RemoteUserAuthenticator triggers Symfony 8 deprecation notice #59584
Comments
I'm testing a PR for this and will link to issue when complete.

I fail to see how you can experience this with Symfony 5.4 (which does not receive bugfixes anymore by the way) while the deprecation was introduced in 7.2.

The release page shows 5.4 as accepting security fixes only. Since this is part of the Security component, I figured that's where the change should be made. Although the deprecation was introduced in 7.2, it revealed a bug in the If I'm mistaken, please let me know which branch you'd prefer and I'll submit a new PR.

As per a PR comment, I've switched the PR base branch to 6.4.

Apologies; I ran into some trouble rebasing the commit for a test case from my previous PR so I created a new branch/PR to be safe.

…precation notice (phasdev)

This PR was merged into the 6.4 branch.

Discussion
----------

[Security] Return null instead of empty username to fix deprecation notice

| Q | A |
| ------------- | --- |
| Branch? | 6.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Issues | Fix #59584 |
| License | MIT |

`RemoteUserAuthenticator` may return an empty string when extracting a username from the configured `$_SERVER` parameter (e.g. `REMOTE_USER`). An empty username triggers the `User Deprecated: Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.`

Return `null` instead of empty username to skip authenticator when username is empty and fix Symfony 8 deprecation notice.

Commits
-------

a8516b7 [Security] Return null instead of empty username to fix deprecation notice

Symfony version(s) affected
6.4

Description
Shibboleth may include an empty username in the `REMOTE_USER` `$_SERVER` parameter, which triggers the following deprecation notice:

User Deprecated: Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0. (source)

How to reproduce
Configure a Symfony project using a remote_user authenticator. Configure the web server to set the `REMOTE_USER` `$_SERVER` parameter to an empty string. Try to authenticate. Log will show deprecation notice.

Possible Solution
Update the `RemoteUserAuthenticator` to return null when an empty string is detected in the `REMOTE_USER` `$_SERVER` parameter.

Additional Context
No response
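
The check proposed under Possible Solution, sketched as an added example that is not part of the original issue and is not Symfony's own code. The function names `extractUsernameBefore` and `extractUsernameAfter` are hypothetical and the `$_SERVER` arrays are constructed; the point is that the comparison must be strict so that only the empty string is rejected.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-alone helpers that mirror the behaviour described in the
// issue; they are not Symfony's RemoteUserAuthenticator implementation.

/** Before: whatever the web server put in the parameter is passed through. */
function extractUsernameBefore(array $server, string $userKey = 'REMOTE_USER'): ?string
{
    if (!array_key_exists($userKey, $server)) {
        return null; // parameter not set
    }

    return (string) $server[$userKey]; // '' is handed on as a user identifier
}

/** After: an empty string is treated like an absent parameter. */
function extractUsernameAfter(array $server, string $userKey = 'REMOTE_USER'): ?string
{
    $username = $server[$userKey] ?? null;

    // Strict comparison on purpose: empty() or ?: would also discard "0",
    // which is a non-empty string and may be a legitimate identifier.
    if (!is_string($username) || '' === $username) {
        return null;
    }

    return $username;
}

// Constructed sample $_SERVER arrays.
$samples = [
    'parameter missing' => [],
    'empty string'      => ['REMOTE_USER' => ''],
    'username "0"'      => ['REMOTE_USER' => '0'],
    'normal username'   => ['REMOTE_USER' => 'alice@example.org'],
];

foreach ($samples as $label => $server) {
    printf(
        "%-18s before=%-22s after=%s\n",
        $label,
        var_export(extractUsernameBefore($server), true),
        var_export(extractUsernameAfter($server), true)
    );
}
```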