Symfony2 http_basic security rejects valid credentials

Question

I use Symfony Standard 2.0.0BETA1 and tried to configure http_basic authentication exactly the same as in this book chapter

security:
encoders:
    Symfony\Component\Security\Core\User\User: plaintext

providers:
    main:
        users:
            foo: { password: testing, roles: ROLE_USER }

firewalls:
    main:
        pattern:    /.*
        http_basic: true
        logout:     true

access_control:
    - { path: /.*, role: ROLE_USER }

Problem is when I try to open a page and i submit user name "foo" and password "testing" it simply loops and ask me for credential infinitely or display error page.

Steps to reproduce issue:

1. Copy security configuration from http://symfony.com/doc/current/book/security/overview.html#configuration and past it to security.yml file
2. Refresh app home page
3. Enter valid credentials

Expected behavior is to see home page but instead credentials prompt is shown.

Does anyone know why that happens and how to fix it?

Answer 1

you dont't need to modify your SymfonyProject, you need also change apache2 configuration.

sudoedit /etc/apache2/sites-enabled/[your site].conf

insert

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] 
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]

keep to restart apache2

enjoy :)

Answer 2

The same problem still occurs in the current version (Symfony version 2.1.8).

It's because of the special way that Apache + PHP as FastCGI handles HTTP auth variables.

At least, the fix for the current version is a little simplier than it was before (as compared to @Teo.sk's answer), and the instructions are available directly hardcoded as comments in the file vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/ServerBag.php of the framework:

/*
* php-cgi under Apache does not pass HTTP Basic user/pass to PHP by default
* For this workaround to work, add these lines to your .htaccess file:
* RewriteCond %{HTTP:Authorization} ^(.+)$
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
*
* A sample .htaccess file:
* RewriteEngine On
* RewriteCond %{HTTP:Authorization} ^(.+)$
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
* RewriteCond %{REQUEST_FILENAME} !-f
* RewriteRule ^(.*)$ app.php [QSA,L]
*/

In short, to fix it, all you have to do is to add the following lines to the .htaccess file of the web/ folder of your application:

RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

New info (2013-05-01): now I'm using Symfony version 2.2.1 and for the fix to work I had to add those two lines of codes right below the following line of web/.htaccess:

RewriteEngine On