
Symfony 2 receiving anonymous token after basic authentication

I have a Symfony 2 app using the basic in_memory authentication (as described in the security documentation). The login works fine in our development environment(s). But on the staging server, the basic authentication doesn't seem to provide a proper token (as seen in the log file provided below); thus we keep on getting the login popup again and again.

Our security configuration:

security:
    firewalls:
        secured_area:
            pattern:    ^/
            anonymous: ~
            http_basic:
                realm: "Secured Demo Area"

    access_control:
        - { path: ^/admin, roles: [ROLE_ADMIN]}

    providers:
        in_memory:
            users:
                admin: { password: admin, roles: 'ROLE_ADMIN' }

    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

This is the log output from the (successful) development environment login:

[2011-07-21 13:49:48] security.DEBUG: Read SecurityContext from the session [] []
[2011-07-21 13:49:48] security.DEBUG: Reloading user from user provider. [] []
[2011-07-21 13:49:48] security.DEBUG: Username "root" was reloaded from user provider. [] []

And this is the log output from the staging environment login:

[2011-07-21 13:53:08] security.INFO: Populated SecurityContext with an anonymous Token [] []
[2011-07-21 13:53:08] security.DEBUG: Access denied (user is not fully authenticated); redirecting to authentication entry point [] []
[2011-07-21 13:53:08] security.DEBUG: Calling Authentication entry point [] []

Thanks in advance for the help.

A. Martínez asked Jul 21 '11 12:07



1 Answer

Your dev environment is probably running PHP as mod_php while your staging server is probably running it as FastCGI. By default, the PHP_AUTH_USER and PHP_AUTH_PW server variables are not filled in this context when you authenticate via HTTP basic, and these are what Symfony is using to create the Security context and validate your password.

If you're running this as FCGI on Apache you can fix this. One way is to force FastCGI to pass the Authorization header, which it normally suppresses. Add this to the Apache site definition next to the other FastCGI configuration options:

FcgidPassHeader     Authorization

For other applications you may also need to mess around to a greater degree (as described here) but for Symfony just passing the header should be sufficient.

jhallbachner answered Nov 07 '22 05:11

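A diagnostic for the situation described in the answer above, added here as an example and not part of the original question or answer: it reports which HTTP Basic inputs are visible to PHP without ever echoing the password. The function name and the sample arrays are constructed for illustration; checking `REDIRECT_HTTP_AUTHORIZATION` as a fallback key is an assumption about setups that forward the header through a rewrite rule.

```php
<?php
// Added diagnostic (hypothetical helper, not Symfony or project code).
// Takes a $_SERVER-style array and reports where Basic credentials are
// visible. The password is never returned or printed.
function basicAuthVisibility(array $server): array
{
    $report = [
        'php_auth_user_set' => isset($server['PHP_AUTH_USER']),
        'php_auth_pw_set'   => isset($server['PHP_AUTH_PW']),
        'raw_header_source' => null,
        'decoded_user'      => null,
    ];
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        $report['raw_header_source'] = $key;
        if (preg_match('/^Basic\s+(\S+)$/i', $server[$key], $m)) {
            $decoded = base64_decode($m[1], true);
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                // Split on the first colon only: passwords may contain ':'.
                $parts = explode(':', $decoded, 2);
                $report['decoded_user'] = $parts[0];
            }
        }
        break;
    }
    if ($report['php_auth_user_set'] && $report['php_auth_pw_set']) {
        $report['diagnosis'] = 'PHP_AUTH_* populated: credentials reach PHP';
    } elseif ($report['raw_header_source'] !== null) {
        $report['diagnosis'] = 'header reaches PHP, but PHP_AUTH_* is not populated';
    } else {
        $report['diagnosis'] = 'nothing visible: no credentials sent, or the '
            . 'Authorization header was dropped before PHP (the FastCGI case)';
    }
    return $report;
}

// Constructed sample inputs; "YWRtaW46YWRtaW4=" is base64 of "admin:admin".
$samples = [
    'mod_php'            => ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'admin'],
    'fcgi_header_hidden' => ['REQUEST_URI' => '/admin'],
    'fcgi_header_passed' => ['HTTP_AUTHORIZATION' => 'Basic YWRtaW46YWRtaW4='],
];
foreach ($samples as $name => $server) {
    echo $name, ': ', json_encode(basicAuthVisibility($server)), PHP_EOL;
}
```

To check a real server, call `basicAuthVisibility($_SERVER)` from a temporary page after answering the login popup, and remove the page once the staging configuration is confirmed.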