Symfony 身份验证 API 密钥丢失会话

Question

我正在按照本指南http://symfony.com/doc/current/cookbook/security/api_key_authentication.html 通过 API KEY 进行身份验证。

在调用最后一个方法身份验证令牌后，我可以登录用户，但它不会保留会话。

return new PreAuthenticatedToken(
        $user,
        $apiKey,
        $providerKey,
        $user->getRoles()
    );

我还尝试使用以下方法进行身份验证：

$user = new User("Test", null, array("ROLE_USER"));
$token = new UsernamePasswordToken($user, null, 'secured_area', $user->getRoles());
$this->get('security.context')->setToken($token);
$this->get('session')->set('_security_secured_area',serialize($token));

在这两种情况下，我只能让用户登录一个页面，而不是所有项目。

安全就像指南：

firewalls:
    secured_area:
        pattern: ^/testproject
        stateless: true
        simple_preauth:
            authenticator: apikey_authenticator

谢谢

[更新]

$user = new ApiKeyUserProvider();
$user = $user->loadUserByUsername("111111");

$apiKeyProvider = $this->get('apikey_authenticator');
$token = $apiKeyProvider->authenticateToken("111111",$user);
$this->get('security.context')->setToken($token);
$this->get('session')->set('_security_secured_area',serialize($token));

loadUserByUsername 就像 symfony 指南。

谢谢

Answer 1

我遇到了同样的问题，发现 apiKey 被保存为 Token 凭据。如果您不设置以下内容，这些将被删除：

security:
    erase_credentials:    false

Answer 2

如果您正确遵循本指南，身份验证应该会自动进行。您只需将参数apikey 附加到请求的末尾即可。

IE：

www.mydomain.com/testproject/get-some-random-data?apikey=vdsadbrfadbfda

Symfony 将在您的防火墙中接收此请求并通过 ApiKeyAuthenticator 运行它。

如果您想将该身份验证保存在会话中，以便后续请求不需要apikey，那么您可以在security.yml 中将stateless 配置更改为false

所以改变：

firewalls:
    secured_area:
        pattern: ^/testproject
        stateless: true
        simple_preauth:
            authenticator: apikey_authenticator

收件人：

firewalls:
    secured_area:
        pattern: ^/testproject
        stateless: false
        simple_preauth:
            authenticator: apikey_authenticator

看看：http://symfony.com/doc/current/cookbook/security/api_key_authentication.html#cookbook-security-api-key-session

您是否在 UserProvider 中实现了refreshUser 方法？

public function refreshUser(UserInterface $user)
{
    // this is used for storing authentication in the session
    // but in this example, the token is sent in each request,
    // so authentication can be stateless. Throwing this exception
    // is proper to make things stateless
    throw new UnsupportedUserException();
}

需要成为：

public function refreshUser(UserInterface $user)
{
    // $user is the User that you set in the token inside authenticateToken()
    // after it has been deserialized from the session

    // you might use $user to query the database for a fresh user
    // $id = $user->getId();
    // use $id to make a query

    // if you are *not* reading from a database and are just creating
    // a User object (like in this example), you can just return it
    return $user;
}