/**
 * Reject REST API requests that look like cross-site request forgery.
 *
 * A request is only handed to the parent WSSE listener when it carries at
 * least one of two custom headers: `X-WSSE` (the WSSE credential header) or
 * `X-CSRF-Header` (a marker header the application's own AJAX client sets).
 * Only the *presence* of a header is checked here, never its value; the WSSE
 * credentials themselves are verified by parent::handle().
 *
 * NOTE(review): this is the "custom header" CSRF defence, which relies on
 * browsers not attaching custom headers to cross-site requests (plain forms,
 * images, links) without a CORS preflight. A permissive CORS policy that allows
 * these headers for foreign origins would defeat the check — confirm the CORS
 * configuration does not do so.
 *
 * @param GetResponseEvent $event
 * @return mixed Whatever parent::handle() returns
 * @throws AuthenticationException when neither header is present
 */
public function handle(GetResponseEvent $event)
{
    $headers = $event->getRequest()->headers;

    // Either header satisfies the guard; both missing is treated as a forged request.
    $hasAntiCsrfHeader = $headers->has('X-WSSE') || $headers->has('X-CSRF-Header');

    if (!$hasAntiCsrfHeader) {
        throw new AuthenticationException('Possible CSRF attack detected');
    }

    return parent::handle($event);
}
/**
 * A request carrying an X-WSSE header passes the anti-CSRF guard and is
 * handed to the authentication manager; the response the manager yields is
 * set on the event.
 *
 * NOTE(review): only the accepted path is exercised here — the rejection
 * path (neither X-WSSE nor X-CSRF-Header present) is presumably covered by a
 * sibling test; verify.
 *
 * @test
 */
public function handleReturnResponse()
{
    $wsseHeader = 'UsernameToken Username="******", PasswordDigest="somedigest", '
        . 'Nonce="somenonce", Created="2010-12-12 20:00:00"';
    $this->request->headers->add(array('X-WSSE' => $wsseHeader));

    // Token the authentication manager is expected to receive from the listener.
    $expectedToken = new Token('someuser', 'somedigest', 'someproviderkey');
    $expectedToken->setAttribute('nonce', 'somenonce');
    $expectedToken->setAttribute('created', '2010-12-12 20:00:00');

    $authResponse = new Response();
    $this->authenticationManager
        ->expects($this->once())
        ->method('authenticate')
        ->with($expectedToken)
        ->will($this->returnValue($authResponse));
    $this->responseEvent
        ->expects($this->once())
        ->method('setResponse')
        ->with($authResponse);

    $listener = new Listener(
        $this->securityContext,
        $this->authenticationManager,
        'someproviderkey',
        $this->authenticationEntryPoint
    );
    $listener->handle($this->responseEvent);
}