[FLOW3-general] Best Practices for Login/Logout
Manuel Strausz
manuel.strausz at gmail.com
Sat Nov 19 02:09:23 CET 2011
Hey guys,
I've recently struggled a bit more than expected while trying to get a
simple login/logout use case running smoothly.
Basically what I'm trying to do is to make the whole site protected (as
in, needs Authentication, no Policies so far). Except for, of course,
the login controller which is responsible for displaying the login
template. For authentication, I call the authenticateAction in the
AuthenticationController that is shipped with FLOW3, and I try to use
the built-in classes and mechanisms as much as possible.
Now for my initial configuration. These are my current security settings:
security:
  enable: yes
  authentication:
    providers:
      DefaultProvider:
        providerClass: PersistedUsernamePasswordProvider
        entryPoint:
          WebRedirect:
            uri: login/
  firewall:
    rejectAll: n
    filters:
      -
        patternType: ControllerObjectName
        patternValue: .*\LoginController
        interceptor: AccessGrant
      -
        patternType: FX\Addons\Security\RequestPattern\ControllerObjectNameEx
        patternValue:
          pattern: Arbyte\Sie\Presse\.*
          exclude: .*\LoginController
        interceptor: RequireAuthentication
The only thing that is non-standard here is the "ControllerObjectNameEx"
which is just a simple extension of the normal pattern, to be able to
"exclude" the LoginController from the RequireAuthentication
interceptor. Since the LoginController lies in the same controller
namespace as the rest of the Site that should be protected, this was the
only feasible solution I could think of without writing overly-complex
Regexes. Maybe something less cumbersome is possible ;)
This works all fine and dandy, but the problem is the "logout" Action.
Here I also just call the logoutAction of the supplied
AuthenticationController, and try to do some signal slot wiring to do the
redirect after the logout. The problem: It never gets that far.
Apparently, the AuthenticationProviderManager doesn't allow to perform
the logout if the SecurityContext wasn't initialized. Since the
initialization is performed in a lazy way (e.g. when querying accounts,
or tokens), it is never initialized - the firewall never tries to query
the tokens, since it doesn't need Authentication for the
AuthenticationController.
Do I need to include the AuthenticationController in the firewall, to
make the security context initialized? Or could this be a bug, and the
logout should automatically initialize the security context, if it
wasn't already initialized?
I couldn't really find any examples for this specific problem, so I hope
I'm not doing it totally wrong ;)
Thanks in advance & best regards,
Manuel
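For readers wondering what the "ControllerObjectNameEx" pattern described above might look like, here is a sketch of such an exclude-capable request pattern. This is an added example, not the poster's FX\Addons code; it assumes the FLOW3 1.0 RequestPatternInterface (canMatch/getPattern/setPattern/matchRequest) and that the YAML map under patternValue arrives in setPattern() as an array with "pattern" and "exclude" keys.

```php
<?php
namespace FX\Addons\Security\RequestPattern;

use TYPO3\FLOW3\MVC\ActionRequest;
use TYPO3\FLOW3\MVC\RequestInterface;
use TYPO3\FLOW3\Security\RequestPatternInterface;

/**
 * Hypothetical reconstruction: ControllerObjectName pattern plus an
 * "exclude" regex. Assumes the FLOW3 1.0 RequestPatternInterface.
 */
class ControllerObjectNameEx implements RequestPatternInterface {

    protected $pattern = '';
    protected $exclude = NULL;

    public function canMatch(RequestInterface $request) {
        return ($request instanceof ActionRequest);
    }

    public function getPattern() {
        return array('pattern' => $this->pattern, 'exclude' => $this->exclude);
    }

    // Accepts a plain string (plain ControllerObjectName behaviour) or
    // an array with "pattern" and an optional "exclude" key.
    public function setPattern($pattern) {
        if (is_array($pattern)) {
            $this->pattern = isset($pattern['pattern']) ? $pattern['pattern'] : '';
            $this->exclude = isset($pattern['exclude']) ? $pattern['exclude'] : NULL;
        } else {
            $this->pattern = (string)$pattern;
            $this->exclude = NULL;
        }
    }

    // Matches when the controller name matches "pattern" and does NOT
    // match "exclude". Both are anchored with ^...$, so an exclude such as
    // ".*\LoginController" cannot widen the unprotected set further than written.
    public function matchRequest(RequestInterface $request) {
        $name = $request->getControllerObjectName();
        if (!$this->fullMatch($this->pattern, $name)) return FALSE;
        if ($this->exclude !== NULL && $this->fullMatch($this->exclude, $name)) return FALSE;
        return TRUE;
    }

    protected function fullMatch($regex, $subject) {
        // Backslashes in the configured value are namespace separators, not regex escapes.
        return (boolean)preg_match('/^' . str_replace('\\', '\\\\', $regex) . '$/', $subject);
    }
}
```

With the filter order from the mail, the AccessGrant filter still fires first for the LoginController; the exclude only keeps the RequireAuthentication filter from also matching it.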