEntryPoint implements AuthenticationEntryPointInterface
$this->httpsPort = $httpsPort;
}
- public function start(Request $request, AuthenticationException $authException = null)
+ public function start(EventInterface $event, Request $request, AuthenticationException $authException = null)
{
$scheme = $request->isSecure() ? 'http' : 'https';
if ('http' === $scheme && 80 != $this->httpPort) {
diff --git a/src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
index 5cedf49196..98443e945b 100644
--- a/src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
@@ -13,7 +13,7 @@ namespace Symfony\Component\Security\Http\Firewall;
use Symfony\Component\Security\Core\SecurityContext;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\EventInterface;
diff --git a/src/Symfony/Component/Security/Http/Firewall/ChannelListener.php b/src/Symfony/Component/Security/Http/Firewall/ChannelListener.php
index 39f8eef761..49cef7e35b 100644
--- a/src/Symfony/Component/Security/Http/Firewall/ChannelListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ChannelListener.php
@@ -12,7 +12,7 @@ namespace Symfony\Component\Security\Http\Firewall;
use Symfony\Component\Security\Http\AccessMap;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\EventInterface;
@@ -37,7 +37,7 @@ class ChannelListener implements ListenerInterface
}
/**
- *
+ *
*
* @param EventDispatcherInterface $dispatcher An EventDispatcherInterface instance
* @param integer $priority The priority
@@ -53,7 +53,7 @@ class ChannelListener implements ListenerInterface
public function unregister(EventDispatcherInterface $dispatcher)
{
}
-
+
/**
* Handles channel management.
*
@@ -72,7 +72,7 @@ class ChannelListener implements ListenerInterface
$event->setProcessed();
- return $this->authenticationEntryPoint->start($request);
+ return $this->authenticationEntryPoint->start($event, $request);
}
if ('http' === $channel && $request->isSecure()) {
@@ -82,7 +82,7 @@ class ChannelListener implements ListenerInterface
$event->setProcessed();
- return $this->authenticationEntryPoint->start($request);
+ return $this->authenticationEntryPoint->start($event, $request);
}
}
}
diff --git a/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
index ea6a880970..bc731b3278 100644
--- a/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
@@ -101,7 +101,7 @@ class DigestAuthenticationListener implements ListenerInterface
try {
$digestAuth->validateAndDecode($this->authenticationEntryPoint->getKey(), $this->authenticationEntryPoint->getRealmName());
} catch (BadCredentialsException $e) {
- $this->fail($request, $e);
+ $this->fail($event, $request, $e);
return;
}
@@ -115,7 +115,7 @@ class DigestAuthenticationListener implements ListenerInterface
$serverDigestMd5 = $digestAuth->calculateServerDigest($user->getPassword(), $request->getMethod());
} catch (UsernameNotFoundException $notFound) {
- $this->fail($request, new BadCredentialsException(sprintf('Username %s not found.', $digestAuth->getUsername())));
+ $this->fail($event, $request, new BadCredentialsException(sprintf('Username %s not found.', $digestAuth->getUsername())));
return;
}
@@ -125,13 +125,13 @@ class DigestAuthenticationListener implements ListenerInterface
$this->logger->debug(sprintf("Expected response: '%s' but received: '%s'; is AuthenticationDao returning clear text passwords?", $serverDigestMd5, $digestAuth->getResponse()));
}
- $this->fail($request, new BadCredentialsException('Incorrect response'));
+ $this->fail($event, $request, new BadCredentialsException('Incorrect response'));
return;
}
if ($digestAuth->isNonceExpired()) {
- $this->fail($request, new NonceExpiredException('Nonce has expired/timed out.'));
+ $this->fail($event, $request, new NonceExpiredException('Nonce has expired/timed out.'));
return;
}
@@ -143,7 +143,7 @@ class DigestAuthenticationListener implements ListenerInterface
$this->securityContext->setToken(new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey));
}
- protected function fail(Request $request, AuthenticationException $failed)
+ protected function fail(EventInterface $event, Request $request, AuthenticationException $failed)
{
$this->securityContext->setToken(null);
@@ -151,7 +151,7 @@ class DigestAuthenticationListener implements ListenerInterface
$this->logger->debug($failed);
}
- $this->authenticationEntryPoint->start($request, $failed);
+ $this->authenticationEntryPoint->start($event, $request, $failed);
}
}
diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
index de909542bf..66d56b39c2 100644
--- a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
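Review bot: `fail()` still discards the Response returned by `$this->authenticationEntryPoint->start($event, $request, $failed)`, and every call site in these hunks follows `$this->fail(...)` with a bare `return;`, so as far as the hunks show the 401 challenge built by the entry point never reaches the client and the request simply continues unauthenticated; ChannelListener, by contrast, calls `$event->setProcessed()` and `return`s the result of the same call. Unless handle() picks the response up some other way outside the hunk, `fail()` should mark the event processed and end with `return $this->authenticationEntryPoint->start($event, $request, $failed);`, with the four call sites changed to `return $this->fail(...);`. A smaller point: the `'Username %s not found.'` exception carries the client-supplied username and is passed both to `$this->logger->debug($failed)` and to the entry point, so make sure the Digest entry point (its use of `$authException` is outside the hunk) never echoes the message to the client, since it distinguishes unknown users from wrong passwords.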
@@ -16,7 +16,7 @@ use Symfony\Bundle\SecurityBundle\Security\AccessDeniedHandler;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
use Symfony\Component\Security\Core\SecurityContext;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
-use Symfony\Component\Security\Core\Authentication\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\EventInterface;
@@ -87,7 +87,7 @@ class ExceptionListener implements ListenerInterface
}
try {
- $response = $this->startAuthentication($request, $exception);
+ $response = $this->startAuthentication($event, $request, $exception);
} catch (\Exception $e) {
$event->set('exception', $e);
@@ -101,7 +101,7 @@ class ExceptionListener implements ListenerInterface
}
try {
- $response = $this->startAuthentication($request, new InsufficientAuthenticationException('Full authentication is required to access this resource.', $token, 0, $exception));
+ $response = $this->startAuthentication($event, $request, new InsufficientAuthenticationException('Full authentication is required to access this resource.', $token, 0, $exception));
} catch (\Exception $e) {
$event->set('exception', $e);
@@ -151,7 +151,7 @@ class ExceptionListener implements ListenerInterface
return $response;
}
- protected function startAuthentication(Request $request, AuthenticationException $reason)
+ protected function startAuthentication(EventInterface $event, Request $request, AuthenticationException $reason)
{
$this->context->setToken(null);
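Review bot: The use block of this Component class still imports `Symfony\Bundle\SecurityBundle\Security\AccessDeniedHandler` right next to the component's own `AccessDeniedHandlerInterface`, which makes the standalone Security component depend on a bundle; this commit is already moving the entry-point interface out of Core for layering reasons, so it is the natural moment to either drop that import if it is unused or type against `AccessDeniedHandlerInterface` only. Whether the concrete class is still referenced further down in the file is not visible in these hunks.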
@@ -165,6 +165,6 @@ class ExceptionListener implements ListenerInterface
$request->getSession()->set('_security.target_path', $request->getUri());
- return $this->authenticationEntryPoint->start($request, $reason);
+ return $this->authenticationEntryPoint->start($event, $request, $reason);
}
}
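Review bot: `$request->getSession()->set('_security.target_path', $request->getUri());` dereferences the session with no null check immediately before the entry point is invoked; if a request without a session can reach startAuthentication() (a stateless firewall, or a request handled before the session was started) this becomes a fatal error instead of an authentication challenge. Assuming getSession() can return null in this version, guard it: `if (null !== $session = $request->getSession()) { $session->set('_security.target_path', $request->getUri()); }`. The target path is also saved for every HTTP method, so after login the user may be redirected with GET to what was a POST URL; consider recording it only for safe methods. startAuthentication() begins in the previous hunk.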