Task #44542

Mention the risk of requestPatterns regarding foreign package's SecurityContext usage

Added by Adrian Föder over 2 years ago. Updated over 2 years ago.

Status: New
Priority: Should have
Assigned To: Adrian Föder
Category: - Documentation -
Target version: -
Sprint:
PHP Version:
Start date: 2013-01-15
Due date:
% Done: 0%
Has patch: No
Complexity:

Description

If someone sets a RequestPattern to his package's namespace, for example

security:
  authentication:
    providers:
      DefaultProvider:
        provider: 'PersistedUsernamePasswordProvider'
        requestPatterns:
          controllerObjectName: 'Acme\.+'

This will have an evil side effect when using and relying on a foreign package's SecurityContext usage, because the foreign (controller) request won't involve the above authentication provider, since the RequestPattern does (of course) not match.

The foreign package is requested, for example via a widget; the widget includes the SecurityContext, and the SecurityContext tries to authenticate the tokens. But since the DefaultProvider token has the requestPattern set and it does not match this widget's request, the token will be deactivated, which may result in no authentication actually taking place.
As a result, the SecurityContext has no tokens and is unable to conduct any authentication, account retrieval etc.

This seems "as programmed", but should be emphasized in the documentation http://flow.typo3.org/documentation/guide/partiii/security.html#request-patterns as a caution note or similar.
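As an added illustration (not part of the original report and not the Flow project's own documentation), here is the narrow pattern from the description placed next to a pattern that also covers the foreign package's controllers. The widget controller namespace `TYPO3\Fluid\ViewHelpers\Widget\Controller` in the second variant, and the alternation syntax used to combine the two namespaces, are assumptions for the example; the value that is actually needed depends on the controller object names dispatched in your installation, so verify it against those before relying on it.

```yaml
# Added example, not from the original report or from Flow's documentation.
# Two alternative Configuration/Settings.yaml documents for the same provider.

# Variant 1 (as in the report): the provider is only active for requests
# whose controller object name starts with "Acme\". A request dispatched
# to a foreign controller, e.g. a Fluid widget controller, does not match,
# so the provider's token is inactive in that request and the
# SecurityContext there ends up without an authenticated token.
security:
  authentication:
    providers:
      DefaultProvider:
        provider: 'PersistedUsernamePasswordProvider'
        requestPatterns:
          controllerObjectName: 'Acme\.+'

---
# Variant 2 (assumption for illustration): widen the pattern so that the
# widget controllers the Acme package relies on are matched as well.
# "TYPO3\Fluid\ViewHelpers\Widget\Controller" is assumed to be the namespace
# of those controllers; check the real controller object names first.
security:
  authentication:
    providers:
      DefaultProvider:
        provider: 'PersistedUsernamePasswordProvider'
        requestPatterns:
          controllerObjectName: '(Acme|TYPO3\Fluid\ViewHelpers\Widget\Controller)\.+'
```

The two documents are alternatives, not one file. Note that widening the pattern does more than restore the tokens inside the widget request: the provider, and with it its authentication, now also applies to every request that reaches the additional controllers, so the pattern should be kept as tight as the application's actual dependencies allow. Leaving `requestPatterns` out altogether is the other option the report implies, since a provider without a pattern is not restricted to any request.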

History

#1 Updated by Sebastian Kurfuerst over 2 years ago

also see https://review.typo3.org/#/c/17582/ for a related change
