Symfony Guard component and stateless authentication (Shibboleth)

My application is required to use an SSO service called Shibboleth, so I used the existing shibboleth-bundle. Everything has changed, and we need to add a form validation method for the user. So I decided to implement Shibboleth authentication with the new Guard component (see ShibbolethGuardBundle).

I found a problem during development. Symfony calls the ShibbolethAuthenticator methods on the first request, creates a token, and never calls any ShibbolethAuthenticator method on subsequent requests. This means that if the Shibboleth session ends, the user is still authenticated using the Symfony session.

This is also a problem if you want to implement token authentication. The user needs to send a token only at the first request. Any other request is authenticated by the session.

This issue also exists for other single sign-on services. If you log out of Facebook, you expect to be logged out of any website that uses Facebook authentication. But if you accomplished this with Guard, you will still have a valid session after logging out of Facebook.

I found a quick solution by checking in my UserProvider whether the Shibboleth header variables are set on each request. If they are missing, an Exception is thrown and my ExceptionListener redirects to the login page.

I think this is not a good solution, because the ShibbolethGuardBundle should handle this problem. Does anyone have an idea how I could solve this in a more appropriate way?

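One way to get the behaviour the question asks for, added here as an example and not code from the question or from ShibbolethGuardBundle: put the Guard authenticator on a firewall declared with `stateless: true`, so Symfony stores no token in the session and the Shibboleth server variables are re-checked on every request. The variable names (`Shib-Session-ID`, `eppn`) and the `/Shibboleth.sso/Login` handler path are assumptions that depend on the SP's attribute-map and handler configuration.

```php
<?php
// Added example, not code from the question or from ShibbolethGuardBundle.
// Assumes the Symfony 3.4/4.x Guard API on a firewall with `stateless: true`:
// with no token in the session, Guard runs this class on every request, so the
// request is unauthenticated again once mod_shib stops injecting its variables.
// Server variable names and the /Shibboleth.sso/Login path are assumptions.
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
final class ShibbolethHeaderAuthenticator extends AbstractGuardAuthenticator
{
    public function supports(Request $request)
    {
        return $request->server->has('Shib-Session-ID') && $request->server->has('eppn');
    }
    public function getCredentials(Request $request)
    {
        return ['eppn' => $request->server->get('eppn')];
    }
    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        return $userProvider->loadUserByUsername($credentials['eppn']);
    }
    public function checkCredentials($credentials, UserInterface $user)
    {
        return true; // identity was asserted by the SP and IdP; nothing to verify locally
    }
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null; // continue to the controller
    }
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        return new Response('Authentication failed', Response::HTTP_FORBIDDEN);
    }
    public function start(Request $request, AuthenticationException $authException = null)
    {
        // No SP session: send the browser to the session initiator, returning here afterwards.
        return new RedirectResponse('/Shibboleth.sso/Login?target=' . urlencode($request->getUri()));
    }
    public function supportsRememberMe()
    {
        return false;
    }
}
```

Because the firewall is stateless, ending the Shibboleth session (or the SP no longer setting the variables) makes the very next request fall through to `start()` instead of being served from a stale Symfony session.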
1 answer

As I see it, authenticating for the first time and sending the user data is either to create a user object or to sign the user in to this website. After that, you have a session with site A using data from the single sign-on service, which I think is the intended behavior. This is not login/logout synchronization with the single sign-on service.

See http://romain.pechayre.me/blog/2015/06/26/single-sign-out-problem/ on the same problem with Google:



Source: https://habr.com/ru/post/1658780/
