I've been going through lots of official docs, code and articles to work out the best way to do this, but would like some advice.
I will have a local DB users table connected via Doctrine. When a user logs in with username + password, I must authenticate them via an API (it implements an ACL). If successful, I should create them in the local DB (or update them if an existing user is logging in).
I need a User Entity in order to hold the user details once authenticated and persist them to the DB. I need a User Provider which will take the entered details, make a call to the API and return the result of the authentication request. Do I also need a User class to represent a user as returned by the API, from which I would then get the data and set it into the User Entity?
As always, typing this out I think has helped, but I would appreciate it if anyone could confirm or advise otherwise.
Still a bit stuck here;
I'm not sure where the actual auth call to the API should be. Of course there is a loadByUsername() function in my UserProvider class, but this is only to load the user, not authenticate using the password.
The auth must be done at the API level: the API does not return a password for me to compare; I pass it a password, it does the check, then returns the result of the check to me.
How should I implement this?
Hi. It's seamless. All you need to do is implement UserInterface. There you will return your field that acts as username and password, above other fields (check provided links at the bottom).
Then, at your security.yml, there's a section like this (only to illustrate the example):
Looks like I changed password_parameter to "senha", my field that holds the password. The key here is the config of security.yml. You create a void routing rule named /login_check; this is where the magic happens. The security layer intercepts your call to the login_check route (this is the URL that your login_form will post to) and, using your entity (in my case EnovaEntitiesBundle:Entidades), will do the password check for you. Don't forget to maintain one firewall for all configuration of security.yml.
On Friday, 24 February 2012 09:21:53 UTC-2, Chris Sedlmayr wrote:
> Still a bit stuck here;
> I'm not sure where the actual auth call to the API should be. Of course there is a loadByUsername() function in my UserProvider class, but this is only to load the user, not authenticate using the password.
> The auth must be done at the API level: the API does not return a password for me to compare; I pass it a password, it does the check, then returns the result of the check to me.
> How should I implement this?
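Chris's question above (the API verifies the password and returns only a verdict, so loadUserByUsername() cannot do the check) is answered in Symfony 2.1 by delegating the check to a custom authentication provider rather than to the user provider. This is an added example, not code from the thread or from either poster; the Symfony class names are real, while ApiClientInterface, the Acme\UserBundle namespace, the AcmeUserBundle:User entity and its setUsername()/setRoles() setters are assumptions.

```php
<?php
namespace Acme\UserBundle\Security;   // bundle namespace is an assumption

use Acme\UserBundle\Entity\User;       // assumed local Doctrine entity implementing UserInterface
use Doctrine\ORM\EntityManager;
use Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

// Assumed contract for the remote ACL API: it never returns a password or a
// hash, only a verdict plus the roles it grants (null means "rejected").
interface ApiClientInterface
{
    /** @return array|null  e.g. array('roles' => array('ROLE_USER')) */
    public function authenticate($username, $password);
}

// Used on the firewall in place of DaoAuthenticationProvider: the submitted
// password is verified remotely instead of against a locally stored hash.
class ApiAuthenticationProvider extends UserAuthenticationProvider
{
    private $api;
    private $em;

    public function __construct(ApiClientInterface $api, EntityManager $em,
                                UserCheckerInterface $userChecker, $providerKey)
    {
        parent::__construct($userChecker, $providerKey, true);
        $this->api = $api;
        $this->em = $em;
    }

    // First step of UserAuthenticationProvider::authenticate(). Unlike
    // loadUserByUsername(), this receives the token, which still carries the
    // submitted password, so the remote check happens here and no local row
    // is written unless the API accepts the credentials.
    protected function retrieveUser($username, UsernamePasswordToken $token)
    {
        // The plain password is only forwarded; it is never persisted locally.
        $result = $this->api->authenticate($username, $token->getCredentials());
        if (null === $result) {
            // One message for "unknown user" and "wrong password" alike, so the
            // login form does not reveal which usernames the API knows.
            throw new BadCredentialsException('Bad credentials');
        }

        $user = $this->em->getRepository('AcmeUserBundle:User')
                         ->findOneBy(array('username' => $username));
        if (!$user) {                        // first login: create the local row
            $user = new User();
            $user->setUsername($username);
        }
        $user->setRoles($result['roles']);   // mirror the ACL's current roles
        $this->em->persist($user);
        $this->em->flush();

        return $user;
    }

    // Nothing to compare locally: the API already verified the password in
    // retrieveUser() and the entity stores no hash, so this is a no-op.
    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
    }
}
```

Hooking this provider into a firewall in 2.1 takes a SecurityFactoryInterface registered from the bundle's build() method, as the cookbook chapter on custom authentication providers shows. The firewall's user provider can stay the built-in `entity` one pointed at the local table, because all loadUserByUsername() has to do here is serve refreshUser() on later requests and remember-me logins.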
Yeah, it's all much clearer now, spent some time with Johannes to
understand some of the internals of the security component.
It really helps to understand the actual code under the hood, rather than
just what you should do to make something work.
We are doing a little more than described here, am trying to find time to
document it, but this should do for most people for now.
Thanks,
Chris
On 23 August 2012 21:33, marcoiai <marco.a.si...@gmail.com> wrote:
> Looks like I changed password_parameter to "senha", my field that holds the password. The key here is the config of security.yml. You create a void routing rule named /login_check; this is where the magic happens. The security layer intercepts your call to the login_check route (this is the URL that your login_form will post to) and, using your entity (in my case EnovaEntitiesBundle:Entidades), will do the password check for you. Don't forget to maintain one firewall for all configuration of security.yml.
> On Friday, 24 February 2012 09:21:53 UTC-2, Chris Sedlmayr wrote:
>> Still a bit stuck here;
>> I'm not sure where the actual auth call to the API should be. Of course there is a loadByUsername() function in my UserProvider class, but this is only to load the user, not authenticate using the password.
>> The auth must be done at the API level: the API does not return a password for me to compare; I pass it a password, it does the check, then returns the result of the check to me.
>> How should I implement this?
I have the exact same requirement as you: performing the authentication at an external API level, which does not return me a password but only whether the authentication was successful or not.
I've been going through a lot of documentation to find out how to do this until I found this thread. Would you mind giving me some pointers on how you implemented this?
On Friday, August 24, 2012 3:48:04 AM UTC-4, Chris Sedlmayr wrote:
> Hey,
> Yeah, it's all much clearer now, spent some time with Johannes to understand some of the internals of the security component.
> It really helps to understand the actual code under the hood, rather than just what you should do to make something work.
> We are doing a little more than described here, am trying to find time to document it, but this should do for most people for now.
> Thanks,
> Chris
Not at all, it's probably best if I document exactly what I've done, including code; it makes for a clearer explanation. I wrote it in 2.0, but have since upgraded it to 2.1; which are you using?
On Thursday, August 30, 2012 2:15:35 AM UTC+1, Paulo Rodrigues Pinto wrote:
> Hey Chris
> I have the exact same requirement as you: performing the authentication at an external API level, which does not return me a password but only whether the authentication was successful or not.
> I've been going through a lot of documentation to find out how to do this until I found this thread. Would you mind giving me some pointers on how you implemented this?
> Thanks,
> Paulo
Just wanted to let you know I've started writing this up. In between work and other commitments I should have it done (first draft) in a couple of days.
Will post it then and can get feedback on clarity.
On Thursday, August 30, 2012 9:27:07 PM UTC+1, Paulo Rodrigues Pinto wrote:
> Great! I'm kind of blocked on this so I very much appreciate it.
> I'm using 2.1.
> Paulo
> On Thursday, August 30, 2012 2:54:04 PM UTC-4, Chris Sedlmayr wrote:
>> Hi Paulo,
>> Not at all, it's probably best if I document exactly what I've done, including code; it makes for a clearer explanation.
>> I wrote it in 2.0, but have since upgraded it to 2.1; which are you using?
>> Chris
So to update, we are working on a complete article that I hope to add to the official docs for a wider audience. But for now you can hopefully see what you need to fill the gaps from my first draft of the entry.
On Tuesday, September 4, 2012 5:21:48 PM UTC+1, Paulo Rodrigues Pinto wrote:
> No problem Chris. I'm looking forward to giving you some feedback on that.
> Thanks for the update,
> Paulo
> On Tue, Sep 4, 2012 at 10:50 AM, Chris Sedlmayr <ch...@sedlmayr.co.uk> wrote:
>> Hey,
>> Just wanted to let you know I've started writing this up.
>> In between work and other commitments I should have it done (first draft) in a couple of days.
>> Will post it then and can get feedback on clarity.
>> Chris