Task #44542

Mention the risk of requestPatterns regarding foreign package's SecurityContext usage

Added by Adrian Föder almost 9 years ago. Updated almost 9 years ago.

Status:
New
Priority:
Should have
Assignee:
Category:
- Documentation -
Target version:
-
Start date:
2013-01-15
Due date:
% Done:

0%

Estimated time:
Sprint:
PHP Version:
Has patch:
No
Complexity:

Description

If someone sets a RequestPattern to his package's namespace, for example

security:
  authentication:
    providers:
      DefaultProvider:
        provider: 'PersistedUsernamePasswordProvider'
        requestPatterns:
          controllerObjectName: 'Acme\.+'

This will have an evil side effect when using and relying on foreign package's SecurityContext usage, because the foreign (controller) request won't involve the above authentication provider since the RequestPattern does (of course) not match.

The foreign package is requested, for example via a Widget; the widget includes the SecurityContext, and the SecurityContext tries to authenticate the tokens; but since the DefaultProvider token has the requestPattern set and it does not match this widget's request, the token will be deactivated, which may result in no authentication actually taking place.
As a result, the SecurityContext has no tokens and is unable to conduct any authentication, account retrieval, etc.

This seems "as programmed", but should be emphasized in the documentation http://flow.typo3.org/documentation/guide/partiii/security.html#request-patterns as a .. caution note or similar.
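The following is an added illustration, not Flow's own code, of the behaviour described above: a minimal model of how a provider's requestPatterns entry decides whether that provider's token stays active for a request. It assumes the same matching rule as Flow's ControllerObjectName pattern (backslashes in the configured pattern are escaped and the regex is anchored); the foreign widget controller name is a constructed, hypothetical value.

```php
<?php
// Added model (not Flow's code): token activation per request pattern.
// Assumption: like Flow's ControllerObjectName pattern, backslashes in the
// configured value are escaped before it is used as an anchored regex, so
// 'Acme\.+' means "Acme\" followed by at least one character.

/** TRUE if the configured pattern matches the request's controller object name. */
function controllerObjectNameMatches(string $pattern, string $controllerObjectName): bool
{
    $regex = '/^' . str_replace('\\', '\\\\', $pattern) . '$/';
    return (bool)preg_match($regex, $controllerObjectName);
}

/**
 * Given the providers configuration (name => settings) and the controller
 * handling the current request, return the names of the providers whose
 * tokens remain active. A provider without requestPatterns is always active;
 * one whose pattern does not match is deactivated for this request.
 */
function activeProvidersForRequest(array $providers, string $controllerObjectName): array
{
    $active = [];
    foreach ($providers as $name => $config) {
        $patterns = $config['requestPatterns'] ?? [];
        if (isset($patterns['controllerObjectName'])
            && !controllerObjectNameMatches($patterns['controllerObjectName'], $controllerObjectName)) {
            continue; // pattern set but not matched: token deactivated
        }
        $active[] = $name;
    }
    return $active;
}

// Constructed configuration mirroring the Settings.yaml excerpt in the issue.
$providers = [
    'DefaultProvider' => [
        'provider'        => 'PersistedUsernamePasswordProvider',
        'requestPatterns' => ['controllerObjectName' => 'Acme\.+'],
    ],
];

// Request handled by the package's own controller: the provider stays active.
var_dump(activeProvidersForRequest($providers, 'Acme\Blog\Controller\PostController'));

// Request handled by a foreign package's widget controller (hypothetical name):
// nothing matches, so the SecurityContext is left with no active tokens.
var_dump(activeProvidersForRequest($providers, 'Vendor\Foreign\Widget\Controller\PagingController'));
```

The first call returns the DefaultProvider, the second an empty list, which is exactly the situation in which account retrieval inside the widget fails.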

#1

Updated by Sebastian Kurfuerst almost 9 years ago

also see https://review.typo3.org/#/c/17582/ for a related change
