English 中文(简体)
申述2 http://www.ohchr.org
原标题:Symfony2 http_basic security rejects valid credentials

I use symposiumfony Standard 2.0.0TABE1 andtries to configure http://basiccreditation really the same as in .this book chapter 

security:
encoders:
    SymfonyComponentSecurityCoreUserUser: plaintext

providers:
    main:
        users:
            foo: { password: testing, roles: ROLE_USER }

firewalls:
    main:
        pattern:    /.*
        http_basic: true
        logout:     true

access_control:
    - { path: /.*, role: ROLE_USER }

问题在于,我试图打开一页,并提交用户名称“foo”和密码“测试”,这只是空话,要求我有定论或显示错误。

复制问题的步骤:

  1. Copy security configuration from http://symfony.com/doc/current/book/security/overview.html#configuration and past it to security.yml file
  2. Refresh app home page
  3. Enter valid credentials

预期的行为是看到主页,但照样显示。

Does anyone know why that happens and how to fix it?

最佳回答

基本认证与PHP在阿帕帕奇(PHP)下做主/女农业研究组分类。

工作:

app_dev.php

if( !isset($_SERVER[ PHP_AUTH_USER ]) )
{
    if (isset($_SERVER[ HTTP_AUTHORIZATION ]) && (strlen($_SERVER[ HTTP_AUTHORIZATION ]) > 0))
    {
        list($_SERVER[ PHP_AUTH_USER ], $_SERVER[ PHP_AUTH_PW ]) = explode( : , base64_decode(substr($_SERVER[ HTTP_AUTHORIZATION ], 6)));
        if( strlen($_SERVER[ PHP_AUTH_USER ]) == 0 || strlen($_SERVER[ PHP_AUTH_PW ]) == 0 )
        {
            unset($_SERVER[ PHP_AUTH_USER ]);
            unset($_SERVER[ PHP_AUTH_PW ]);
        }
    }
}

<>strong>web/htaccess

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] 
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ app.php [QSA,L]
</IfModule>

https://github.com/symfony/symfony/issues/1813。 github issue

时间:2011-10-05 18:39:11
问题回答

问题在于,你只限制使用<代码>/*(这意味着所有途径)的用户使用ROLE_USER。

您的航海航道为/login,用户试图走任何其他道路,并改用航标。 标识路径(/login)将与出入控制模式(/.*匹配。 然后,用户将被拒绝进入,因为他没有发挥作用。 USER 现今。 安保部分将再次将用户转向标识格式,以便他能够认证作用,这种作用受到限制,并将用户改用标识格式认证。

这里是避免这一问题的简单解决办法。 可以通过启用匿名用户配置和新的出入控制项目,允许匿名用户使用标识。 在<条码>防火墙/代码>配置中添加以下内容:<条码>>> >主要,使匿名用户能够:

security:
    firewalls:
        main:
            anonymous: true

And add a new access control item to allow anonymous user to acces the /login pattern:

access_control:
    - { path: /login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: /.*, role: ROLE_USER }

The order is important here since the rule is: first path matched wins. So the /login path must be above your pattern for other path /.*. This should resolves you redirect loop.

关于安全问题的书状文件现在正在改写,并将更详细地讨论这一问题。 它位于symfony-docs 。 https://github.com/symfony/symfony-docs/tree/security"rel=“noreferer”>security 分支。

Regards, Matt

时间:2011-05-13 18:05:47

目前的版本(Symfony版本2.1.8)。

It s because of the special way that Apache + PHP as FastCGI handles HTTP auth variables.

At least, the fix for the current version is a little simplier than it was before (as compared to @Teo.sk s answer), and the instructions are available directly hardcoded as comments in the file vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/ServerBag.php of the framework:

/*
* php-cgi under Apache does not pass HTTP Basic user/pass to PHP by default
* For this workaround to work, add these lines to your .htaccess file:
* RewriteCond %{HTTP:Authorization} ^(.+)$
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
*
* A sample .htaccess file:
* RewriteEngine On
* RewriteCond %{HTTP:Authorization} ^(.+)$
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
* RewriteCond %{REQUEST_FILENAME} !-f
* RewriteRule ^(.*)$ app.php [QSA,L]
*/

简言之,为了确定这一条,你们都必须在<条码>上添加以下内容: <代码>web/ 您的申请:

RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

www.un.org/Depts/DGACM/index_spanish.htm 新Info(2013-05-01):现在,Im 使用了第二.2.1版的同义词,在固定工作时,我不得不在以下条目下添加这两条代码:web/.htaccess:

RewriteEngine On
时间:2013-02-28 01:17:52

您不需要修改您的书名项目,你还需要改变笔记。

sudoedit /etc/apache2/sites-enabled/[yoursite].

插入

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] 
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]

a. 保留地重新启用

享有:

时间:2015-02-23 11:11:54

i 采用双管线:

 - { path: /correspondencia/recepcion/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: /correspondencia/recepcion, role: ROLE_ADMIN }

without the last slash wrong

/correspondencia/recepcion/

good

/correspondencia/recepcion
时间:2011-12-04 19:49:58


上一篇:
下一篇:


相关问题
Signed executables under Linux

For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...

时间:2009-11-14 01:34:19 回答:10 展示:1
MALICIOUS_CODE EI_EXPOSE_REP Medium

I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...

时间:2009-11-14 00:40:10 回答:5 展示:1
XSS on jsbin.com

Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...

时间:2009-11-14 00:18:21 回答:1 展示:1
Make md5 strong

Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...

时间:2009-11-13 18:59:37 回答:5 展示:1
Why running a service as Local System is bad on windows?

I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...

时间:2009-11-13 16:51:19 回答:5 展示:1
Brute-force/DoS prevention in PHP [closed]

I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...

时间:2009-11-13 05:37:34 回答:5 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全