Integration with FOSUserBundle : 401 status code
MaximeEvolunium opened this issue · 13 comments
Hi @djoos!
I discovered your bundle recently and I'm very interested in it, but I can't log in with my security.yml configuration. I looked at a lot of issues that you fixed but it didn't work for me.
Please, can you explain to me how to integrate it successfully?
My security.yml:

```yaml
encoders:
    FOS\UserBundle\Model\UserInterface: sha512
providers:
    fos_userbundle:
        id: fos_user.user_provider.username
firewalls:
    wsse_secured:
        pattern: ^/api/.*
        wsse:
            lifetime: 300 #lifetime of nonce
            realm: "Secured API" #identifies the set of resources to which the authentication information will apply (WWW-Authenticate)
            profile: "UsernameToken" #WSSE profile (WWW-Authenticate)
            encoder: #digest algorithm
                algorithm: sha1
                encodeHashAsBase64: true
                iterations: 1
        anonymous: true
        provider: fos_userbundle
access_control:
    - { path: ^/api.*, role: ROLE_USER }
    - { path: ^/, role: ROLE_USER }
```
My config.yml:

```yaml
fos_user:
    db_driver: orm
    firewall_name: wsse_secured
    user_class: Bg\UserBundle\Entity\User
escape_wsse_authentication:
    authentication_provider_class: Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider
    authentication_listener_class: Escape\WSSEAuthenticationBundle\Security\Http\Firewall\Listener
    authentication_entry_point_class: Escape\WSSEAuthenticationBundle\Security\Http\EntryPoint\EntryPoint
    authentication_encoder_class: Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder
```
Hi @MaximeEvolunium,
thanks for getting in touch!
Would you be able to mimic the FOSUserBundle's encoder settings in your security.yml? Rather than...

```yaml
encoder: #digest algorithm
    algorithm: sha1
    encodeHashAsBase64: true
    iterations: 1
```

...make use of:

```yaml
encoder: #digest algorithm
    algorithm: sha512
    encodeHashAsBase64: true
    iterations: 1
```
That should do the trick!
Also: you don't have to set the escape_wsse_authentication-settings in your config.yml, as you should be fine running the bundle's defaults.
Let me know how that goes!
Kind regards,
David
Thanks for your answer!
I changed my security.yml like you said, but it still doesn't work.
Do I need to change something with FOS?
Hi @MaximeEvolunium,
would you mind letting me know how you're generating the digest?
Thanks in advance!
David
Hi @djoos!
So, I'm using http://www.teria.com/~koseki/tools/wssegen/ to generate the header with those parameters:
username => mail address of my user in the DB (ex : test@test.fr)
password => plain text password of my user (ex : test)
nonce and created => auto
before X-WSSE => nothing
Thanks!
EDIT :
I use Chrome Rest Console to access my API with those parameters :
Custom headers => header -> x-wsse
value -> the header generated with http://www.teria.com/~koseki/tools/wssegen/
Authorization header => Authorization profile=”UsernameToken”
Hi @MaximeEvolunium,
ah ok! That is also part of the reason for the 401, as it doesn't use sha512, nor the user's salt...
Please do have a read through #46 and @Danny-P's blog post, but do keep my comments on the post in #46 in mind.
Let me know how you get on!
Kind regards,
David
Hi @djoos,
I saw this issue but I didn't understand, now I see! I tried but it still doesn't work, but I'm going to continue this way.
Thanks a lot, I'll come back to you here if I have any problem!
Best regards
Hi @MaximeEvolunium,
as @timtailor mentioned in #37:
"For anyone who is interested: If you developed a WSSE header according to http://www.teria.com/~koseki/tools/wssegen/ then you have to use SHA1, 1 iteration, base64 for the digest, but with the specialty that you have to use the password as it is in the database (encrypted, not plain text) and no salt (override getSalt to return empty string and empty salt in your test file)."
That should do the trick! I'll close the issue for now, but don't hesitate to let me know how you get on...
Have a great evening!
David
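A reference model of the digest scheme this thread converges on, added here as an example (it is not code from the Escape WSSE bundle, from FOSUserBundle or from the wssegen tool). The client side builds the `X-WSSE` header the way the generator does: `Base64(SHA1(raw nonce + Created + secret))`, sha1, one iteration, no salt, with the secret being the password column content rather than the plain-text password. The server side recomputes the digest from the stored value and adds the two checks a `lifetime: 300` setting implies: the `Created` timestamp must be recent and a nonce may only be accepted once. The user table, the stored value and the nonce are constructed placeholders; the header layout and the 30-second clock-skew allowance are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone

# Matches `lifetime: 300` (seconds) in the security.yml shown in this thread.
LIFETIME_SECONDS = 300

# Constructed stand-in for the user table: username -> content of the password column.
# The value is a made-up placeholder, not a real hash.
USERS = {"test@test.fr": "STORED_PASSWORD_HASH_PLACEHOLDER"}

CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_created(created):
    """Parse the Created timestamp (UTC, second precision); raises ValueError if malformed."""
    return datetime.strptime(created, CREATED_FORMAT).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, secret):
    """Digest as the generator linked in the thread computes it:
    Base64(SHA1(raw nonce bytes + Created + secret)): sha1, one iteration, base64, no salt.
    With the setup described in the thread, `secret` is the stored password hash."""
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + secret.encode()).digest()
    ).decode()


def make_wsse_header(username, secret, nonce=None, created=None):
    """Client side: build the value of the X-WSSE header (UsernameToken profile)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FORMAT)
    return 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
        username, password_digest(nonce, created, secret),
        base64.b64encode(nonce).decode(), created)


# Assumed header layout (the order the generator emits); a real parser would be more lenient.
_TOKEN_RE = re.compile(
    r'UsernameToken Username="([^"]*)", PasswordDigest="([^"]*)", '
    r'Nonce="([^"]*)", Created="([^"]*)"$')


def verify_wsse_header(header, users, seen_nonces, now=None, lifetime=LIFETIME_SECONDS):
    """Server side: return (ok, reason). Besides the digest comparison this applies the two
    checks that make the scheme replay-resistant: Created must be within `lifetime` seconds,
    and a nonce is accepted only once."""
    m = _TOKEN_RE.match(header)
    if not m:
        return False, "malformed header"
    username, digest, nonce_b64, created = m.groups()
    now = now or datetime.now(timezone.utc)
    try:
        created_at = parse_created(created)
    except ValueError:
        return False, "bad Created timestamp"
    if created_at > now + timedelta(seconds=30):  # assumed clock-skew allowance
        return False, "Created is in the future"
    if now - created_at > timedelta(seconds=lifetime):
        return False, "token expired"
    if nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    secret = users.get(username)
    if secret is None:
        return False, "unknown user"
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "bad nonce encoding"
    expected = password_digest(nonce, created, secret)
    if not hmac.compare_digest(expected, digest):  # constant-time comparison
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)  # remember the nonce only once a digest has been accepted
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    header = make_wsse_header("test@test.fr", USERS["test@test.fr"])
    print("X-WSSE:", header)
    print(verify_wsse_header(header, USERS, seen))  # (True, 'ok')
    print(verify_wsse_header(header, USERS, seen))  # (False, 'nonce replayed')
    # The thread's first attempt: plain-text password "test" as the secret -> mismatch, i.e. the 401
    print(verify_wsse_header(make_wsse_header("test@test.fr", "test"), USERS, set()))
```

Running the script shows why the first attempt in this thread returned 401: a digest built over the plain-text password never matches the one the server recomputes over the stored hash. The `seen_nonces` set stands in for whatever nonce cache the server keeps; entries older than `lifetime` can be dropped, since the timestamp check rejects them anyway.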
Hi @djoos,
I did everything as described in the blog of @Danny-P http://daniel-pomrehn.de/2014/05/21/en_symfony2-wsse-webservices/ and as you showed me, but I still have a 403 error!
Here is my new source code; please tell me if you see something wrong:

config.yml

```yaml
fos_user:
    db_driver: orm
    firewall_name: secured_area
    user_class: Bg\UserBundle\Entity\User
escape_wsse_authentication:
    authentication_provider_class: Bg\UserBundle\Security\Core\Authentication\Provider\Provider
```
security.yml

```yaml
encoders:
    FOS\UserBundle\Model\UserInterface: sha1
role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
    fos_userbundle:
        id: fos_user.user_provider.username_email
firewalls:
    wsse_secured:
        pattern: ^/api/.*
        wsse:
            realm: "Secured Api"
            profile: "UsernameToken"
            lifetime: 300
            encoder:
                algorithm: sha1
        anonymous: false
        provider: fos_userbundle
    secured_area:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            login_path: fos_user_security_login
            check_path: fos_user_security_check
            default_target_path: espace_perso
            always_use_default_target_path: true
        logout:
            path: fos_user_security_logout
            target: fos_user_security_login
        anonymous: true
        provider: fos_userbundle
access_control:
    - { path: ^/%locale%/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/login_check, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%locale%/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/coulisse, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
    - { path: ^/security.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api, role: IS_AUTHENTICATED }
    - { path: ^/, role: ROLE_USER }
```
my provider class

```php
<?php

namespace Bg\UserBundle\Security\Core\Authentication\Provider;

use Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider as BaseProvider;

class Provider extends BaseProvider
{
    // Return an empty salt so the digest is computed over the stored password only,
    // matching what the WSSE generator produces.
    protected function getSalt(\Symfony\Component\Security\Core\User\UserInterface $user)
    {
        return "";
    }
}
```

I tried this according to #37 and the blog http://daniel-pomrehn.de/2014/05/21/en_symfony2-wsse-webservices/:
I put my mail address as the login and the password as stored in my database (just the password column content, encrypted) in the username and password fields of the WSSE Generator, with nonce and created as auto. I just copied what is generated after "X-WSSE:" and pasted it as the value of the custom header in REST Console (name of the header: X-WSSE), and tried it like that. But it returns 403...
I thought I did it right, but it seems a little thing is still missing...
If you can help me again, it would be great!
Best regards!
Hi @MaximeEvolunium,
thanks for your feedback! Hmmm, the 403 Forbidden isn't a WSSE Auth-issue any longer. Access to the resource your user is trying to access is declined by the Symfony security component (more particularly: Access Control).
I spotted "- { path: ^/api, role: IS_AUTHENTICATED }" in your security.yml. I actually think that IS_AUTHENTICATED is a non-existing role and would instead of "IS_AUTHENTICATED" give "ROLE_USER" a go. This should work - and from there onwards you could go for a more specific role, depending on your setup. If you want every logged in user to have access to the API, ROLE_USER will be fine...
Hope this helps - and do let me know how it goes!
David
Hi @djoos,
I was looking at that line at the same moment you wrote it :D
This works fine now, thanks a lot, and continue to support us like you do, you're great!
Best regards
Thanks for your feedback @MaximeEvolunium!
FYI: I hope to be able to condense the latest FOSUser + EscapeWSSEAuth issues into something useful for the documentation of this bundle so it becomes an easier process for future users.
Have a great day!
This would be very useful and powerful, I hope you'll succeed!
Great day!
Thank you very much!!