Request headers bag is missing Authorization header in Symfony 2?
Solution 1
You must add this code to a virtualhost tag.
It will not work if you put it in a Directory tag.
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
Solution 2
Akambi's answer didn't work for me, but I found this answer on the PHP website:
"Workaround for missing Authorization header under CGI/FastCGI Apache:
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
Now PHP should automatically declare $_SERVER[PHP_AUTH_*] variables if the client sends the Authorization header."
Thanks derkontrollfreak+9hy5l!
Solution 3
The verified solution worked for me at the time to get the Authorization header through. However, it generated an empty Authorization header when there was none in the incoming request. This is how I solved it:
RewriteEngine On
RewriteCond %{HTTP:Authorization} .+
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Solution 4
I had the same problem when writing a public API with custom Authorization header. To fix the HeaderBag I used a listener:
namespace My\Project\Frontend\EventListener;

use Symfony\Component\HttpFoundation\HeaderBag;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;

/**
 * Listener for the REQUEST event. Patches the HeaderBag because the
 * "Authorization" header is not included in $_SERVER
 */
class AuthenticationHeaderListener
{
    /**
     * Handles REQUEST event
     *
     * @param GetResponseEvent $event the event
     */
    public function onKernelRequest(GetResponseEvent $event)
    {
        $this->fixAuthHeader($event->getRequest()->headers);
    }

    /**
     * PHP does not include HTTP_AUTHORIZATION in the $_SERVER array, so this header is missing.
     * We retrieve it from apache_request_headers()
     *
     * @param HeaderBag $headers
     */
    protected function fixAuthHeader(HeaderBag $headers)
    {
        if (!$headers->has('Authorization') && function_exists('apache_request_headers')) {
            $all = apache_request_headers();
            if (isset($all['Authorization'])) {
                $headers->set('Authorization', $all['Authorization']);
            }
        }
    }
}
and bound it to kernel.request in the service definition:
services:
    fix_authentication_header_listener:
        class: My\Project\Frontend\EventListener\AuthenticationHeaderListener
        tags:
            - { name: kernel.event_listener, event: kernel.request, method: onKernelRequest, priority: 255 }
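The answers above restore the header from different places: an environment variable set by mod_rewrite or SetEnvIf, or apache_request_headers(). The following added example, which is not code from any answer or from Symfony, checks each place in turn, treats an empty value as "no header" (the side effect Solution 3 describes), and splits a value shaped like the question's FID header. The function names and the sample values are assumptions.

```php
<?php
// Added example; function names and sample values are hypothetical.

/**
 * Return the raw Authorization value, or null when the request carried none.
 * $server is normally $_SERVER; $apacheHeaders is the array returned by
 * apache_request_headers() when that function exists, otherwise [].
 */
function resolveAuthorization(array $server, array $apacheHeaders = []): ?string
{
    // Variables set by the RewriteRule / SetEnvIf workarounds. Apache adds the
    // REDIRECT_ prefix when an internal redirect happens after they are set.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        $value = trim((string) ($server[$key] ?? ''));
        if ($value !== '') { // an empty variable means "no header was sent"
            return $value;
        }
    }
    // Fallback used by the listener approach; header names are case-insensitive.
    foreach ($apacheHeaders as $name => $value) {
        $value = trim((string) $value);
        if (strcasecmp((string) $name, 'Authorization') === 0 && $value !== '') {
            return $value;
        }
    }
    return null;
}

/** Split "<scheme> <id>:<signature>" into its parts; null when malformed. */
function parseCustomScheme(?string $header, string $scheme = 'FID'): ?array
{
    $parts = preg_split('/\s+/', (string) $header, 2);
    if (count($parts) !== 2 || strcasecmp($parts[0], $scheme) !== 0) {
        return null;
    }
    $pair = explode(':', $parts[1], 2);
    if (count($pair) !== 2 || $pair[0] === '' || $pair[1] === '') {
        return null;
    }
    return ['scheme' => $scheme, 'id' => $pair[0], 'signature' => $pair[1]];
}

// Constructed input: empty variable from a broad rewrite rule, real value redirected.
$server = [
    'HTTP_AUTHORIZATION' => '',
    'REDIRECT_HTTP_AUTHORIZATION' => 'FID EXAMPLEKEYID:c2lnbmF0dXJl',
];
var_dump(parseCustomScheme(resolveAuthorization($server)));
var_dump(resolveAuthorization(['HTTP_AUTHORIZATION' => '']));
```

Returning null for a missing or empty header lets an authentication listener skip the request cleanly instead of attempting to validate empty credentials.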
Solution 5
Authorization header is used for http basic authentication which is discarded by apache if not in valid format. Try using another name.
Polmonino
Updated on July 09, 2022
Comments
-
Polmonino almost 2 years
I'm trying to implement a custom authentication provider in Symfony 2. I'm sending a test request using Fiddler and printing all headers server side; well, Authorization header is missing. Am I doing something wrong?
GET /RESTfulBackend/web/index.php HTTP/1.1
Authorization: FID 44CF9590006BF252F707:jZNOcbfWmD/
Host: localhost
User-Agent: Fiddler
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Listener just prints the headers and quits:
class HMACListener implements ListenerInterface
{
    private $securityContext;
    private $authenticationManager;

    public function handle(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        print_r($request->headers->all());
        die();
    }
}
Response is missing Authorization header:
Array (
    [host] => Array ( [0] => localhost )
    [user-agent] => Array ( [0] => Fiddler )
    [accept] => Array ( [0] => text/html,application/xhtml+xml,application/xml )
    [accept-language] => Array ( [0] => it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 )
)
-
Wilt about 9 years
possible duplicate of Authorization header missing in django rest_framework, is apache to blame?
-
Wilt over 8 years
Check also the answers here in this similar question
-
-
Polmonino over 11 years
Thanks. How for example Amazon S3 can use it? s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
-
Mun Mun Das over 11 years
Well if you see Apache implementation it expects the request token to be base_64 encoded string and on server side it base64_decodes the string and set PHP_AUTH_USER and PHP_AUTH_PW server variable. As you see the implementation is server specific. So Amazon S3 web servers have implemented the scheme differently.
-
Polmonino over 11 years
What you would suggest then? using apache_request_headers() (apache specific) or using a custom header?
-
Mun Mun Das over 11 years
You can make an apache module to make your authentication scheme compliance with http basic authentication. For example check this module. Or you can use custom header e.g X-FID-Authorization.
-
chacham15 over 10 years
this worked like a charm for me, can you just explain what it does?
-
webaba almost 10 years
Thank you that works, however there might be a problem. It looks like an authorization header field gets created even if it's not present in the incoming request. This should not be the behavior.
-
Poiple Shadow over 9 years
AFAIK Apache will accept any format Authorization header. It is PHP which discards anything else than valid Basic or Digest header.
-
mezod over 9 years
that is right, it is creating an authorization header field even when none in the request, any ideas on the matter?
-
mezod over 9 years
I added the following to the .htaccess: RewriteCond %{HTTP:Authorization} .+
-
Loïc Faugeron about 9 years
Note that you need to install PHP's Apache extension, in order to have the apache_request_headers function available.
-
Jorj over 8 years
Not a good solution though because it will be slower as module than as CGI. Also there are problems with the rights in cache and logs folder during the development.
-
Wilt over 8 years
@Jorj "problems" can you be more specific? I bet it is just a matter of configuration. It is a working solution. Never said it was the "best". That is a matter of opinion..
-
Jorj over 8 years
Sure, here is what happens: as a developer on a unix box you would create files under your user, right? Then you would launch some commands from your console which would create files in cache and logs folder. If PHP is configured as module in Apache it will run with Apache's user, that is "www" or "nobody" or something similar. As a result it will try to overwrite the files created by you in cache and logs folders and it will throw errors because they belong to another owner. Of course, there are workarounds to this too, but still is an additional headache.
-
Wilt over 8 years
This is exactly the same as the answer here.
-
Mohamed Nagy about 8 years
this answer is working fine with http request, but it is not working with https requests
-
anna over 7 years
Thank you. Do you know why the header is not sent?
-
Artur Cichosz over 7 years
In my case it only works if the URL does not contain the bootstrap-script e.g. server.tld/some/path. It does not work for the following URL server.tld/app_dev.php/some/path
-
Artur Cichosz over 7 years
It seems that we can use the header name "Php-Auth-Digest" as an alternative to "Authorization". see Symfony\Component\HttpFoundation\ServerBag::getHeaders()
-
Twisty over 7 years
Applied this fix but it's still not responding to 401 header in my script.
-
tom10271 about 7 years
This is the only solution works, RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] 's one is not working
-
G_Gus almost 7 years
This is what worked for me. Otherwise the Authorization header was simply missing from both getallheaders and $_SERVER
-
Vahid Amiri over 6 years
Worked when I added it to .htaccess
-
Zorox almost 5 years
Worked in .htaccess too
-
Omar Tariq over 4 years
This worked for me by adding it in the VirtualHost config file. It should work fine in .htaccess too, just make sure there is no proxies, container etc in between before the request reaches your app.
-
Cristian Budzicz almost 4 years
where is the virtualhost tag? in my .htaccess i don't see it
-
Oleg almost 2 years
Using symfony 5.4, - GetResponseEvent was renamed to RequestEvent.