如何解决Symfony 4.4 安全/会话已保存但未使用
完整的配置文件如下。
我的网站在不同的条目中使用 2 个守卫 :
-
lexik_jwt_authentication.jwt_token_authenticator访问^/api条路线 -
App\Security\LoginAuthenticator访问^/secured条路线
JWT 认证运行良好,允许用户调用 API 平台路由,例如 localhost/api/types
问题在于使用 LoginAuthenticator 会话。这是基本的 symfony 配置(使用 PHP bin/console make:auth 自动生成的文件)
当使用正确的用户/密码登录时,守卫将会话保存到 app/var/sessions/dev/sess_ras4up86e1c8a1bs9khr5t7scg
保存并设置会话后,LoginAuthenticator 会触发 onAuthenticationSuccess 函数将用户重定向到路由名称 `test。
但是 testController 不起作用,将用户重定向到登录页面 (302 HTTP code)。它还在 var/log/dev/dev.log 中抛出以下错误:
[2021-07-08 13:07:40] request.INFO: Matched route "app_login". {"route":"app_login","route_parameters":{"_route":"app_login","_controller":"App\\Controller\\SecurityController::login"},"request_uri":"https://krang.local/login","method":"POST"} []
[2021-07-08 13:07:40] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"login","authenticators":1} []
[2021-07-08 13:07:40] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"login","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.DEBUG: Calling getCredentials() on guard authenticator. {"firewall_key":"login","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.DEBUG: Passing guard token information to the GuardAuthenticationProvider {"firewall_key":"login","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] doctrine.DEBUG: SELECT t0.id AS id_1,t0.username AS username_2,t0.password AS password_3,t0.is_active AS is_active_4,t0.roles AS roles_5,t0.customer_id AS customer_id_6 FROM users t0 WHERE t0.username = ? LIMIT 1 ["matthieu"] []
[2021-07-08 13:07:40] security.INFO: Guard authentication successful! {"token":"[object] (Symfony\\Component\\Security\\Guard\\Token\\PostAuthenticationGuardToken: PostAuthenticationGuardToken(user=\"matthieu\",authenticated=true,roles=\"ROLE_USER,ROLE_ADMIN\"))","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.DEBUG: Guard authenticator set success response. {"response":"[object] (Symfony\\Component\\HttpFoundation\\RedirectResponse: HTTP/1.0 302 Found\r\nCache-Control: no-cache,private\r\nDate: Thu,08 Jul 2021 11:07:40 GMT\r\nLocation: /secured/backmarketProducts\r\n\r\n<!DOCTYPE html>\n<html>\n <head>\n <Meta charset=\"UTF-8\" />\n <Meta http-equiv=\"refresh\" content=\"0;url='/secured/backmarketProducts'\" />\n\n <title>Redirecting to /secured/backmarketProducts</title>\n </head>\n <body>\n Redirecting to <a href=\"/secured/backmarketProducts\">/secured/backmarketProducts</a>.\n </body>\n</html>)","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.DEBUG: Remember me skipped: it is not configured for the firewall. {"authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.DEBUG: The "App\Security\LoginAuthenticator" authenticator set the response. Any later authenticator will not be called {"authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] request.INFO: Matched route "test". {"route":"test","route_parameters":{"_route":"test","_controller":"App\\Controller\\BackMarketController::productsList"},"request_uri":"https://krang.local/secured/backmarketProducts","method":"GET"} []
[2021-07-08 13:07:40] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured","authenticators":1} []
[2021-07-08 13:07:40] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the TokenStorage. at /home/matthieu/krang/webservice/vendor/symfony/security-http/Firewall/AccessListener.PHP:69)"} []
[2021-07-08 13:07:40] security.DEBUG: Calling Authentication entry point. [] []
[2021-07-08 13:07:40] request.INFO: Matched route "app_login". {"route":"app_login","method":"GET"} []
[2021-07-08 13:07:40] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"login","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"login","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2021-07-08 13:07:40] request.INFO: Matched route "_wdt". {"route":"_wdt","route_parameters":{"_route":"_wdt","_controller":"web_profiler.controller.profiler::toolbaraction","token":"ad25b7"},"request_uri":"https://krang.local/_wdt/ad25b7","method":"GET"} []
我们可以看到这个错误:
[2021-07-08 13:07:40] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured","authenticator":"App\\Security\\LoginAuthenticator"} []
[2021-07-08 13:07:40] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the TokenStorage. at /home/matthieu/krang/webservice/vendor/symfony/security-http/Firewall/AccessListener.PHP:69)"} []
Guard 验证器不支持请求
这是什么意思?我给你一些有用的代码来结帐:
security:
encoders:
App\Entity\User:
algorithm: auto
role_hierarchy:
ROLE_USER : "ROLE_USER"
ROLE_ADMIN : "ROLE_ADMIN"
ROLE_SUPERADMIN : "ROLE_SUPERADMIN"
providers:
entity_provider:
entity:
class: App\Entity\User
property: username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/login
stateless: true
anonymous: true
json_login:
check_path: /login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
guard:
authenticators:
- App\Security\LoginAuthenticator
logout:
path: app_logout
# where to redirect after logout
# target: app_any_route
docs:
pattern: ^/docs
stateless: true
anonymous: true
secured:
pattern: ^/secured
stateless: true
provider: entity_provider
guard:
authenticators:
- App\Security\LoginAuthenticator
api:
pattern: ^/api
stateless: true
anonymous: false
provider: entity_provider
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
access_control:
- { path: ^/login,roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register,roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api,roles: IS_AUTHENTICATED_FULLY }
- { path: ^/docs,roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured,roles: IS_AUTHENTICATED_FULLY }
class SecurityController extends AbstractController
{
/**
* @Route("/login",name="app_login")
*/
public function login(AuthenticationUtils $authenticationUtils): Response
{
if ($this->getUser()) {
die();
}
// get the login error if there is one
$error = $authenticationUtils->getLastAuthenticationError();
// last username entered by the user
$lastUsername = $authenticationUtils->getLastUsername();
return $this->render('security/login.html.twig',['last_username' => $lastUsername,'error' => $error]);
}
/**
* @Route("/logout",name="app_logout")
*/
public function logout()
{
throw new \LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
}
}
LoginAuthenticator: (src/Security/LoginAuthenticator.PHP)
class LoginAuthenticator extends AbstractformLoginAuthenticator implements PasswordAuthenticatedInterface
{
use TargetPathTrait;
public const LOGIN_ROUTE = 'app_login';
private $entityManager;
private $urlGenerator;
private $csrftokenManager;
private $passwordEncoder;
public function __construct(EntityManagerInterface $entityManager,UrlGeneratorInterface $urlGenerator,CsrftokenManagerInterface $csrftokenManager,UserPasswordEncoderInterface $passwordEncoder)
{
$this->entityManager = $entityManager;
$this->urlGenerator = $urlGenerator;
$this->csrftokenManager = $csrftokenManager;
$this->passwordEncoder = $passwordEncoder;
}
public function supports(Request $request)
{
return self::LOGIN_ROUTE === $request->attributes->get('_route')
&& $request->isMethod('POST');
}
public function getCredentials(Request $request)
{
$credentials = [
'username' => $request->request->get('username'),'password' => $request->request->get('password'),'csrf_token' => $request->request->get('_csrf_token'),];
$request->getSession()->set(
Security::LAST_USERNAME,$credentials['username']
);
return $credentials;
}
public function getUser($credentials,UserProviderInterface $userProvider)
{
$token = new Csrftoken('authenticate',$credentials['csrf_token']);
if (!$this->csrftokenManager->isTokenValid($token)) {
throw new InvalidCsrftokenException();
}
$user = $this->entityManager->getRepository(User::class)->findOneBy(['username' => $credentials['username']]);
if (!$user) {
throw new UsernameNotFoundException('Username Could not be found.');
}
return $user;
}
public function checkCredentials($credentials,UserInterface $user)
{
return $this->passwordEncoder->isPasswordValid($user,$credentials['password']);
}
/**
* Used to upgrade (rehash) the user's password automatically over time.
*/
public function getpassword($credentials): ?string
{
return $credentials['password'];
}
public function onAuthenticationSuccess(Request $request,TokenInterface $token,$providerKey)
{
if ($targetPath = $this->getTargetPath($request->getSession(),$providerKey)) {
return new RedirectResponse($targetPath);
}
return new RedirectResponse($this->urlGenerator->generate('test'));
}
protected function getLoginUrl()
{
return $this->urlGenerator->generate(self::LOGIN_ROUTE);
}
}
BackMarketController(只是一个函数) 认证成功时调用的函数
/**
* @return JsonResponse
* @Route("/secured/backmarketProducts",name="test")
*/
public function productsList(Request $request)
{
return $this->render('back_market/backmarketProducts.html.twig');
}
关于网络服务器:
- Apache2
- Debian 8
- 使用 HTTPS
- Symfony 4.4
我当然可以给你更多的信息,你尽管问。
我通过查看其他类似主题所做的尝试:
- Symfony 4 login Guard authenticator errors(默认保存会话信息)
- 更新项目组件
-
Symfony 4 login form : authenticating successfully,but authentication immediately lost after redirect(将
EquatableInterface添加到User实体) - Kill
onAuthenticationSuccessBEFORE REDIRECTION 在探查器上显示会话已创建但无法遵循重定向(查看上面的错误)
更新 1(3 天后)
我找到了一种允许 jwt 令牌和 securityauthentificator 协同工作的方法。
有 security.yaml :
security:
encoders:
App\Entity\User:
algorithm: auto
role_hierarchy:
ROLE_USER : "ROLE_USER"
ROLE_ADMIN : "ROLE_ADMIN"
ROLE_SUPERADMIN : "ROLE_SUPERADMIN"
providers:
entity_provider:
entity:
class: App\Entity\User
property: username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: true
guard:
entry_point: lexik_jwt_authentication.jwt_token_authenticator
authenticators:
- App\Security\SecurityAuthenticator
- lexik_jwt_authentication.jwt_token_authenticator
logout:
path: app_logout
json_login:
check_path: /login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
login:
pattern: ^/login
stateless: true
anonymous: true
json_login:
check_path: /login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
docs:
pattern: ^/docs
stateless: true
anonymous: true
api:
pattern: ^/api
stateless: true
anonymous: false
provider: entity_provider
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
secured:
pattern: ^/secured
anonymous: false
guard:
authenticators:
- App\Security\SecurityAuthenticator
logout:
path: app_logout
access_control:
- { path: ^/login,roles: IS_AUTHENTICATED_FULLY }
我认为块解决了这个问题,symfony 安全组件在 main 防火墙上声明了两个守卫,默认使用 jwt。
为了使用基本的 symfony 身份验证系统 (securityAuthentificator),我刚刚添加了一个安全防火墙,提供 SecurityAuthenticator
有什么好的方法来处理安全问题吗?这个把戏看起来合法吗?我不确定我是否提供了一个好的解决方案。
解决方法
似乎没有人能够帮助我。无论如何,我自己解决了这个问题。
有我的全功能security.yaml:
此配置有效,使 symfony 能够使用带有 JWT 令牌的 API PLATEFORM 并在简单的后台应用程序上登录用户。
security:
encoders:
App\Entity\User:
algorithm: auto
role_hierarchy:
ROLE_USER : "ROLE_USER"
ROLE_ADMIN : "ROLE_ADMIN"
ROLE_SUPERADMIN : "ROLE_SUPERADMIN"
providers:
entity_provider:
entity:
class: App\Entity\User
property: username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: true
guard:
entry_point: lexik_jwt_authentication.jwt_token_authenticator
authenticators:
- App\Security\SecurityAuthenticator
- lexik_jwt_authentication.jwt_token_authenticator
logout:
path: app_logout
json_login:
check_path: /login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
login:
pattern: ^/login
stateless: true
anonymous: true
json_login:
check_path: /login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
docs:
pattern: ^/docs
stateless: true
anonymous: true
api:
pattern: ^/api
stateless: true
anonymous: false
provider: entity_provider
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
secured:
pattern: ^/secured
anonymous: false
guard:
authenticators:
- App\Security\SecurityAuthenticator
logout:
path: app_logout
access_control:
- { path: ^/login,roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register,roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api,roles: IS_AUTHENTICATED_FULLY }
- { path: ^/docs,roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured,roles: IS_AUTHENTICATED_FULLY }
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
