Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Container fails with stateless firewalls with the new authenticatior manager enabled #37119

Closed
johnvandeweghe opened this issue Jun 5, 2020 · 2 comments
Closed

Container fails with stateless firewalls with the new authenticatior manager enabled #37119

johnvandeweghe opened this issue Jun 5, 2020 · 2 comments
Labels
Bug Security Status: Needs Review

Comments

@johnvandeweghe
Copy link
Contributor

Symfony version(s) affected: 5.1.0

Description
If a stateless firewall is defined, and the new authenticator manager is enabled the following error occurs:

Argument 2 of service "security.listener.session" is abstract: stateless firewall keys.

Some digging appears that the need for the second argument was removed in a recent refactor of the Symfony\Component\Security\Http\EventListener\SessionStrategyListener and the \Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension was updated to no longer add the firewall keys, but in an unrelated refactor changed the service definition in Resources/config/security_authenticator.xml to the following:

        <service id="security.listener.session"
                 class="Symfony\Component\Security\Http\EventListener\SessionStrategyListener"
                 abstract="true">
            <argument type="service" id="security.authentication.session_strategy" />
            <argument type="abstract">stateless firewall keys</argument>
        </service>

This appears to be the root of the issue.

How to reproduce
Minimal example repo: https://github.com/johnvandeweghe/sf-session-listener-bug

  1. Add enable_authenticator_manager: true to security.yaml
  2. Add a stateless firewall:
main:
            pattern: ^/api
            stateless: true
            http_basic: ~
  1. Try to run the bin/console script.

Possible Solution
Changing the service definition to the following - removing the abstract definition and the second argument - fixes it for me (and matches up with the class code):

        <service id="security.listener.session"
                 class="Symfony\Component\Security\Http\EventListener\SessionStrategyListener">
            <argument type="service" id="security.authentication.session_strategy" />
        </service>

Additional context
This doesn't appear to be a problem if there are no stateless firewalls defined, which is likely why it has gone unnoticed during development.

This is my first bug report for Symfony, let me know if any more detail is needed!
@wouterj
Copy link
Member

wouterj commented Jun 6, 2020
edited

Thanks for the very detailed description!

I think there is more trouble here: Seems like I somehow ended up with the complete opposite of what should be done.

symfony/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

Lines 171 to 177 in bdc583c

if ($this->authenticatorManagerEnabled) {
foreach ($this->statelessFirewallKeys as $statelessFirewallId) {
$container
->setDefinition('security.listener.session.'.$statelessFirewallId, new ChildDefinition('security.listener.session'))
->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$statelessFirewallId]);
}
}

This is now registering the SessionStrategyListener only for the stateless firewalls, while it should be registered only for stateful firewalls.

So besides removing the abstract argument you mentioned, I think we should also change this loop to add it for all stateful firewalls. I think it then makes most sense to register the listener on these lines in the SecurityExtension when authenticatorManagerEnabled === true:

symfony/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

Lines 372 to 376 in bdc583c

if (false === $firewall['stateless']) {
$contextKey = $firewall['context'] ?? $id;
$listeners[] = new Reference($contextListenerId = $this->createContextListener($container, $contextKey));
$sessionStrategyId = 'security.authentication.session_strategy';
} else {

Would you be up for a PR making the change (as bugfix in 5.1)? If you know how, please also add a regression test so we won't break this in the future.

@johnvandeweghe johnvandeweghe mentioned this issue Jun 7, 2020
Merged
@johnvandeweghe
Copy link
Contributor Author

Put a PR up (#37126), let me know if it looks how you'd expect it to. @wouterj

@fabpot fabpot closed this as completed Jun 8, 2020
fabpot added a commit that referenced this issue Jun 8, 2020
@fabpot
bug #37126 [SecurityBundle] Fix the session listener registration und…
9760d37 
…er the new authentication manager (johnvandeweghe)

This PR was squashed before being merged into the 5.1 branch.

Discussion
----------

[SecurityBundle] Fix the session listener registration under the new authentication manager

| Q             | A
| ------------- | ---
| Branch?       | 5.1
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #37119
| License       | MIT
| Doc PR        | N/A

Fixes the logic that adds session listeners for firewalls to properly add them only for statefull firewalls. Adds tests to confirm that it is only added to statefull ones. Also remove unused abstract field on session listener

Commits
-------

936ae9d [SecurityBundle] Fix the session listener registration under the new authentication manager
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@fabpot @javiereguiluz @wouterj @johnvandeweghe @carsonbot