Impersonate user header doesn't work #39907

Closed
Viktor-Bredihin opened this issue Jan 20, 2021 · 9 comments

@Viktor-Bredihin

Symfony version(s) affected: 5.2.0

Description
https://symfony.com/doc/current/security/impersonating_user.html
The documentation says:

> Instead of adding a `_switch_user` query string parameter, you can pass the username in a `HTTP_X_SWITCH_USER` header.

However, it doesn't work, so I have to use the query parameter `_switch_user`.

How to reproduce
Set up a new Symfony project and follow the instructions from the documentation https://symfony.com/doc/current/security/impersonating_user.html using the header solution instead of the query parameter.

Possible Solution

Additional context

@xabbuh
Member

xabbuh commented Jan 20, 2021

Can you create a small example application that allows reproducing your issue?

@OskarStark
Contributor

Do you get any errors or log entries?

@stof
Member

stof commented Jan 21, 2021

The implementation seems to expect a `_switch_user` header (same name as the query param), not an `x_switch_user` one.

@Viktor-Bredihin
Author

@stof
Thanks for the reply, but I tried it too and it doesn't work either.

@OskarStark
I haven't had time to prepare an example yet.

@jorissae
Contributor

jorissae commented Jan 27, 2021

In your security.yaml you can do this:

```yaml
main:
    pattern: ^/
    switch_user:
        parameter: 'HTTP_X_SWITCH_USER'
```

In the listener there is: (Symfony\Component\Security\Http\Firewall\SwitchUserListener)

```php
$username = $request->get($this->usernameParameter);
if (null === $username || '' === $username) {
    $username = $request->headers->get($this->usernameParameter);
}
```

Why not do something close to that (to comply with the doc):

```php
$username = $request->get($this->usernameParameter);
if (null === $username || '' === $username) {
    $username = $request->headers->get($this->usernameParameter, $request->headers->get('HTTP_X_SWITCH_USER'));
}
```

@fbourigault
Contributor

fbourigault commented Mar 4, 2021

The documentation is weird on this point. As `ServerBag` removes `HTTP_` prefixes from server variables, you have to provide, with the default configuration, a `_Switch-User` header.

Which translates to `$_SERVER['HTTP__SWITCH_USER']` (note the double `_` here).

If you configure `parameter: HTTP_X_SWITCH_USER` (which translates to `$_SERVER['HTTP_HTTP_X_SWITCH_USER']`), you have to send a `Http-X-Switch-User` header to get impersonation working.

I used to configure `parameter: x_switch_user` so I can use the `X-Switch-User` header.
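
The name mapping described in the comment above, as an added example that is not part of the original thread and not Symfony's own code: a stand-alone PHP model of the two normalization steps (the `HTTP_` prefix stripped from `$_SERVER` keys, then header keys lowercased with `_` turned into `-`). The function names and the sample username `alice` are assumptions made for illustration.

```php
<?php
// Stand-alone model of the header lookup, not Symfony's code. It mirrors how
// ServerBag strips the HTTP_ prefix and how HeaderBag normalizes keys.

const UPPER = '_ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const LOWER = '-abcdefghijklmnopqrstuvwxyz';

/** How the PHP SAPI exposes a request header name as a $_SERVER key. */
function serverKeyFor(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

/** Build the header map from $_SERVER-style input (modelled). */
function headersFromServer(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        if (0 === strpos($key, 'HTTP_')) {
            $headers[strtr(substr($key, 5), UPPER, LOWER)] = $value;
        }
    }
    return $headers;
}

/** The header lookup done with the configured switch_user.parameter (modelled). */
function lookupSwitchUser(array $headers, string $parameter): ?string
{
    return $headers[strtr($parameter, UPPER, LOWER)] ?? null;
}

// Constructed sample: [header the client sends, configured parameter].
$cases = [
    ['X-Switch-User',      '_switch_user'],        // default parameter
    ['_Switch-User',       '_switch_user'],
    ['X-Switch-User',      'HTTP_X_SWITCH_USER'],
    ['Http-X-Switch-User', 'HTTP_X_SWITCH_USER'],
    ['X-Switch-User',      'x_switch_user'],
];

foreach ($cases as [$header, $parameter]) {
    $server = [serverKeyFor($header) => 'alice'];   // simulated $_SERVER
    $found  = lookupSwitchUser(headersFromServer($server), $parameter);
    printf("%-20s parameter=%-20s %-26s => %s\n",
        $header, $parameter, key($server), $found ?? 'no match');
}
```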

@Gu3

Gu3 commented Aug 4, 2021

Yep, works for me too if I have this in my config:

```yaml
switch_user:
    parameter: X-Switch-User
```

PS: If you use nelmio_cors, remember to update the config too:

```yaml
nelmio_cors:
    defaults:
        origin_regex: true
        allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Authorization', 'x-switch-user']
```

@wouterj
Member

wouterj commented Sep 5, 2021

Hi there! Is someone willing to submit a pull request to the documentation to add the small configuration example shared by @Gu3 in the header tip?

@xabbuh
Member

xabbuh commented Oct 12, 2021

closing here as this rather looks like a documentation issue

@xabbuh xabbuh closed this as completed Oct 12, 2021
ttskch added a commit to ttskch/symfony-docs that referenced this issue Jan 17, 2022
To use switching user feature via `HTTP_X_SWITCH_USER` header we have to set `switch_user.parameter: HTTP_X_SWITCH_USER` in security.yaml.

refs: symfony/symfony#39907
javiereguiluz added a commit to javiereguiluz/symfony-docs that referenced this issue Mar 21, 2022
This PR was merged into the 4.4 branch.

Discussion
----------

[Security] Update impersonating_user.rst

To use switching user feature via `HTTP_X_SWITCH_USER` header we have to set `switch_user.parameter: HTTP_X_SWITCH_USER` in security.yaml.

refs: symfony/symfony#39907

<!--

If your pull request fixes a BUG, use the oldest maintained branch that contains
the bug (see https://symfony.com/releases for the list of maintained branches).

If your pull request documents a NEW FEATURE, use the same Symfony branch where
the feature was introduced (and `6.x` for features of unreleased versions).

-->

Commits
-------

38b42b8 Update impersonating_user.rst