gremo/hmac-authentication-bundle

Symfony bundle to add REST HMAC HTTP authentication

v1.1.2 2019-06-05 23:02 UTC

This package is auto-updated.

Last update: 2024-09-16 19:01:05 UTC


README


Symfony bundle to add REST HMAC HTTP authentication.

Installation

{
    "require": {
        "gremo/hmac-authentication-bundle": "~1.0"
    }
}

Register the bundle in your app/AppKernel.php:

    public function registerBundles()
    {
        $bundles = array(
            // ...
            new Gremo\HmacAuthenticationBundle\GremoHmacAuthenticationBundle(),
        );
        
        // ...
    }

Configuration

None required.

Usage

Protect a part of your application in security.yml using the hmac key:

# ...
firewalls:
    # ...
    hmac_secured:
        pattern: ^/api
        stateless: true  # HMAC is stateless!
        hmac:
            auth_header: Authorization # Name of the header to inspect
            service_label: HMAC        # Service name/id
            algorithm: sha256          # Hashing algorithm, see hash_algos()
            verify_headers: []         # Array or comma-separated list of headers

How it works

The authentication manager inspects the auth_header header, expecting the following pattern:

<auth_header>: <service_label> <client_id>:<signature>

If the service label matches, the manager loads the user whose username is <client_id>. That user's password is the key used to recompute the signature, which is the base64 encoding of the hex digest of the hashed canonical string. Since the server must use the password itself as the key, it has to hold the shared secret in recoverable (plaintext) form, as the in-memory provider in the example below does:

<canonical_string> = <http_method> + "\n" +
                     <path_with_sorted_query_string> + "\n" +
                     <verify_header1> + "\n" +
                     <verify_header2> + "\n" +
                     ...
                     <verify_headerN>;

Note that both the query parameters and the verify headers are sorted before the signature is computed. Only the method, the path with its query string and the headers listed in verify_headers are signed: with verify_headers: [] the request body is not covered and a captured request can be replayed unchanged, which is why the example below signs Date and Content-MD5.

Here is an example configuration:

security:
    # ...
    providers:
        in_memory:
            memory:
                users:
                    foo: { password: bar }

    firewalls:
        hmac_secured:
            pattern: ^/
            stateless: true
            provider: in_memory
            hmac:
                auth_header: Authorization
                service_label: HMAC
                algorithm: sha256
                verify_headers: [Date, Accept, Content-MD5]

        # ...

Raw HTTP request:

GET /?b=c&a= HTTP/1.1
Accept: application/json
Host: localhost:8080
Authorization: HMAC foo:ZWQyNmYwZWM1MmZkYmIyNTgzYjJiYWQ2Zjg3OGJkYjIzNzU2YTBlYjQ3NGY5ZDg1YWE5ZjYwN2Q1ODg1NWI1MQ==
Date: Mon, 26 Mar 2007 19:37:58 +0000

The canonical string is the following (note the newlines; the empty line is where the Content-MD5 header would go, since the request does not send one):

GET
/?a=&b=c
application/json

Mon, 26 Mar 2007 19:37:58 +0000

The hash (the plaintext password is bar):

ed26f0ec52fdbb2583b2bad6f878bdb23756a0eb474f9d85aa9f607d58855b51

And finally the base64-encoded value, which is the signature carried in the Authorization header:

ZWQyNmYwZWM1MmZkYmIyNTgzYjJiYWQ2Zjg3OGJkYjIzNzU2YTBlYjQ3NGY5ZDg1YWE5ZjYwN2Q1ODg1NWI1MQ==
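The signing and verification procedure described above, worked through end to end as an added example. This is not code from the bundle (which is PHP); it is a Python client/server pair that reuses the README's sample request and its in_memory user. A few details the page does not pin down are assumptions here: verify header names are sorted case-insensitively, query values are re-encoded with urlencode, and the hash is hash_hmac-style (password as HMAC key), so the signature it produces may differ from the README value if the bundle canonicalizes differently.

```python
"""Client-side signing and server-side verification for the HMAC scheme
described in the README (added example, not the bundle's own code)."""
import base64
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit


def canonical_path(path_with_query: str) -> str:
    """Path with the query string sorted by parameter name.
    Blank values are kept, so '/?b=c&a=' becomes '/?a=&b=c'."""
    parts = urlsplit(path_with_query)
    if not parts.query:
        return parts.path
    pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
    return parts.path + "?" + urlencode(pairs)  # assumption: urlencode encoding


def canonical_string(method, path_with_query, headers, verify_headers):
    """method, sorted path, then each verify header on its own line.
    Headers are sorted case-insensitively (assumption); a header the
    request does not carry contributes an empty line."""
    present = {name.lower(): value for name, value in headers.items()}
    lines = [method.upper(), canonical_path(path_with_query)]
    for name in sorted(verify_headers, key=str.lower):
        lines.append(present.get(name.lower(), ""))
    return "\n".join(lines)


def sign(method, path_with_query, headers, verify_headers, secret, algorithm="sha256"):
    """signature = base64(hex(HMAC_algorithm(secret, canonical_string)))."""
    message = canonical_string(method, path_with_query, headers, verify_headers)
    digest_hex = hmac.new(secret.encode(), message.encode(), algorithm).hexdigest()
    return base64.b64encode(digest_hex.encode()).decode()


def authorization_header(client_id, signature, service_label="HMAC"):
    """Value for the auth_header: '<service_label> <client_id>:<signature>'."""
    return f"{service_label} {client_id}:{signature}"


def verify(auth_value, method, path_with_query, headers, verify_headers,
           lookup_secret, service_label="HMAC", algorithm="sha256"):
    """Server side: parse the header, load the client's secret, recompute the
    signature over the request as received and compare in constant time."""
    try:
        label, credentials = auth_value.split(" ", 1)
        client_id, presented = credentials.split(":", 1)
    except ValueError:
        return False
    if label != service_label:
        return False
    secret = lookup_secret(client_id)
    if secret is None:
        return False
    expected = sign(method, path_with_query, headers, verify_headers, secret, algorithm)
    return hmac.compare_digest(expected, presented)


# Sample input reconstructed from the README's raw request and configuration.
SAMPLE_METHOD = "GET"
SAMPLE_PATH = "/?b=c&a="
SAMPLE_HEADERS = {
    "Accept": "application/json",
    "Host": "localhost:8080",
    "Date": "Mon, 26 Mar 2007 19:37:58 +0000",
}
VERIFY_HEADERS = ["Date", "Accept", "Content-MD5"]
USERS = {"foo": "bar"}  # in_memory provider: client_id -> plaintext secret


if __name__ == "__main__":
    sig = sign(SAMPLE_METHOD, SAMPLE_PATH, SAMPLE_HEADERS, VERIFY_HEADERS, USERS["foo"])
    auth = authorization_header("foo", sig)
    print("Authorization:", auth)
    print("valid:", verify(auth, SAMPLE_METHOD, SAMPLE_PATH, SAMPLE_HEADERS,
                           VERIFY_HEADERS, USERS.get))
    # Replaying the same Authorization header with a different Date fails,
    # because Date is part of the canonical string.
    replayed = dict(SAMPLE_HEADERS, Date="Mon, 26 Mar 2007 19:38:58 +0000")
    print("replayed with new Date:", verify(auth, SAMPLE_METHOD, SAMPLE_PATH,
                                             replayed, VERIFY_HEADERS, USERS.get))
```

The verifier recomputes over the request exactly as the server received it, never over client-supplied canonical data, and compares with hmac.compare_digest rather than == so that a wrong guess does not leak timing. The replay check in __main__ only works because Date is listed in verify_headers; the bundle itself does not check that Date is recent, so freshness enforcement would have to be added separately.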