Symfony 6.3 migration causes problems with stateless authenticators forcing request to be stateless
Question
Since Symfony 6.3, when using a stateless authenticator it forces the request to be stateless, which causes problems with my setup using custom authenticators:
My tool doesn't perform the sign-in itself; it is performed by a custom SSO service which writes a session id cookie. This cookie is used to load the user info from an external server to write it into the user object by a custom authenticator. This authenticator isn't using the built-in session in any way, so it is defined stateless:
    security:
        main:
            stateless: true
            custom_authenticators: ['Auth\MySessionAuthenticator']
            entry_point: 'auth.signin_web'
For our application itself we use the internal Symfony session, independent from the auth system:
    framework:
        session:
            enabled: true
            handler_id: 'instance_of_redis_session_handler'
            name: 'app_sessid'
In Symfony 6.2 this worked fine, since the auth system "stateless" option wasn't affecting the stateless flag of the request, but now it causes a "Session was used while the request was declared stateless." exception.
Is there a way to get the old behavior or do I have to rethink the way I hook into the Symfony auth system?
Answer 1
Score: 2
I'm facing the same problem and I found the new behaviour in the docs: https://symfony.com/doc/current/reference/configuration/security.html#stateless
> Stateless firewall marking routes stateless was introduced in Symfony 6.3.
This means that if you activate stateless in your firewall, you must deactivate it in your routes. For example:
    controllers:
        resource:
            path: ../src/Controller/
            namespace: App\Controller
        type: attribute
        stateless: false
You can see how it works here: https://symfony.com/doc/current/routing.html#stateless-routes