
I've been working on a custom authentication system with Symfony 2.1. After a lot of battle with Symfony I've got something that is working, but not fully...

Problem: After the login (through a form), the user is logged in but not authenticated.

Context: Since users have to submit their credentials through an HTML form, I had to create a listener that extends AbstractAuthenticationListener.

Question: Shouldn't the listener automatically add the token to the SecurityContext? If this is not the case, should I do that manually?

Process:

1. User submits his credentials through the HTML form.
2. Listener intercepts the request and runs attemptAuthentication.
3. Listener calls the AuthenticationManager's (implements AuthenticationProviderInterface) authenticate method.
4. AuthenticationManager calls the UserProvider (implements UserProviderInterface) to retrieve the user's data from my webservice.
5. UserProvider returns a User class implementing UserInterface.
6. AuthenticationManager creates a Token implementing TokenInterface.
7. AuthenticationManager returns the token to the listener.
8. Listener's attemptAuthentication returns the token from the AuthenticationManager's authenticate method.
9. User is logged in but not authenticated.

I haven't shown code samples to avoid overloading the post. If needed I'll edit the post.

When everything is working properly, all the listener.attemptAuthentication has to do is return the authenticated token which in turn comes from the authenticationManager.authenticate. No need to explicitly set it in security.context. First step is to verify that the token is actually authenticated since various other listeners come in to play. Is the authenticated token a UsernamePasswordToken? - Cerad
The authenticated token is an instance of my CustomToken as defined in the authenticationManager.support method. - SupaCoco
The description of your process helped me a lot to understand the workflow of everything. I'm implementing a custom authentication provider based on BorisMorel LdapBundle and your question answered all my questions! Thanks!! :) - João Alves

1 Answer


I found my mistake...

Once logged in, the AuthenticationSuccessHandler redirects the user to the URL I want. This action triggers a refreshUser from the UserProvider.

This function was hard-coded with a test user different than the user I was logged in with. Once the function returns a user equal to the one stored in the token the problem is solved.
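The fix the answer describes, written out as an added example (not the asker's code): a Symfony 2.1 user provider whose refreshUser() reloads the user named in the token rather than a hard-coded test account. The WebserviceClient wrapper, its lookup() method and the WebserviceUser class are assumed stand-ins for the asker's webservice and User class; the Symfony interfaces and exceptions are real.

```php
<?php
// Added example, not the original poster's code. WebserviceClient::lookup() and
// WebserviceUser (a UserInterface implementation) are assumed stand-ins.
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;

class WebserviceUserProvider implements UserProviderInterface
{
    private $client; // assumed wrapper around the remote webservice

    public function __construct(WebserviceClient $client)
    {
        $this->client = $client;
    }

    public function loadUserByUsername($username)
    {
        // Assumed: lookup() returns an array of user fields, or null if unknown.
        $data = $this->client->lookup($username);
        if (null === $data) {
            throw new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
        }

        return new WebserviceUser($data['username'], $data['password'], $data['salt'], $data['roles']);
    }

    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof WebserviceUser) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }

        // Reload the *same* user that is stored in the token. Returning a different
        // user here (for example a hard-coded test account) makes the token's user
        // comparison fail on the next request, and the token is no longer authenticated.
        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass($class)
    {
        return $class === 'WebserviceUser';
    }
}
```

If the reloaded user can legitimately differ in fields that should not log the user out (e.g. a changed role list), Symfony 2.1's EquatableInterface on the User class controls which fields the comparison uses.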