[Flow] Strange Issues with sessions and ACLs

Christian Loock chl at vkf-renzel.de
Thu Sep 19 10:10:20 CEST 2013


Hello fellow Flowers,

I have encountered some unexpected behaviour when trying to create a 
controller that should not be guarded by Flow's Security Framework.

I created a controller that should be viewable by everybody. I added it 
to the Policy.yaml of my package as follows:

resources:
    methods:
        VKF.Admin.UploadController: 'method(VKF\Admin\Controller\UploadController->.*())'

acls:
   Anonymous:
     methods:
       VKF.Admin.UploadController: GRANT
   Everybody:
     methods:
       VKF.Admin.UploadController: GRANT


However, whenever I try to call the controller I get redirected to the 
login action of my auth controller. I am not logged in. What is even 
more strange is the error I get after I got redirected:

#1: Notice: unserialize() [<a 
href='function.unserialize'>function.unserialize</a>]: Error at offset 
5337 of 5396 bytes in 
/home/www/flow_vkf_search_chl/Packages/Framework/TYPO3.Flow/Classes/TYPO3/Flow/Cache/Frontend/VariableFrontend.php 
line 86

To get rid of this error, I need to delete my Session cookie.

The cookie is created when I call my controller.

Here is also a message from my Security.log

13-09-19 10:07:00 60744      10.2.0.14      NOTICE Flow                 
Authentication failed: "Could not authenticate any token. Might be 
missing or wrong credentials or no authentication provider matched." 
#1222204027
13-09-19 10:07:00 60744      10.2.0.14      NOTICE Flow                 
Authentication failed: "Could not authenticate any token. Might be 
missing or wrong credentials or no authentication provider matched." 
#1222204027
13-09-19 10:07:00 60744      10.2.0.14      INFO Flow                 
Redirecting to authentication entry point with URI - undefined -

In the docs it is stated as follows:

TYPO3 Flow will always add the magic Everybody role, which you don't 
have to configure yourself. This role will also be present, if no 
account is authenticated.

So, I don't really understand why I am redirected to the login, even 
though I granted the controller to everybody....


Any ideas what I could have done wrong here?



