Feature #45282

Base Distribution - Work Package #45088: Improved REST support

Support for "sessionless authentication"

Added by Bastian Waidelich about 7 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Should have
Category:
Security
Start date:
2013-02-08
Due date:
2013-04-13
% Done:

100%

Estimated time:
108.00 h
PHP Version:
Has patch:
No
Complexity:

Description

Currently Flow relies on a session to be active in at least three places:

  1. \TYPO3\Flow\Security\Aspect\RequestDispatchingAspect::blockIllegalRequestsAndForwardToAuthenticationEntryPoints() calls \TYPO3\Flow\Security\Context::setInterceptedRequest() if an entryPoint is defined. Setting the intercepted request starts a session. This can be worked around by avoiding entryPoint or using requestPatterns to limit them only to certain parts of an application that allow sessions. #45100 might also be a solution for that
  2. \TYPO3\Flow\Security\Authentication\AuthenticationProviderManager::authenticate() emits the authenticatedToken signal after successful authentication which is configured to call \TYPO3\Flow\Session\SessionInterface::renewId()
  3. \TYPO3\Flow\Security\Authentication\AuthenticationProviderManager::isAuthenticated() returns FALSE if no session was started/can be resumed

Related issues

Related to TYPO3.Flow - Feature #45100: RequestDispatchingAspect should check if entry point can handle current request Under Review 2013-02-03

Associated revisions

Revision 7d79b800 (diff)
Added by Bastian Waidelich almost 7 years ago

[!!!][FEATURE] Support for "sessionless authentication"

This feature enables authentication without the need of a session to be started.
This is useful for stateless services (e.g. REST) where you don't want Flow to create
a session cookie.

This is a breaking change if you created a custom authentication provider or -token
and relied on the fact that AuthenticationProvider::authenticate() started a session.
With this change the session is started when AuthenticationToken::updateCredentials() is
called. This way the token can decide if it needs a session.
Just add a @Flow\Session(autoStart=true) to the updateCredentials() method if your custom
token relies on a session.

Change-Id: I5f86cb7a3a3fff3220d61d705f216e1b1d4f2369
Resolves: #45282
Releases: master, 2.0

Revision bd46c612 (diff)
Added by Bastian Waidelich almost 7 years ago

[BUGFIX] Fix security related functional tests

With the fix related to "sessionless authentication"
(I5f86cb7a3a3fff3220d61d705f216e1b1d4f2369) settings have been
adjusted in order to use the testing provider & token only for requests
matching a ControllerObjectName of "TYPO3\Flow\Tests\.*".

This change adjusts the tests accordingly.

Change-Id: I307cd295c43c346f18acc5c1fd2886166c10cbbb
Related: #45282
Resolves: #45953
Releases: master, 2.0

Revision 158f3519 (diff)
Added by Bastian Waidelich almost 7 years ago

[!!!][FEATURE] Support for "sessionless authentication"

This feature enables authentication without the need of a session to be started.
This is useful for stateless services (e.g. REST) where you don't want Flow to create
a session cookie.

This is a breaking change if you created a custom authentication provider or -token
and relied on the fact that AuthenticationProvider::authenticate() started a session.
With this change the session is started when AuthenticationToken::updateCredentials() is
called. This way the token can decide if it needs a session.
Just add a @Flow\Session(autoStart=true) to the updateCredentials() method if your custom
token relies on a session.

Change-Id: I5f86cb7a3a3fff3220d61d705f216e1b1d4f2369
Resolves: #45282
Releases: master, 2.0

Revision 6a94328f (diff)
Added by Bastian Waidelich almost 7 years ago

[BUGFIX] Fix security related functional tests

With the fix related to "sessionless authentication"
(I5f86cb7a3a3fff3220d61d705f216e1b1d4f2369) settings have been
adjusted in order to use the testing provider & token only for requests
matching a ControllerObjectName of "TYPO3\Flow\Tests\.*".

This change adjusts the tests accordingly.

Change-Id: I307cd295c43c346f18acc5c1fd2886166c10cbbb
Related: #45282
Resolves: #45953
Releases: master, 2.0

Revision 9feb5902 (diff)
Added by Robert Lemke almost 7 years ago

[FEATURE] Support for sessionless authentication

This feature enables authentication without the need of a session to
be started. This is useful for stateless services (e.g. REST) where
you don't want Flow to create a session cookie.

Authentication tokens which don't rely on a session simply implement
the SessionlessTokenInterface marker interface.

This patch reverts parts of the first implementation of sessionless
authentication introduced in https://review.typo3.org/#/c/18388
(commit I5f86cb7a3a3fff3220d61d705f216e1b1d4f2369).
The original implementation was a breaking change with a few
unresolved side effects.

The implementation contained in this change set is backwards
compatible with already existing authentication tokens which
relied on sessions.

This patch also contains a small speed optimization for the CSRF
Protection pattern which assumes that no account has been
authenticated yet if the Authentication Manager is still a Dependency
Proxy.

Change-Id: Iccd2b8fde6a5f37d3d434c959705a85cdcda4b11
Resolves: #45282
Resolves: #46428
Releases: master, 2.0

Revision ff5de86a (diff)
Added by Robert Lemke almost 7 years ago

[FEATURE] Support for sessionless authentication

This feature enables authentication without the need of a session to
be started. This is useful for stateless services (e.g. REST) where
you don't want Flow to create a session cookie.

Authentication tokens which don't rely on a session simply implement
the SessionlessTokenInterface marker interface.

This patch reverts parts of the first implementation of sessionless
authentication introduced in https://review.typo3.org/#/c/18388
(commit I5f86cb7a3a3fff3220d61d705f216e1b1d4f2369).
The original implementation was a breaking change with a few
unresolved side effects.

The implementation contained in this change set is backwards
compatible with already existing authentication tokens which
relied on sessions.

This patch also contains a small speed optimization for the CSRF
Protection pattern which assumes that no account has been
authenticated yet if the Authentication Manager is still a Dependency
Proxy.

Change-Id: Iccd2b8fde6a5f37d3d434c959705a85cdcda4b11
Resolves: #45282
Resolves: #46428
Releases: master, 2.0

History

#1 Updated by Gerrit Code Review about 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18388

#2 Updated by Bastian Waidelich about 7 years ago

  • Parent task set to #45088

#3 Updated by Gerrit Code Review almost 7 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/18388

#4 Updated by Bastian Waidelich almost 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5 Updated by Gerrit Code Review almost 7 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/19106

#6 Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19340

#7 Updated by Gerrit Code Review almost 7 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19340

#8 Updated by Aske Ertmann almost 7 years ago

  • Parent task deleted (#45088)

#9 Updated by Aske Ertmann almost 7 years ago

  • Parent task set to #45088

#10 Updated by Aske Ertmann almost 7 years ago

  • Estimated time set to 108.00 h

#11 Updated by Bastian Waidelich almost 7 years ago

  • Due date set to 2013-04-13

#12 Updated by Gerrit Code Review almost 7 years ago

Patch set 2 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/19106

#13 Updated by Bastian Waidelich almost 7 years ago

  • Status changed from Under Review to Resolved

#14 Updated by Gerrit Code Review almost 7 years ago

  • Status changed from Resolved to Under Review

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19340

#15 Updated by Anonymous almost 7 years ago

  • Status changed from Under Review to Resolved

#16 Updated by Gerrit Code Review almost 7 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/19615

#17 Updated by Anonymous almost 7 years ago

  • Status changed from Under Review to Resolved

Also available in: Atom PDF