[Security] Various minor fixes in XML config

HeahDude · HeahDude · commit 1145042ec09d · 2020-02-16T12:21:02.000+01:00
diff --git a/security/custom_authentication_provider.rst b/security/custom_authentication_provider.rst
@@ -172,7 +172,7 @@ the value returned for the expected WSSE information, creates a token using
 that information, and passes the token on to the authentication manager. If
 the proper information is not provided, or the authentication manager throws
 an :class:`Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException`,
-a 403 Response is returned.
+a 401 Response is returned.
 
 .. note::
 
@@ -188,7 +188,7 @@ a 403 Response is returned.
 
     Returning prematurely from the listener is relevant only if you want to chain
     authentication providers (for example to allow anonymous users). If you want
-    to forbid access to anonymous users and have a nice 403 error, you should set
+    to forbid access to anonymous users and have a 404 error, you should set
     the status code of the response before returning.
 
 The Authentication Provider
diff --git a/security/entity_provider.rst b/security/entity_provider.rst
@@ -246,9 +246,9 @@ the username and then check the password (more on passwords in a moment):
                 <!-- ... -->
 
                 <provider name="our_db_provider">
-                    <!-- if you're using multiple entity managers, add:
-                         manager-name="customer" -->
                     <entity class="AppBundle:User" property="username"/>
+                    <!-- if you're using multiple entity managers -->
+                    <entity class="AppBundle:User" property="username" manager-name="customer"/>
                 </provider>
 
                 <firewall name="main" pattern="^/" provider="our_db_provider">
diff --git a/security/force_https.rst b/security/force_https.rst
@@ -33,7 +33,7 @@ to use HTTPS then you could use the following configuration:
                 <config>
                     <!-- ... -->
 
-                    <rule path="^/secure" role="ROLE_ADMIN" requires_channel="https"/>
+                    <rule path="^/secure" role="ROLE_ADMIN" requires-channel="https"/>
                 </config>
             </srv:container>
 
@@ -83,7 +83,7 @@ role:
 
                 <rule path="^/login"
                     role="IS_AUTHENTICATED_ANONYMOUSLY"
-                    requires_channel="https"
+                    requires-channel="https"
                 />
             </config>
         </srv:container>
diff --git a/security/guard_authentication.rst b/security/guard_authentication.rst
@@ -116,7 +116,7 @@ Next, make sure you've configured a "user provider" for the user:
                 <!-- ... -->
 
                 <provider name="your_db_provider">
-                    <entity class="AppBundle:User"/>
+                    <entity class="AppBundle:User" property="apiKey"/>
                 </provider>
 
                 <!-- ... -->
@@ -133,6 +133,7 @@ Next, make sure you've configured a "user provider" for the user:
                 'your_db_provider' => [
                     'entity' => [
                         'class' => 'AppBundle:User',
+                        'property' => 'apiKey',
                     ],
                 ],
             ],
@@ -187,21 +188,18 @@ This requires you to implement several methods::
          */
         public function getCredentials(Request $request)
         {
-            return [
-                'token' => $request->headers->get('X-AUTH-TOKEN'),
-            ];
+            return $request->headers->get('X-AUTH-TOKEN');
         }
 
         public function getUser($credentials, UserProviderInterface $userProvider)
         {
-            $apiKey = $credentials['token'];
-
-            if (null === $apiKey) {
+            if (null === $credentials) {
+                // The token header was empty, authentication fails with 401
                 return;
             }
 
-            // if a User object, checkCredentials() is called
-            return $userProvider->loadUserByUsername($apiKey);
+            // if a User is returned, checkCredentials() is called
+            return $userProvider->loadUserByUsername($credentials);
         }
 
         public function checkCredentials($credentials, UserInterface $user)
@@ -222,13 +220,14 @@ This requires you to implement several methods::
         public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
         {
             $data = [
+                // you may ant to customize or obfuscate the message first
                 'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
 
                 // or to translate this message
                 // $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
             ];
 
-            return new JsonResponse($data, Response::HTTP_FORBIDDEN);
+            return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
         }
 
         /**
@@ -303,11 +302,11 @@ Finally, configure your ``firewalls`` key in ``security.yml`` to use this authen
             <config>
                 <!-- ... -->
 
-                <firewall name="main"
-                    pattern="^/"
-                    anonymous="true"
-                >
-                    <logoutOjso/>
+                <!-- if you want, disable storing the user in the session
+                    add 'stateless="true"' to the firewall -->
+                <firewall name="main" pattern="^/">
+                    <anonymous/>
+                    <logout/>
 
                     <guard>
                         <authenticator>AppBundle\Security\TokenAuthenticator</authenticator>
@@ -336,6 +335,8 @@ Finally, configure your ``firewalls`` key in ``security.yml`` to use this authen
                             TokenAuthenticator::class,
                         ],
                     ],
+                    // if you want, disable storing the user in the session
+                    // 'stateless' => true,
                     // ...
                 ],
             ],
diff --git a/security/json_login_setup.rst b/security/json_login_setup.rst
@@ -184,8 +184,8 @@ The security configuration should be:
                 <firewall name="main">
                     <anonymous/>
                     <json-login check-path="login"
-                                username-path="security.credentials.login"
-                                password-path="security.credentials.password"/>
+                        username-path="security.credentials.login"
+                        password-path="security.credentials.password"/>
                 </firewall>
             </config>
         </srv:container>
diff --git a/security/ldap.rst b/security/ldap.rst
@@ -152,20 +152,19 @@ use the ``ldap`` user provider.
 
             <config>
                 <provider name="my_ldap">
-                    <ldap
-                            service="Symfony\Component\Ldap\Ldap"
-                            base-dn="dc=example,dc=com"
-                            search-dn="cn=read-only-admin,dc=example,dc=com"
-                            search-password="password"
-                            default-roles="ROLE_USER"
-                            uid-key="uid"
-                    />
+                    <ldap service="Symfony\Component\Ldap\Ldap"
+                        base-dn="dc=example,dc=com"
+                        search-dn="cn=read-only-admin,dc=example,dc=com"
+                        search-password="password"
+                        default-roles="ROLE_USER"
+                        uid-key="uid"/>
                 </provider>
             </config>
         </srv:container>
 
     .. code-block:: php
 
+        // app/config/security.php
         use Symfony\Component\Ldap\Ldap;
 
         $container->loadFromExtension('security', [
@@ -358,15 +357,15 @@ Configuration example for form login
 
             <config>
                 <firewall name="main">
-                    <form-login-ldap
-                            service="Symfony\Component\Ldap\Ldap"
-                            dn-string="uid={username},dc=example,dc=com"/>
+                    <form-login-ldap service="Symfony\Component\Ldap\Ldap"
+                        dn-string="uid={username},dc=example,dc=com"/>
                 </firewall>
             </config>
         </srv:container>
 
     .. code-block:: php
 
+        // app/config/security.php
         use Symfony\Component\Ldap\Ldap;
 
         $container->loadFromExtension('security', [
@@ -394,9 +393,8 @@ Configuration example for HTTP Basic
 
             firewalls:
                 main:
-                    # ...
+                    stateless: true
                     http_basic_ldap:
-                        # ...
                         service: Symfony\Component\Ldap\Ldap
                         dn_string: 'uid={username},dc=example,dc=com'
 
@@ -411,23 +409,28 @@ Configuration example for HTTP Basic
                 https://symfony.com/schema/dic/services/services-1.0.xsd">
 
             <config>
+                <!-- ... -->
+
                 <firewall name="main" stateless="true">
-                    <http-basic-ldap service="Symfony\Component\Ldap\Ldap" dn-string="uid={username},dc=example,dc=com"/>
+                    <http-basic-ldap service="Symfony\Component\Ldap\Ldap"
+                        dn-string="uid={username},dc=example,dc=com"/>
                 </firewall>
             </config>
         </srv:container>
 
     .. code-block:: php
 
+        // app/config/security.php
         use Symfony\Component\Ldap\Ldap;
 
         $container->loadFromExtension('security', [
+            // ...
+
             'firewalls' => [
                 'main' => [
                     'http_basic_ldap' => [
                         'service' => Ldap::class,
                         'dn_string' => 'uid={username},dc=example,dc=com',
-                        // ...
                     ],
                     'stateless' => true,
                 ],
@@ -449,7 +452,6 @@ Configuration example for form login and query_string
                 main:
                     # ...
                     form_login_ldap:
-                        # ...
                         service: Symfony\Component\Ldap\Ldap
                         dn_string: 'dc=example,dc=com'
                         query_string: '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))'
@@ -466,10 +468,10 @@ Configuration example for form login and query_string
 
             <config>
                 <firewall name="main">
-                    <form-login-ldap
-                            service="Symfony\Component\Ldap\Ldap"
-                            dn-string="dc=example,dc=com"
-                            query-string="(&amp;(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))"/>
+                    <!-- ... -->
+                    <form-login-ldap service="Symfony\Component\Ldap\Ldap"
+                        dn-string="dc=example,dc=com"
+                        query-string="(&amp;(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))"/>
                 </firewall>
             </config>
         </srv:container>
@@ -482,11 +484,11 @@ Configuration example for form login and query_string
         $container->loadFromExtension('security', [
             'firewalls' => [
                 'main' => [
+                    // ...
                     'form_login_ldap' => [
                         'service' => Ldap::class,
                         'dn_string' => 'dc=example,dc=com',
                         'query_string' => '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))',
-                        // ...
                     ],
                 ],
             ]
diff --git a/security/multiple_guard_authenticators.rst b/security/multiple_guard_authenticators.rst
@@ -68,7 +68,7 @@ This is how your security configuration can look in action:
                 'default' => [
                     'anonymous' => null,
                     'guard' => [
-                        'entry_point' => '',
+                        'entry_point' => LoginFormAuthenticator::class,
                         'authenticators' => [
                             LoginFormAuthenticator::class,
                             FacebookConnectAuthenticator::class,
diff --git a/security/multiple_user_providers.rst b/security/multiple_user_providers.rst
@@ -149,7 +149,6 @@ the first provider is always used:
                     'pattern' => '^/',
                     'provider' => 'user_db',
                     'http_basic' => [
-                        // ...
                         'realm' => 'Secured Demo Area',
                         'provider' => 'in_memory',
                     ],
diff --git a/security/remember_me.rst b/security/remember_me.rst
@@ -348,7 +348,7 @@ service you just created:
                     <!-- ... -->
 
                     <remember-me
-                        token_provider="Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider"
+                        token-provider="Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider"
                         />
                 </firewall>
             </config>
@@ -357,6 +357,8 @@ service you just created:
     .. code-block:: php
 
         // app/config/security.php
+        use Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider;
+
         $container->loadFromExtension('security', [
             // ...
 
@@ -365,7 +367,7 @@ service you just created:
                     // ...
                     'remember_me' => [
                         // ...
-                        'token_provider' => 'Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider',
+                        'token_provider' => DoctrineTokenProvider::class,
                     ],
                 ],
             ],
diff --git a/security/user_checkers.rst b/security/user_checkers.rst
@@ -89,8 +89,9 @@ is the service id of your user checker:
 
             <config>
                 <!-- ... -->
-                <firewall name="main" pattern="^/">
-                    <user-checker>AppBundle\Security\UserChecker</user-checker>
+                <firewall name="main"
+                        pattern="^/"
+                        user-checker="AppBundle\Security\UserChecker">
                     <!-- ... -->
                 </firewall>
             </config>
@@ -100,10 +101,10 @@ is the service id of your user checker:
 
         // app/config/security.php
 
-        // ...
         use AppBundle\Security\UserChecker;
 
         $container->loadFromExtension('security', [
+            // ...
             'firewalls' => [
                 'main' => [
                     'pattern' => '^/',
