/**
* Calls the authentication manager to authenticate all active tokens
* and redirects to the original intercepted request on success if there
* is one stored in the security context. If no intercepted request is
* found, the function simply returns.
*
* If authentication fails, the result of calling the defined
* $errorMethodName is returned.
*
* Note: Usually there is no need to override this action. You should use
* the according callback methods instead (onAuthenticationSuccess() and
* onAuthenticationFailure()).
*
* @return string
* @Flow\SkipCsrfProtection
*/
public function authenticateAction()
{
$authenticationException = null;
try {
$this->authenticationManager->authenticate();
} catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) {
$authenticationException = $exception;
}
if ($this->authenticationManager->isAuthenticated()) {
$storedRequest = $this->securityContext->getInterceptedRequest();
if ($storedRequest !== null) {
$this->securityContext->setInterceptedRequest(null);
}
return $this->onAuthenticationSuccess($storedRequest);
} else {
$this->onAuthenticationFailure($authenticationException);
return call_user_func(array($this, $this->errorMethodName));
}
}
/**
* Receive an SSO authentication callback and trigger authentication
* through the SingleSignOnProvider.
*
* GET /sso/authentication/callback?...
*
* @param string $callbackUri
* @return void
*/
public function callbackAction($callbackUri)
{
try {
$this->authenticationManager->authenticate();
} catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) {
$authenticationException = $exception;
}
if ($this->authenticationManager->isAuthenticated()) {
$storedRequest = $this->securityContext->getInterceptedRequest();
if ($storedRequest !== NULL) {
$this->securityContext->setInterceptedRequest(NULL);
$this->redirectToRequest($storedRequest);
} else {
// TODO Do we have to check the URI?
$this->redirectToUri($callbackUri);
}
} else {
throw new \Flowpack\SingleSignOn\Client\Exception('Could not authenticate in callbackAction triggered by the SSO server.', 1366613161, isset($authenticationException) ? $authenticationException : NULL);
}
}
/**
* Advices the dispatch method so that illegal action requests are blocked before
* invoking any controller.
*
* The "request" referred to within this method is an ActionRequest or some other
* dispatchable request implementing RequestInterface. Note that we don't deal
* with HTTP requests here.
*
* @Flow\Around("setting(TYPO3.Flow.security.enable) && method(TYPO3\Flow\Mvc\Dispatcher->dispatch())")
* @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint The current joinpoint
* @return mixed Result of the advice chain
* @throws \Exception|\TYPO3\Flow\Security\Exception\AccessDeniedException
* @throws \Exception|\TYPO3\Flow\Security\Exception\AuthenticationRequiredException
*/
public function blockIllegalRequestsAndForwardToAuthenticationEntryPoints(JoinPointInterface $joinPoint)
{
$request = $joinPoint->getMethodArgument('request');
if (!$request instanceof ActionRequest || $this->securityContext->areAuthorizationChecksDisabled()) {
return $joinPoint->getAdviceChain()->proceed($joinPoint);
}
try {
$this->firewall->blockIllegalRequests($request);
return $joinPoint->getAdviceChain()->proceed($joinPoint);
} catch (AuthenticationRequiredException $exception) {
$response = $joinPoint->getMethodArgument('response');
$entryPointFound = FALSE;
/** @var $token \TYPO3\Flow\Security\Authentication\TokenInterface */
foreach ($this->securityContext->getAuthenticationTokens() as $token) {
$entryPoint = $token->getAuthenticationEntryPoint();
if ($entryPoint !== NULL) {
$entryPointFound = TRUE;
if ($entryPoint instanceof WebRedirect) {
$this->securityLogger->log('Redirecting to authentication entry point', LOG_INFO, $entryPoint->getOptions());
} else {
$this->securityLogger->log('Starting authentication with entry point of type ' . get_class($entryPoint), LOG_INFO);
}
$this->securityContext->setInterceptedRequest($request->getMainRequest());
$entryPoint->startAuthentication($request->getHttpRequest(), $response);
}
}
if ($entryPointFound === FALSE) {
$this->securityLogger->log('No authentication entry point found for active tokens, therefore cannot authenticate or redirect to authentication automatically.', LOG_NOTICE);
throw $exception;
}
} catch (AccessDeniedException $exception) {
$this->securityLogger->log('Access denied', LOG_WARNING);
throw $exception;
}
return NULL;
}
