I am trying to debug a Resque setup in an (inherited) app, and so I found that there is a route for resque at /hidden/resque that would be nifty to access, but I am unable to access the route. I am wondering what I need to do ... When I try to access that route I get a HTTP 500 due to this error being thrown:

Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException: Full authentication is required to access this resource.

I have tried accessing it both as a web page (after authenticating as an admin role on a different route) and using curl -H 'Authorization: Basic 9339034147964aebec6716c0110311d1' 'https://web.mysite/hidden/resque' -v. No go.

So what constitutes "full authentication"? I am already logged in as an admin user on one of the other routes. Would I need to add anything more to the below config? This has not been set up by me, so I would not know if it ever worked.

app/config/routing.yml

ResqueBundle:
    resource: "@ResqueBundle/Resources/config/routing.xml"
    prefix:   /hidden/resque

app/config/security.yml

access_control:
  - { path: ^/hidden, roles: ROLE_ADMIN }

According to the docs:

IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.

How can I be "more logged in" than using a cookie? Should I send a basic auth header with username and password base64 encoded?

  • Say you log in by presenting a username and password that is checked and authorized internally in the web app. A session gets created that refers to that authorized user and is approved by the username/password presentation. You are now fully authenticated. A cookie gets placed in the browser that states this occurred at some point in the last two weeks. The session ends the next day; seven days later the user comes back and the remember-me cookie logs them in. Now that session marks that user as authenticated, but not fully, by remembering (from the cookie). – Jared Farrish Dec 21 '21 at 13:32
  • In other words, it's a way to enforce a username/password (or similar) authorized the session before allowing some (probably destructive or intrusive) controller to work. – Jared Farrish Dec 21 '21 at 13:36

1 Answer


If you ask for full authentication, i.e.:

use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;

/**
 * Requiring IS_AUTHENTICATED_FULLY
 *
 * @IsGranted("IS_AUTHENTICATED_FULLY", message="Nope, no access")
 */
public function resqueAction() // hypothetical action name, for illustration
{
}

Then when you are logging in with a user, your Authorization Checker must have granted you the IS_AUTHENTICATED_FULLY status in order to have access.

As explained in the docs:

IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.

You will be completely authenticated if you manually log in, and not via a cookie. If you are using a command that remembers your credentials, that might be the issue.

Check Doc nº3 to see whether your actual way of entering that route falls inside the IS_REMEMBERED status. Maybe you even end up preferring the less restrictive IS_AUTHENTICATED_REMEMBERED.


Check the different documentations here:

  1. https://symfony.com/doc/3.4/security.html#checking-to-see-if-a-user-is-logged-in-is-authenticated-fully
  2. https://symfony.com/doc/3.4/security.html#learn-more
  3. https://symfony.com/doc/3.4/security/remember_me.html
  4. https://symfony.com/doc/3.4/components/security/authorization.html#authorization-checker
  5. https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
S. Dre
  • You are referring to the current docs in your links while the OP has tagged the Symfony 3.4 version. Are you sure nothing has changed? PS: DW is not mine. – gp_sflover Dec 21 '21 at 13:10
  • True, you are right, I didn't realize the tag. I will update the links and take a look for any changes. EDIT: I don't see any changes that derail this answer. And don't worry, DW doesn't bother me when there is a reason behind it. – S. Dre Dec 21 '21 at 13:26
  • What does "manually log in" mean? I mean, if you logout, you will initially be redirected to a login page, which upon completion will redirect you to another page. That page will then remember that you are logged in using a cookie, so I don't see how you can escape the cookie bit. – oligofren Dec 21 '21 at 16:14
  • @oligofren Here is the documentation for [Symfony's Remember Me feature](https://symfony.com/doc/current/security/remember_me.html), which is a special cookie, not a session(-related) cookie. If you're hitting the "not fully logged in", you're seeing the remember me cookie in use. – Jared Farrish Dec 21 '21 at 16:23
  • Yes, but logging in by entering your password is not the same as being remembered. If you close your browser, you enter your page, and you are still logged in, you are not "manually logging in". – S. Dre Dec 21 '21 at 20:53
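The distinction the answer and comments describe can be observed directly with the component that makes the decision. The script below is an added example, not code from the question, the answer or ResqueBundle: it feeds Symfony 3.4's AuthenticatedVoter three token types and shows which of them satisfy IS_AUTHENTICATED_FULLY versus IS_AUTHENTICATED_REMEMBERED. It assumes symfony/security-core 3.4 installed via Composer; the firewall name 'main', the remember-me secret and the sample user are constructed values.

```php
<?php
// Added example: how Symfony's AuthenticatedVoter grades a session from the
// token type stored in it. Assumes symfony/security-core 3.4 (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\User;

// The trust resolver classifies tokens; the voter answers IS_AUTHENTICATED_* attributes.
$resolver = new AuthenticationTrustResolver(AnonymousToken::class, RememberMeToken::class);
$voter    = new AuthenticatedVoter($resolver);

// Constructed sample user; 'main' is a hypothetical firewall name and 'secret' a
// hypothetical remember-me secret (in a real app both come from security.yml).
$admin = new User('admin', 'not-checked-here', ['ROLE_ADMIN']);

$sessions = [
    'form login (username/password)' => new UsernamePasswordToken($admin, null, 'main', $admin->getRoles()),
    'remember-me cookie'             => new RememberMeToken($admin, 'main', 'secret'),
    'anonymous visitor'              => new AnonymousToken('secret', 'anon.'),
];

$attributes = [
    AuthenticatedVoter::IS_AUTHENTICATED_FULLY,
    AuthenticatedVoter::IS_AUTHENTICATED_REMEMBERED,
    AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY,
];

// Only the username/password token is "full fledged"; the remember-me token is
// trusted enough for REMEMBERED but not for FULLY, which is exactly the
// InsufficientAuthenticationException the question reports.
foreach ($sessions as $how => $token) {
    foreach ($attributes as $attribute) {
        $vote = $voter->vote($token, null, [$attribute]);
        printf("%-32s %-30s %s\n", $how, $attribute,
            $vote === VoterInterface::ACCESS_GRANTED ? 'granted' : 'denied');
    }
}
```

The same rule can be enforced at the firewall in the questioner's security.yml instead of in the controller, e.g. `- { path: ^/hidden, allow_if: "has_role('ROLE_ADMIN') and is_fully_authenticated()" }`, so a remember-me session is redirected to log in again before it ever reaches the Resque UI.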