我正在使用symfony 2.6的内部网站点。
我设法创建了一个自定义安全提供程序/侦听器/等,以提供NTLM身份验证(基于Windows登录)。 我还设法将其与从数据库中获取角色结合起来。
我现在正在研究switch_user功能,我认为我的身份验证与模拟过程相冲突,如旁边的日志所示。
我是USER1(来自NTLM),并且想要模仿USER2,为了清晰起见,重新解释了带有**的日志条目
[2015-07-18 22:17:47] request.INFO: Matched route "homepage_conception" (parameters: "mode": "conception", "_controller": "AppBundle\Controller\MainController::indexAction", "_route": "homepage_conception") [] []
[2015-07-18 22:17:48] security.DEBUG: Read SecurityContext from the session [] []
[2015-07-18 22:17:48] security.DEBUG: Reloading user from user provider. [] []
[2015-07-18 22:17:48] doctrine.DEBUG: ** SELECT query for USER1 (based on id) ** []
[2015-07-18 22:17:48] security.DEBUG: Username "USER1" was reloaded from user provider. [] []
[2015-07-18 22:17:48] app.DEBUG: NTLM Authentication - Handshake Step 1 [] []
[2015-07-18 22:17:48] app.DEBUG: NTLM Authentication - Requesting from client - WWW-Authenticate: NTLM [] []
在NTLM身份验证期间,请求被重新发送3次(这是第2轮)
[2015-07-18 22:17:48] request.INFO: Matched route "homepage_conception" (parameters: "mode": "conception", "_controller": "AppBundle\Controller\MainController::indexAction", "_route": "homepage_conception") [] []
[2015-07-18 22:17:49] security.DEBUG: Read SecurityContext from the session [] []
[2015-07-18 22:17:49] security.DEBUG: Reloading user from user provider. [] []
[2015-07-18 22:17:49] doctrine.DEBUG: ** SELECT query for USER1 (based on id) ** []
[2015-07-18 22:17:49] security.DEBUG: Username "USER1" was reloaded from user provider. [] []
[2015-07-18 22:17:49] app.DEBUG: NTLM Authentication - Handshake Step 2 [] []
[2015-07-18 22:17:49] app.DEBUG: NTLM Authentication - Requesting from client - WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAAAICAgAAAAAAAAAAAAAAAA== [] []
NTLM第三轮
[2015-07-18 22:17:49] request.INFO: Matched route "homepage_conception" (parameters: "mode": "conception", "_controller": "AppBundle\Controller\MainController::indexAction", "_route": "homepage_conception") [] []
[2015-07-18 22:17:49] security.DEBUG: Read SecurityContext from the session [] []
[2015-07-18 22:17:49] security.DEBUG: Reloading user from user provider. [] []
[2015-07-18 22:17:49] doctrine.DEBUG: ** SELECT query for USER1 (based on id) ** []
[2015-07-18 22:17:49] security.DEBUG: Username "USER1" was reloaded from user provider. [] []
[2015-07-18 22:17:49] app.DEBUG: NTLM Authentication - Handshake Step 3 [] []
[2015-07-18 22:17:49] app.DEBUG: NTLM Authentication - Got user info, creating token with username USER1 [] []
[2015-07-18 22:17:49] doctrine.DEBUG: ** SELECT query to get full user object (based on username) ** ["USER1"] []
[2015-07-18 22:17:49] doctrine.DEBUG: ** SELECT query to know role for USER1 id from mapping table (based on id) ** ** []
[2015-07-18 22:17:50] doctrine.DEBUG: ** SELECT query to have role object (based on role id) ** [96] []
[2015-07-18 22:17:50] doctrine.DEBUG: ** SELECT query to have role object (based on role id) ** [97] []
我在!试图切换用户......
[2015-07-18 22:17:50] security.INFO: Attempt to switch to user "USER2" [] []
[2015-07-18 22:17:50] doctrine.DEBUG: ** SELECT query to get full user object (based on username) ** ["USER2"] []
[2015-07-18 22:17:50] doctrine.DEBUG: ** SELECT query to know role for USER2 id from mapping table (based on id) ** [5] []
[2015-07-18 22:17:50] ... various event "kernel..." I can provide them if needed
[2015-07-18 22:17:50] event.DEBUG: Listener "Symfony\Component\Security\Http\Firewall::onKernelRequest" stopped propagation of the event "kernel.request". [] []
[2015-07-18 22:17:50] event.DEBUG: Listener "Symfony\Bundle\AsseticBundle\EventListener\RequestListener::onKernelRequest" was not called for event "kernel.request". [] []
[2015-07-18 22:17:50] security.DEBUG: Write SecurityContext in the session [] []
[2015-07-18 22:17:50] ... various event "kernel..." I can provide them if needed
再次(!?)在NTLM握手...(1/3)
[2015-07-18 22:17:50] request.INFO: Matched route "homepage_conception" (parameters: "mode": "conception", "_controller": "AppBundle\Controller\MainController::indexAction", "_route": "homepage_conception") [] []
[2015-07-18 22:17:50] security.DEBUG: Read SecurityContext from the session [] []
[2015-07-18 22:17:50] security.DEBUG: Reloading user from user provider. [] []
[2015-07-18 22:17:50] doctrine.DEBUG: ** SELECT query for USER2 (based on id) ** []
[2015-07-18 22:17:50] security.DEBUG: Username "USER2" was reloaded from user provider. [] []
[2015-07-18 22:17:51] app.DEBUG: NTLM Authentication - Handshake Step 1 [] []
[2015-07-18 22:17:51] app.DEBUG: NTLM Authentication - Requesting from client - WWW-Authenticate: NTLM [] []
NTLM 2/3
[2015-07-18 22:17:51] request.INFO: Matched route "homepage_conception" (parameters: "mode": "conception", "_controller": "AppBundle\Controller\MainController::indexAction", "_route": "homepage_conception") [] []
[2015-07-18 22:17:51] security.DEBUG: Read SecurityContext from the session [] []
[2015-07-18 22:17:51] security.DEBUG: Reloading user from user provider. [] []
[2015-07-18 22:17:51] doctrine.DEBUG: ** SELECT query for USER2 (based on id) ** []
[2015-07-18 22:17:51] security.DEBUG: Username "USER2" was reloaded from user provider. [] []
[2015-07-18 22:17:51] app.DEBUG: NTLM Authentication - Handshake Step 2 [] []
[2015-07-18 22:17:51] app.DEBUG: NTLM Authentication - Requesting from client - WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAAAICAgAAAAAAAAAAAAAAAA== [] []
NTLM 3/3
[2015-07-18 22:17:52] request.INFO: Matched route "homepage_conception" (parameters: "mode": "conception", "_controller": "AppBundle\Controller\MainController::indexAction", "_route": "homepage_conception") [] []
[2015-07-18 22:17:52] security.DEBUG: Read SecurityContext from the session [] []
[2015-07-18 22:17:52] security.DEBUG: Reloading user from user provider. [] []
[2015-07-18 22:17:52] doctrine.DEBUG: ** SELECT query for USER2 (based on id) ** []
[2015-07-18 22:17:52] security.DEBUG: Username "USER2" was reloaded from user provider. [] []
[2015-07-18 22:17:52] app.DEBUG: NTLM Authentication - Handshake Step 3 [] []
[2015-07-18 22:17:52] app.DEBUG: NTLM Authentication - Got user info, creating token with username USER1 [] []
[2015-07-18 22:17:52] doctrine.DEBUG: ** SELECT query to get full user object (based on username) ** ["USER1"] []
[2015-07-18 22:17:52] doctrine.DEBUG: ** SELECT query to know role for USER1 id from mapping table (based on id) ** []
[2015-07-18 22:17:52] doctrine.DEBUG: ** SELECT query to have role object (based on role id) ** [96] []
[2015-07-18 22:17:52] doctrine.DEBUG: ** SELECT query to have role object (based on role id) ** [97] []
[2015-07-18 22:17:52] ... various event "kernel..." I can provide them if needed
有人有任何关于如何使所有这些东西一起工作的线索吗?
这是我的NTLMListener代码
namespace AppBundle\Security\Firewall;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Http\Firewall\ListenerInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use AppBundle\Security\Authentication\Token\NtlmUserToken;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
class NtlmListener implements ListenerInterface
{
protected $securityContext;
protected $authenticationManager;
protected $logger;
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
{
$this->securityContext = $securityContext;
$this->authenticationManager = $authenticationManager;
$this->logger = $logger;
}
private function unAuthorized($msg=null) {
$ntlm = 'WWW-Authenticate: NTLM';
if ($msg) {
$ntlm .= ' '.$msg;
}
header('HTTP1.0 401 Unauthorized');
header($ntlm);
$this->logger->debug("NTLM Authentication - Requesting from client - ".$ntlm);
return 1; // NTLM_AUTH_FAILED
}
private function getInfosFromNTLM() {
if (!empty($_SERVER['HTTP_VIA'])) {
return 2; // NTLM_PROXY
}
$header = apache_request_headers();
$auth = isset($header['Authorization']) ? $header['Authorization'] : null;
if (is_null($auth)) {
$this->logger->debug("NTLM Authentication - Handshake Step 1");
return $this->unAuthorized();
}
if ($auth && (substr($auth,0,4) == 'NTLM')) {
$c64 = base64_decode(substr($auth,5));
$state = ord($c64{8});
switch ($state) {
case 1:
$this->logger->debug("NTLM Authentication - Handshake Step 2");
$chrs = array(0,2,0,0,0,0,0,0,0,40,0,0,0,1,130,0,0,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0);
$ret = "NTLMSSP";
foreach ($chrs as $chr) {
$ret .= chr($chr);
}
return $this->unAuthorized(trim(base64_encode($ret)));
case 3:
$this->logger->debug("NTLM Authentication - Handshake Step 3");
$l = ord($c64{31}) * 256 + ord($c64{30});
$o = ord($c64{33}) * 256 + ord($c64{32});
$domain = str_replace("\0","",substr($c64,$o,$l));
$l = ord($c64{39}) * 256 + ord($c64{38});
$o = ord($c64{41}) * 256 + ord($c64{40});
$user = str_replace("\0","",substr($c64,$o,$l));
return array('domain'=>$domain,'user'=>$user);
}
}
return 3;
}
public function handle(GetResponseEvent $event)
{
header('WWW-Authenticate: Negociate');
$infos = $this->getInfosFromNTLM();
switch ($infos) {
case 3:
case 2:
// NTLM not available ... give up
return;
case 1:
//header sent, client will re-send request (if NTLM aware)
exit;
default:
}
$this->logger->debug("NTLM Authentication - Got user info, creating token with username ".$infos["user"]);
$token = new NtlmUserToken();
$token->setUser($infos['user']);
try {
$authToken = $this->authenticationManager->authenticate($token);
$this->securityContext->setToken($authToken);
} catch (AuthenticationException $failed) {
// Deny authentication with a '403 Forbidden' HTTP response
$response = new Response($failed);
$response->setStatusCode(403);
$event->setResponse($response);
}
}
}