Closed
Symfony version(s) affected
6.4
Description
Shibboleth may include an empty username in the REMOTE_USER $_SERVER parameter, which triggers the following deprecation notice:
User Deprecated: Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.
(source)
How to reproduce
Configure a Symfony project using a remote_user authenticator. Configure the web server to set the REMOTE_USER $_SERVER parameter to an empty string. Try to authenticate. Log will show deprecation notice.
Possible Solution
Update the RemoteUserAuthenticator to return null when an empty string is detected in the REMOTE_USER $_SERVER parameter.
Additional Context
No response
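The check proposed under "Possible Solution", as an added stand-alone example that is not part of the original issue and is not Symfony's code. The function name `extractRemoteUser` and the sample `$_SERVER` arrays are hypothetical; the example treats a missing key and an empty string the same way, and shows why a strict comparison is used rather than `empty()`.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Symfony code): returns the pre-authenticated
 * user identifier from a $_SERVER-style array, or null when the web
 * server supplied none.
 */
function extractRemoteUser(array $server, string $userKey = 'REMOTE_USER'): ?string
{
    $value = $server[$userKey] ?? null;

    // Reject non-strings and the empty string. A strict comparison is
    // used instead of empty(), because empty('0') is true in PHP and
    // would drop a legitimate identifier "0".
    if (!is_string($value) || $value === '') {
        return null;
    }

    return $value;
}

// Constructed sample inputs, standing in for what the web server passes.
$cases = [
    'missing key'  => [],
    'empty string' => ['REMOTE_USER' => ''],
    'user "0"'     => ['REMOTE_USER' => '0'],
    'normal user'  => ['REMOTE_USER' => 'alice@example.org'],
];

foreach ($cases as $label => $server) {
    $user = extractRemoteUser($server);
    printf(
        "%-12s => %s\n",
        $label,
        $user === null ? 'null (no pre-authenticated user)' : "'$user'"
    );
}
```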