
I'm using symfony on the backend (api). The authentication process is handled by FosUserBundle, LexikJWTAuthenticationBundle and LdapTools...... everything works fine.

The problem is when I want to get the authenticated user in a controller or a service.

The user is authenticated via the Authorization header; there is no 401 exception.

$this->container->get('security.token_storage')->getToken()->getUser(); // null

$preAuthToken = $this->container->get('security.token_storage')->getToken();
$tmp = $this->container->get('lexik_jwt_authentication.jwt_manager')->decode($preAuthToken); // I can get the username and roles

But the real problem is with the security system:

if ($this->isGranted('ROLE_USER')) {
    echo 'never gets here!!';
} else {
    echo 'always';
}

The security system always fails because the user returned by getUser() is always null.

My question is: shouldn't LexikJWTAuthenticationBundle inject or replace the current user/token after a successful authentication?

Or should I do it programmatically? I don't want to fall into bad practices..

Thanks in advance!

security.yml info

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
        LdapTools\Bundle\LdapToolsBundle\Security\User\LdapUser: plaintext

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        ldap:
            id: ldap_tools.security.user.ldap_user_provider

        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        refresh:
            pattern: ^/api/token/refresh
            stateless: true
            anonymous: true

        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        api_login:
            pattern:  ^/login
            stateless: true
            provider: fos_userbundle
            anonymous: true
            form_login:
                check_path:               /login
                require_previous_session: false
                username_parameter:       username
                password_parameter:       password
                success_handler:          lexik_jwt_authentication.handler.authentication_success
                failure_handler:          AppBundle\Handler\AuthenticationFailureHandler
            guard:
                authenticators:
                    - ldap_tools.security.ldap_guard_authenticator
            logout: true

        api:
            pattern:   ^/
            stateless: true
            lexik_jwt: ~

    access_control:
        - { path: ^/login$,           role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/,                 role: IS_AUTHENTICATED_FULLY }

Auth. failure handler (just in case)

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Exception\AuthenticationException;

public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
    $token = $exception->getToken();

    // The failed token only carries the username as a string: try to load the FOS user for it
    if (is_string($token->getUser())) {
        $usuario = $this->container->get('fos_user.user_manager')->findUserByUsername($token->getUsername());
        if ($usuario) {
            $token = new UsernamePasswordToken($usuario, 'yes', 'public', $usuario->getRoles());
        } else {
            return $this->container->get('lexik_jwt_authentication.handler.authentication_failure')->onAuthenticationFailure($request, $exception);
        }
    }

    return $this->handleAuthenticationFail($request, $token, $exception);
}

public function handleAuthenticationFail(Request $request, TokenInterface $token, AuthenticationException $exception)
{
    $username = $token->getUsername();
    $password = $request->get('password');

    // Fall back to LDAP: on success, issue a JWT as if the login had succeeded
    if ($this->ldapManager->authenticate($username, $password)) {
        return $this->container->get('lexik_jwt_authentication.handler.authentication_success')->handleAuthenticationSuccess($token->getUser());
    }

    return $this->container->get('lexik_jwt_authentication.handler.authentication_failure')->onAuthenticationFailure($request, $exception);
}