Symfony2 http_basic security rejects valid credentials

Question

I use Symfony Standard 2.0.0BETA1 and tried to configure http_basic authentication exactly the same as in this book chapter

security:
encoders:
    Symfony\Component\Security\Core\User\User: plaintext

providers:
    main:
        users:
            foo: { password: testing, roles: ROLE_USER }

firewalls:
    main:
        pattern:    /.*
        http_basic: true
        logout:     true

access_control:
    - { path: /.*, role: ROLE_USER }

Problem is when I try to open a page and i submit user name "foo" and password "testing" it simply loops and ask me for credential infinitely or display error page.

Steps to reproduce issue:

Copy security configuration from http://symfony.com/doc/current/book/security/overview.html#configuration and past it to security.yml file
Refresh app home page
Enter valid credentials

Expected behavior is to see home page but instead credentials prompt is shown.

Does anyone know why that happens and how to fix it?

Teo.sk · Accepted Answer · 2011-10-10 13:29:20Z

7

The http basic authentication is broken with PHP as cgi/fastCGI under Apache

There is a workaround:

app_dev.php

if( !isset($_SERVER['PHP_AUTH_USER']) )
{
    if (isset($_SERVER['HTTP_AUTHORIZATION']) && (strlen($_SERVER['HTTP_AUTHORIZATION']) > 0))
    {
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
        if( strlen($_SERVER['PHP_AUTH_USER']) == 0 || strlen($_SERVER['PHP_AUTH_PW']) == 0 )
        {
            unset($_SERVER['PHP_AUTH_USER']);
            unset($_SERVER['PHP_AUTH_PW']);
        }
    }
}

web/.htaccess

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] 
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ app.php [QSA,L]
</IfModule>

Source: symfony github issue

edited Oct 10, 2011 at 13:29

answered Oct 5, 2011 at 18:39

Teo.sk

2,6275 gold badges26 silver badges30 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Matt · Accepted Answer · 2011-05-13 23:52:49Z

7

The problem is you restricted access to /.*, which means all paths, to only users who have the role ROLE_USER.

Say your login path is /login, the user tries to access any other path and is redirected to the login path. The login path (/login) will be matched by the access control pattern /.*. The user will then be denied of access because he doesn't have the role ROLE_USER right now. The security component will redirect the user again to the login form so he can authenticate to get the role, which is restricted, and will redirect the user to the login form to authenticate and so on.

Here's a simple solution to avoid this problem. You can allow access to the login form to anonymous user with the activation of the anonymous user configuration and a new access control item. Add this below main in the firewalls configuration to enable anonymous user:

security:
    firewalls:
        main:
            anonymous: true

And add a new access control item to allow anonymous user to acces the /login pattern:

access_control:
    - { path: /login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: /.*, role: ROLE_USER }

The order is important here since the rule is: first path matched wins. So the /login path must be above your pattern for other path /.*. This should resolves you redirect loop.

The documentation of Symfony about security is being rewritten right now and will talk more in details about this problem. It is in the symfony-docs github repository under the security branch.

Regards, Matt

edited May 13, 2011 at 23:52

answered May 13, 2011 at 18:05

Matt

11k3 gold badges48 silver badges52 bronze badges

2 Comments

sbgoran Over a year ago

OK, I see your point, but I'm trying to use HTTP basic, so no custom login forms, browser should automatically display credentials form (or, by standard, I could access my app by simply setting appropriate headers, something like Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==)

MGP Over a year ago

+1 this was driving me crazy, I'm using 2.1, the docs say nothing about this.

pagliuca · Accepted Answer · 2013-05-01 21:11:19Z

7

The same problem still occurs in the current version (Symfony version 2.1.8).

It's because of the special way that Apache + PHP as FastCGI handles HTTP auth variables.

At least, the fix for the current version is a little simplier than it was before (as compared to @Teo.sk's answer), and the instructions are available directly hardcoded as comments in the file vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/ServerBag.php of the framework:

/*
* php-cgi under Apache does not pass HTTP Basic user/pass to PHP by default
* For this workaround to work, add these lines to your .htaccess file:
* RewriteCond %{HTTP:Authorization} ^(.+)$
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
*
* A sample .htaccess file:
* RewriteEngine On
* RewriteCond %{HTTP:Authorization} ^(.+)$
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
* RewriteCond %{REQUEST_FILENAME} !-f
* RewriteRule ^(.*)$ app.php [QSA,L]
*/

In short, to fix it, all you have to do is to add the following lines to the .htaccess file of the web/ folder of your application:

RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

New info (2013-05-01): now I'm using Symfony version 2.2.1 and for the fix to work I had to add those two lines of codes right below the following line of web/.htaccess:

RewriteEngine On

edited May 1, 2013 at 21:11

answered Feb 28, 2013 at 1:17

pagliuca

1,23415 silver badges21 bronze badges

2 Comments

Paul Voss Over a year ago

This is exactly what fixed my problem. I already found the RewriteRule somewhere else on stackoverflow but it only worked after i added the RewriteCond. Thanks!

user719662 Over a year ago

shortest and most up-to-date solution here.

Massimo212121 · Accepted Answer · 2015-02-23 11:11:54Z

1

you dont't need to modify your SymfonyProject, you need also change apache2 configuration.

sudoedit /etc/apache2/sites-enabled/[your site].conf

insert

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] 
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]

keep to restart apache2

enjoy :)

answered Feb 23, 2015 at 11:11

Massimo212121

3173 silver badges8 bronze badges

Comments

j0k · Accepted Answer · 2014-07-25 07:52:59Z

0

i use my boundle route:

 - { path: /correspondencia/recepcion/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: /correspondencia/recepcion, role: ROLE_ADMIN }

without the last slash wrong

/correspondencia/recepcion/

good

/correspondencia/recepcion

edited Jul 25, 2014 at 7:52

j0k

22.8k28 gold badges81 silver badges90 bronze badges

answered Dec 4, 2011 at 19:49

John Ricaurte

455 bronze badges

Collectives™ on Stack Overflow

Symfony2 http_basic security rejects valid credentials

5 Answers 5

Comments

2 Comments

2 Comments

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

5 Answers 5

Comments

2 Comments

2 Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related