On 16.11.2010, at 05:02, Johannes wrote:

>> 5) Security layer and different authentication sources: I think Thibault
>> also identified an issue when using different authentication sources, there
>> was a pull request but it was lost in yesterday's github outage.
>
> We discussed how the security context can be serialized safely in
> between requests. The main problems I recall are:
> - Avoid stale user objects:
>   * reload user object upon every request
>   * user must be reloaded from same user provider (to avoid logging in
>     a different user with possibly higher privileges)
I think this needs to be configurable. Depending on the use case there are many different strategies; after all, this is essentially a caching problem for the most part.

> - Different user providers per firewall:
>   * can the security context be shared, or do we need a separate
>     security context for each firewall?
>
> Config for exemplification: http://www.pastie.org/1297513

IIRC there was also the question of how to handle the fact that someone might need to be logged into multiple different systems at the same time. In other cases logging into a higher-privilege system might make the lower-privilege login superfluous.

tricky stuff ..

regards,
Lukas Kahwe Smith
[email protected]
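The per-request reload that Johannes describes above, written out as an added illustration (this is not Symfony code and not the configuration from the pastie link); the `UserProvider` interface, the token layout and the sample users are hypothetical:

```php
<?php
// Added illustration, not Symfony code: the session stores only the username
// and the id of the provider that authenticated it; the user object (and its
// roles) is reloaded from that same provider on every request.

interface UserProvider {            // hypothetical minimal provider contract
    public function id(): string;
    public function loadByUsername(string $name): ?array;  // ['roles' => [...]]
}

final class InMemoryProvider implements UserProvider {
    public function __construct(private string $id, private array $users) {}
    public function id(): string { return $this->id; }
    public function loadByUsername(string $name): ?array {
        return $this->users[$name] ?? null;
    }
}

// Serialized form: no roles, no user object, so nothing in it can go stale.
function serializeToken(string $username, UserProvider $provider): string {
    return json_encode(['user' => $username, 'provider' => $provider->id()]);
}

// Per-request refresh. Only the recorded provider is consulted; falling back
// to another provider could resolve the same username to a different, possibly
// more privileged, account. Any failure yields null (treat as anonymous).
function refreshToken(string $serialized, array $providers): ?array {
    $data = json_decode($serialized, true);
    if (!is_array($data) || !isset($data['user'], $data['provider'])) {
        return null;                           // corrupt or tampered session
    }
    $provider = $providers[$data['provider']] ?? null;
    if ($provider === null) {
        return null;                           // provider no longer configured
    }
    $user = $provider->loadByUsername($data['user']);
    if ($user === null) {
        return null;                           // user deleted since login
    }
    return ['user' => $data['user'], 'roles' => $user['roles']];
}

// Constructed sample: "alice" exists in two providers with different roles.
$providers = [
    'members' => new InMemoryProvider('members', ['alice' => ['roles' => ['ROLE_USER']]]),
    'staff'   => new InMemoryProvider('staff',   ['alice' => ['roles' => ['ROLE_ADMIN']]]),
];
$token = refreshToken(serializeToken('alice', $providers['members']), $providers);
echo implode(',', $token['roles']), "\n";      // roles come from 'members', never 'staff'
```

Whether the reload happens on every request or is cached for a while is the configurable part Lukas refers to; the provider binding is what must not be relaxed.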
