I am having trouble setting up a firewall. I am using beta4 so far.
Here is my security.yml:
[code]
security:
    providers:
        user_db:
            entity: { class: mytest\TestBundle\Entity\Account, property: email }
    encoders:
        mytest\TestBundle\Entity\Account: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    firewalls:
        secured_area:
            pattern: ^/ticket
            stateless: true
            security: true
            http_basic:
                realm: "Secured Demo Area"
                provider: user_db
    access_control:
        # commented out for now; the whole rule must stay on one comment line
        #- { path: /login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
[/code]
As far as I understand so far, I request the lookup to be done using
the e-mail field of the entity "Account" and check the password using
plaintext storage.
So here is my Account class:
[code]
<?php
namespace mytest\TestBundle\Entity;

use Doctrine\ORM\Mapping as orm;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\User\UserInterface;

/** @orm\Entity @orm\Table(name="accounts") */
class Account implements UserInterface /*extends BaseUser*/
{
    /** @orm\Id @orm\Column(type="integer") @orm\GeneratedValue(strategy="AUTO") */
    protected $id;
    /** @orm\Column(type="string", length=100) */
    protected $email;
    /** @orm\Column(type="string", length=16, nullable=true) */
    protected $login;
    /** @orm\Column(type="string", length=255) */
    protected $password;
    /** @orm\Column(type="string", length=20) */
    private $nameFirst;
    /** @orm\Column(type="string", length=20) */
    private $nameLast;
    /** @orm\Column(type="datetime", nullable=true) */
    protected $createdAt;
    /** @orm\Column(type="datetime", nullable=true) */
    protected $updatedAt;

    // UserInterface: the stored value the configured encoder compares against
    public function getPassword() { return $this->password; }
    public function getUsername() { return $this->login; }
    // UserInterface: salt handed to the encoder together with the presented password
    public function getSalt() { return "123"; }
    public function eraseCredentials() {}
    public function getRoles() { return array(new Role('ROLE_USER')); }

    public function equals(UserInterface $user)
    {
        // compare against this entity class (the original checked an unrelated "Users" class)
        if (!$user instanceof Account) {
            return false;
        }
        return (trim(mb_strtolower($user->email)) == trim(mb_strtolower($this->email)));
    }
}
[/code]
When I try to request the http://hostname/app_dev.php/ticket resource,
I get an http_basic popup from my browser. I enter a user's e-mail and
the password (stored in plaintext in the db), and all I get is
[code]
Authentication request failed: The presented password is invalid.
[/code]
which is odd considering I am requesting a comparison with the
database password, which is a plaintext string.
After seeing this, I googled a bit, then I googled some more and then
some, and made the following change in security.yml:
[code]
    encoders:
        mytest\TestBundle\Entity\Account:
            algorithm: sha1
            encode-as-base64: false
            iterations: 1
[/code]
which basically tells it to use hashing with sha1, without encoding as
base64, in the database. Since the whole procedure requires a salt, now
the function getSalt *SHOULD* be used, so the final stored password in
the database should be "password123". I modified the database record
to store the password as
"cbfdac6008f9cab4083784cbd1874f76618d2a97" (which is what I get using
hash('sha1', 'password123')).
Now when I try to authenticate using the password 'password' I *STILL*
get the error:
[code]
Authentication request failed: The presented password is invalid.
[/code]
which is getting me to a dead end...
What am I doing wrong? How can I solve this?
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony users" group.
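The post stores sha1('password123') and expects the encoder to accept the presented password "password" with salt "123". The check a practitioner would want here is to compute, outside the framework, exactly what the configured encoder compares against the stored column. The script below is an added example, not code from the original post or from Symfony itself; it assumes that Symfony 2's base password encoder merges the raw password and the salt as password.'{'.salt.'}' before hashing, and that the plaintext encoder applies the same merge before comparing. That merge format must be verified against the installed version's BasePasswordEncoder::mergePasswordAndSalt(), since a beta release may differ. The file name check_encoder.php is assumed.

```php
<?php
// Added example, not code from the original post or from Symfony itself.
// It re-implements outside the framework what a Symfony 2 password encoder is
// assumed to compute from the presented password and UserInterface::getSalt(),
// so the stored database value can be checked before debugging the firewall.
//
// Assumption (verify against the installed version's BasePasswordEncoder
// ::mergePasswordAndSalt(); beta releases may differ): the raw password and
// the salt are merged as  password.'{'.salt.'}'  before hashing, and the
// plaintext encoder applies the same merge before comparing.

// Mirrors the assumed mergePasswordAndSalt(): an empty salt leaves the password untouched.
function merge_password_and_salt(string $raw, string $salt): string
{
    if ($salt === '') {
        return $raw;
    }
    return $raw . '{' . $salt . '}';
}

// What the assumed sha1 encoder stores for the security.yml options in the post
// (algorithm: sha1, encode-as-base64: false, iterations: 1).
function encode_message_digest(string $raw, string $salt, string $algorithm = 'sha1',
                               int $iterations = 1, bool $base64 = false): string
{
    $salted = merge_password_and_salt($raw, $salt);
    $digest = hash($algorithm, $salted, true);
    // iterations: 1 means a single hash; extra rounds re-hash digest + salted input.
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return $base64 ? base64_encode($digest) : bin2hex($digest);
}

// What the assumed plaintext encoder compares against the stored column.
function encode_plaintext(string $raw, string $salt): string
{
    return merge_password_and_salt($raw, $salt);
}

// Constant-time comparison, as a password check should do.
function stored_value_matches(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

// Constructed sample values taken from the post: salt "123", presented password "password".
$salt      = '123';
$presented = 'password';

// The value the post wrote to the database: sha1('password123').
$storedSha1 = 'cbfdac6008f9cab4083784cbd1874f76618d2a97';

$candidates = [
    'sha1 of password.salt (what the post stored)'   => hash('sha1', $presented . $salt),
    'sha1 of password{salt} (assumed encoder input)' => encode_message_digest($presented, $salt),
    'plaintext encoder comparison value'             => encode_plaintext($presented, $salt),
];

foreach ($candidates as $label => $value) {
    printf("%-48s %s  matches stored: %s\n", $label, $value,
        stored_value_matches($storedSha1, $value) ? 'yes' : 'no');
}
```

Run it with `php check_encoder.php`. If the stored column only matches the first candidate, the encoder is being handed a different input than the one hashed by hand: either store the digest of the merged value instead, or return an empty string from getSalt() if no salt was intended. The same merge explains the first attempt with the plaintext encoder, where a stored "password" is compared against the merged value rather than the bare password. Confirm the merge format in the vendor source before changing any stored values.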