Symfony 2: Protect route with htpasswd - .htaccess

I'm on Symfony 2.3 and need to protect different routes with different htpasswd restrictions.
There is one on the main route / and one on another route, like for example /restricted/user.
Since http basic auth is broken in security.yml (in combination with some apache and cgi configs), I need to do this in the .htaccess, that exist in the web/ directory.
I already have the / route secured, but how can I add another route that obviously does not exist as a directory?

Symfony provides a very simple way to handle this: to make areas of your website secured, or even accessible by different roles, you can use the access_control in your security.yml:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/restricted/user, role: ROLE_ADMIN }

Related

Override express-gateway config

I'm deploying an express gateway to an Amazon ECS container, and I'm trying to figure out the best way to override the serviceEndpoints part of the gateway.config.yml, since the service URLs are obviously different.
I need to change this:
serviceEndpoints:
  user:
    url: 'http://localhost:3001'
  auth:
    url: 'http://localhost:3004'
  customer:
    url: 'http://localhost:3002'
to this:
serviceEndpoints:
  user:
    url: 'http://user.service:3001'
  auth:
    url: 'http://auth.service:3004'
  customer:
    url: 'http://customer.service:3002'
and so forth.
I assume I could maintain 2 copies of the config file and swap them in the Docker build, but I assume this is not the best alternative; implementing service discovery, I assume, would be another choice.
Any ideas?
TIA!
I found the solution: the config now uses ENVIRONMENT variables as:
serviceEndpoints:
  user:
    url: 'http://${USER_SERVICE:-localhost}:${USER_SERVICE_PORT:-3001}'
  auth:
    url: 'http://${AUTH_SERVICE:-localhost}:${AUTH_SERVICE_PORT:-3004}'
  customer:
    url: 'http://${CUSTOMER_SERVICE:-localhost}:${CUSTOMER_SERVICE_PORT:-3002}'
and everything works.
Regards.
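The following is an added example, not code from the post above and not part of express-gateway itself: a small expander for the ${NAME:-default} placeholder syntax that the resolved config relies on, so the service URLs a deployment will actually use can be checked before the gateway is started. Each placeholder is replaced with the value of NAME from the supplied environment, or with the default when NAME is unset or empty; with strict: true a placeholder that has neither a default nor a value throws instead of silently collapsing to an empty string (a URL such as http://:3001 is the kind of thing that is otherwise only noticed when requests start failing). The sample template is constructed here and the variable names are the ones from the answer; the line walker only understands the two-level indentation of that sample and is not a YAML parser.

```javascript
// Added example: expand ${NAME:-default} placeholders the way a shell would,
// so the URLs a given environment produces can be inspected offline.
function expandPlaceholders(text, env, { strict = false } = {}) {
  return text.replace(/\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}/g,
    (_match, name, fallback) => {
      const value = env[name];
      if (value !== undefined && value !== '') return value;
      if (fallback !== undefined) return fallback;
      if (strict) {
        throw new Error(`environment variable ${name} is not set and has no default`);
      }
      return '';
    });
}

// Constructed sample: the serviceEndpoints section from the resolved config.
// Inside a JS template literal "${" must be escaped, hence the backslashes.
const CONFIG_TEMPLATE = `serviceEndpoints:
  user:
    url: 'http://\${USER_SERVICE:-localhost}:\${USER_SERVICE_PORT:-3001}'
  auth:
    url: 'http://\${AUTH_SERVICE:-localhost}:\${AUTH_SERVICE_PORT:-3004}'
  customer:
    url: 'http://\${CUSTOMER_SERVICE:-localhost}:\${CUSTOMER_SERVICE_PORT:-3002}'
`;

// Collect the url: value under each service name. Walks the two-level
// indentation of the sample above line by line; it is not a YAML parser.
function resolvedUrls(env, template = CONFIG_TEMPLATE) {
  const urls = {};
  let current = null;
  for (const line of expandPlaceholders(template, env).split('\n')) {
    const service = line.match(/^ {2}([\w-]+):\s*$/);
    if (service) { current = service[1]; continue; }
    const url = line.match(/^ {4}url: '([^']*)'\s*$/);
    if (url && current) urls[current] = url[1];
  }
  return urls;
}

// Names of every variable the template reads, so a deployment's environment
// can be compared against the config before startup.
function placeholderNames(template = CONFIG_TEMPLATE) {
  return [...template.matchAll(/\$\{([A-Za-z_][A-Za-z0-9_]*)/g)].map((m) => m[1]);
}
```

With an empty environment resolvedUrls({}) yields the localhost defaults, and supplying USER_SERVICE=user.service changes only the user entry; passing an empty string for a variable behaves like leaving it unset, which is why the ":-" form (rather than "-") is the safer one for container deployments.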

Express gateway how to ignore path but use rest of the url

My configurations are as below:
apiEndpoints:
  api:
    host: '*'
    paths: '/ip'
  approval-engine:
    host: '*'
    paths: '/app/*'
serviceEndpoints:
  httpbin:
    url: 'https://httpbin.org'
  approval-engine:
    url: 'http://localhost:8001/'
With the proxy as:
- proxy:
    - action:
        serviceEndpoint: approval-engine
        ignorePath: false
        prependPath: false
        autoRewrite: true
        changeOrigin: true
When I make a request to http://localhost:8080/app/category, the request is routed to localhost:8001/app/category.
My question is: can we route the request to http://localhost:8001/category? I want to ignore the paths: /app/ part in the proxy.
To accomplish this, you'll need to use the express-gateway rewrite plugin.
You can use the eg CLI to install the plugin.
eg plugin install express-gateway-plugin-rewrite
Make sure rewrite is included in the gateway config's policies whitelist.
In the pipeline that's handling the request, you can use the rewrite plugin like so:
policies:
  - rewrite:
      - condition:
          name: regexpmatch
          match: ^/app/(.*)$
        action:
          rewrite: /$1
This should remove /app from the path before the request is routed to the Service Endpoint.
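Added example, not from the answer above and not express-gateway's own code: a model of the path handling discussed in this question, so the effect of the regexpmatch/rewrite rule and of the proxy flags can be checked against sample request paths offline. The rewrite rules use the same shape as the policy config (a match regex and a replacement with $1 back-references, applied with JavaScript's String.replace). The ignorePath/prependPath semantics are modelled after the http-proxy options of the same names as this example understands them and are an assumption, not gateway source; the service endpoint URL and the sample paths are the ones from the question.

```javascript
// Added example: first-match rewrite rules in the shape of the policy config.
const REWRITE_RULES = [
  { match: '^/app/(.*)$', rewrite: '/$1' },
];

// Apply the first rule whose regex matches; paths no rule matches pass through
// untouched. Note that "/app" without a trailing slash is NOT matched by the
// rule above, so it reaches the upstream as "/app".
function rewritePath(path, rules = REWRITE_RULES) {
  for (const rule of rules) {
    const re = new RegExp(rule.match);
    if (re.test(path)) return path.replace(re, rule.rewrite);
  }
  return path;
}

// Build the upstream URL from the service endpoint and the (possibly rewritten)
// request path. ignorePath drops the request path entirely; prependPath puts
// the endpoint's own path in front of the request path. Modelled on
// http-proxy's options of the same names (assumption, see lead-in).
function upstreamUrl(serviceEndpoint, path, { ignorePath = false, prependPath = true } = {}) {
  const base = new URL(serviceEndpoint);
  let outPath;
  if (ignorePath) {
    outPath = base.pathname;
  } else if (prependPath) {
    outPath = base.pathname.replace(/\/$/, '') + path;
  } else {
    outPath = path;
  }
  return `${base.protocol}//${base.host}${outPath}`;
}

// Route one request path the way the question's pipeline does once the
// rewrite policy runs before the proxy policy.
function route(path, options = { ignorePath: false, prependPath: false }) {
  return upstreamUrl('http://localhost:8001/', rewritePath(path), options);
}
```

route('/app/category') gives http://localhost:8001/category, which is the result asked for; the same call with ignorePath: true collapses every request onto http://localhost:8001/, which is usually a sign that the flag was confused with the rewrite. Query strings are not modelled here: only the path component is rewritten.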

JHipster Social Login Google Authentication error Cannot POST /signin/google

I created an application from https://start.jhipster.tech/#/generate-application with JWT and social login enabled. From Google I generated the clientID and clientSecret and updated the application.yml.
In the Google console's Client ID for Web application, the "Authorized JavaScript origins" are specified as http://localhost:8080 and http://localhost:9000.
The "Authorized redirect URIs" are set as http://localhost:8080/signin/google and http://localhost:9000/signin/google.
After yarn install, yarn start and ./mvnw (spring-boot:run), the application can be run at http://localhost:8080 and http://localhost:9000.
Login with Google works fine when the application is accessed from http://localhost:8080;
when accessed from http://localhost:9000, the social login page says
Cannot POST /signin/google and the URL of the browser changes to http://localhost:9000/signin/google
By default, the URL for Spring Social is not defined in the JHipster webpack configuration.
You should modify the file webpack/webpack.dev.js to add the /signin path to the dev server configuration as follows:
devServer: {
    contentBase: './target/www',
    proxy: [{
        context: [
            /* jhipster-needle-add-entity-to-webpack - JHipster will add entity api paths here */
            '/api',
            '/management',
            '/swagger-resources',
            '/v2/api-docs',
            '/h2-console',
            '/auth',
            '/signin'
        ],
        target: 'http://127.0.0.1:8080',
        secure: false
    }],
    watchOptions: {
        ignored: /node_modules/
    }
}
And in the Google API credentials, you should add to the redirect URLs: http://localhost:9060/signin/google

Symfony2: How to change the login_check route name to others and redirect

Question 1
How to change the login_check route to other naming route?
For example, the login form will post to www.example.com/auth instead of www.example.com/login_check. Then the auth will perform the checking like login_check.
Question 2
How to redirect user if they try to access /login when they already authenticated?
For example, when user try to access /login, if he/she already authenticated then will be redirected to /account instead of displaying the login form.
Thank you very much.
If you are loading the routes of a bundle inside the src/Pk/AppBundle/Resources/config/routing.yml you can create an entry for the routes:
# src/Pk/AppBundle/Resources/config/routing.yml
homepage:
    pattern: /
    defaults: { _controller: AppBundle:Home:index }
login:
    pattern: /login
    defaults: { _controller: AppBundle:Auth:login }
login_check:
    pattern: /auth
logout:
    pattern: /logout
account:
    pattern: /account
    defaults: { _controller: AppBundle:Account:index }
and in your security.yml:
# app/config/security.yml
firewalls:
    main:
        pattern: ^/
        form_login:
            check_path: login_check # the name of your check route
            login_path: login # the name of your login route
            default_target_path: account # the name of your account route
            always_use_default_target_path: true
        logout:
            path: logout
            target: /
        anonymous: ~
        remember_me:
            key: "%secret%"
            lifetime: 31536000 # 365 days in seconds
            path: /
            domain: ~ # Defaults to the current domain from $_SERVER
This should work using Symfony 2.6 (Documentation)
But it will always redirect after login; if what you want is only when the client GETs /login, then you can use the controller:
# AppBundle:Auth
public function loginAction()
{
    if ($this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY')) {
        return $this->redirect($this->generateUrl('account'));
    }
    // logic of the login page
}
If you want more customization you can add a Login Event Listener for it. (For example)
If I didn't miss anything it should work.
If I get you wrong, please let me know, and I hope this will help you.

Symfony $controller->getUser() alternative in non-secured areas?

In my current project almost all routes are protected by a form_login.
Two routes, /login and /user/forgot_password, should remain unprotected so that they are accessible by non-authenticated users.
Is there any way I can prevent access by authenticated users to these routes?
In my controller I can check for $this->getUser() however in non-secured areas the security.context is not filled with the corresponding data.
Configuration (security.yml):
security:
    firewalls:
        nonsecured:
            pattern: ^/(login|user/forgot_password)$
            security: false
        secured:
            pattern: ^/
            # ...
You can't get the current user information without an active firewall. Here's how you can solve the problem:
Remove the nonsecured firewall so that the whole app is covered by an active firewall,
Enable anonymous access by adding anonymous: ~ to the secured firewall,
Use access control to decide who can get where:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/user/forgot-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
To prevent access to /login and /user/forgot-password for authenticated users, you have at least these two options:
Check for the user in the controllers — the way you suggested, or
Use JMSSecurityExtraBundle's expressions:
access_control:
    - { path: ^/login, access: 'isAnonymous()' }
    - { path: ^/user/forgot-password, access: 'isAnonymous()' }
    - { path: ^/, access: 'isAuthenticated()' }
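Added example, not from either answer and not Symfony code: a minimal model of how Symfony walks access_control, which serves both this answer and the access_control answer to the first question on this page. Symfony applies the first rule whose path regex matches the request path and never consults later rules, so the catch-all ^/ rule must be last. The rule sets below are the two from this answer as constructed data; the voter logic is a simplified stand-in for Symfony's AuthenticatedVoter and the JMSSecurityExtraBundle expressions, and supports only the roles / isAnonymous() / isAuthenticated() forms that appear above.

```javascript
// Added example: first-match evaluation of access_control rules.

// Attributes a token satisfies. An anonymous token satisfies only
// IS_AUTHENTICATED_ANONYMOUSLY; a fully authenticated one satisfies all three
// IS_AUTHENTICATED_* levels plus its own roles. That is why an authenticated
// user still passes a rule asking for IS_AUTHENTICATED_ANONYMOUSLY, which is
// the behaviour the question wants to avoid on /login.
function attributesFor(user) {
  const attrs = new Set(['IS_AUTHENTICATED_ANONYMOUSLY']);
  if (user !== null) {
    attrs.add('IS_AUTHENTICATED_REMEMBERED');
    attrs.add('IS_AUTHENTICATED_FULLY');
    for (const role of user.roles) attrs.add(role);
  }
  return attrs;
}

// Does a single matched rule grant the request? Supports the two rule shapes
// used in the answer: { roles: 'X' } and { access: 'expression' }.
function ruleGrants(rule, user) {
  if (rule.roles !== undefined) return attributesFor(user).has(rule.roles);
  switch (rule.access) {
    case 'isAnonymous()': return user === null;
    case 'isAuthenticated()': return user !== null;
    default: throw new Error(`unsupported expression: ${rule.access}`);
  }
}

// First-match evaluation. Returns 'allow', 'deny', or 'no-rule' when nothing
// matched (Symfony then leaves the decision to the firewall itself).
function decide(accessControl, path, user) {
  for (const rule of accessControl) {
    if (new RegExp(rule.path).test(path)) {
      return ruleGrants(rule, user) ? 'allow' : 'deny';
    }
  }
  return 'no-rule';
}

// Constructed data: the two rule sets from the answer.
const ROLE_RULES = [
  { path: '^/login', roles: 'IS_AUTHENTICATED_ANONYMOUSLY' },
  { path: '^/user/forgot-password', roles: 'IS_AUTHENTICATED_ANONYMOUSLY' },
  { path: '^/', roles: 'ROLE_USER' },
];
const EXPRESSION_RULES = [
  { path: '^/login', access: 'isAnonymous()' },
  { path: '^/user/forgot-password', access: 'isAnonymous()' },
  { path: '^/', access: 'isAuthenticated()' },
];
// The same rules with the catch-all moved to the top: a common misordering
// that locks anonymous users out of the login page itself.
const MISORDERED_RULES = [ROLE_RULES[2], ROLE_RULES[0], ROLE_RULES[1]];

// Constructed tokens: no user, and a logged-in user holding ROLE_USER.
const ANON = null;
const MEMBER = { roles: ['ROLE_USER'] };
```

decide(ROLE_RULES, '/login', MEMBER) returns 'allow', which is exactly what the question is trying to prevent, while decide(EXPRESSION_RULES, '/login', MEMBER) returns 'deny'; decide(MISORDERED_RULES, '/login', ANON) returns 'deny' because ^/ matches every path before the /login rule is reached, a check worth running whenever a new rule is added above the catch-all.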