[SecurityBundle] Authentication entry point is only registered with firewall exception listener, not with authentication listeners

Author: Reinier Kip

DependencyInjection/SecurityExtension.php

@@ -333,8 +333,11 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
             ;
         }
 
+        // Determine default entry point
+        $defaultEntryPoint = isset($firewall['entry_point']) ? $firewall['entry_point'] : null;
+
         // Authentication listeners
-        list($authListeners, $defaultEntryPoint) = $this->createAuthenticationListeners($container, $id, $firewall, $authenticationProviders, $defaultProvider);
+        list($authListeners, $defaultEntryPoint) = $this->createAuthenticationListeners($container, $id, $firewall, $authenticationProviders, $defaultProvider, $defaultEntryPoint);
 
         $listeners = array_merge($listeners, $authListeners);
 
@@ -346,11 +349,6 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         // Access listener
         $listeners[] = new Reference('security.access_listener');
 
-        // Determine default entry point
-        if (isset($firewall['entry_point'])) {
-            $defaultEntryPoint = $firewall['entry_point'];
-        }
-
         // Exception listener
         $exceptionListener = new Reference($this->createExceptionListener($container, $firewall, $id, $defaultEntryPoint));
 
@@ -370,11 +368,10 @@ private function createContextListener($container, $contextKey)
         return $this->contextListeners[$contextKey] = $listenerId;
     }
 
-    private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider)
+    private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider, $defaultEntryPoint)
     {
         $listeners = array();
         $hasListeners = false;
-        $defaultEntryPoint = null;
 
         foreach ($this->listenerPositions as $position) {
             foreach ($this->factories[$position] as $factory) {

Tests/Functional/Bundle/FirewallEntryPointBundle/DependencyInjection/FirewallEntryPointExtension.php

@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallEntryPointBundle\DependencyInjection;
+
+use Symfony\Component\Config\FileLocator;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
+use Symfony\Component\HttpKernel\DependencyInjection\Extension;
+
+class FirewallEntryPointExtension extends Extension
+{
+    public function load(array $config, ContainerBuilder $container)
+    {
+        $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
+        $loader->load('services.xml');
+    }
+}

Tests/Functional/Bundle/FirewallEntryPointBundle/FirewallEntryPointBundle.php

@@ -0,0 +1,18 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallEntryPointBundle;
+
+use Symfony\Component\HttpKernel\Bundle\Bundle;
+
+class FirewallEntryPointBundle extends Bundle
+{
+}

Tests/Functional/Bundle/FirewallEntryPointBundle/Resources/config/services.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" ?>
+<container xmlns="http://symfony.com/schema/dic/services"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+    <services>
+        <service id="firewall_entry_point.entry_point.stub"
+                 class="Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallEntryPointBundle\Security\EntryPointStub"
+        />
+    </services>
+</container>

Tests/Functional/Bundle/FirewallEntryPointBundle/Security/EntryPointStub.php

@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallEntryPointBundle\Security;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+
+class EntryPointStub implements AuthenticationEntryPointInterface
+{
+    const RESPONSE_TEXT = '2be8e651259189d841a19eecdf37e771e2431741';
+
+    public function start(Request $request, AuthenticationException $authException = null)
+    {
+        return new Response(self::RESPONSE_TEXT);
+    }
+}

Tests/Functional/FirewallEntryPointTest.php

@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallEntryPointBundle\Security\EntryPointStub;
+
+/**
+ * @group functional
+ */
+class FirewallEntryPointTest extends WebTestCase
+{
+    public function testItUsesTheConfiguredEntryPointWhenUsingUnknownCredentials()
+    {
+        $client = $this->createClient(array('test_case' => 'FirewallEntryPoint'));
+        $client->insulate();
+
+        $client->request('GET', '/secure/resource', array(), array(), array(
+            'PHP_AUTH_USER' => 'unknown',
+            'PHP_AUTH_PW'   => 'credentials',
+        ));
+
+        $this->assertEquals(
+            EntryPointStub::RESPONSE_TEXT,
+            $client->getResponse()->getContent(),
+            "Custom entry point wasn't started"
+        );
+    }
+
+    protected function setUp()
+    {
+        parent::setUp();
+
+        $this->deleteTmpDir('FirewallEntryPoint');
+    }
+
+    protected function tearDown()
+    {
+        parent::tearDown();
+
+        $this->deleteTmpDir('FirewallEntryPoint');
+    }
+}

Tests/Functional/app/FirewallEntryPoint/bundles.php

@@ -0,0 +1,7 @@
+<?php
+
+return array(
+    new Symfony\Bundle\FrameworkBundle\FrameworkBundle(),
+    new Symfony\Bundle\SecurityBundle\SecurityBundle(),
+    new Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallEntryPointBundle\FirewallEntryPointBundle(),
+);

Tests/Functional/app/FirewallEntryPoint/config.yml

@@ -0,0 +1,33 @@
+framework:
+    secret:        test
+    csrf_protection:
+        enabled: true
+    router:        { resource: "%kernel.root_dir%/%kernel.test_case%/routing.yml" }
+    validation:    { enabled: true, enable_annotations: true }
+    form: ~
+    test: ~
+    default_locale: en
+    session:
+        storage_id:     session.storage.mock_file
+    profiler: { only_exceptions: false }
+
+services:
+    logger: { class: Symfony\Component\HttpKernel\Log\NullLogger }
+
+security:
+    firewalls:
+        secure:
+            pattern: ^/secure/
+            http_basic: { realm: "Secure Gateway API" }
+            entry_point: firewall_entry_point.entry_point.stub
+        default:
+            anonymous: ~
+    access_control:
+        - { path: ^/secure/, roles: ROLE_SECURE }
+    providers:
+        in_memory:
+            memory:
+                users:
+                    john: { password: doe, roles: [ROLE_SECURE] }
+    encoders:
+        Symfony\Component\Security\Core\User\User: plaintext

Tests/Functional/app/FirewallEntryPoint/routing.yml

@@ -0,0 +1,2 @@
+secure_resource:
+    path: /secure/resource