Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Add an option to allow path instead of service for firewalls entry points (#39520) #41339

Open
wants to merge 1 commit into
base: 7.3
Choose a base branch
from
Open

[Security] Add an option to allow path instead of service for firewalls entry points (#39520) #41339

wants to merge 1 commit into from

Conversation

johnkrovitch
Copy link
Contributor

Q A
Branch? 5.4
Bug fix? no
New feature? yes
Deprecations? no
Tickets Fix #39520
License MIT
Doc PR

Hi, this PR aims to fix #39520. It creates a new option in the firewall configuration section "entry_point_path", allowing to have a common entry point using a route instead of a service id.

Thanks !

@wouterj wouterj added this to the 5.4 milestone May 20, 2021
@carsonbot
Copy link

Hey!

I think @edefimov has recently worked with this code. Maybe they can help review this?

Cheers!

Carsonbot

@fabpot fabpot modified the milestones: 5.4, 6.1 Nov 16, 2021
@johnkrovitch
Copy link
Contributor Author

Tests fixed

@chalasr
Copy link
Member

chalasr commented Dec 3, 2021

Could we make entry_point accept a path instead of adding a new option?

@johnkrovitch
Copy link
Contributor Author

Hi,

following the previous comment of @chalasr, we can not decide on what to do : do we keep the current option entry_point which will now be either an entrypoint, a service or a path. Or should we add a new option like entry_point_path to handle the path option and activate the new PathAuthenticator ?

The first one allows to not add a new option, which is nice, but can be a bit complicated to read and debug. The second is clearer, but it add a new option and there is already a lot of option in the security.

Do you have an opinion on the topic ?

Thank you very much !

@wouterj
Copy link
Member

wouterj commented Dec 11, 2021

@chalasr see #39520 (comment) . I think the entry_point already allows too much magic strings representing all sorts of things. I'm not sure if adding yet another magic string would be good.

@fabpot fabpot modified the milestones: 6.1, 6.2 May 20, 2022
chalasr
chalasr requested changes Jun 19, 2022
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bundle+component changelogs need to be updated to mention this change

src/Symfony/Component/Security/Http/EntryPoint/RouteAuthenticationEntryPoint.php Outdated Show resolved Hide resolved
src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -440,6 +440,15 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
// Determine default entry point
$configuredEntryPoint = $firewall['entry_point'] ?? null;

// When a entry point path is configured, it overrides the default entry point
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if one set both entry_point and entry_point_path at the firewall level? Should we forbid such mix for clarity? A test would be nice for that case btw

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, if both options are set, the entry point path overrides the entry point.
It could be a good thing to throw an exception if both are set to avoid confusion and ease debug.
I try to add a test if I had the time.

@nicolas-grekas nicolas-grekas modified the milestones: 6.2, 6.3 Nov 5, 2022
@nicolas-grekas nicolas-grekas modified the milestones: 6.3, 6.4 May 23, 2023
@nicolas-grekas nicolas-grekas removed this from the 6.4 milestone Nov 15, 2023
@nicolas-grekas nicolas-grekas added this to the 7.1 milestone Nov 15, 2023
@xabbuh xabbuh modified the milestones: 7.1, 7.2 May 15, 2024
@fabpot fabpot modified the milestones: 7.2, 7.3 Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chalasr chalasr chalasr requested changes

@wouterj wouterj Awaiting requested review from wouterj

Assignees
No one assigned
Labels
Feature Security Status: Needs Work
Projects
None yet
Milestone
7.3
Development

Successfully merging this pull request may close these issues.

[Security] 'entry_point' could accept a route as well, for convenience
7 participants
@johnkrovitch @carsonbot @chalasr @wouterj @fabpot @nicolas-grekas @xabbuh