Symfony 6.3 迁移导致无状态身份验证器引发问题,强制请求保持无状态。

huangapple go评论87阅读模式
英文:

Symfony 6.3 migration causes problems with stateless authenticators forcing request to be stateless

问题

自 Symfony 6.3 开始,使用无状态认证器会强制请求保持无状态,这会导致我的自定义认证器出现问题:

我的工具本身不执行登录操作,登录是由自定义的单点登录(SSO)服务执行的,该服务会写入一个会话 ID Cookie。这个 Cookie 用于从外部服务器加载用户信息,然后由自定义认证器将其写入用户对象。该认证器不以任何方式使用内置的会话,因此它被定义为无状态:

security:
    main:
      stateless: true
      custom_authenticators: ['Auth\MySessionAuthenticator']
      entry_point: 'auth.signin_web'

对于我们的应用程序本身,我们使用独立于认证系统的内部 Symfony 会话:

framework:
    session:
        enabled: true
        handler_id: 'instance_of_redis_session_handler'
        name: 'app_sessid'

在 Symfony 6.2 中,这个配置是正常工作的,因为认证系统的 "stateless" 选项不会影响请求的无状态标志,但现在它会引发一个 "在声明请求为无状态的情况下使用了会话" 的异常。

是否有办法恢复旧的行为,还是我需要重新考虑如何连接到 Symfony 认证系统?

英文:

Since Symfony 6.3, when using a stateless authenticator it forces the request to be statless which causes problems with my setup using custom authenticators:

My tool doesn't perform the signin itself, it is performed by a custom SSO service which writes a session id cookie. This cookie is used to load the user info from a externel server to write it into the user object by a custom authenticator. This authenticator isn't using the buildin session in any way so it is defined stateless:

security:
    main:
      stateless: true
      custom_authenticators: ['Auth\MySessionAuthenticator']
      entry_point: 'auth.signin_web'

For our application itself we use the internal Symfony session independend from the auth system:

framework:
    session:
        enabled: true
        handler_id: 'instance_of_redis_session_handler'
        name: 'app_sessid'

In Symfony 6.2 this worked fine, since the auth system "stateless" option wasn't affecting the stateless flag of the request but now it causes an "Session was used while the request was declared stateless." exception.

Is there a way to get the old bahavior or do I have to rethink the way I hook into the Symfony auth system?

答案1

得分: 2

我遇到了同样的问题,并在文档中找到了新的行为 https://symfony.com/doc/current/reference/configuration/security.html#stateless

在Symfony 6.3中引入了标记路由为无状态的无状态防火墙。

这意味着如果你在防火墙中激活了无状态模式,你必须在你的路由中禁用它。例如:

controllers:
    resource:
        path: ../src/Controller/
        namespace: App\Controller
    type: attribute
    stateless: false

你可以在这里查看它的工作原理 https://symfony.com/doc/current/routing.html#stateless-routes

英文:

I facing the same problem and I found the new behaviour in docs https://symfony.com/doc/current/reference/configuration/security.html#stateless

> Stateless firewall marking routes stateless was introduced in Symfony
> 6.3.

This means that if you activate the stateless in your firewall you must deactivate it in your routes. For example:

controllers:
    resource:
        path: ../src/Controller/
        namespace: App\Controller
    type: attribute
    stateless: false

You can see how works here https://symfony.com/doc/current/routing.html#stateless-routes

huangapple
  • 本文由 发表于 2023年6月19日 21:40:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/76507208.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定