
ezpublish_legacy_sso causes infinite redirect loop on /login

    Details

    • Sprint:
      Pollux Core S5

      Description

      When using the legacy_sso_handler feature, described in https://doc.ez.no/display/EZP/Authentication in eZ Publish 5.4, the login will not work as expected:

      • Returning a valid user in the legacy SSO handler will result in authentication failure ("A valid username and password is required to login.")
      • Returning a false result in the sso handler will result in an infinite redirect loop. After this it is necessary to remove the session cookie, otherwise any page will result in a redirect loop.
      Steps to reproduce:
      • enable ezpublish_legacy_sso in security.yml:

        security:
            firewalls:
                ezpublish_front:
                    pattern: ^/
                    anonymous: ~
                    # Adding the following entry will activate the use of old SSO handlers.
                    ezpublish_legacy_sso: ~
        

      • Implement a simple sso_handler, such as the example in http://share.ez.no/learn/ez-publish/using-a-sso-in-ez-publish
      Note:

      This appears to be a regression of some sort, as the behavior in eZ Publish 5.3 is correct.

      1. isGranted-normal.html
        12 kB
        Gunnstein Lye
      2. isGranted-sso.html
        7 kB
        Gunnstein Lye

        Activity

        Gunnstein Lye added a comment - edited

        Second possible fix approach: Catch the missing token exception, and disregard it when in the context of running a legacy SSO handler. But how can we detect that context? Can we pass a new parameter to the legacy kernel closure, which indicates that we should not check for user auth?

        --- a/eZ/Bundle/EzPublishLegacyBundle/LegacyMapper/Security.php
        +++ b/eZ/Bundle/EzPublishLegacyBundle/LegacyMapper/Security.php
        @@ -17,6 +17,7 @@ use eZ\Publish\Core\MVC\Legacy\LegacyEvents;
         use ezpWebBasedKernelHandler;
         use eZUser;
         use Symfony\Component\EventDispatcher\EventSubscriberInterface;
        +use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
         use Symfony\Component\Security\Core\SecurityContextInterface;
         
         /**
        @@ -104,7 +105,14 @@ class Security implements EventSubscriberInterface
                 // IS_AUTHENTICATED_FULLY inherits from IS_AUTHENTICATED_REMEMBERED.
                 // User can be either authenticated by providing credentials during current session
                 // or by "remember me" if available.
        -        return $this->securityContext->isGranted( 'IS_AUTHENTICATED_REMEMBERED' );
        +        try {
        +            $isGranted = $this->securityContext->isGranted( 'IS_AUTHENTICATED_REMEMBERED' );
        +        }
        +        catch (AuthenticationCredentialsNotFoundException $e) {
        +            // TODO: This is okay, if we are in the context of running a legacy SSO handler. How to detect that?
        +            $isGranted = true;
        +        }
        +        return $isGranted;
             }
         
             /**
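Review bot: the catch branch in the second hunk fails open. When no token is present in the security context, `$isGranted = true` is returned to every caller of this method, not only while a legacy SSO handler is running, so any code path that reaches this check without a token would be treated as authenticated. Prefer failing closed (`$isGranted = false;`) and, if the SSO-handler case must pass, gate it on an explicit flag that the caller sets before invoking the legacy kernel closure (the parameter the comment proposes), not on the exception alone. The `TODO` on the `$isGranted = true;` line, and the unused `$e`, should not ship as-is.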
        

        Jérôme Vieilledent (Inactive) added a comment -

        Please check https://github.com/ezsystems/LegacyBridge/pull/6 . 1st commit might fix this issue.

        Gunnstein Lye added a comment -

        Yep, https://github.com/ezsystems/LegacyBridge/commit/132d0f90208c02b5e91a1c592b2f56b48a9de05f fixes the issue. Thanks JV! Pending QA after that is merged.

        Jérôme Vieilledent (Inactive) added a comment -

        Fixed in LegacyBridge master: https://github.com/ezsystems/LegacyBridge/commit/132d0f90208c02b5e91a1c592b2f56b48a9de05f

        Pedro Resende (Inactive) added a comment -

        Tested and approved by Q.A. on eZ Publish 5.4
        Tested on eZ Publish 5.3, but it wasn't reproducible


          People

          • Assignee:
            Unassigned
            Reporter:
            Joao Inacio (Inactive)