Fungsi firewall bagi keselamatan symfony2, curl menyerupai pelaporan ralat penyerahan borang

Question

Hello semua, kerana keperluan perniagaan, saya menggunakan borang simulasi curl dan bukannya penyerahan borang sebenar Namun, apabila log sistem menunjukkan bahawa pengesahan berjaya, ralat berlaku semasa lompatan adalah seperti berikut:

 security.INFO: User "admin" has been authenticated successfully [] []
[2015-06-10 16:50:46] event.DEBUG: Listener "Symfony\Component\Security\Http\Firewall::onKernelRequest" stopped propagation of the event "kernel.request". [] []
[2015-06-10 16:50:46] event.DEBUG: Listener "Symfony\Bundle\AsseticBundle\EventListener\RequestListener::onKernelRequest" was not called for event "kernel.request". [] []
[2015-06-10 16:50:46] event.DEBUG: Listener "Symfony\Component\HttpKernel\EventListener\ErrorsLoggerListener::injectLogger" was not called for event "kernel.request". [] []
[2015-06-10 16:50:46] event.DEBUG: Listener "Symfony\Component\HttpKernel\EventListener\ErrorsLoggerListener::injectLogger" was not called for event "kernel.request". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\Security\Http\Firewall\ContextListener::onKernelResponse". [] []
[2015-06-10 16:50:46] security.DEBUG: Write SecurityContext in the session [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Bridge\Monolog\Handler\FirePHPHandler::onKernelResponse". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Bridge\Monolog\Handler\ChromePhpHandler::onKernelResponse". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\ResponseListener::onKernelResponse". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\Security\Http\RememberMe\ResponseListener::onKernelResponse". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Sensio\Bundle\FrameworkExtraBundle\EventListener\CacheListener::onKernelResponse". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\ProfilerListener::onKernelResponse". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Bundle\WebProfilerBundle\EventListener\WebDebugToolbarListener::onKernelResponse". 
[] [][2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\SaveSessionListener::onKernelResponse". [] []
[2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\StreamedResponseListener::onKernelResponse". [] 
[][2015-06-10 16:50:46] event.DEBUG: Notified event "kernel.terminate" to listener "Symfony\Bundle\SwiftmailerBundle\EventListener\EmailSenderListener::onTerminate". [] []
[2015-06-10 16:50:47] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\ProfilerListener::onKernelRequest". [] []
[2015-06-10 16:50:47] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Bundle\FrameworkBundle\EventListener\SessionListener::onKernelRequest". [] []
[2015-06-10 16:50:47] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\FragmentListener::onKernelRequest". [] []
[2015-06-10 16:50:47] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\RouterListener::onKernelRequest". [] []
[2015-06-10 16:50:47] request.INFO: Matched route "home" (parameters: "_controller": "User\UserBundle\Controller\HomeController::index", "_route": "home") [] []
[2015-06-10 16:50:47] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\LocaleListener::onKernelRequest". [] []
[2015-06-10 16:50:47] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\Security\Http\Firewall::onKernelRequest". [] []
[2015-06-10 16:50:47] event.DEBUG: Notified event "kernel.exception" to listener "Symfony\Component\Security\Http\Firewall\ExceptionListener::onKernelException". [] []
[2015-06-10 16:50:47] security.INFO: Authentication exception occurred; redirecting to authentication entry point (A Token was not found in the SecurityContext.) [] []
[2015-06-10 16:50:47] security.DEBUG: Calling Authentication entry point [] []

Kod simulasi adalah seperti berikut:

Fail konfigurasi adalah sama dengan penyerahan borang, kedua-duanya adalah logintest
Walau bagaimanapun, keputusan penyerahan borang adalah betul, tetapi simulasi curl tidak betul. Anda boleh melihat bahawa token tidak diperoleh pada penghujung log, tetapi melompat terus kembali ke logintest.
Soalan saya ialah, apakah perbezaan antara simulasi curl dan penyerahan borang sebenar Tambahan pula, bagaimana symfony memantau masa penyerahan? Terima kasih semua, mencari penyelesaian.

Answer 1

Dalam Symfony, Borang akan secara automatik menambah medan tersembunyi TOKEN CSRF (nama lalai ialah _token) untuk mengelakkan penyerahan yang tidak sah Apabila borang diserahkan, sistem akan mula-mula mengesan kesahihan _token, jadi soalan Apabila anda menyerahkan menggunakan CURL, anda mesti menambah _token secara manual dan menjana TOKEN CSRF secara manual:

$intention = 'test string';
$csrf      = $this->get('form.csrf_provider');

Jana TOKEN CSRF dan:

$post_data['_token'] = $csrf->generateCsrfToken($intention);

Semak sama ada CSRF adalah sah apabila borang diserahkan:

$token = $request->get('_token');

if( $csrf->isCsrfTokenValid($intention, $token) ) {
    return new Response('CSRF Token Invalid');
}

return new Response('Success');

Sebagai alternatif, anda boleh melumpuhkan CSRF terus dalam configureOptions:

$resolver->setDefaults(array(
    'csrf_protection' => true
));