
Symfony Authentication Provider & Ez User Provider


Tuesday 07 May 2013 5:35:14 pm - 14 replies

Hello everybody,

I followed the Symfony documentation for creating a secured area behind a firewall, a redirection to a custom login form, and the authentication services, as explained here:

http://symfony.com/fr/doc/master/book/security.html
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

This works great, but when I activate the eZ user provider it breaks. Let's try to explain clearly:

The symfony authentication provider: "Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider"
on line 83, tries to load the user object corresponding to the "username" value provided by the HTML form;
Using an instance of:
"eZ\Publish\Core\MVC\Symfony\Security\User\Provider"
It calls the method "loadUserByUsername", with the username as parameter (sounds good !), but this method only accepts numeric values. It calls directly the eZ\Publish\Core\Repository\UserService->loadUser method that throws an exception if the parameter is not numeric.

So it fails....

If I modify the UserService to handle retrieval of user by login, everything works perfectly and my authentication system is OK.

Can anyone tell me if I missed something ? Or everything ?

Thank you in advance,

Romain Petit.
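The failure described above comes from DaoAuthenticationProvider handing the form's "username" to a provider whose loadUserByUsername() only understands numeric user IDs. The following is an added example, not code from this thread or from eZ Publish: a Symfony user provider that accepts either a numeric ID or a login name and resolves both to an eZ API user. It assumes a loadUserByLogin() method on the eZ UserService (the original poster reports having to add login-based lookup himself, so check your version), and it assumes the eZ\Publish\Core\MVC\Symfony\Security\User wrapper class with its getAPIUser() accessor.

```php
<?php
// Added example (hypothetical bundle namespace), not part of the thread or of eZ Publish.
namespace Acme\SecurityBundle\Security;

use eZ\Publish\API\Repository\Repository;
use eZ\Publish\API\Repository\Exceptions\NotFoundException;
use eZ\Publish\Core\MVC\Symfony\Security\User as SecurityUser; // assumed eZ wrapper class
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class LoginAwareUserProvider implements UserProviderInterface
{
    /** @var Repository */
    private $repository;

    public function __construct(Repository $repository)
    {
        $this->repository = $repository;
    }

    /**
     * Called by DaoAuthenticationProvider with the raw "username" form value.
     * Accepts a numeric user ID (what the stock eZ provider expects) or a login.
     */
    public function loadUserByUsername($username)
    {
        $userService = $this->repository->getUserService();

        try {
            if (ctype_digit((string) $username)) {
                $apiUser = $userService->loadUser((int) $username);
            } else {
                // Assumption: loadUserByLogin() is available in your eZ version.
                $apiUser = $userService->loadUserByLogin($username);
            }
        } catch (NotFoundException $e) {
            // Throw the same exception type for an unknown ID and an unknown login:
            // the DAO provider converts it into a generic BadCredentialsException,
            // so the login form does not reveal which accounts exist.
            throw new UsernameNotFoundException(
                sprintf('User "%s" could not be found.', $username), 0, $e
            );
        }

        // The Symfony role is coarse on purpose; fine-grained rights stay in the eZ policy system.
        return new SecurityUser($apiUser, array('ROLE_USER'));
    }

    /**
     * Re-loads the user from the repository on each request so that a disabled
     * or deleted account is not kept alive by the serialized session token.
     */
    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof SecurityUser) {
            throw new UnsupportedUserException(
                sprintf('Instances of "%s" are not supported.', get_class($user))
            );
        }

        // Refresh by ID, never by the possibly changed login.
        return $this->loadUserByUsername($user->getAPIUser()->id);
    }

    public function supportsClass($class)
    {
        $supported = 'eZ\Publish\Core\MVC\Symfony\Security\User';

        return $class === $supported || is_subclass_of($class, $supported);
    }
}
```

Register the class as a service that receives the ezpublish.api.repository service, then point the firewall's provider entry in security.yml at it. One caveat for anyone wiring this in: DaoAuthenticationProvider still compares the submitted password through the encoder configured for the user class, so that encoder has to match the hashing scheme eZ Publish uses for stored passwords, otherwise every login fails even though the user is now found.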

Tuesday 07 May 2013 6:11:09 pm

why you do not use the module user/login ?

Wednesday 08 May 2013 2:06:45 am

Quote from Nguyen Huu Bruno :

why you do not use the module user/login ?

Firstly, because modules are not exciting any more...
Secondly, I'm working on a long term project, and I don't want to rely on ezp4 functionalities, and have to reimplement everything on ezp4 retirement.

Wednesday 08 May 2013 8:18:07 am

Hi Romain !

I can only encourage what you are doing. However, be aware that for login, using the legacy module is the only official way to do. We should work on a new real controller soon (for 5.2). In the meantime, relying on legacy user/login is perfectly safe.

Wednesday 08 May 2013 9:04:11 pm

If I correctly understand the new eZ way, the following code in the controller will check the authorization.

if ( !$this->isGranted( new AuthorizationAttribute( $module, $function ) ) )
    throw new AccessDeniedException();

Will this also redirect the user to the login form (currently the module user/login, in the future the user controller I can guess) ?

Thursday 09 May 2013 9:06:12 am

Quote from Jérôme Vieilledent :

Hi Romain !

I can only encourage what you are doing. However, be aware that for login, using the legacy module is the only official way to do. We should work on a new real controller soon (for 5.2). In the meantime, relying on legacy user/login is perfectly safe.

Hi Jérôme,

Yes I understand that the official controller would be more complex (with SSO and other stuff) that only the user/login module can do right now.

About that issue I have with the "Provider->loadUserByUsername" that only accepts integers, for me it looks like an issue on the Ez\Publish side, can you tell me what do you think about this ?

Many thanks,

Romain.

Thursday 09 May 2013 9:17:59 am

Quote from Nguyen Huu Bruno :

If I correctly understand the new eZ way, the following code in the controller will check the authorization.

if ( !$this->isGranted( new AuthorizationAttribute( $module, $function ) ) )
    throw new AccessDeniedException();

Will this also redirect the user to the login form (currently the module user/login, in the future the user controller I can guess) ?

Hello,

I did not try that way, I was checking roles with the eZ controller, that allows sudo and other interesting things.

To check access to controllers, I think it's more relevant to use directly the Symfony built-in security because it's upstream, then the Ez role system for fine grained checking.

I use the following functions for this (inside controller):

$repository = $this->get( 'ezpublish.api.repository' );
$access = $repository->hasAccess( $module, $function );
$access = $repository->canUser( $module, $function, $params );
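Bruno's isGranted() snippet and Romain's hasAccess()/canUser() calls are two layers of the same check: the first asks the Symfony voter whether the current user may use a module/function at all, the second asks the eZ repository whether that right applies to one specific object, taking policy limitations into account. The controller below is an added example, not code from this thread or from eZ Publish; it assumes an eZ controller base class exposing isGranted() and getRepository(), the eZ\Publish\Core\MVC\Symfony\Security\Authorization\Attribute class behind the AuthorizationAttribute alias, and a hypothetical bundle namespace.

```php
<?php
// Added example (hypothetical bundle namespace), not part of the thread or of eZ Publish.
namespace Acme\ContentBundle\Controller;

use eZ\Bundle\EzPublishCoreBundle\Controller;
use eZ\Publish\Core\MVC\Symfony\Security\Authorization\Attribute as AuthorizationAttribute;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class ArticleController extends Controller
{
    /**
     * Edits one content item. Both checks must pass before any work is done.
     */
    public function editAction($contentId)
    {
        // Layer 1: coarse check through the Symfony voter. This rejects users who
        // have no "content/edit" policy at all, before we even touch the content.
        if (!$this->isGranted(new AuthorizationAttribute('content', 'edit'))) {
            throw new AccessDeniedException('No content/edit policy for the current user.');
        }

        $repository = $this->getRepository();

        // Loading itself is subject to the repository's own read checks; an
        // unknown ID surfaces as the API's NotFoundException (404 in Symfony).
        $contentInfo = $repository->getContentService()->loadContentInfo((int) $contentId);

        // Layer 2: fine-grained check against this object. A user may hold
        // content/edit limited by section, owner or subtree, so the generic
        // hasAccess() answer is not enough to authorize this particular edit.
        if (!$repository->canUser('content', 'edit', $contentInfo)) {
            throw new AccessDeniedException(
                sprintf('Current user may not edit content %d.', $contentInfo->id)
            );
        }

        // ... actual edit logic goes here ...

        return new Response(sprintf('Editing "%s"', $contentInfo->name));
    }

    /**
     * Example of the coarse check alone, for a listing page that only needs to
     * know whether the "content/read" policy exists. Returns a plain boolean so
     * templates can hide links instead of throwing.
     */
    public function canReadContent()
    {
        return $this->getRepository()->hasAccess('content', 'read') !== false;
    }
}
```

On the redirect question: when the controller sits behind a firewall that has a login entry point, Symfony's exception listener turns an AccessDeniedException raised for an anonymous user into a redirect to that entry point, while an already authenticated user gets a 403. The eZ-side canUser() check therefore reuses the same redirect behaviour as the voter, as long as both throw AccessDeniedException rather than returning an error page directly. Note that hasAccess() may return an array of limitations instead of true, which is why the example compares against false rather than testing truthiness alone.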

Thursday 09 May 2013 11:41:00 am

Hi Romain

Quote from Romain Petit :

About that issue I have with the "Provider->loadUserByUsername" that only accepts integers, for me it looks like an issue on the Ez\Publish side, can you tell me what do you think about this ?

This is due to how API works. Loading a user is done by its ID. This might change a bit in the future, but there is nothing wrong with it as far as eZ Publish is concerned.

Regarding Bruno's approach, he's definitely right. You really should use the way he suggests as it's correctly wrapped by Symfony and uses the Voter system. And anyway, the methods you're using are used in the backend, so it's perfectly safe and doesn't prevent use sudo().

Thursday 06 June 2013 3:18:01 pm

Quote from Jérôme Vieilledent :

Hi Romain !

I can only encourage what you are doing. However, be aware that for login, using the legacy module is the only official way to do. We should work on a new real controller soon (for 5.2). In the meantime, relying on legacy user/login is perfectly safe.

Hi Jérôme,

So I understand correctly, that it is not possible yet (eZ 5.1) to "switch" the currently logged in anonymous user to another user?

Let's say I have this sweet user instance type of \eZ\Publish\API\Repository\Values\User\User within my controller and want to have this user instance as my currently logged in user. It's not possible as the security context for Symfony is only settable via legacy module user/login?

Thanks in advance

Thursday 06 June 2013 3:37:54 pm

Hi Ryad

You actually can switch your user, at least from a Repository point of view...

Thursday 06 June 2013 3:42:27 pm

Quote from Jérôme Vieilledent :

Hi Ryad

You actually can switch your user, at least from a Repository point of view...

You mean the user context for the API repository? Like this: $container->get('ezpublish.api.repository')->setCurrentUser($user);

Yes, I need a logic like this, to actually fetch my \eZ\Publish\API\Repository\Values\User\User instance via $searchService->findContent(). But I didn't find a way to use the retrieved user object as the currently logged in user session.

Maybe I missed something?

PS: Thanks for the really, really quick reaction!

Thursday 06 June 2013 4:36:47 pm

Hi,

I think we all have the same problem (see my post here : http://share.ez.no/forums/ez-publish-5-platform/how-to-log-a-user-in-a-controller). 

I did not manage to log in a user in a controller. I also tried an old module from eZ 4, and this does not work anymore. It seems the "Symfony session" is not used.

I think I will have to force the user to login manually, or maybe I can generate an ajax request to simulate a post to /user/login. That is dirty... but I spent days on it, and still no solution.

Thursday 06 June 2013 4:40:22 pm

Hi Ryad,

I suggest you to rely on an eZ Publish legacy module. This feature is not part of the new API right now.

But the solution is to use the 'eZUserLoggedInID' session variable, that is the only link between eZ & Symfony sessions. (Remember all this may change very soon)

Edit:

I forgot the cookie. Please have a look at: eZ\Publish\Core\MVC\Legacy\Security\Firewall\LegacyListener 

Romain.

PS: Forgot to thank you Jérôme for your previous answer, it has been useful.

Modified on Friday 07 June 2013 5:14:19 am by Romain Petit

Friday 07 June 2013 8:30:44 am

Good morning,

I really need to thank you for this workaround Romain (see http://share.ez.no/forums/ez-publish-5-platform/how-to-log-a-user-in-a-controller#comment80504). It is absolutely helpful, although it obviously does not create a Symfony security context.

Hopefully there will be a more "Symfony like" way of logging in an eZ user in the next release.

Have a nice day sir!

Modified on Friday 07 June 2013 8:32:11 am by Ryad-Marcel El-Dajani

Friday 07 June 2013 9:21:44 am

Good morning Ryad,

The Symfony part is handled by the "LegacyListener" class during the next page load (see my previous post), and the injected symfony role is: ROLE_USER.

So you have to rely only on the eZ API for access checking, as explained by Jérôme.

Have a nice day,

Romain.
