php - Silex, bad credentials with security firewalls and custom user provider -

May 15, 2012

i have bad credentials on login attempt security firewalls , custom user provider. here's code.

$app->register(new securityserviceprovider(), array(         'security.firewalls' => array(             'admin' => array(                 'pattern' => '^/admin',                 'form' => array('login_path' => '/login', 'check_path' => '/admin/login_check'),                 'logout' => array('logout_path' => '/admin/logout'), // url call logging out                 'users' => $app->share(function() use ($app) {                     // specific class user\userprovider                     return new userprovider();                  }),             )         ),         'security.access_rules' => array(             // can rename role_admin wish             array('^/admin', 'role_admin'),         )     ));      $app['security.encoder.digest'] = $app->share(function ($app) {         // use sha1 algorithm         // don't base64 encode password         // use 1 iteration         return new messagedigestpasswordencoder('sha1', false, 1);     });

my route :

    $app->get("/login", "site\controllers\sitecontroller::login");     $app->post("/admin/login_check", "admin\controllers\admincontroller::logincheck");

my sitecontroller function :

public function login(application $app, request $request) {     return $app['twig']->render('site/views/login.html.twig', array(         'error' => $app['security.last_error']($request),         'last_username' => $app['session']->get('_security.last_username'),     ));   }

my view :

<form action="{{ path('admin_login_check') }}" method="post">     {{ error }}     <input type="text" name="username" value="{{ last_username }}" />     <input type="password" name="password" value="" />     <input type="submit" /> </form>

my db table :

id  username    password    roles      1   admin   d033e22ae348aeb5660fc2140aec35850c4da997    role_admin

my custom user provider :

<?php namespace user\models; use app\config\pdofactory; use symfony\component\security\core\user\userproviderinterface; use symfony\component\security\core\user\userinterface; use symfony\component\security\core\user\user; use symfony\component\security\core\exception\usernamenotfoundexception; use symfony\component\security\core\exception\unsupporteduserexception;  class userprovider extends pdofactory implements userproviderinterface {      public function loaduserbyusername($username)     {                    $response = $this->db->prepare('select * users username = ?');         $response->execute(array(strtolower($username)));         if (!$user = $response->fetch()) {             throw new usernamenotfoundexception(sprintf('username "%s" not exist.', $username));         }         return new user($user['username'], $user['password'], explode(',', $user['roles']), true, true, true, true);     }      public function refreshuser(userinterface $user)     {         if (!$user instanceof user) {             throw new unsupporteduserexception(sprintf('instances of "%s" not supported.', get_class($user)));         }          return $this->loaduserbyusername($user->getusername());     }      public function supportsclass($class)     {         return $class === 'symfony\component\security\core\user\user';     }  }

my database connection :

namespace app\config;  abstract class pdofactory {      protected $db;      public function __construct()     {                        $db = new \pdo('mysql:host=localhost;dbname=silex', 'root', '');         $db->setattribute(\pdo::attr_errmode, \pdo::errmode_exception);          $this->db = $db;     } }

on login attempt, don't think access logincheck function admincontroller since doesn't echo anything:

public function logincheck(application $app, request $request) {     echo 'login-check';     $username = $request->get('username');     $password = $request->get('password');     $password = $app['security.encoder.digest']->encodepassword($password, '');     $userprovider = new userprovider();     $user = $userprovider->loaduserbyusername($username);     if ($user->getpassword() == $password){         return $app['twig']->render('admin/views/index.html.twig');     }     else{         return $app['twig']->render('site/views/login.html.twig', array(             'error' => $app['security.last_error']($request),             'last_username' => $app['session']->get('_security.last_username'),         ));     }   }

my password 'admin', used code generate database table:

echo $app['security.encoder.digest']->encodepassword('admin', '');

can tell me wrong?

edit : mistake on view, didn't use underscore before post names

<form action="{{ path('admin_login_check') }}" method="post">             {{ error }}             <input type="text" name="_username" value="{{ last_username }}" />             <input type="password" name="_password" value="" />             <input type="submit" />         </form>

and don't need route nor controller function login_check path. it's managed security firewalls. thank you help!

first of all, enable logging (via monolog provider , set $app['debug'] = true; , check logs, security component yells lots of information if logged enabled.

second, don't have create controller (not route, security provider does you) check_path, the kernel traps incoming request path , checks if credentials valid (as long don't overwrite default authentication provider, don't want go route using login form).

having said , debug code can try use plain password encoder , once working, change again (you'll need update password field on db table, of course), log tell happening (if still lost log, post also).

Search This Blog

UV code

php - Silex, bad credentials with security firewalls and custom user provider -

Comments

Post a Comment

Popular posts from this blog

asp.net mvc - SSO between MVCForum and Umbraco7 -

Python Tkinter keyboard using bind -

ubuntu - Selenium Node Not Connecting to Hub, Not Opening Port -