I'm new to Symfony3.
What should I do to change my base url https://example.com to https://example.com/is/?
The whole application should start from /is/ path.
What I have done till now is,
routing.yml
user:
resource: "#UserBundle/Resources/config/routing.yml"
prefix: /is/
app:
resource: '#AppBundle/Controller/'
type: annotation
security.yml
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/is/.*, role: ROLE_SUPER_ADMIN }
But didn't get success. Where am I wrong and what should I Do?
Edit - current behavior
Currently when I go to https://example.com/is/ It is redirecting me to https://example.com/login because of access_control in security.yml.
If I type https://example.com/is/login, It shows me 404 Path not found error.
resource: "#AppBundle/Controller/"
type: annotation
prefix: /is
Then you need to put the /login url behind IS_AUTHENTICATED_ANONYMOUSLY Or you will never access to login page when you are unlogged
access_control:
- { path: ^/is/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/is/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/is/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/is/.*, role: ROLE_SUPER_ADMIN }
In routing.yml use this yml:
resource: "#AppBundle/Controller/"
type: annotation
prefix: /is
See if that works.
EDIT #2
Also change security.yml like so:
access_control:
- { path: ^/is/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/is/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/is/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/is/.*, role: ROLE_SUPER_ADMIN }
Related
My goal is to have all routes under the firewall protected API except some.
I have firewall configuration like this:
security:
acl:
connection: default
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
check_path: /oauth/v2/auth_login_check
login_path: /oauth/v2/auth_login
anonymous: true
api:
pattern: ^/.*
fos_oauth: true
stateless: true
anonymous: false
access_control:
- { path: ^/, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: ^/doc, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: ^/resque, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: /monitor, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: /users, methods: [POST], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: /users/me/registration/confirm, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: /users/me/email/confirm, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: /instants/.*, methods: [PUT], roles: [IS_AUTHENTICATED_ANONYMOUSLY ]}
- { path: ^/_profiler, roles: [IS_AUTHENTICATED_ANONYMOUSLY]}
- { path: ^/_wdt, roles: [IS_AUTHENTICATED_ANONYMOUSLY]}
- { path: ^/_configurator, roles: [IS_AUTHENTICATED_ANONYMOUSLY]}
- { path: /.*, roles: [ IS_AUTHENTICATED_FULLY ]}
But the routes /resque, /monitor and others are not reachable without access token.
Am I doing something wrong in the configuration? Or is not possible to implement a route whitelist?
you can use exceptions in your api's pattern:
api:
pattern: ^/api(?!/doc)(?!/user/add)(?!/user/availability) # All URLs are protected except api/doc ; api/user/add ; api/user/availability
fos_oauth: true # OAuth2 protected resource
stateless: true # Do no set session cookies
anonymous: false # Anonymous access is not allowed
With this you do not need to describe
access_control:
- ...
I had same problem and I solved it by implementing another firewall. No this road OAuth token wont be checked. I put another regex routes in pattern.
And don't forget to put this firewall in front of your api firewall since you have regex "match it all"
api_anonym_area:
pattern: (^/api/users/forgotten-password/.*)
methods: [POST]
security: false
I am using Symfony 2 for building a website.
The work is in progress (therefore I don't want users or search engines to access it) but my client wants to see my progress. I was thinking an easy solution was to protect the whole website with HTTP authentication using the mechanism provided by the Symfony 2 security functionality.
I am using FOSUserBundle as the website will have users that need to register and login.
This is my security.yml, which works great:
security:
providers:
fos_userbundle:
id: fos_user.user_manager
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/account, role: IS_AUTHENTICATED_FULLY }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Therefore I was trying to add something else on top of it, to allow the website to be protected by HTTP Authentication.
I changed the file to:
security:
providers:
fos_userbundle:
id: fos_user.user_manager
whole_website_provider:
users:
ryan: { password: ryanpass, roles: 'ROLE_USER' }
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
whole_website:
pattern: ^/
anonymous: ~
http_basic:
realm: "Secured Demo Area"
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/account, role: IS_AUTHENTICATED_FULLY }
- { path: ^/, role: ROLE_USER }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Basically I added the whole_website_provider provider, the whole_website firewall and an extra access_control.
But that didn't work: when I access the website, I get redirected to the login form, that's it.
Have you got any idea whether I can do it and how?
N.B.: I would prefer not to use any Apache feature for it.
On my opinion, what you need is not to manage users with HTTP authentication but to restrict access to your site with HTTP authentication. Don't use Symfony2 security for that.
Leave your symfony2 app security as it will be in production mode and use apache .htaccess to restrict access to the site.
Documentation is here http://httpd.apache.org/docs/2.2/howto/auth.html. You just have to add some directives in web/.htaccess, and create a user/password file as explained in the doc...
my solution in Symfony2, using the basic firewall of symfony (without FOSUserBundle):
# app/config/security.yml
security:
firewalls:
secured_area:
pattern: ^/
anonymous: ~
form_login:
login_path: login
check_path: login_check
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/, roles: ROLE_USER }
providers:
in_memory:
memory:
users:
redattore: { password: 'somePasswordHere', roles: 'ROLE_USER' }
admin: { password: 'somePasswordHere', roles: 'ROLE_ADMIN' }
encoders:
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
It works perfectly for me. It's a very basic configuration - without hashing passwords, without data base provider ("providers:" section), without https connection (everything goes in plain text throughout the internet), without logout stuff and other nice features.
I hope it will help you.
With kind regards
I got a very strange issue after deploying a new site.
The site uses a shop.domain.tld which is after a login. In the security.yml I defined a host parameter in my firewall and in the access_control list.
Locally (Vagrant) it works great, but online the firewall seems to be ignored.
firewalls:
admin_secured_area:
pattern: ^/admin
anonymous: ~
form_login:
login_path: admin_login
check_path: admin_authenticate
provider: entity_admin
logout:
path: admin_logout
target: /admin
shop_secured_area:
pattern: ^/
host: .%domain%
anonymous: ~
form_login:
login_path: homa_shop_login
check_path: shop_authenticate
provider: entity_user
logout:
path: shop_logout
target: /
validate:
pattern: ^/validate
security: false
access_control:
- { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/_wdt, roles: 'IS_AUTHENTICATED_ANONYMOUSLY' }
- { host: .%domain%, path:^/nl/contact, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { host: .%domain%, path:^/cart/quantity, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { host: .%domain%, path:^/validate, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { host: .%domain%, path:^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { host: .%domain%, path:^/register/newcontact, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { host: .%domain%, path:^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { host: .%domain%, path:^/forgot/password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { host: .%domain%, path:^/, roles: ROLE_USER }
%domain% is set in parameters.yml as domain.tld
The routes on the subdomain are working like expected, only the firewall is ignored.
Any idea?
The site uses a shop.domain.tld
%domain% is set in parameters.yml as domain.tld
Shouldn't you define %domain% as "shop.domain.tld"?
Or you should try to remove the . (dot) before %domain%, because according to this answer and the official documentation the dot is not necessary.
I am creating an application which is users only. So you HAVE to log in to access any url.
At the moment I have this:
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
default:
anonymous: ~
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, role: IS_AUTHENTICATED }
- { path: ^/admin/, role: ROLE_ADMIN }
But when I log in I get stuck on the security check. What is the best way to put all my urls behind a firewall?
The acl system in symfony work as upper overriding lower ACLs.
"The order in which ACEs are checked is significant. As a general rule, you should place more specific entries at the beginning." Symfony 2 acl Doc
So:
access_control:
- { path: ^/admin/, role: ROLE_ADMIN } # 4 You override #1 for all urls beginning by admin/ by allowing it to ROLE_ADMIN
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 Same as 2
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 Same as 2
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 You have blocked all except this pas for IS_AUTHENTICATED_ANONYMOUSLY
- { path: ^/, role: IS_AUTHENTICATED } # 1 You start by blocking all
Or a complete fos user files with your parameters:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
remember_me: true
logout: true
anonymous: true
access_control: #Top override bottom, change order with CAUTION
## Admin Rule
- { path: ^/admin, role: ROLE_ADMIN }
## Anonymous FOS User Rules
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
## Block All Website to anonymous user
- { path: ^/, roles: ROLE_USER }
I am using Symfony 2 for building a website.
The work is in progress (therefore I don't want users or search engines to access it) but my client wants to see my progress. I was thinking an easy solution was to protect the whole website with HTTP authentication using the mechanism provided by the Symfony 2 security functionality.
I am using FOSUserBundle as the website will have users that need to register and login.
This is my security.yml, which works great:
security:
providers:
fos_userbundle:
id: fos_user.user_manager
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/account, role: IS_AUTHENTICATED_FULLY }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Therefore I was trying to add something else on top of it, to allow the website to be protected by HTTP Authentication.
I changed the file to:
security:
providers:
fos_userbundle:
id: fos_user.user_manager
whole_website_provider:
users:
ryan: { password: ryanpass, roles: 'ROLE_USER' }
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
whole_website:
pattern: ^/
anonymous: ~
http_basic:
realm: "Secured Demo Area"
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/account, role: IS_AUTHENTICATED_FULLY }
- { path: ^/, role: ROLE_USER }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Basically I added the whole_website_provider provider, the whole_website firewall and an extra access_control.
But that didn't work: when I access the website, I get redirected to the login form, that's it.
Have you got any idea whether I can do it and how?
N.B.: I would prefer not to use any Apache feature for it.
On my opinion, what you need is not to manage users with HTTP authentication but to restrict access to your site with HTTP authentication. Don't use Symfony2 security for that.
Leave your symfony2 app security as it will be in production mode and use apache .htaccess to restrict access to the site.
Documentation is here http://httpd.apache.org/docs/2.2/howto/auth.html. You just have to add some directives in web/.htaccess, and create a user/password file as explained in the doc...
my solution in Symfony2, using the basic firewall of symfony (without FOSUserBundle):
# app/config/security.yml
security:
firewalls:
secured_area:
pattern: ^/
anonymous: ~
form_login:
login_path: login
check_path: login_check
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/, roles: ROLE_USER }
providers:
in_memory:
memory:
users:
redattore: { password: 'somePasswordHere', roles: 'ROLE_USER' }
admin: { password: 'somePasswordHere', roles: 'ROLE_ADMIN' }
encoders:
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
It works perfectly for me. It's a very basic configuration - without hashing passwords, without data base provider ("providers:" section), without https connection (everything goes in plain text throughout the internet), without logout stuff and other nice features.
I hope it will help you.
With kind regards