user1098965

Request headers bag is missing Authorization header in Symfony 2?

I'm trying to implement a custom authentication provider in Symfony 2. I'm sending a test request using Fiddler and printing all headers server side; well, the Authorization header is missing.

Am I doing something wrong?

GET /RESTfulBackend/web/index.php HTTP/1.1
Authorization: FID 44CF9590006BF252F707:jZNOcbfWmD/
Host: localhost
User-Agent: Fiddler
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3

Listener just prints the headers and quits:

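use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Http\Firewall\ListenerInterface;

class HMACListener implements ListenerInterface
{
    private $securityContext;

    private $authenticationManager;

    public function handle(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        // Debug only: dump every header Symfony received, then stop.
        print_r($request->headers->all());
        die();
    }
}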

Response is missing Authorization header:

Array
(
    [host] => Array
        (
            [0] => localhost
        )
    [user-agent] => Array
        (
            [0] => Fiddler
        )
    [accept] => Array
        (
            [0] => text/html,application/xhtml+xml,application/xml
        )
    [accept-language] => Array
        (
            [0] => it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
        )
)

Upvotes: 50

Views: 45579

Answers (9)

emomaliev

Reputation: 2383

If you're using Apache and you already have a header override set in your .htaccess file but you're still getting 401 errors:

RewriteCond %{HTTP:Authorization} .+
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

Then make sure you enable config overrides in your VirtualHost. Set the value to All for the AllowOverride parameter in the Directory tag:

<VirtualHost *:80>
    ...
    <Directory /var/www/***>
        AllowOverride All
        ...
    </Directory> 

</VirtualHost> 

Don't forget to restart Apache after making changes.

Upvotes: 0

Akambi Fagbohoun

Reputation: 661

You must add this code to a VirtualHost tag.

It will not work if you put it in a Directory tag.

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

Upvotes: 66

ghaliano

Reputation: 415

We should authorise this header "Authorization" on the server side; it's also simply done with NelmioCorsBundle:

nelmio_cors:
    defaults:
        allow_credentials: false
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
        forced_allow_origin_value: ~
    paths:
        '^/api/':
            allow_origin: ['*']
            allow_headers: ['Authorization']

Upvotes: 0

likeitlikeit

Reputation: 5638

Another option that worked for Apache 2.4 when other options did not was to set the CGIPassAuth option in the relevant <Directory> context, like this:

CGIPassAuth On

According to the documentation, it is available since Apache 2.4.13.

Upvotes: 7

Wilt

Reputation: 44336

Another solution is to change your PHP handler to run PHP as Apache Module instead of as CGI application.

Upvotes: 0

mezod

Reputation: 2391

The verified solution worked for me at the time to get the Authorization header through. However, it generated an empty Authorization header when there was none in the incoming request. This is how I solved it:

RewriteEngine On
RewriteCond %{HTTP:Authorization} .+
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Upvotes: 20

matt

Reputation: 440

Akambi's answer didn't work for me, but I found this answer on the PHP website:

"Workaround for missing Authorization header under CGI/FastCGI Apache:

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

Now PHP should automatically declare $_SERVER[PHP_AUTH_*] variables if the client sends the Authorization header."

Thanks derkontrollfreak+9hy5l!

Upvotes: 34

Fabian Schmengler

Reputation: 24551

I had the same problem when writing a public API with custom Authorization header. To fix the HeaderBag I used a listener:

namespace My\Project\Frontend\EventListener;

use Symfony\Component\HttpFoundation\HeaderBag;

use Symfony\Component\HttpKernel\Event\GetResponseEvent;

/**
 * Listener for the REQUEST event. Patches the HeaderBag because the
 * "Authorization" header is not included in $_SERVER
 */
class AuthenticationHeaderListener
{
    /**
     * Handles REQUEST event
     *
     * @param GetResponseEvent $event the event
     */
    public function onKernelRequest(GetResponseEvent $event)
    {
        $this->fixAuthHeader($event->getRequest()->headers);
    }
    /**
     * PHP does not include HTTP_AUTHORIZATION in the $_SERVER array, so this header is missing.
     * We retrieve it from apache_request_headers()
     *
     * @param HeaderBag $headers
     */
    protected function fixAuthHeader(HeaderBag $headers)
    {
        if (!$headers->has('Authorization') && function_exists('apache_request_headers')) {
            $all = apache_request_headers();
            if (isset($all['Authorization'])) {
                $headers->set('Authorization', $all['Authorization']);
            }
        }
    }
}

and bound it to kernel.request in the service definition:

services:
  fix_authentication_header_listener:
    class: My\Project\Frontend\EventListener\AuthenticationHeaderListener
    tags:
      - { name: kernel.event_listener, event: kernel.request, method: onKernelRequest, priority: 255 }

Upvotes: 11
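
An added example, not part of any answer on this page: a server-agnostic lookup that checks each place the answers above say the header can end up, treats an empty value as absent, and then splits the "FID key:signature" format seen in the question's request. The function names are hypothetical, and the FID grammar is an assumption inferred from that single sample request.

```php
<?php
// Added example (not from the question or answers): find the Authorization
// header wherever Apache/PHP left it, then split the question's FID format.

/** @return string|null Header value, or null when absent or empty. */
function resolveAuthorizationHeader(array $server, ?callable $apacheHeaders = null): ?string
{
    // HTTP_AUTHORIZATION is what the RewriteRule/SetEnvIf workarounds set;
    // mod_rewrite adds the REDIRECT_ prefix after an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        $value = trim((string) ($server[$key] ?? ''));
        if ($value !== '') {
            return $value;
        }
    }
    if ($apacheHeaders !== null) {
        // Header names are case-insensitive, so normalise before the lookup.
        $headers = array_change_key_case((array) $apacheHeaders(), CASE_LOWER);
        $value = trim((string) ($headers['authorization'] ?? ''));
        if ($value !== '') {
            return $value;
        }
    }
    return null; // an empty value counts as "no credentials sent"
}

/** Split "FID <keyId>:<signature>"; returns null for anything malformed. */
function parseFidHeader(?string $value): ?array
{
    // Assumption: keyId has no ':' or whitespace, signature has no whitespace.
    if ($value === null || !preg_match('#^FID ([^:\s]+):(\S+)$#', $value, $m)) {
        return null;
    }
    return ['keyId' => $m[1], 'signature' => $m[2]];
}

// Constructed inputs mirroring the server setups discussed in the answers.
$sample = 'FID 44CF9590006BF252F707:jZNOcbfWmD/';
$cases = [
    'rewrite + redirect' => [['REDIRECT_HTTP_AUTHORIZATION' => $sample], null],
    'empty header set'   => [['HTTP_AUTHORIZATION' => ''], null],
    'apache module only' => [[], function () use ($sample) { return ['authorization' => $sample]; }],
    'nothing forwarded'  => [['HTTP_HOST' => 'localhost'], null],
];
foreach ($cases as $name => [$server, $fallback]) {
    $parsed = parseFidHeader(resolveAuthorizationHeader($server, $fallback));
    echo $name, ': ', $parsed ? 'key ' . $parsed['keyId'] : 'no credentials', "\n";
}
```

In a real listener the call would be resolveAuthorizationHeader($_SERVER, function_exists('apache_request_headers') ? 'apache_request_headers' : null). When the parsed signature is later checked against the server-computed HMAC, compare with hash_equals() rather than == so the comparison is constant-time.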

Mun Mun Das

Reputation: 15002

Authorization header is used for HTTP basic authentication, which is discarded by Apache if not in a valid format. Try using another name.

Upvotes: 7
