Hi,

I have implemented basic support for CoSign SSO that we needed in our
sf2-based application, but there are some issues with the code I'd
like to iron out, as the code was written in a hurry a couple of months
ago (following is a description of the issues I encountered back then).

The authentication itself is handled by the web server, which sets the
REMOTE_USER environment variable iff the user is logged in, so I wrote
an implementation of
Symfony\Component\Security\Http\Firewall\ListenerInterface (for the
reasons why I have not used an AbstractPreAuthenticatedListener subclass,
see below) to check that and create/check a PreAuthenticatedToken. So
far so good.

First of all, when I wanted to use switch user functionality, I found
out it does not work with pre-authenticated tokens. The reason is that
AbstractPreAuthenticatedListener checks the token that is present in
the security context and if it does not match pre-authenticated data
then the listener replaces the token with new PreAuthenticatedToken
instance. This means the UsernamePasswordToken added by
SwitchUserListener is replaced on every request (as there is no login
page, the check is made on every request).
I solved this with a hack in the custom authentication listener:
checking if the current token was created by SwitchUserListener and
retrieving the original PreAuthenticatedToken from that. I think this
could be solved in AbstractPreAuthenticatedListener directly.
Moreover, I propose to add a new

    interface DecoratorTokenInterface extends TokenInterface
    {
        /** @return TokenInterface */
        public function getOriginalToken();
    }

(or simply add such a method to TokenInterface)
and a new class SwitchUserToken implements DecoratorTokenInterface.
(Why is the original token currently stored in a role inside of an
instance of UsernamePasswordToken?)

That way, any authentication listener can obtain the original token(s)
in a generic way if necessary.

Secondly, when the REMOTE_USER environment variable disappears (the
user has logged out of the SSO), I want to log the user out of the
application. Currently, I simply destroy the session as that was the
simplest solution, but someone might want to call logout handlers in
this case instead. One possible solution is to add a separate list of
logout handlers as a dependency to the CoSign listener (similar to what
LogoutListener has), but this requires the user to add all logout
handlers manually.
The other option is to move the functionality of calling logout
listeners to a separate service (and/or convert this to an event) and
pass information to the logout handler about the reason why it was
called (initiated by the user directly or by logging out of the SSO
system -- this is because I want to redirect the user to different URLs
depending on whether they logged out directly from the application or
from the central SSO page).

Thanks for feedback.

Regards,
Martin Sucha

P.S. In case you would like to see the code, you can find it at:
http://code.google.com/p/fmfi-anketa/source/browse/src/SVT/CosignBundle/
I'll move it to a separate repository and relicense to MIT license
once finished.
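As an added illustration of the two points raised above (not code from the CosignBundle or from Symfony itself), here is a sketch of a REMOTE_USER firewall listener that, first, compares the web server's REMOTE_USER against the *original* pre-authenticated token rather than the token currently in the security context (so the impersonation token set by SwitchUserListener is not overwritten on the next request), and second, runs an injected list of logout handlers with a logout reason when REMOTE_USER disappears. DecoratorTokenInterface is the interface proposed in the mail and is hypothetical; the `_logout_reason` request attribute and the class/constant names are also assumptions made for this example. The remaining classes (ListenerInterface, PreAuthenticatedToken, SwitchUserRole, LogoutHandlerInterface, GetResponseEvent, RedirectResponse) are standard Symfony 2 security/HttpKernel/HttpFoundation API.

```php
<?php
// Added example: REMOTE_USER listener that survives switch-user and handles SSO logout.
// Not the CosignBundle code; DecoratorTokenInterface and '_logout_reason' are hypothetical.

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Role\SwitchUserRole;
use Symfony\Component\Security\Http\Firewall\ListenerInterface;
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;

/** Interface proposed in the mail (hypothetical, not part of Symfony). */
interface DecoratorTokenInterface extends TokenInterface
{
    /** @return TokenInterface the token this one wraps */
    public function getOriginalToken();
}

class RemoteUserSsoListener implements ListenerInterface
{
    /** Reason handed to logout handlers when the central SSO session ended (assumed name). */
    const LOGOUT_REASON_SSO = 'sso';

    private $securityContext;
    private $authenticationManager;
    private $providerKey;
    private $logoutHandlers;
    private $ssoLogoutUrl;

    /**
     * @param LogoutHandlerInterface[] $logoutHandlers run when REMOTE_USER disappears
     * @param string                   $ssoLogoutUrl   where to send the user afterwards
     */
    public function __construct(SecurityContextInterface $securityContext,
                                AuthenticationManagerInterface $authenticationManager,
                                $providerKey, array $logoutHandlers, $ssoLogoutUrl)
    {
        $this->securityContext = $securityContext;
        $this->authenticationManager = $authenticationManager;
        $this->providerKey = $providerKey;
        $this->logoutHandlers = $logoutHandlers;
        $this->ssoLogoutUrl = $ssoLogoutUrl;
    }

    public function handle(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        $remoteUser = $request->server->get('REMOTE_USER');
        $current = $this->securityContext->getToken();

        // Point 2: the web server no longer reports a user, i.e. SSO logout.
        if (null === $remoteUser) {
            if (null !== $current) {
                $event->setResponse($this->ssoLogout($request, $current));
            }
            return;
        }

        // Point 1: compare REMOTE_USER with the original pre-authenticated token,
        // not with the impersonation token SwitchUserListener may have put in place.
        $original = $this->unwrap($current);
        if ($original instanceof PreAuthenticatedToken
            && $original->getProviderKey() === $this->providerKey
            && $original->getUsername() === $remoteUser) {
            return; // same SSO user as before: keep the current (possibly switched) token
        }

        // New or different SSO user: authenticate a fresh pre-authenticated token.
        $token = new PreAuthenticatedToken($remoteUser, '', $this->providerKey);
        $this->securityContext->setToken($this->authenticationManager->authenticate($token));
    }

    /** Follow decorator tokens (proposed) or a SwitchUserRole (current Symfony 2) back to the source. */
    private function unwrap(TokenInterface $token = null)
    {
        while ($token instanceof DecoratorTokenInterface) {
            $token = $token->getOriginalToken();
        }
        if (null !== $token) {
            foreach ($token->getRoles() as $role) {
                if ($role instanceof SwitchUserRole) {
                    return $role->getSource();
                }
            }
        }
        return $token;
    }

    /** Run the configured logout handlers, telling them why, then clear the token. */
    private function ssoLogout(Request $request, TokenInterface $token)
    {
        $response = new RedirectResponse($this->ssoLogoutUrl);
        $request->attributes->set('_logout_reason', self::LOGOUT_REASON_SSO); // assumed attribute
        foreach ($this->logoutHandlers as $handler) {
            $handler->logout($request, $response, $token);
        }
        $this->securityContext->setToken(null);
        return $response;
    }
}
```

The unwrap step is the part that makes switch-user coexist with a per-request pre-authentication check: because the comparison is made against the token that the web server actually vouched for, the UsernamePasswordToken created by SwitchUserListener is left untouched as long as REMOTE_USER still names the impersonating user. A logout handler that wants to redirect differently can read the `_logout_reason` attribute from the request it receives; passing the reason this way is one of the options the mail discusses, not an existing Symfony mechanism.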

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
