From 34ad1b5773820bc4c80b17d3984aedae1691a8c1 Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Fri, 6 Jun 2014 14:28:59 +0200 Subject: [PATCH 1/7] [Security] Added remote_user firewall info and documentation for pre authenticated firewalls --- reference/configuration/security.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index 2eda8410c86..340d9af8c3a 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -121,6 +121,9 @@ Each part will be explained in the next section. stateless: false x509: provider: some_key_from_above + # new in Symfony 2.6 + remote_user: + provider: some_key_from_above http_basic: provider: some_key_from_above http_digest: From 8465d465f8cde4a60d35a776313bee363f38e577 Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Fri, 6 Jun 2014 14:56:44 +0200 Subject: [PATCH 2/7] [Reference][Configuration] Removed version added for remote_user --- reference/configuration/security.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index 340d9af8c3a..66c15ae0916 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -121,7 +121,6 @@ Each part will be explained in the next section. stateless: false x509: provider: some_key_from_above - # new in Symfony 2.6 remote_user: provider: some_key_from_above http_basic: From 86ba188bbe274d9e1d9b3d392e2c57a737eb63cd Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Thu, 12 Jun 2014 17:34:04 +0200 Subject: [PATCH 3/7] rebased using x509 pr, added remote_user pre authenticated part --- cookbook/security/pre_authenticated.rst | 66 ++++++++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index fe77000422c..d5490fde519 100644 
--- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -66,6 +66,8 @@ the user provider, and sets the ``SSL_CLIENT_S_DN`` as credentials in the You can override these by setting the ``user`` and the ``credentials`` keys in the x509 firewall configuration respectively. +.. _cookbook-security-pre-authenticated-user-provider-note: + .. note:: An authentication provider will only inform the user provider of the username 
@@ -76,4 +78,66 @@ in the x509 firewall configuration respectively. provider, see: * :doc:`/cookbook/security/custom_provider` - * :doc:`/cookbook/security/entity_provider` \ No newline at end of file + * :doc:`/cookbook/security/entity_provider` + +REMOTE_USER based Authentication +-------------------------------- + +.. versionadded:: 2.6 + REMOTE_USER pre authenticated firewall was introduced in Symfony 2.6. + +A lot of authentication modules, like ``auth_kerb` for Apache provide the username +using the ``REMOTE_USER`` environment variable. This variable can be trusted by +the application since the authentication happened before the request reached it. + +To configure Symfony using the ``REMOTE_USER` environment variable, simply enable the +corresponding firewall in your security configuration: + +.. configuration-block:: + + .. code-block:: yaml + + # app/config/security.yml + security: + firewalls: + secured_area: + pattern: ^/ + remote_user: + provider: your_user_provider + + .. code-block:: xml + + + + + + + + + + + + + .. code-block:: php + + // app/config/security.php + $container->loadFromExtension('security', array( + 'firewalls' => array( + 'secured_area' => array( + 'pattern' => '^/' + 'remote_user' => array( + 'provider' => 'your_user_provider', + ), + ), + ), + )); + +The firewall will then provide the ``REMOTE_USER`` environment variable to +your user provider. You can change the variable name used by setting the ``user`` +key in the ``remote_user`` firewall configuration. + +.. note:: + + Just like for X509 authentication, you will need to configure a "user provider". + See :ref:`the note about it `. From be0d866de3fe6392d1dceddbff08d0e31025dc9e Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Thu, 12 Jun 2014 19:08:02 +0200 Subject: [PATCH 4/7] fix missing backtick, rephrased bottom note --- cookbook/security/pre_authenticated.rst | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index d5490fde519..640fc9f5cf7 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -73,8 +73,8 @@ in the x509 firewall configuration respectively. An authentication provider will only inform the user provider of the username that made the request. You will need to create (or use) a "user provider" that is referenced by the ``provider`` configuration parameter (``your_user_provider`` - in the configuration example). This provider will turn the username into a User - object of your choice. For more information on creating or configuring a user + in the configuration example). This provider will turn the username into a User + object of your choice. For more information on creating or configuring a user provider, see: * :doc:`/cookbook/security/custom_provider` @@ -86,11 +86,11 @@ REMOTE_USER based Authentication .. versionadded:: 2.6 REMOTE_USER pre authenticated firewall was introduced in Symfony 2.6. -A lot of authentication modules, like ``auth_kerb` for Apache provide the username -using the ``REMOTE_USER`` environment variable. This variable can be trusted by +A lot of authentication modules, like ``auth_kerb` for Apache provide the username +using the ``REMOTE_USER`` environment variable. This variable can be trusted by the application since the authentication happened before the request reached it. -To configure Symfony using the ``REMOTE_USER` environment variable, simply enable the +To configure Symfony using the ``REMOTE_USER`` environment variable, simply enable the corresponding firewall in your security configuration: .. configuration-block:: @@ -140,4 +140,5 @@ key in the ``remote_user`` firewall configuration. .. note:: Just like for X509 authentication, you will need to configure a "user provider". - See :ref:`the note about it `. + See :ref:`the note previous note ` + for more information. 
From b8a0eb2660c073c4742c85f47cfa3109314106af Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Wed, 25 Jun 2014 14:19:25 +0200 Subject: [PATCH 5/7] fixes missing backtick --- cookbook/security/pre_authenticated.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 640fc9f5cf7..394ae4f739e 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -86,7 +86,7 @@ REMOTE_USER based Authentication .. versionadded:: 2.6 REMOTE_USER pre authenticated firewall was introduced in Symfony 2.6. -A lot of authentication modules, like ``auth_kerb` for Apache provide the username +A lot of authentication modules, like ``auth_kerb`` for Apache provide the username using the ``REMOTE_USER`` environment variable. This variable can be trusted by the application since the authentication happened before the request reached it. From e6aa73314d5e092bedd2d4b468c3e278d4feabcd Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Wed, 24 Sep 2014 16:58:43 +0200 Subject: [PATCH 6/7] swapped comment and opening in xml configuration example --- cookbook/security/pre_authenticated.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 394ae4f739e..63405fb7f53 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -34,8 +34,8 @@ Enable the x509 authentication for a particular firewall in the security configu .. code-block:: xml - + @@ -107,8 +107,8 @@ corresponding firewall in your security configuration: .. code-block:: xml - + From f36c45e3a81fb9ec21b67474a66d9ed6709928ba Mon Sep 17 00:00:00 2001 From: Maxime Douailin Date: Tue, 7 Oct 2014 15:35:35 +0200 Subject: [PATCH 7/7] uppercase title --- cookbook/security/pre_authenticated.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 63405fb7f53..7a0775a8ab8 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -80,7 +80,7 @@ in the x509 firewall configuration respectively. * :doc:`/cookbook/security/custom_provider` * :doc:`/cookbook/security/entity_provider` -REMOTE_USER based Authentication +REMOTE_USER Based Authentication -------------------------------- .. versionadded:: 2.6
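
Review bot: in [PATCH 1/7], the reference/configuration/security.rst hunk at @@ -121,6 +121,9 lists only ``provider`` under ``remote_user``, while the cookbook text added in [PATCH 3/7] tells readers they can change the variable name through a ``user`` key. Since this file is the configuration reference, consider adding a ``user`` line under ``remote_user`` so the option can be found from both pages.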
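
Review bot: the PHP example in [PATCH 3/7] (second hunk of cookbook/security/pre_authenticated.rst, @@ -76,4 +78,66) is missing a comma after 'pattern' => '^/', so the array literal is a parse error when copied as is. The line should end 'pattern' => '^/', before the 'remote_user' => array( line. None of the later patches in this series touch that line, so it still needs a fix.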
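
Review bot: in [PATCH 4/7], hunk @@ -86,11 +86,11, the sentence "This variable can be trusted by the application since the authentication happened before the request reached it" is stated without conditions. It holds only when the web server's authentication module is what sets the variable on every request matched by the firewall pattern (^/ in the example), and when the application cannot be reached by a route that skips that server. Suggest saying so in this paragraph, and adding a sentence where the ``user`` key is described that the configured name must be a variable the server sets itself, not one derived from a request header the client controls.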
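
Review bot: in [PATCH 4/7], last hunk (@@ -140,4 +140,5), the reworded reference text reads "the note previous note", with "note" doubled. "See the previous note ... for more information" is probably what was meant.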