From f4249f3fb0855ee9ab048b33c7fe6401fffc403d Mon Sep 17 00:00:00 2001 From: Jean Pasdeloup Date: Wed, 22 Jun 2016 10:37:07 +0200 Subject: [PATCH 1/2] improve caution about impersonation not compatible with pre authenticated firewalls --- cookbook/security/impersonating_user.rst | 13 +++++++++++-- cookbook/security/pre_authenticated.rst | 14 ++++++++------ 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/cookbook/security/impersonating_user.rst b/cookbook/security/impersonating_user.rst index edd9f035383..4c1e20e59db 100644 --- a/cookbook/security/impersonating_user.rst +++ b/cookbook/security/impersonating_user.rst @@ -6,8 +6,17 @@ How to Impersonate a User Sometimes, it's useful to be able to switch from one user to another without having to log out and log in again (for instance when you are debugging or trying -to understand a bug a user sees that you can't reproduce). This can be easily -done by activating the ``switch_user`` firewall listener: +to understand a bug a user sees that you can't reproduce). + +.. caution:: + + User impersonation is not compatible with + :doc:`pre Authenticated firewalls`. The + reason is that impersonation requires the authentication state to be maintained + server-side but pre Authenticated information (``SSL_CLIENT_S_DN_Email``, + ``REMOTE_USER`` or other) is sent in each request. + +This can be easily done by activating the ``switch_user`` firewall listener: .. configuration-block:: diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 2d8e6202528..35875ac2da0 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst 
@@ -11,6 +11,14 @@ box, Symfony supports most authentication mechanisms. These requests are called *pre authenticated* requests because the user is already authenticated when reaching your application. +.. caution:: + + :doc:`User impersonation ` is not + compatible with pre Authenticated firewalls. The reason is that + impersonation requires the authentication state to be maintained server-side + but pre Authenticated information (``SSL_CLIENT_S_DN_Email``, ``REMOTE_USER`` + or other) is sent in each request. + X.509 Client Certificate Authentication --------------------------------------- @@ -152,9 +160,3 @@ key in the ``remote_user`` firewall configuration. See :ref:`the previous note ` for more information. -.. caution:: - - :doc:`User impersonation ` is not - compatible with ``REMOTE_USER`` based authentication. The reason is that - impersonation requires the authentication state to be maintained server-side - but ``REMOTE_USER`` information is sent by the browser in each request. From b5354e5868eb6f0c3e654b4257cd24c49bcd6e8a Mon Sep 17 00:00:00 2001 From: Jean Pasdeloup Date: Wed, 22 Jun 2016 11:26:19 +0200 Subject: [PATCH 2/2] fix pre Authenticated -> pre-authenticated --- cookbook/security/impersonating_user.rst | 2 +- cookbook/security/pre_authenticated.rst | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cookbook/security/impersonating_user.rst b/cookbook/security/impersonating_user.rst index 4c1e20e59db..23706b9bfef 100644 --- a/cookbook/security/impersonating_user.rst +++ b/cookbook/security/impersonating_user.rst 
@@ -13,7 +13,7 @@ to understand a bug a user sees that you can't reproduce). User impersonation is not compatible with :doc:`pre Authenticated firewalls`. The reason is that impersonation requires the authentication state to be maintained - server-side but pre Authenticated information (``SSL_CLIENT_S_DN_Email``, + server-side but pre-authenticated information (``SSL_CLIENT_S_DN_Email``, ``REMOTE_USER`` or other) is sent in each request. This can be easily done by activating the ``switch_user`` firewall listener: diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 35875ac2da0..032c55a55c8 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -14,9 +14,9 @@ authenticated when reaching your application. .. caution:: :doc:`User impersonation ` is not - compatible with pre Authenticated firewalls. The reason is that + compatible with pre-authenticated firewalls. The reason is that impersonation requires the authentication state to be maintained server-side - but pre Authenticated information (``SSL_CLIENT_S_DN_Email``, ``REMOTE_USER`` + but pre-authenticated information (``SSL_CLIENT_S_DN_Email``, ``REMOTE_USER`` or other) is sent in each request. X.509 Client Certificate Authentication
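Review bot: in the caution added to ``impersonating_user.rst`` (first hunk of PATCH 1/2), the ``:doc:`` role carries only link text and no document target (``:doc:`pre Authenticated firewalls```), so Sphinx will try to resolve a document literally named "pre Authenticated firewalls" and emit an unresolved-reference warning; use the explicit form ``:doc:`pre-authenticated firewalls </cookbook/security/pre_authenticated>```, matching the file path this patch touches. The stated reason could also be made precise: the pre-authenticated listener rebuilds the token from the request attribute (``SSL_CLIENT_S_DN_Email``, ``REMOTE_USER``) on every request, so the token that ``switch_user`` stores in the session is replaced on the next request, which is why the impersonation cannot persist.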
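Review bot: the caution inserted at the top of ``pre_authenticated.rst`` (second hunk of PATCH 1/2) has the same empty ``:doc:`` target problem (``:doc:`User impersonation ```) and is a near-verbatim copy of the text in ``impersonating_user.rst``; keep the full explanation in one place and make the other a one-line pointer, so the two do not drift apart. The hunk at ``@@ -152,9 +160,3 @@`` drops the ``REMOTE_USER``-specific caution that sat right next to the ``remote_user`` firewall configuration; since that old note was also the only place that said the value is supplied on every request by the web server rather than chosen by the application, consider leaving a short cross-reference there so a reader who jumps straight to that section still sees it.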
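Review bot: PATCH 2/2 is a typo fix-up for text introduced by PATCH 1/2 in the same series and should be squashed into it rather than land as a separate commit. The rename is also incomplete: the two hunks change ``pre Authenticated information`` to ``pre-authenticated information`` but leave the link text ``:doc:`pre Authenticated firewalls``` in ``impersonating_user.rst`` (visible as unchanged context in the first hunk) with the old capitalization, so the page still shows both spellings.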