2

当我想从使用 Symfony 创建的 REST API 中使用 WSSE 对用户进行身份验证时,我遇到了问题。我按照网站 symfony wsse 身份验证 ( http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html ) 上的指南完成了教程 ( http://obtao.com/blog/2013/06 /configure-wsse-on-symfony-with-fosrestbundle/)和用户管理由 FOSUserBundle 处理。

默认情况下,我 wsse 对访问资源 /api 的请求进行身份验证。所以我在我的 security.yml

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        wsse_secured:
            pattern:   /api/.*
            stateless: true
            wsse:      true
            anonymous : false

        #dev:
        #    pattern:  ^/(_(profiler|wdt)|css|images|js)/
        #    security: false


        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }

为了访问我的资源 /api/hello,我在请求标头中添加了:

Authorization: Authorization profile=”UsernameToken”
x-wsse: UsernameToken Username="foo", PasswordDigest="9/dyW92Vp+mWEbyXeblRMqTQSJc=", Nonce="MDc1MGNkZjAwMjNmZjk2YQ==", Created="2014-04-17T16:18:34Z"

但是在发送查询后,我收到一个返回给我的错误:

WSSE Login failed for foo. Why? No Authentication Provider found for token of class "Acme \ UserBundle \ Security \ Authentication \ Token \ WsseUserToken".

此错误消息是我的 WsseListener 类中引发的异常:

try {
        $authToken = $this->authenticationManager->authenticate($token);
        $this->securityContext->setToken($authToken);
    return;
    } catch (AuthenticationException $failed) {
         $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
         // Deny authentication with a '403 Forbidden' HTTP response
         $response = new Response();
         $response->setStatusCode(403);
         $response->setContent($failedMessage);
         $event->setResponse($response);
         return; 
    }
4

2 回答 2

1

好吧,我刚发现问题...

在我的身份验证方法(WsseProvider 类)中,我没有返回任何内容!

之前(不起作用):

public function authenticate(TokenInterface $token)
 {
    $user = $this->userProvider->loadUserByUsername($token->getUsername());
    if(!$user){
      throw new AuthenticationException("Bad credentials... Did you forgot your username ?");
    }
    if ($user && 
        $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
    }
}

之后(作品):

    public function authenticate(TokenInterface $token)
    {
        $user = $this->userProvider->loadUserByUsername($token->getUsername());
        if(!$user){
            throw new AuthenticationException("Bad credentials... Did you forgot your username ?");
        }
        if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
        $authenticatedToken = new WsseUserToken($user->getRoles());
        $authenticatedToken->setUser($user);

        return $authenticatedToken;
    }
    throw new AuthenticationException('The WSSE authentication failed.');
}

现在一切正常!

于 2014-04-17T19:47:19.207 回答
0

确保授权标头没有被 apache 剥离(默认情况下它会剥离它)。

您可以通过将以下行添加到 .htaccess 文件来强制执行此操作:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
于 2014-04-17T17:53:41.590 回答