bug #42354 [Ldap][Security] Make LdapAuthenticator an EntryPoint (dcp-dev, chalasr)

fabpot · fabpot · commit d499ecde6f81 · 2021-09-26T18:35:00.000+02:00
This PR was merged into the 5.3 branch. Discussion ---------- [Ldap][Security] Make LdapAuthenticator an EntryPoint | Q | A | ------------- | --- | Branch? | 5.3 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #42346 | License | MIT | Doc PR | N/A I added `@chalasr`'s recommandations given in symfony/symfony#42346 (comment) Commits ------- 4daad9e784 Fix decorating non-entrypoint authenticators 0b0c15c019 [Ldap] Make LdapAuthenticator an EntryPoint
diff --git a/EntryPoint/Exception/NotAnEntryPointException.php b/EntryPoint/Exception/NotAnEntryPointException.php
@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EntryPoint\Exception;
+
+/**
+ * Thrown by generic decorators when a decorated authenticator does not implement
+ * {@see AuthenticationEntryPointInterface}.
+ *
+ * @author Robin Chalas <robin.chalas@gmail.com>
+ */
+class NotAnEntryPointException extends \RuntimeException
+{
+}
diff --git a/Firewall/ExceptionListener.php b/Firewall/ExceptionListener.php
@@ -31,6 +31,7 @@
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Util\TargetPathTrait;
 
@@ -195,11 +196,7 @@ private function handleLogoutException(ExceptionEvent $event, LogoutException $e
     private function startAuthentication(Request $request, AuthenticationException $authException): Response
     {
         if (null === $this->authenticationEntryPoint) {
-            if (null !== $this->logger) {
-                $this->logger->notice(sprintf('No Authentication entry point configured, returning a %s HTTP response. Configure "entry_point" on the firewall "%s" if you want to modify the response.', Response::HTTP_UNAUTHORIZED, $this->firewallName));
-            }
-
-            throw new HttpException(Response::HTTP_UNAUTHORIZED, $authException->getMessage(), $authException, [], $authException->getCode());
+            $this->throwUnauthorizedException($authException);
         }
 
         if (null !== $this->logger) {
@@ -219,7 +216,11 @@ private function startAuthentication(Request $request, AuthenticationException $
             }
         }
 
-        $response = $this->authenticationEntryPoint->start($request, $authException);
+        try {
+            $response = $this->authenticationEntryPoint->start($request, $authException);
+        } catch (NotAnEntryPointException $e) {
+            $this->throwUnauthorizedException($authException);
+        }
 
         if (!$response instanceof Response) {
             $given = get_debug_type($response);
@@ -237,4 +238,13 @@ protected function setTargetPath(Request $request)
             $this->saveTargetPath($request->getSession(), $this->firewallName, $request->getUri());
         }
     }
+
+    private function throwUnauthorizedException(AuthenticationException $authException)
+    {
+        if (null !== $this->logger) {
+            $this->logger->notice(sprintf('No Authentication entry point configured, returning a %s HTTP response. Configure "entry_point" on the firewall "%s" if you want to modify the response.', Response::HTTP_UNAUTHORIZED, $this->firewallName));
+        }
+
+        throw new HttpException(Response::HTTP_UNAUTHORIZED, $authException->getMessage(), $authException, [], $authException->getCode());
+    }
 }
