Symfony Security return a 500 AccessDenied instead of a 403 with HttpException #31

Open
Rebolon opened this issue Jan 10, 2018 · 5 comments


Rebolon commented Jan 10, 2018

No description provided.

@Rebolon Rebolon added the bug label Jan 10, 2018

Rebolon commented Jan 11, 2018

A comment has been added on this old, long-running issue: symfony/symfony#8467


Rebolon commented Jan 15, 2018

When I look at the Security component documentation https://symfony.com/doc/master/bundles/SensioFrameworkExtraBundle/annotations/security.html

I can see that we have to specify the status_code if we want an HTTP Exception instead of an AccessDeniedException.

But it's impossible to set up this status_code param with Api-platform. So I opened a new issue to ask for some help about it: api-platform/api-platform#519


Rebolon commented Jan 15, 2018

The only solution I see for now is to add a listener for the API:

<?php
namespace App\EventSubscriber;

use ApiPlatform\Core\EventListener\EventPriorities;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;

final class ApiAuthSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents()
    {
        // Hook kernel.exception before API Platform builds its response.
        return [
            KernelEvents::EXCEPTION => ['from500to403', EventPriorities::PRE_RESPOND],
        ];
    }

    public function from500to403(GetResponseForExceptionEvent $event): void
    {
        $exception = $event->getException();

        // Security exceptions are not HttpExceptionInterface, so the kernel
        // reports them as 500; replace them with a real 403 HttpException.
        if ($exception instanceof AccessDeniedException
        || $exception instanceof InsufficientAuthenticationException) {
            $httpException = new HttpException(403, $exception->getMessage(), $exception->getPrevious());
            $event->setException($httpException);
        }
    }
}

So maybe I have to do the same thing for the whole Sf4 project, but it sounds crazy; the framework should do this or allow us to configure it...
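A variant of the subscriber idea from the comment above, added here as an example rather than code from the issue or the project: it distinguishes a missing or insufficient authentication (401, with a WWW-Authenticate challenge) from a refused authorization (403), answers with a generic JSON body instead of echoing the exception message (which can name the voter or attribute that refused the request), and only acts on requests under an API path prefix. The `/api/` prefix, the class name and the listener priority are assumptions; the Symfony classes used exist in the 3.4/4.0 HttpKernel and Security components.

```php
<?php
// Added example (not the project's code): map Symfony security exceptions on
// API routes to JSON responses with the right status code instead of a 500.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;

final class ApiSecurityExceptionSubscriber implements EventSubscriberInterface
{
    // Assumption: API routes live under this prefix; HTML pages keep their error pages.
    private const API_PREFIX = '/api/';

    public static function getSubscribedEvents(): array
    {
        // Positive priority (assumed value) so this runs before the default
        // exception listeners that would otherwise render a 500.
        return [KernelEvents::EXCEPTION => ['onKernelException', 10]];
    }

    public function onKernelException(GetResponseForExceptionEvent $event): void
    {
        if (0 !== strpos($event->getRequest()->getPathInfo(), self::API_PREFIX)) {
            return;
        }

        $exception = $event->getException();

        if ($exception instanceof AuthenticationException) {
            // Covers InsufficientAuthenticationException too (it extends
            // AuthenticationException): the client is not (fully) authenticated.
            $response = new JsonResponse(['error' => 'Authentication required.'], 401);
            $response->headers->set('WWW-Authenticate', 'Bearer');
        } elseif ($exception instanceof AccessDeniedException) {
            // Authenticated but not allowed: 403. Keep the body generic so the
            // client learns nothing about which rule refused the request.
            $response = new JsonResponse(['error' => 'Access denied.'], 403);
        } else {
            return; // not a security exception; leave it to the other listeners
        }

        // Setting a response stops propagation, so no later listener downgrades it to a 500.
        $event->setResponse($response);
    }
}
```

Registering the class as a service with autoconfiguration is enough for Symfony to pick it up as an event subscriber; the `strpos` check can be replaced by a check on the request's `_route` attributes if the API is not identified by a path prefix.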


Rebolon commented Jan 16, 2018

I also opened an issue on symfony: Security + JSON_LOGIN return an HTTP 500 instead of an HTTP 403 #25806
The problem seems related to the json_login security system.

Rebolon pushed a commit that referenced this issue Jan 22, 2018
and part of the #31 (even if it's almost a workaround because i'm adding a kinda listener)

Rebolon commented Feb 27, 2018

I expect this to be a 'normal behavior' of json_login but not documented finely on Symfony docs. I don't see anything wrong in security.yaml that would explain this.
I think that json_login, alone, will lead to this 500.
To prevent this behavior, you seem to have to implement guard authentication https://symfony.com/doc/current/security/guard_authentication.html or an API key authenticator like the one described here https://symfony.com/doc/current/security/api_key_authentication.html

I'm waiting for confirmation from here symfony/symfony#25806
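An added example of the Guard approach mentioned above (not code from the issue or the project): a header-token authenticator whose `start()` and `onAuthenticationFailure()` return 401 JSON responses. `start()` is the entry point the firewall calls when an anonymous request hits a protected route, which is the situation that otherwise ends in the 500 discussed in this issue. The header name `X-AUTH-TOKEN`, the class name and the assumption that the configured user provider can resolve a user from the token are all assumptions; the class is wired into a firewall with `guard: authenticators: [App\Security\ApiTokenAuthenticator]` in security.yaml.

```php
<?php
// Added example (not the project's code): a Guard authenticator that always
// answers unauthenticated or failed API requests with a 401 JSON response.
namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;

final class ApiTokenAuthenticator extends AbstractGuardAuthenticator
{
    private const HEADER = 'X-AUTH-TOKEN'; // assumed header name

    public function supports(Request $request): bool
    {
        // Only run when a token was sent; requests without one go to start().
        return $request->headers->has(self::HEADER);
    }

    public function getCredentials(Request $request)
    {
        return ['token' => $request->headers->get(self::HEADER)];
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        $token = $credentials['token'] ?? '';
        if ('' === $token) {
            return null; // triggers onAuthenticationFailure()
        }

        // Assumption: the firewall's user provider looks users up by API token,
        // as in the Symfony Guard documentation; a miss throws an
        // AuthenticationException, which also ends in onAuthenticationFailure().
        return $userProvider->loadUserByUsername($token);
    }

    public function checkCredentials($credentials, UserInterface $user): bool
    {
        // Possession of a valid token was proven by the lookup above.
        return true;
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null; // continue to the controller
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        // Generic body: never echo $exception->getMessage() to the client.
        return new JsonResponse(['error' => 'Invalid credentials.'], Response::HTTP_UNAUTHORIZED);
    }

    public function start(Request $request, AuthenticationException $authException = null)
    {
        // Entry point for anonymous requests to protected routes: a clean 401
        // instead of an unhandled InsufficientAuthenticationException (500).
        return new JsonResponse(['error' => 'Authentication required.'], Response::HTTP_UNAUTHORIZED);
    }

    public function supportsRememberMe(): bool
    {
        return false;
    }
}
```

With this authenticator on the API firewall, an authenticated user who is refused by `access_control` or a voter still gets the firewall's regular 403 (AccessDeniedHttpException), while unauthenticated and badly authenticated requests get the 401 bodies above.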
