1

我正在尝试设置 FOSRestBundle 以捕获身份验证异常。我的配置:

fos_rest:
  param_fetcher_listener: true
  body_listener: true
  format_listener: true
  view:
    default_engine: php
  format_listener:
    default_priorities: ['json']
    fallback_format: json
    prefer_extension: false
  access_denied_listener:
    json: true
  exception:
    codes:
      Symfony\Component\Security\Core\Exception\AccessDeniedException: 403

twig:
  exception_controller: FOS\RestBundle\Controller\ExceptionController::showAction

此配置将在控制器中抛出异常时捕获异常,但不会在从安全组件中抛出异常时(即,如果用户身份验证失败)。我的配置有问题,还是 FOSRestBundle 根本没有设计为拦截堆栈中该点的异常?

值得一提的是,我在这里使用了基于 WSSE 教程的自定义身份验证提供程序:

http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

4

2 回答 2

0

authentication exceptions should normally be handled by the authentication failure handler service.

The authentication handlers can be found in your security.yml:

security:
    firewalls:
       firewall_name:
           form_login:
               # ...
               failure_path:    /foo
               failure_forward: false
               failure_path_parameter: _failure_path
               failure_handler: some.service.id
               success_handler: some.service.id

see the configuration reference.

See this question for information on how to implement your own failure handler.

于 2013-07-04T14:37:31.563 回答
0

我遇到了同样的问题。我的问题是 WsseListener 实际上并没有抛出异常。他们的教程有这些代码:

try {
            $authToken = $this->authenticationManager->authenticate($token);
            $this->securityContext->setToken($authToken);

        return;
    } catch (AuthenticationException $failed) {
        // ... you might log something here

        // To deny the authentication clear the token. This will redirect to the login page.
        // Make sure to only clear your token, not those of other authentication listeners.
        // $token = $this->securityContext->getToken();
        // if ($token instanceof WsseUserToken && $this->providerKey === $token->getProviderKey()) {
        //     $this->securityContext->setToken(null);
        // }
        // return;

        // Deny authentication with a '403 Forbidden' HTTP response
        $response = new Response();
        $response->setStatusCode(403);
        $event->setResponse($response);

    }

    // By default deny authorization
    $response = new Response();
    $response->setStatusCode(403);
    $event->setResponse($response);
}

注意 AuthenticationException 是如何被捕获的,然后它返回一个 HTTP 响应。

我只是通过抛出 $failed 来修复我的:

catch (AuthenticationException $failed) {
     throw $failed
}
于 2013-10-02T13:32:22.320 回答