djoos/EscapeWSSEAuthenticationBundle

Several firewalls with several providers secured with wsse fails to use the correct provider

chrisben opened this issue · 10 comments

Within my application I have two kinds of users (usersA, usersB) that are registered with custom providers (one for each kind of user: providerA and providerB). I have also two different routes (/apiA/ , /apiB/). apiA should check for usersA and apiB for usersB.
I have thus two firewall definitions, and I want to use the WSSE authentication method for both.
The problem is that both firewalls seem to use the same provider (it looks like it's the provider of the first defined firewall that uses wsse) so it fails to recognize the correct user type for one of the two routes.

Here's my security.yml file:

```yaml
providers:
    providerA:
        id: my_providers.providerA
    providerB:
        id: my_providers.providerB
firewalls:
    fireA:
        pattern: ^/apiA/
        provider: providerA
        wsse:
            realm: "Secured with WSSE"
            profile: "UsernameToken"
    fireB:
        pattern: ^/apiB/
        provider: providerB
        wsse:
            realm: "Secured with WSSE"
            profile: "UsernameToken"
access_control:
    - { path: ^/apiA/, role: ROLE_USER_A }
    - { path: ^/apiB/, role: ROLE_USER_B }
```

When I reach /apiB/, providerA is used instead of providerB, and it fails to authenticate my users correctly because they are mistaken for another type.

Does this bundle support multiple providers? Shouldn't we have an extra parameter under wsse: that defines the provider to use behind this authentication (like how it's done for [http_basic, x509...](http://symfony.com/doc/current/reference/configuration/security.html))?

Thanks a lot!

Hi @chrisben,

thanks for getting in touch!

It's been a while since I've done work to this project - leave it with me, I'll get back to you...

Kind regards,
David

Hi @djoos , did you by any chance have time to look into this issue?

Hi @chrisben,

I've been able to replicate the issue and can confirm that multiple providers are currently not supported. I had a brief look at addressing this issue and hope to get back to you with some more information soon, as multiple provider support definitely needs to be implemented...

Hope this helps!

Kind regards,
David

Hi @chrisben,

I've managed to put a version together that should address the issue you're experiencing. I'll try to polish it off and get it out as a separate branch - would you mind giving that a test before properly shipping it out?

Thanks in advance for your feedback!

Kind regards,
David

Hi @djoos ,

Sure I would love to give it a go! Let me know which branch to use and I'll test it.

Thanks a lot for your help there!!

Hi @chrisben,

here's my first part of resolving the multiple providers issue highlighted by you above. Please give the feature/multiple_providers branch a go.

This fix makes sure that your firewall's provider is respected, but I must admit I still need to get my head round the fact that in the full default configuration also per authentication method a provider can be specified (eg. the wsse section in this bundle's case). I'll have a deeper look into that - but appreciate your feedback on the feature/multiple_providers branch as that should already go a long way at making sure WSSE used in different firewalls will respect the firewall's provider.

Thanks in advance for your feedback!

Kind regards,
David

@djoos , I've tested it and it seems to work pretty well so far!
Thanks for your work there, much appreciated.

Hi @chrisben,

thanks for your feedback - I'm happy it's all working for you now!
FYI: I hope to be able to get it released as 2.0.0 in the following week(s).

Have a great evening!

Hi @chrisben,

I've just merged the branch into the master - will be releasing this shortly as 2.0.0, including #55 addition (1.1.0 + 2.0.0). FYI: I'll delete the feature/multiple_providers-branch from the repo afterwards.

Have a great weekend!

Kind regards,
David

Cheers @djoos !
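The provider mix-up reported in this issue, and the per-firewall behaviour confirmed after the fix, as an added example (a Python model written for this page, not code from the bundle or from either participant). The user names, secrets, nonce and the `per_firewall` switch are constructed; the plain SHA-1 UsernameToken digest is an assumption, and nonce replay and timestamp freshness checks are left out.

```python
import base64, hashlib, hmac, re

# Constructed sample data: one user store per firewall, as in the report.
PROVIDERS = {
    "providerA": {"alice": {"secret": "secretA", "roles": ["ROLE_USER_A"]}},
    "providerB": {"bob": {"secret": "secretB", "roles": ["ROLE_USER_B"]}},
}
# (name, pattern, provider) in the same order as the security.yml in the issue.
FIREWALLS = [("fireA", r"^/apiA/", "providerA"), ("fireB", r"^/apiB/", "providerB")]

def digest(nonce_b64, created, secret):
    # UsernameToken: PasswordDigest = Base64(SHA-1(nonce + created + secret))
    raw = base64.b64decode(nonce_b64) + created.encode() + secret.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def make_header(user, secret, nonce=b"constructed-nonce", created="2014-01-01T00:00:00Z"):
    n = base64.b64encode(nonce).decode()
    return ('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"'
            % (user, digest(n, created, secret), n, created))

def authenticate(path, header, per_firewall=True):
    """Return the authenticated user's roles, or None to reject the request."""
    fw = next((f for f in FIREWALLS if re.search(f[1], path)), None)
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    if fw is None or not {"Username", "PasswordDigest", "Nonce", "Created"} <= fields.keys():
        return None
    # per_firewall=False models the reported behaviour (hypothetical switch):
    # every wsse firewall resolves users through the first firewall's provider.
    provider = PROVIDERS[fw[2] if per_firewall else FIREWALLS[0][2]]
    user = provider.get(fields["Username"])
    if user is None:
        return None
    try:
        expected = digest(fields["Nonce"], fields["Created"], user["secret"])
    except ValueError:  # malformed Base64 nonce
        return None
    ok = hmac.compare_digest(expected.encode(), fields["PasswordDigest"].encode())
    return user["roles"] if ok else None

if __name__ == "__main__":
    for shared in (False, True):
        for who, secret in (("alice", "secretA"), ("bob", "secretB")):
            roles = authenticate("/apiB/ping", make_header(who, secret), not shared)
            print("shared provider" if shared else "per-firewall   ", who, "->", roles)
```

A cross-firewall check of this kind (a usersA token presented to /apiB/ must be rejected, a usersB token must be accepted) is a useful regression test whenever two firewalls share one authentication method.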