All geek questions in one place

Security throws 500 exceptions with Token not detected in TokenStorage instead of 403 or 401

I am doing authorization using ApiKey, and I want to get 401 Unauthorizedif the authorization data is not specified, and 403 Forbiddenif the authorization data is invalid. But I got it 500 Internal Server Errorin both situations.

security.yml

security:

    providers:
        api_key_user_provider:
            entity:
                class: RestBundle:RestUser
                property: apikey

    firewalls:
        rest_api_area:
            pattern: ^/api
            stateless: true
            rest_auth:
                header: x-apikey
            provider: api_key_user_provider

    access_control:
        - { path: ^/api, roles: ROLE_REST_USER }

RestUserListener.php

class RestUserListener implements ListenerInterface
{
    protected $tokenStorage;
    protected $authenticationManager;
    private $header;

    function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, $header)
    {
        $this->tokenStorage = $tokenStorage;
        $this->authenticationManager = $authenticationManager;
        $this->header = $header;
    }

    public function handle(GetResponseEvent $event)
    {
        $request = $event->getRequest();

        $apikey = $request->headers->get($this->header);
        if (!$apikey) return;

        $token = new RestUserToken();
        $token->setUser($apikey);

        $authToken = $this->authenticationManager->authenticate($token);
        $this->tokenStorage->setToken($authToken);
        return;
    }
}

RestUserAuthenticationProvider.php:

class RestUserAuthenticationProvider implements AuthenticationProviderInterface
{
    private $userProvider;

    public function __construct(UserProviderInterface $userProvider)
    {
        $this->userProvider = $userProvider;
    }

    public function authenticate(TokenInterface $token)
    {
        $user = $this->userProvider->loadUserByUsername($token->getUsername());

        if ($user)
        {
            $authenticatedToken = new RestUserToken($user->getRoles());
            $authenticatedToken->setUser($user);

            return $authenticatedToken;
        }

        throw new AuthenticationException("Apikey not found.");
    }

    public function supports(TokenInterface $token)
    {
        return $token instanceof RestUserToken;
    }
}

RestUserToken is as simple as AbstractTokenit has no additional logic.

api_key_user_provider is the standard entity provider identified by the propertyApiKey RestUser

RestUserFactory also does not have additional magic inside, as in the official documentation

+4
1

RestUserListener::handle() HTTP 401 HTTP 403.

return; .

: :

use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;

//
...
//

public function handle(GetResponseEvent $event)
{
    $request = $event->getRequest();

    if ( /* something invalid here, so error */ ) {
        $context = $request->getHost();

        throw new UnauthorizedHttpException(
            "Basic realm=\"$context\"",
            'Please authenticate correctly or any other message here'
        );
    }
}

Throwing UnauthorizedHttpException HTTP 401 ( , ).

HTTP 403 Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException.

+2

Source: https://habr.com/ru/post/1620945/

More articles:


All Articles