I know there are many threads on this topic, but none of them has helped me...
I am developing an application where you must send an access token in the header of every request. I manage this security with Guard.
For my tests, when I send a fake token or don't send one at all, the start() or onAuthenticationFailure() method should be called as appropriate. But it doesn't work. I get the same error every time. It looks like these methods are never called.
Authorization not sent
    GET /BileMo/web/app_dev.php/api/products/2 HTTP/1.1
    Host: localhost:8888
    Content-Type: application/json

    {
        "message": "Username could not be found."
    }
Invalid access token
    GET /BileMo/web/app_dev.php/api/products/2 HTTP/1.1
    Host: localhost:8888
    Content-Type: application/json
    Authorization: *Fake Facebook Token*

    {
        "message": "Username could not be found."
    }
Instead of:
    {
        "message": "Authorization required"
    }
or
    {
        "message": "The facebook access token is wrong!"
    }
With the correct access token, the request correctly returns the user.
Example request:
    GET /BileMo/web/app_dev.php/api/products/2 HTTP/1.1
    Host: localhost:8888
    Content-Type: application/json
    Authorization: *Facebook Token*
Here are the important parts of my code:
security.yml
    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: ROLE_USER
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username_email
            api_key_user_provider:
                entity:
                    class: FacebookTokenBundle:User
                    property: facebook_access_token
        firewalls:
            api:
                pattern: ^/api
                stateless: true
                anonymous: false
                guard:
                    authenticators:
                        - AppBundle\Security\FacebookAuthenticator
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_token_generator: security.csrf.token_manager
                    login_path: /login
                    check_path: /login_check
                oauth:
                    resource_owners:
                        facebook: "/login/check-facebook"
                    login_path: /login
                    failure_path: /login
                    oauth_user_provider:
                        # this is my custom user provider, created from FOSUBUserProvider - will manage the
                        # automatic user registration on your site, with data from the provider (facebook, google, etc.)
                        service: my_user_provider
                logout: true
                anonymous: true
            login:
                pattern: ^/login$
                security: false
                remember_me:
                    secret: "%secret%"
                    lifetime: 31536000 # 365 days in seconds
                    path: /
                    domain: ~ # Defaults to the current domain from $_SERVER
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin/, role: ROLE_ADMIN }
            - { path: ^/api, role: ROLE_USER }
FacebookAuthenticator.php
    namespace AppBundle\Security;

    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpFoundation\JsonResponse;
    use Symfony\Component\HttpFoundation\Response;
    use Symfony\Component\Security\Core\User\UserInterface;
    use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
    use Symfony\Component\Security\Core\Exception\AuthenticationException;
    use HWI\Bundle\OAuthBundle\OAuth\Response\UserResponseInterface;
    use Doctrine\ORM\EntityManager;
    use Symfony\Component\Security\Core\User\UserProviderInterface;

    class FacebookAuthenticator extends AbstractGuardAuthenticator
    {
        public function __construct(EntityManager $em)
        {
            $this->em = $em;
        }

        /**
         * Called when authentication is needed, but it's not sent
         */
        public function start(Request $request, AuthenticationException $authException = null)
        {
            $data = array(
                // you might translate this message
                'message' => 'Authentication Required'
            );
            return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
        }

        /**
         * Called on every request. Return whatever credentials you want to
         * be passed to getUser(). Returning null will cause this authenticator
         * to be skipped.
         */
        public function getCredentials(Request $request)
        {
            if (!$token = $request->headers->get('Authorization')) {
                // No token?
                $token = null;
            }
            // What you return here will be passed to getUser() as $credentials
            return array(
                'token' => $token,
            );
        }

        public function getUser($credentials, UserProviderInterface $userProvider)
        {
            $user = $this->em->getRepository('FacebookTokenBundle:User')
                ->findOneBy(array('facebook_access_token' => $credentials));
            return $user;
        }

        public function checkCredentials($credentials, UserInterface $user)
        {
            if ($user->getFacebookAccessToken() === $credentials['token']) {
                return true;
            }
            return new JsonResponse(array('message' => 'The facebook access token is wrong!', Response::HTTP_FORBIDDEN));
        }

        public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
        {
            // on success, let the request continue
            return null;
        }

        public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
        {
            $data = array(
                'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
                // or to translate this message
                // $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
            );
            return new JsonResponse($data, Response::HTTP_FORBIDDEN);
        }

        public function supportsRememberMe()
        {
            return false;
        }
    }
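Answer 0 (score: 1)
This behavior is expected. AbstractGuardAuthenticator has an overly generic interface, and you need to customize it for your own needs where necessary.
For example, to get the "Authorization required" error, you can throw an AuthenticationException in the getCredentials() method. The Symfony core will catch the exception, and in the end the start() method will be called.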
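The onAuthenticationFailure() method is usually used to redirect the user to the login page when the credentials are wrong. With an API key in the header, this functionality is not needed. Also, in the current implementation, how do you distinguish between "API key is incorrect" and "user not found"?
Answer 1 (score: 0)
The answer above is somewhat correct, but with a few corrections:
Any exception thrown inside the authenticator (guard) itself will trigger onAuthenticationFailure():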
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): JsonResponse
    {
        return new JsonResponse(['message' => 'Forbidden'], Response::HTTP_FORBIDDEN);
    }

    public function start(Request $request, AuthenticationException $authException = null): JsonResponse
    {
        return new JsonResponse(['message' => 'Authentication Required'], Response::HTTP_UNAUTHORIZED);
    }
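The start() method will be called when, for example, you throw an AccessDeniedException from inside your application (such as in a controller). A good use case might be when you want to blacklist one particular user from one particular route, and you don't want to fill your guard authenticator with unnecessary bloat.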
    /**
     * @Route("/something-special")
     */
    public function somethingSpecial()
    {
        if ($this->getUser()->getUsername() === 'a_banned_user') {
            throw new AccessDeniedException();
        }
        // ...
    }
Then test it with:
    $ curl -H "Auth-Header-Name: the_auth_token" http://site.local/something-special
    {"message":"Authentication Required"}
On the other hand, if an exception is thrown because the token header is missing, onAuthenticationFailure() will be run instead:
    public function getCredentials(Request $request): array
    {
        if (!$request->headers->has('Authorization')) {
            throw new AuthenticationException('Authentication header missing.');
        }
        // ...
    }
Then test it with:
    $ curl http://site.local/something-special
    {"message":"Forbidden"}