Commit e82a9a3b authored by Fabien Potencier's avatar Fabien Potencier

merged branch gigablah/security-flags (PR #573)

This PR was merged into the master branch.

Commits
-------

e21b3803 Support 'security' and 'stateless' flags in security config

Discussion
----------

Support 'security' and 'stateless' flags in security config

`'security' => false` will disable the firewall (for a particular area) even if there are listeners configured.

`'stateless' => true` will prevent `ContextListener` from getting registered.

---------------------------------------------------------------------------

by davedevelopment at 2013-01-05T15:01:38Z

I'm not sure I understand what you'd use these flags for; perhaps some documentation would be useful?

On Jan 5, 2013 10:05 AM, "Chris Heng" <notifications@github.com> wrote:

> 'security' => false will disable the firewall even if there are listeners
> configured.
>
> 'stateless' => true will prevent ContextListener from getting registered.

---------------------------------------------------------------------------

by gigablah at 2013-01-05T15:30:13Z

These are the same flags you can use in Symfony2. I guess `'security' => false` by itself isn't too useful, but you could hypothetically do something like:

```php
$app->register(new SecurityServiceProvider(), array(
    'security.firewalls' => array(
        'api' => array(
            'pattern' => '^/api',
            'stateless' => true,
            'security' => !$app['debug'],
            'oauth' => true
        )
    )
));
```

Which will (a) turn off oauth access token authentication when you're debugging, and (b) turn off read/write on the session during authentication, which isn't wanted since the oauth access token is sent for each request.

---------------------------------------------------------------------------

by davedevelopment at 2013-01-06T20:48:20Z

Sorry, I think I got confused by the security flag, I understand the stateless one.

---------------------------------------------------------------------------

by stof at 2013-01-06T21:13:04Z

The goal of the ``security`` flag is to create a firewall pattern without firewall. The only reason for this is to whitelist a pattern by placing it before another pattern without having to create a crazy regex.
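A worked illustration of the first-match-wins ordering and of the two flags discussed above, added here as an example; it is not Silex's code but a simplified model of the provider's behaviour, and the listener names beyond the channel and context listeners (the `_listener` suffix, `access_listener`) are assumed for illustration.

```php
<?php
// Added example, not Silex's own code: a simplified model of how one firewall
// entry is interpreted after the 'security' and 'stateless' flags are read.

function resolveFirewall(array $firewall)
{
    $pattern = isset($firewall['pattern']) ? $firewall['pattern'] : null;
    // Same defaults as the PR: 'security' is on, 'stateless' is off.
    $security = isset($firewall['security']) ? (bool) $firewall['security'] : true;
    $stateless = isset($firewall['stateless']) ? (bool) $firewall['stateless'] : false;
    unset($firewall['pattern'], $firewall['users'], $firewall['security'], $firewall['stateless']);
    // Whatever keys remain are authentication mechanisms (e.g. 'wsse', 'http').
    $protected = $security && count($firewall) > 0;
    $listeners = array('channel_listener');
    if ($protected) {
        // The context listener loads/saves the token from/to the session; a stateless
        // firewall skips it, so credentials must come with every request.
        if (!$stateless) {
            $listeners[] = 'context_listener';
        }
        foreach (array_keys($firewall) as $mechanism) {
            $listeners[] = $mechanism.'_listener'; // assumed naming, for illustration
        }
        $listeners[] = 'access_listener';
    }

    return array('pattern' => $pattern, 'protected' => $protected, 'listeners' => $listeners);
}

// First matching pattern wins, so a 'security' => false entry placed first
// whitelists a sub-path without a negative-lookahead regex on the next entry.
function matchFirewall(array $firewalls, $path)
{
    foreach ($firewalls as $name => $firewall) {
        if (!isset($firewall['pattern']) || preg_match('{'.$firewall['pattern'].'}', $path)) {
            return $name;
        }
    }
    return null;
}

$firewalls = array(
    'api_public' => array('pattern' => '^/api/public', 'security' => false, 'wsse' => true),
    'api' => array('pattern' => '^/api', 'stateless' => true, 'wsse' => true),
);

foreach (array('/api/public/status', '/api/users') as $path) {
    $name = matchFirewall($firewalls, $path);
    $resolved = resolveFirewall($firewalls[$name]);
    printf("%s -> %s: %s\n", $path, $name, implode(', ', $resolved['listeners']));
}
```

Running it shows the public sub-path resolving to the unsecured entry with only the channel listener, while `/api/users` gets the WSSE listener but no context listener because the firewall is stateless.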

---------------------------------------------------------------------------

by fabpot at 2013-01-18T15:00:19Z

Can you also update the documentation about these two new settings? Thanks.

---------------------------------------------------------------------------

by gigablah at 2013-01-19T04:37:08Z

It's done. Added a section for Stateless Authentication, and a tip for the `security` flag.
parents ecb5d9c5 e21b3803
......@@ -247,6 +247,21 @@ The order of the firewall configurations is significant as the first one to
match wins. The above configuration first ensures that the ``/login`` URL is
not secured (no authentication settings), and then it secures all other URLs.
.. tip::
You can toggle all registered authentication mechanisms for a particular
area on and off with the ``security`` flag::
$app['security.firewalls'] = array(
'api' => array(
'pattern' => '^/api',
'security' => $app['debug'] ? false : true,
'wsse' => true,
// ...
),
);
Adding a Logout
~~~~~~~~~~~~~~~
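Review bot: the tip's example `'security' => $app['debug'] ? false : true` reads more simply as `'security' => !$app['debug']`, which is also the form used in the PR discussion. The tip should also spell out what "off" means for the reader: the whole firewall for that pattern is skipped, so in the example `'wsse' => true` has no effect in debug mode and `^/api` is reachable without any authentication; that is the intended trade-off, but the text currently only says mechanisms are "toggled".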
......@@ -561,6 +576,23 @@ argument of your authentication factory (see above).
This example uses the authentication provider classes as described in the
Symfony `cookbook`_.
Stateless Authentication
~~~~~~~~~~~~~~~~~~~~~~~~
By default, a session cookie is created to persist the security context of
the user. However, if you use certificates, HTTP authentication, WSSE and so
on, the credentials are sent for each request. In that case, you can turn off
persistence by activating the ``stateless`` authentication flag::
$app['security.firewalls'] = array(
'default' => array(
'stateless' => true,
'wsse' => true,
// ...
),
);
Traits
------
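Review bot: the Stateless Authentication section says persistence is turned off but not what that implies for the application; add a sentence stating that for such a firewall the security context is neither loaded from nor saved to the session, so the credentials have to be present on every request, and a mechanism that depends on the session to remember the user will not keep them authenticated once the flag is set.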
......@@ -158,9 +158,11 @@ class SecurityServiceProvider implements ServiceProviderInterface
$entryPoint = null;
$pattern = isset($firewall['pattern']) ? $firewall['pattern'] : null;
$users = isset($firewall['users']) ? $firewall['users'] : array();
unset($firewall['pattern'], $firewall['users']);
$security = isset($firewall['security']) ? (Boolean) $firewall['security'] : true;
$stateless = isset($firewall['stateless']) ? (Boolean) $firewall['stateless'] : false;
unset($firewall['pattern'], $firewall['users'], $firewall['security'], $firewall['stateless']);
$protected = count($firewall);
$protected = false === $security ? false : count($firewall);
$listeners = array('security.channel_listener');
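Review bot: `(Boolean)` works because PHP cast names are case-insensitive, but the project's style is `(bool)`; please normalize both new casts. `$protected` now holds either `false` or an integer; if it is only used as a truth value, `$protected = $security && count($firewall) > 0;` states the intent directly and avoids the mixed type. Unsetting `security` and `stateless` before the `count()` is correct, since otherwise the two flags would be counted as authentication mechanisms.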
......@@ -173,7 +175,9 @@ class SecurityServiceProvider implements ServiceProviderInterface
$app['security.context_listener.'.$name] = $app['security.context_listener._proto']($name, array($app['security.user_provider.'.$name]));
}
$listeners[] = 'security.context_listener.'.$name;
if (false === $stateless) {
$listeners[] = 'security.context_listener.'.$name;
}
$factories = array();
foreach ($positions as $position) {
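Review bot: `if (false === $stateless)` can be `if (!$stateless)` since `$stateless` was already cast to bool above. Note that the `security.context_listener.$name` service is still defined in the block just above even when the firewall is stateless; that is harmless, but if the definition is only needed when the listener is registered, the `$stateless` check could wrap both the definition and the `$listeners[]` append.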