Commit f4249f3

improve caution about impersonation not compatible with pre authenticated firewalls
1 parent f9edfd5 commit f4249f3

2 files changed

+19
-8
lines changed

cookbook/security/impersonating_user.rst

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,17 @@ How to Impersonate a User
66

77
Sometimes, it's useful to be able to switch from one user to another without
88
having to log out and log in again (for instance when you are debugging or trying
9-
to understand a bug a user sees that you can't reproduce). This can be easily
10-
done by activating the ``switch_user`` firewall listener:
9+
to understand a bug a user sees that you can't reproduce).
10+
11+
.. caution::
12+
13+
User impersonation is not compatible with
14+
:doc:`pre Authenticated firewalls</cookbook/security/pre_authenticated>`. The
15+
reason is that impersonation requires the authentication state to be maintained
16+
server-side but pre Authenticated information (``SSL_CLIENT_S_DN_Email``,
17+
``REMOTE_USER`` or other) is sent in each request.
18+
19+
This can be easily done by activating the ``switch_user`` firewall listener:
1120

1221
.. configuration-block::
1322
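Review bot: The sentence "This can be easily done by activating the ``switch_user`` firewall listener:" now sits directly after the caution block, so "This" has lost its antecedent and reads as if it referred to the incompatibility just described. Start the sentence with its subject instead, for example "Impersonation can be easily done by activating the ``switch_user`` firewall listener:", or move the caution below the configuration block. Two smaller points in the added caution: "pre Authenticated" is capitalised mid-phrase, and the ``:doc:`` role has no space before ``<``, unlike the same role in pre_authenticated.rst.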

cookbook/security/pre_authenticated.rst

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,14 @@ box, Symfony supports most authentication mechanisms.
1111
These requests are called *pre authenticated* requests because the user is already
1212
authenticated when reaching your application.
1313

14+
.. caution::
15+
16+
:doc:`User impersonation </cookbook/security/impersonating_user>` is not
17+
compatible with pre Authenticated firewalls. The reason is that
18+
impersonation requires the authentication state to be maintained server-side
19+
but pre Authenticated information (``SSL_CLIENT_S_DN_Email``, ``REMOTE_USER``
20+
or other) is sent in each request.
21+
1422
X.509 Client Certificate Authentication
1523
---------------------------------------
1624
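Review bot: In the added caution, "pre Authenticated" is written with a capital A while the context line just above it uses *pre authenticated*; pick one spelling and use it in both files. The trailing "or other" inside the parenthesis is vague, and wording such as "or a similar value" would read better. The same paragraph is now duplicated almost word for word in impersonating_user.rst, so consider keeping the full explanation in one file and a one-line pointer in the other so that the two copies cannot drift apart.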

@@ -152,9 +160,3 @@ key in the ``remote_user`` firewall configuration.
152160
See :ref:`the previous note <cookbook-security-pre-authenticated-user-provider-note>`
153161
for more information.
154162

155-
.. caution::
156-
157-
:doc:`User impersonation </cookbook/security/impersonating_user>` is not
158-
compatible with ``REMOTE_USER`` based authentication. The reason is that
159-
impersonation requires the authentication state to be maintained server-side
160-
but ``REMOTE_USER`` information is sent by the browser in each request.
