From 6c9a204ebe15374ecf00bf7ef4d68d6a55f9771a Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Fri, 6 Jun 2014 14:59:18 +0200 Subject: [PATCH 1/5] [Cookbook][Security] x509 doc for pre authenticated listeners --- cookbook/security/index.rst | 1 + cookbook/security/pre_authenticated.rst | 73 +++++++++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 cookbook/security/pre_authenticated.rst diff --git a/cookbook/security/index.rst b/cookbook/security/index.rst index 9abede5ed68..a0175648843 100644 --- a/cookbook/security/index.rst +++ b/cookbook/security/index.rst @@ -16,5 +16,6 @@ Security securing_services custom_provider custom_authentication_provider + pre_authenticated target_path csrf_in_login_form diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst new file mode 100644 index 00000000000..f88ba593058 --- /dev/null +++ b/cookbook/security/pre_authenticated.rst 
@@ -0,0 +1,73 @@ +.. index:: + single: Security; Pre authenticated providers + +Using pre authenticated security firewalls +========================================== + +A lot of authentication modules are already provided by some webservers, +including Apache. These modules generally set some environment variables +that can be used to know which user is accessing your application. Out of the +box, Symfony supports most authentication mecanisms. +These are called *pre authenticated* requests because the user is already +authenticated when reaching your application. + +.. note:: + + An authentication provider will only inform the user provider of the username + that made the request. You will need to either use an available + :class:`Symfony\\Component\\Security\\Core\\User\\UserProviderInterface` + or implement your own: + + * :doc:`/cookbook/security/entity_provider` + * :doc:`/cookbook/security/custom_provider` + +X.509 Client certificate authentication +--------------------------------------- + +When using client certificate, your webserver is doing all the authentication +process itself. For Apache, on your VirtualHost, you may use the +``SSLVerifyClient Require`` directive. + +On your Symfony2 application security configuration, you can enable the x509 +authentication firewall: + +.. configuration-block:: + + .. code-block:: yaml + + # app/config/security.yml + security: + firewalls: + secured_area: + pattern: ^/ + x509: + provider: your_user_provider + + .. code-block:: xml + + + + + + + + + .. 
code-block:: php + + // app/config/security.php + $container->loadFromExtension('security', array( + 'firewalls' => array( + 'secured_area' => array( + 'pattern' => '^/' + 'x509' => array( + 'provider' => 'your_user_provider', + ), + ), + ), + )); + +By default, the firewall will provide the ``SSL_CLIENT_S_DN_Email`` variable to +your user provider, and set the ``SSL_CLIENT_S_DN`` as credentials in the +:class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\PreAuthenticatedToken`. +You can override these by setting respectively the ``user`` and the ``credentials`` keys +in the x509 firewall configuration. From f5a6d5843063c15d7cf28c6b8a2e2ec7b1a83d68 Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Fri, 6 Jun 2014 17:21:55 +0200 Subject: [PATCH 2/5] Added pre_authenticated to map.rst --- cookbook/map.rst.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbook/map.rst.inc b/cookbook/map.rst.inc index 9eb4b0ab330..2d3e3101914 100644 --- a/cookbook/map.rst.inc +++ b/cookbook/map.rst.inc @@ -138,6 +138,7 @@ * :doc:`/cookbook/security/securing_services` * :doc:`/cookbook/security/custom_provider` * :doc:`/cookbook/security/custom_authentication_provider` + * :doc:`/cookbook/security/pre_authenticated` * :doc:`/cookbook/security/target_path` * :doc:`/cookbook/security/csrf_in_login_form` From 83c40e9049bf047229562de47dcd20cfc5f79fba Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Fri, 6 Jun 2014 17:27:45 +0200 Subject: [PATCH 3/5] Corrected pre_authenticated cookbook entry --- cookbook/security/pre_authenticated.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index f88ba593058..07c50cd5797 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst 
@@ -1,14 +1,14 @@ .. index:: single: Security; Pre authenticated providers -Using pre authenticated security firewalls +Using pre Authenticated Security Firewalls ========================================== A lot of authentication modules are already provided by some webservers, including Apache. These modules generally set some environment variables -that can be used to know which user is accessing your application. Out of the -box, Symfony supports most authentication mecanisms. -These are called *pre authenticated* requests because the user is already +that can be used to determine which user is accessing your application. Out of the +box, Symfony supports most authentication mechanisms. +These requests are called *pre authenticated* requests because the user is already authenticated when reaching your application. .. note:: From 01d18fe18497899b2ec4cd101efdc79eb4b90b52 Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Fri, 6 Jun 2014 17:37:57 +0200 Subject: [PATCH 4/5] fixing last issues in pre_authenticated cookbook entry --- cookbook/security/pre_authenticated.rst | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 07c50cd5797..5f0ae01e195 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst 
@@ -21,15 +21,14 @@ authenticated when reaching your application. * :doc:`/cookbook/security/entity_provider` * :doc:`/cookbook/security/custom_provider` -X.509 Client certificate authentication +X.509 Client Certificate Authentication --------------------------------------- -When using client certificate, your webserver is doing all the authentication -process itself. For Apache, on your VirtualHost, you may use the +When using client certificates, your webserver is doing all the authentication +process itself. With Apache, for example, you would use the ``SSLVerifyClient Require`` directive. -On your Symfony2 application security configuration, you can enable the x509 -authentication firewall: +Enable the x509 authentication for a particular firewall in the security configuration: .. configuration-block:: @@ -66,8 +65,8 @@ authentication firewall: ), )); -By default, the firewall will provide the ``SSL_CLIENT_S_DN_Email`` variable to -your user provider, and set the ``SSL_CLIENT_S_DN`` as credentials in the +By default, the firewall provides the ``SSL_CLIENT_S_DN_Email`` variable to +the user provider, and sets the ``SSL_CLIENT_S_DN`` as credentials in the :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\PreAuthenticatedToken`. -You can override these by setting respectively the ``user`` and the ``credentials`` keys -in the x509 firewall configuration. +You can override these by setting the ``user`` and the ``credentials`` keys +in the x509 firewall configuration respectively. From 57cc9577e3f8dbd7c66e45d5cdb14588c4e89bc7 Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Sun, 8 Jun 2014 13:45:37 +0200 Subject: [PATCH 5/5] full xml config, pushed the note at the end of the entry --- cookbook/security/pre_authenticated.rst | 40 ++++++++++++++----------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 5f0ae01e195..1bc74d7511b 100644 
--- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -4,23 +4,13 @@ Using pre Authenticated Security Firewalls ========================================== -A lot of authentication modules are already provided by some webservers, +A lot of authentication modules are already provided by some web servers, including Apache. These modules generally set some environment variables -that can be used to determine which user is accessing your application. Out of the +that can be used to determine which user is accessing your application. Out of the box, Symfony supports most authentication mechanisms. These requests are called *pre authenticated* requests because the user is already authenticated when reaching your application. -.. note:: - - An authentication provider will only inform the user provider of the username - that made the request. You will need to either use an available - :class:`Symfony\\Component\\Security\\Core\\User\\UserProviderInterface` - or implement your own: - - * :doc:`/cookbook/security/entity_provider` - * :doc:`/cookbook/security/custom_provider` - X.509 Client Certificate Authentication --------------------------------------- @@ -44,12 +34,17 @@ Enable the x509 authentication for a particular firewall in the security configu .. code-block:: xml + - - - - - + + + + + + + + .. code-block:: php 
@@ -66,7 +61,16 @@ Enable the x509 authentication for a particular firewall in the security configu )); By default, the firewall provides the ``SSL_CLIENT_S_DN_Email`` variable to -the user provider, and sets the ``SSL_CLIENT_S_DN`` as credentials in the +the user provider, and sets the ``SSL_CLIENT_S_DN`` as credentials in the :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\PreAuthenticatedToken`. You can override these by setting the ``user`` and the ``credentials`` keys in the x509 firewall configuration respectively. + +.. note:: + + An authentication provider will only inform the user provider of the username + that made the request. You will need to create (or use) a "user provider" that + turns that username into a User object of your choice: + + * :doc:`/cookbook/security/custom_provider` + * :doc:`/cookbook/security/entity_provider` \ No newline at end of file
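Review bot: In PATCH 1/5, the PHP block of the new cookbook/security/pre_authenticated.rst is not valid PHP: the array entry ``'pattern' => '^/'`` has no trailing comma before ``'x509' => array(``, so anyone who copies the example gets a parse error. Add the comma after ``'^/'``. None of the later patches in the series touch that line, so the defect survives to 5/5.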
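Review bot: In PATCH 3/5, the retitled heading "Using pre Authenticated Security Firewalls" capitalises every word except "pre", which reads as an oversight next to the section heading "X.509 Client Certificate Authentication" that 4/5 puts in title case. Suggest "Using Pre Authenticated Security Firewalls"; the underline length stays the same.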
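Review bot: In PATCH 4/5, first hunk, the reworded paragraph says the web server "is doing all the authentication process itself" and names ``SSLVerifyClient Require`` only as an example, while the second hunk says the firewall hands ``SSL_CLIENT_S_DN_Email`` to the user provider. The entry never states the consequence: the x509 firewall treats that variable as the authenticated identity, so the application is only as safe as the server configuration that sets it. Suggest one sentence after the Apache example saying the firewall relies on the web server to have verified the client certificate and that the firewall should only be enabled behind a server that enforces this.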
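Review bot: In PATCH 5/5, first hunk, the intro still claims "Out of the box, Symfony supports most authentication mechanisms", but the entry documents exactly one of them, the ``x509`` firewall. A reader cannot tell from this page which web server modules are covered. Suggest narrowing the sentence to what the entry actually describes, or listing the supported pre authenticated firewalls by name.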
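Review bot: In PATCH 5/5, last hunk, the relocated note speaks of "the username that made the request", yet the paragraph directly above it says the default value passed to the user provider is ``SSL_CLIENT_S_DN_Email``, i.e. an e-mail address taken from the certificate. Say so in the note, so readers know their user provider must look users up by that value unless they change the ``user`` key. The hunk also ends with "\ No newline at end of file"; add the trailing newline to pre_authenticated.rst.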