Exception thrown when user needs to be re-authenticated #73

Open
bkosborne opened this issue May 28, 2014 · 3 comments

Comments

@bkosborne
Looks like #16 references this issue, but the "fix" doesn't appear to actually be a fix. I think there's a real bug present when a user needs to be re-authenticated.

My user class implements EquatableInterface and I have a method isEqualTo which determines if the serialized User object is the same as the refreshed User object. The behavior of comparing these two objects is described towards the bottom of this Cookbook page.

When the user has indeed changed, like a new role being added, my isEqualTo method properly returns false. However, I then get the following exception:

FatalErrorException: Error: Call to a member function validateCredentials() on a non-object in /Users/bkosborne/Sites/test/vendor/besimple/sso-auth-bundle/BeSimple/SsoAuthBundle/Security/Core/Authentication/Provider/SsoAuthenticationProvider.php line 78

Looks like the $token that's passed to authenticate on SsoAuthenticationProvider does not have its $manager property set. Not sure why, I've been struggling to understand the complexities of the Security component for a few days now.

@bkosborne (Author)

Dug deeper.

When the security component compares the serialized user object (from session) with a fresh one on a new request, and the comparison fails for whatever reason, the token will be set to unauthenticated, which makes sense. This should essentially log the user out and force a re-authentication.

When you have code in your app that checks for authorization, like the isGranted method on SecurityContext (used in twig quite a bit via is_granted), it first checks if the token is authenticated. If it's not, it attempts to re-authenticate that same token.

However, an SsoToken cannot be re-validated once it's already been validated, not like a UsernamePasswordToken can be. This is because the credentials used for validation can only be used once. A UsernamePasswordToken can be re-validated over and over since the password and username are serialized with the token object in the session, and can just be verified again.

This exception is being thrown when the SsoAuthenticationProvider attempts authentication on a token that's been de-serialized from the session. The de-serialized token doesn't have the manager object, which is the object validateCredentials is called on.

However, the real problem here is that even if it DID have the manager object, the validation would FAIL because the Cas token was already used.

I don't know the solution here. I may open a bug report w/ security component to get some feedback on these findings.

@bkosborne (Author)

OK, looks like this can be resolved.

I believe all that needs to happen is the authentication provider first check for the existence of the manager object, which it needs for validation. If it doesn't exist, then throw an AuthenticationException.

Doing so will actually trigger the entire authentication process for the user, by running our firewall entry point, exactly what we want.
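The following is an added example, not code from the bundle or from the commenter, showing one way to apply the check proposed above without patching the vendor class: a decorating authentication provider that refuses to re-validate a token restored from the session and lets the firewall's entry point run a fresh SSO round trip. It assumes Symfony 2.x's security component, and that the bundle's token class lives at `BeSimple\SsoAuthBundle\Security\Core\Authentication\Token\SsoToken` (inferred from the path in the stack trace) and exposes a `getManager()` accessor; both names are assumptions.

```php
<?php
// Added example, not the bundle's own code. Wraps the bundle's
// SsoAuthenticationProvider and guards the call that fails in the stack
// trace above. Namespace and accessor names are assumptions.

namespace Acme\Security\Authentication\Provider;

use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use BeSimple\SsoAuthBundle\Security\Core\Authentication\Token\SsoToken; // assumed class path

class GuardedSsoAuthenticationProvider implements AuthenticationProviderInterface
{
    /** @var AuthenticationProviderInterface the bundle's provider being wrapped */
    private $inner;

    public function __construct(AuthenticationProviderInterface $inner)
    {
        $this->inner = $inner;
    }

    public function supports(TokenInterface $token)
    {
        return $token instanceof SsoToken;
    }

    public function authenticate(TokenInterface $token)
    {
        if (!$this->supports($token)) {
            return null;
        }

        // A token that came back out of the session has no manager, and its
        // one-shot SSO ticket has already been consumed by the first login.
        // Rather than calling validateCredentials() on a non-object (the
        // fatal error reported above), fail authentication explicitly. The
        // firewall's ExceptionListener turns an AuthenticationException into
        // a call to the entry point, which starts a new SSO login.
        if (!is_object($token->getManager())) { // getManager() is an assumed accessor
            throw new AuthenticationException(
                'SSO token restored from the session cannot be re-validated; re-authentication required.'
            );
        }

        // Fresh token with a manager attached: let the bundle validate it.
        return $this->inner->authenticate($token);
    }
}
```

To take effect, this class has to be the provider the AuthenticationProviderManager sees for SSO tokens, i.e. registered in the container in place of (and constructed with) the bundle's provider; the exact service definition depends on how the firewall is configured and is not shown here.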

@mabzzz

mabzzz commented Apr 3, 2015

Hello,

I got the same error.
It looks like the SsoToken::unserialize() method tries to unserialize the "manager" into an unused "provider":

```php
public function serialize()
{
    // Stores the credentials and the manager alongside the parent token state.
    return serialize(array($this->credentials, $this->manager, parent::serialize()));
}

public function unserialize($str)
{
    // The second element (the serialized manager) is assigned to $this->provider,
    // so $this->manager stays unset on the token restored from the session.
    list($this->credentials, $this->provider, $parentStr) = unserialize($str);
    parent::unserialize($parentStr);
}
```
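As an added example, not code from the bundle or from either commenter, the stand-alone script below reproduces the round trip a token goes through in the session and shows the effect of the list() target in the posted unserialize(), next to the same method with the property name corrected. The token and manager classes are constructed stand-ins for SsoToken and its manager, not the bundle's classes.

```php
<?php
// Added example, not the bundle's code. Minimal stand-ins that mirror the
// serialize()/unserialize() pair posted above, run through a session-style
// round trip (serialize, then unserialize on the "next request").

class FakeManager
{
    // Stand-in for the object validateCredentials() is called on.
    public $name = 'sso-manager';
}

abstract class BaseToken implements \Serializable
{
    public $credentials;
    public $manager;
    public $provider; // the unrelated property the posted code writes into

    public function __construct($credentials, $manager)
    {
        $this->credentials = $credentials;
        $this->manager     = $manager;
    }

    public function serialize()
    {
        // Same layout as the posted serialize(), minus the parent state.
        return serialize(array($this->credentials, $this->manager));
    }
}

// Mirrors the posted unserialize(): the second element lands in $provider,
// so $manager is left null on the restored token.
class BuggyToken extends BaseToken
{
    public function unserialize($str)
    {
        list($this->credentials, $this->provider) = unserialize($str);
    }
}

// Identical except that the second element is assigned back to $manager.
class FixedToken extends BaseToken
{
    public function unserialize($str)
    {
        list($this->credentials, $this->manager) = unserialize($str);
    }
}

// What the session does between two requests.
function roundTrip(BaseToken $token)
{
    return unserialize(serialize($token));
}

// Constructed sample ticket; the value is arbitrary.
$ticket = 'ST-constructed-sample-ticket';

$buggy = roundTrip(new BuggyToken($ticket, new FakeManager()));
var_dump($buggy->credentials === $ticket);          // credentials survive the round trip
var_dump($buggy->manager === null);                 // is the manager gone from where the provider looks?
var_dump($buggy->provider instanceof FakeManager);  // did it land in the unused property?

$fixed = roundTrip(new FixedToken($ticket, new FakeManager()));
var_dump($fixed->manager instanceof FakeManager);   // manager restored to the right property
var_dump($fixed->provider === null);
```

Run it with `php` from the command line; each var_dump() reports the corresponding check. Note that the corrected property assignment only restores the object reference on the token; whether the credentials it carries can be validated a second time is the separate point raised in the earlier comments.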
