https://github.com/symfony/symfony/issues/8260
A part of the discussion
I'm experiencing an issue with HTTP Basic Auth and the SwitchUserListener. The symptoms are that switching users just does not work:

- The firewall is configured with stateless: false and switch_user: true.
- When attempting to GET /<existing_path>?_switch_user=<valid_other_user>, the SwitchUserListener redirects to /<existing_path>.
- The active token still points to the 'old' user.
After some research, I found out that this behaviour is caused by two things:
- The BasicAuthenticationListener is built in a way that should prevent credentials being checked again when the current token is already authenticated. This condition (among others) is being tested in line 64 and evaluates to false since $token->getUsername() !== $username. This results in the token with ROLE_PREVIOUS_ADMIN being overwritten in SecurityContext (line 75).
- Apparently persisting a token with ROLE_PREVIOUS_ADMIN does not work as expected. There already is an issue for this to which I added a comment.
In general, I don't know whether this is a bug or a feature that was never planned, but I would really appreciate some feedback on this. Switching users when providing the user's credentials with every request might sound strange, but there are cases in which this makes perfect sense.
Thank you in advance,