In fact I am directly accessing check_path. My setup includes one symfony application that acts as a backend, and several applications that act as frontends and accept client requests. The backend provides a RESTful API for communication with frontends. In some cases, a frontend app needs to log in on the backend and even maintain a session. Since redirecting the frontend request would not make much sense and would add an additional request-response cycle, I access check_path directly, providing the username and password in POST parameters, and store the session cookies returned with the response for future requests. I also added a SuccessHandler to return a 200 response instead of redirecting to the referring route. As I understand it, the listener used to do this must extend the AbstractAuthenticationListener, since it needs the success and failure handlers dealing with sessions. It is only one half of a FormAuthentication, so instead of using the UsernamePasswordFormAuthenticationListener, I could write my own Listener, but then I could not override the handle() method doing the previousSession check. So, IMHO, the previous session check is specific to the form authentication use case, and it should be in UsernamePasswordFormAuthenticationListener. This would require that AbstractAuthenticationListener::handle be non-final.
Stefan

On Jun 18, 2011, at 10:41 AM, Johannes Schmitt wrote:

> Can you explain this a bit more? This should be compatible with Ajax requests
> unless the very first request goes to the check_path. I don't see when this
> would happen though except for the cases stated in the exception message.
>
> Johannes
>
>
> On Fri, Jun 17, 2011 at 8:28 PM, Stefan Paschke <symfony.pasc...@gmail.com>
> wrote:
> Hi
>
> commit 28bee92c75ad2e02ea229f4dd064372f00a68cdb by Johannes introduced a new
> $request->hasPreviousSession() check to
> AbstractAuthenticationListener::handle(), which causes authentication
> requests to fail if no previous session is available, even if the actual
> authentication process ran through.
> I have been using the UsernamePasswordFormAuthentication without redirects
> (by directly accessing the check_path and configuring a custom
> successHandler, in order to authenticate via ajax or backend request), which
> is not possible any more. Since AbstractAuthenticationListener::handle() is
> final, there also is no easy way to change this behaviour by extending the
> Listener class. So while I think the hasPreviousSession() is useful in a
> regular setup, it should be configurable or at least extendable. What are
> your opinions on the topic?
>
> best regards
>
> Stefan
>
>
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to symfony-devs@googlegroups.com
> To unsubscribe from this group, send email to
> symfony-devs+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en
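As an added example (not Stefan's code and not part of Symfony itself), this is the shape of the success/failure handler pair the message describes: a direct POST to check_path is answered with a 200 or a 401 body instead of a redirect, so a frontend or Ajax client can simply keep the session cookie that comes back with the response. The class name, namespace and service id are assumptions; the interfaces and the `success_handler` / `failure_handler` keys under `form_login` are the ones Symfony 2.0 provides.

```php
<?php
// Added example, not from the thread or from Symfony's code base.
// Namespace, class name and the service id used in the usage note are assumed.
namespace Acme\BackendBundle\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;

/**
 * Replaces the redirect-based behaviour of form_login with plain status codes,
 * which is what a machine client talking to check_path actually wants.
 */
class ApiAuthenticationHandler implements AuthenticationSuccessHandlerInterface, AuthenticationFailureHandlerInterface
{
    public function onAuthenticationSuccess(Request $request, TokenInterface $token)
    {
        // Nothing to do for the session itself: the framework attaches the
        // session cookie to whatever Response the listener returns.
        $body = json_encode(array(
            'status'   => 'ok',
            'username' => $token->getUsername(),
        ));

        return new Response($body, 200, array('Content-Type' => 'application/json'));
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        // A fixed message instead of $exception->getMessage(): the raw message
        // can reveal which step failed (unknown user vs. wrong password).
        $body = json_encode(array(
            'status'  => 'error',
            'message' => 'Authentication failed',
        ));

        return new Response($body, 401, array('Content-Type' => 'application/json'));
    }
}
```

Register the class as a service (say `acme_backend.security.api_handler`) and point `success_handler` and `failure_handler` under the firewall's `form_login` section at that id. Note that this only changes what happens after the listener has decided: as the thread itself points out, a very first request sent straight to check_path without an existing session still fails the hasPreviousSession() check in AbstractAuthenticationListener::handle() before either handler is reached.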