Symfony2 subdomain firewall ignored on production server - security

I got a very strange issue after deploying a new site.
The site uses shop.domain.tld, which is behind a login. In security.yml I defined a host parameter in my firewall and in the access_control list.
Locally (Vagrant) it works great, but online the firewall seems to be ignored.
firewalls:
    admin_secured_area:
        pattern: ^/admin
        anonymous: ~
        form_login:
            login_path: admin_login
            check_path: admin_authenticate
            provider: entity_admin
        logout:
            path: admin_logout
            target: /admin
    shop_secured_area:
        pattern: ^/
        host: .%domain%
        anonymous: ~
        form_login:
            login_path: homa_shop_login
            check_path: shop_authenticate
            provider: entity_user
        logout:
            path: shop_logout
            target: /
    validate:
        pattern: ^/validate
        security: false
access_control:
    - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin, roles: ROLE_ADMIN }
    - { path: ^/_wdt, roles: 'IS_AUTHENTICATED_ANONYMOUSLY' }
    - { host: .%domain%, path: ^/nl/contact, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .%domain%, path: ^/cart/quantity, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .%domain%, path: ^/validate, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .%domain%, path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .%domain%, path: ^/register/newcontact, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .%domain%, path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .%domain%, path: ^/forgot/password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .%domain%, path: ^/, roles: ROLE_USER }
%domain% is set in parameters.yml as domain.tld
The routes on the subdomain are working like expected, only the firewall is ignored.
Any idea?

The site uses a shop.domain.tld
%domain% is set in parameters.yml as domain.tld
Shouldn't you define %domain% as "shop.domain.tld"?
Or you should try to remove the . (dot) before %domain%, because according to this answer and the official documentation the dot is not necessary.
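How Symfony decides whether a firewall's host option matches, as an added example (a Python model of the matching rule, not Symfony's own code and not from the question or the answer): Symfony 2 wraps the host and pattern values in PCRE delimiters and runs an unanchored, case-insensitive preg_match against the request host, so .domain.tld (with %domain% = domain.tld) is a regex whose leading dot matches any single character. The important property for a deployment is the fail-open case: if the host the application actually sees on the server differs from what the browser sent (a reverse proxy rewriting the Host header, or a different %domain% value in the server's parameters.yml), no firewall matches, and a request with no matching firewall is served without any authentication or access_control check at all. The host names backend.internal and 203.0.113.10 below are assumptions standing in for whatever production really receives; the firewall list is the question's, written as an ordered list.

```python
import re


def host_matches(host_regex, request_host):
    """Model of the host check in Symfony's RequestMatcher: the YAML value is used
    as an unanchored, case-insensitive regular expression against the request's
    host name (no port).  None means 'any host'."""
    if host_regex is None:
        return True
    return re.search(host_regex, request_host, re.IGNORECASE) is not None


def path_matches(path_regex, request_path):
    """The path check: an unanchored regex as well, but case-sensitive."""
    return path_regex is None or re.search(path_regex, request_path) is not None


def select_firewall(firewalls, request_host, request_path):
    """The first firewall (in security.yml order) whose host AND pattern match is
    the only one that runs.  If none matches, Symfony 2 serves the request with
    no authentication listener and no access_control check at all."""
    for name, fw in firewalls:
        if host_matches(fw.get("host"), request_host) and path_matches(
            fw.get("pattern"), request_path
        ):
            return name
    return None


DOMAIN = "domain.tld"   # the value of %domain% in parameters.yml

# The three firewalls from the question, as an ordered list (YAML key order).
AS_POSTED = [
    ("admin_secured_area", {"pattern": r"^/admin"}),
    ("shop_secured_area", {"pattern": r"^/", "host": "." + DOMAIN}),  # '.' = any char
    ("validate", {"pattern": r"^/validate"}),
]

# Same layout with the host written as an anchored, escaped regex.
ANCHORED = [
    ("admin_secured_area", {"pattern": r"^/admin"}),
    ("shop_secured_area", {"pattern": r"^/", "host": r"^shop\." + re.escape(DOMAIN) + "$"}),
    ("validate", {"pattern": r"^/validate"}),
]


def report(firewalls, hosts, path="/cart"):
    """Map each host name to the firewall that would handle ``path`` on it."""
    return {h: select_firewall(firewalls, h, path) for h in hosts}


if __name__ == "__main__":
    # Constructed host names: the real one, two look-alikes, and two values a
    # reverse proxy or a server-side request might present instead.
    hosts = ["shop.domain.tld", "SHOP.DOMAIN.TLD", "xdomain.tld", "domain.tld",
             "backend.internal", "203.0.113.10"]
    for label, fws in (("as posted", AS_POSTED), ("anchored", ANCHORED)):
        print(label)
        for h, fw in report(fws, hosts).items():
            print(f"  {h:18} -> {fw}")
```

Two things the output shows: the unescaped dot makes the posted pattern accept xdomain.tld as well, and any host that does not match at all (including the bare domain.tld) falls through to no firewall, so nothing is protected there. The admin firewall is listed first and has no host, so it takes /admin on every host, shop subdomain included.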

Related

Symfony2 security different firewalls don't redirect properly to login

I configured 3 secured areas based on the user type: admin, teacher and student. When I'm accessing /admin, I'm redirected properly to /admin/login. But when I'm accessing /teacher or /student the redirection fails, although I'm being redirected to /teacher/login or /student/login I'm getting this error:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This is my security.yml:
firewalls:
    # disables authentication for assets and the profiler, adapt it according to your needs
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    admin:
        pattern: ^/admin
        form_login:
            check_path: login_check
            login_path: /admin/login
            provider: chain_provider
            csrf_provider: form.csrf_provider
            default_target_path: /admin
        logout: true
    teacher:
        pattern: ^/teacher
        form_login:
            check_path: login_check
            login_path: /teacher/login
            provider: chain_provider
            csrf_provider: form.csrf_provider
            default_target_path: /teacher
        logout: true
    student:
        pattern: ^/student
        form_login:
            check_path: login_check
            login_path: /student/login
            provider: chain_provider
            csrf_provider: form.csrf_provider
            default_target_path: /student
        logout: true
access_control:
    - { path: ^/admin/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/teacher/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/teacher/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/student/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/student/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin, role: ROLE_ADMIN }
    - { path: ^/teacher, role: ROLE_TEACHER }
    - { path: ^/student, role: ROLE_USER }
I need some help. What am I missing? Thanks
You've secured your login forms ... so when Symfony tries to redirect to your login form, it tries to redirect to your login form, tries to redirect to your login form, tries to redirect ...
Try this:
admin_login:
    pattern: ^/admin/login
    anonymous: ~
admin:
    pattern: ^/admin
    form_login:
        login_path: /admin/login
        check_path: /login_check
        provider: chain_provider
        csrf_provider: form.csrf_provider
        default_target_path: /admin
    logout:
        path: /logout
        target: /admin/login
teacher_login:
    pattern: ^/teacher/login
    anonymous: ~
teacher:
    pattern: ^/teacher
    form_login:
        ... etc ...
student_login:
    pattern: ^/student/login
    anonymous: ~
student:
    pattern: ^/student
    form_login:
        .... etc ...
access_control:
    - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/teacher/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/student/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    ...
    - { path: ^/admin, roles: ROLE_ADMIN }
    - { path: ^/teacher, roles: ROLE_TEACHER }
    - { path: ^/student, roles: ROLE_USER }
This is covered under the heading Avoid Common Pitfalls in the Symfony Cookbook.
THE ORDER OF YOUR FIREWALLS IS IMPORTANT
Note that the 'login firewalls' are defined ahead of their partner firewalls.
Note also that I added a '/' to the front of your check_path to remind you that you need to define a route for it. If you use annotations to define your routes, you'll need to create an empty action method in a controller somewhere so that the router has something to chew on.
Your 'logout' definitions look suspect to me as well. Not saying they're completely incorrect - just that I've never seen them defined that way before and am not exactly certain how your definitions would work given what I know of Symfony.
In the case of the '/logout' paths I've defined in the example above, you would - again - need to create a valid route for these ... even though Symfony won't actually execute any 'logout' method you define in your controllers.
The logout stuff is covered HERE
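Why the order of firewalls matters and where the redirect loop comes from, as an added example (a Python model of Symfony 2's firewall map and access map; it is neither Symfony's code nor the answer author's): the first firewall whose pattern matches a request is the only one that runs, the first access_control rule whose path matches is the only one applied, and a firewall without anonymous: has no security token at all, so its entry point redirects to login_path even for a page the access_control list marks IS_AUTHENTICATED_ANONYMOUSLY. The same model covers two layouts that appear further down this page: two firewalls that both use pattern ^/ (only the first ever runs, so a second http_basic firewall behind a form_login one is dead configuration) and a logout path equal to the login page (the logout listener fires on every visit and redirects to its target). The path /teacher/grades and the role names are constructed for the example; the access_control list uses the answer's anchored ^/teacher/login$ form.

```python
import re

ANON = "IS_AUTHENTICATED_ANONYMOUSLY"


def matches(pattern, value):
    """Symfony wraps the YAML pattern in PCRE delimiters without anchoring it,
    so '^/teacher' also matches '/teacher/login'.  None means 'match all'."""
    return pattern is None or re.search(pattern, value) is not None


def select_firewall(firewalls, path):
    """First firewall whose pattern matches wins; later ones are never consulted
    (list order stands in for the order of the keys under 'firewalls:')."""
    for name, fw in firewalls:
        if matches(fw.get("pattern"), path):
            return name, fw
    return None, None


def required_attribute(access_control, path):
    """First access_control rule whose path matches wins; None = unrestricted."""
    for rule in access_control:
        if matches(rule["path"], path):
            return rule["roles"]
    return None


def handle(firewalls, access_control, path, roles=frozenset()):
    """One request by a user whose token carries ``roles`` (empty = not logged in).
    Returns (status, location): 200/403 with the path, or 302 with the target."""
    _, fw = select_firewall(firewalls, path)
    if fw is None or fw.get("security") is False:
        return 200, path                       # no firewall: nothing is checked
    logout = fw.get("logout")
    if logout and path == logout["path"]:
        return 302, logout["target"]           # logout listener runs before auth
    needed = required_attribute(access_control, path)
    if needed is None:
        return 200, path
    logged_in = bool(roles)
    if needed == ANON:
        if logged_in or fw.get("anonymous", False):
            return 200, path
        # No anonymous listener: no token exists, so even ANON cannot be granted.
    elif needed in roles:
        return 200, path
    elif logged_in:
        return 403, path
    entry = fw.get("form_login")
    if entry is None:
        return 403, path                       # nothing to redirect to
    return 302, entry["login_path"]            # entry point: go to the login page


def trace(firewalls, access_control, path, roles=frozenset(), limit=10):
    """Follow redirects like a browser.  Returns (final_status, visited_paths);
    'LOOP' when a URL repeats, which Firefox reports as 'isn't redirecting properly'."""
    visited = []
    while path not in visited and len(visited) < limit:
        visited.append(path)
        status, location = handle(firewalls, access_control, path, roles)
        if status != 302:
            return status, visited
        path = location
    return "LOOP", visited


# --- constructed configs mirroring the security.yml fragments on this page ---
ACCESS = [
    {"path": r"^/teacher/login$", "roles": ANON},
    {"path": r"^/teacher", "roles": "ROLE_TEACHER"},
]
# The 'teacher' firewall as posted in the question: no 'anonymous' key.
QUESTION = [
    ("dev", {"pattern": r"^/(_(profiler|wdt)|css|images|js)/", "security": False}),
    ("teacher", {"pattern": r"^/teacher", "form_login": {"login_path": "/teacher/login"}}),
]
# The answer's layout: an anonymous 'login firewall' listed BEFORE its partner.
ANSWER = [QUESTION[0], ("teacher_login", {"pattern": r"^/teacher/login$", "anonymous": True}), QUESTION[1]]
# Same firewalls, wrong order: the broad pattern shadows the login firewall.
ANSWER_MISORDERED = [QUESTION[0], QUESTION[1], ANSWER[1]]
# Two '^/' firewalls (the staging question below): the second one never runs.
STAGING = [
    ("main", {"pattern": r"^/", "anonymous": True, "form_login": {"login_path": "/login"}}),
    ("whole_website", {"pattern": r"^/", "anonymous": True, "http_basic": {}}),
]
# logout.path equal to the login page (the 'too many redirects' question below).
LOGOUT_CLASH = [("secured_area", {"pattern": r"^/", "anonymous": True,
                                  "form_login": {"login_path": "/login"},
                                  "logout": {"path": "/login", "target": "/login"}})]

if __name__ == "__main__":
    print(trace(QUESTION, ACCESS, "/teacher/login"))
    print(trace(ANSWER, ACCESS, "/teacher/login"))
    print(trace(ANSWER, ACCESS, "/teacher/grades"))
    print(select_firewall(STAGING, "/anything")[0])
    print(trace(LOGOUT_CLASH, [{"path": r"^/login", "roles": ANON}], "/login"))
```

Running the traces shows the question's layout looping on /teacher/login, the answer's layout serving it and sending an unauthenticated /teacher/grades there once, and the misordered variant (login firewall listed after ^/teacher) looping exactly like the original.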

Symfony2 - Securing the whole frontend (staging) [duplicate]

I am using Symfony 2 for building a website.
The work is in progress (therefore I don't want users or search engines to access it) but my client wants to see my progress. I was thinking an easy solution was to protect the whole website with HTTP authentication using the mechanism provided by the Symfony 2 security functionality.
I am using FOSUserBundle as the website will have users that need to register and login.
This is my security.yml, which works great:
security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager
    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/account, role: IS_AUTHENTICATED_FULLY }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
Therefore I was trying to add something else on top of it, to allow the website to be protected by HTTP Authentication.
I changed the file to:
security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager
        whole_website_provider:
            users:
                ryan: { password: ryanpass, roles: 'ROLE_USER' }
    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
        whole_website:
            pattern: ^/
            anonymous: ~
            http_basic:
                realm: "Secured Demo Area"
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/account, role: IS_AUTHENTICATED_FULLY }
        - { path: ^/, role: ROLE_USER }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
Basically I added the whole_website_provider provider, the whole_website firewall and an extra access_control.
But that didn't work: when I access the website, I get redirected to the login form, that's it.
Have you got any idea whether I can do it and how?
N.B.: I would prefer not to use any Apache feature for it.
In my opinion, what you need is not to manage users with HTTP authentication but to restrict access to your site with HTTP authentication. Don't use Symfony2 security for that.
Leave your Symfony2 app security as it will be in production and use an Apache .htaccess to restrict access to the site.
Documentation is here: http://httpd.apache.org/docs/2.2/howto/auth.html. You just have to add some directives in web/.htaccess and create a user/password file as explained in the doc...
My solution in Symfony2, using the basic firewall of Symfony (without FOSUserBundle):
# app/config/security.yml
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: ROLE_USER }
    providers:
        in_memory:
            memory:
                users:
                    redattore: { password: 'somePasswordHere', roles: 'ROLE_USER' }
                    admin: { password: 'somePasswordHere', roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
It works perfectly for me. It's a very basic configuration: without hashed passwords, without a database provider ("providers:" section), without an HTTPS connection (everything goes in plain text over the internet), without logout and other nice features.
I hope it will help you.
With kind regards
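The first answer's advice is to put the staging gate in front of the application rather than inside its user system. The same idea in runnable form, as an added example that is neither the answer author's code nor Symfony's: a WSGI middleware that challenges for HTTP Basic credentials before the wrapped application (and its own form login) is reached at all. It also replaces the two weaknesses the second answer admits to, plaintext passwords in the config and a plain string compare, with a salted PBKDF2 record and a constant-time comparison. The user name, password, realm and the wrapped demo_app are constructed for the example; this is a Python stand-in for the Apache AuthType Basic setup the answer links to, meant to show the exchange, not a drop-in for a PHP deployment. Basic credentials travel base64-encoded, not encrypted, so the gate still needs TLS in front of it.

```python
import base64
import hashlib
import hmac
import os


def make_password_record(password, iterations=100_000):
    """Store a salted PBKDF2-SHA256 hash, never the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_password(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison


def parse_basic_authorization(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


# Hashed once so an unknown user name costs the same time as a wrong password.
DUMMY = make_password_record("dummy-for-uniform-timing")


def basic_auth_gate(app, users, realm="Staging"):
    """WSGI middleware: every request must carry valid Basic credentials before
    the wrapped application (with its own login system) is reached."""
    def gate(environ, start_response):
        creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))
        if creds is not None:
            user, password = creds
            record = users.get(user)
            ok = check_password(record or DUMMY, password) and record is not None
            if ok:
                return app(environ, start_response)
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", f'Basic realm="{realm}", charset="UTF-8"'),
                        ("Content-Type", "text/plain")])
        return [b"Authentication required\n"]
    return gate


def demo_app(environ, start_response):
    """Stands in for the real site and its own form-login security."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"site content\n"]


def call(app, environ):
    """Drive a WSGI app without a server; returns (status_line, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


USERS = {"client": make_password_record("correct horse battery staple")}   # constructed
GATED = basic_auth_gate(demo_app, USERS, realm="Secured Demo Area")

if __name__ == "__main__":
    print(call(GATED, {})[0])
    print(call(GATED, {"HTTP_AUTHORIZATION": basic_header("client", "correct horse battery staple")})[0])
```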

All urls behind firewall in Symfony2

I am creating an application which is users-only. So you HAVE to log in to access any URL.
At the moment I have this:
firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout: true
        anonymous: true
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    default:
        anonymous: ~
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: IS_AUTHENTICATED }
    - { path: ^/admin/, role: ROLE_ADMIN }
But when I log in I get stuck on the security check. What is the best way to put all my urls behind a firewall?
The ACL system in Symfony works with upper entries overriding lower ACLs.
"The order in which ACEs are checked is significant. As a general rule, you should place more specific entries at the beginning." Symfony 2 ACL Doc
So:
access_control:
    - { path: ^/admin/, role: ROLE_ADMIN } # 4 You override #1 for all URLs beginning with admin/ by allowing them to ROLE_ADMIN
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 Same as 2
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 Same as 2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 You have blocked all except this path for IS_AUTHENTICATED_ANONYMOUSLY
    - { path: ^/, role: IS_AUTHENTICATED } # 1 You start by blocking all
Or a complete FOSUser file with your parameters:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            remember_me: true
            logout: true
            anonymous: true
    access_control: # Top overrides bottom, change order with CAUTION
        ## Admin Rule
        - { path: ^/admin, role: ROLE_ADMIN }
        ## Anonymous FOS User Rules
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        ## Block the whole website to anonymous users
        - { path: ^/, roles: ROLE_USER }
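A small ordering check for access_control lists, as an added example (Python, not Symfony's code and not from the answer above): because Symfony applies only the first rule whose path matches, a catch-all ^/ placed above ^/admin/ means the admin rule can never win, and a value such as IS_AUTHENTICATED, which is neither a ROLE_* role nor one of the three IS_AUTHENTICATED_* attributes, is something no voter votes on; under the default affirmative strategy that is a denial for every request the rule matches. The sample URLs are constructed; the two rule lists reproduce the question's order and the answer's.

```python
import re

KNOWN_ATTRIBUTES = {
    "IS_AUTHENTICATED_ANONYMOUSLY",
    "IS_AUTHENTICATED_REMEMBERED",
    "IS_AUTHENTICATED_FULLY",
}


def winning_rule(access_control, path):
    """Index of the first rule whose (unanchored) path regex matches, or None."""
    for i, rule in enumerate(access_control):
        if re.search(rule["path"], path):
            return i
    return None


def lint(access_control, sample_paths):
    """Findings for an access_control list, judged against sample URLs.

    'shadowed': a rule that matches some sample path but never wins, because an
    earlier rule matches every such path first (e.g. '^/' listed above '^/admin/').
    'unknown attribute': a value that is neither ROLE_* nor IS_AUTHENTICATED_*;
    every voter abstains on it, which the affirmative strategy turns into a deny.
    """
    findings = []
    winners = {winning_rule(access_control, p) for p in sample_paths}
    for i, rule in enumerate(access_control):
        attr = rule.get("roles", rule.get("role"))
        if i not in winners:
            hit = [p for p in sample_paths if re.search(rule["path"], p)]
            if hit:
                findings.append(f"shadowed: rule {i} {rule['path']!r} matches {hit} "
                                f"but an earlier rule always wins")
        if not (attr.startswith("ROLE_") or attr in KNOWN_ATTRIBUTES):
            findings.append(f"unknown attribute: rule {i} uses {attr!r}")
    return findings


# Constructed sample URLs, one or two per area of the site in the question.
SAMPLE_PATHS = ["/", "/login", "/register", "/resetting/request",
                "/admin/", "/admin/users", "/profile"]

# The list from the question: '^/' sits above '^/admin/' and uses IS_AUTHENTICATED.
AS_POSTED = [
    {"path": r"^/login$", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/register", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/resetting", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/", "role": "IS_AUTHENTICATED"},
    {"path": r"^/admin/", "role": "ROLE_ADMIN"},
]

# The answer's order: specific rules first, the catch-all last.
REORDERED = [
    {"path": r"^/admin", "role": "ROLE_ADMIN"},
    {"path": r"^/login$", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/register", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/resetting", "role": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": r"^/", "roles": "ROLE_USER"},
]

if __name__ == "__main__":
    for finding in lint(AS_POSTED, SAMPLE_PATHS):
        print(finding)
    print(lint(REORDERED, SAMPLE_PATHS))
```

The check is only as good as the sample paths: it cannot prove one regex subsumes another in general, so feed it one URL per route family the site actually has.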

too many redirects login security.yml

I have got this code. But when I go in the browser to app_dev.php/login, the browser says that the page has made too many redirects.
security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        user_db:
            entity: { class: DotfusionMerlinBundle:User, property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                check_path: /login_check
                login_path: /login
            logout:
                path: login
                target: login
            #anonymous: ~
            #http_basic:
            #    realm: "Secured Demo Area"
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
routing.yml
login:
    pattern: /login
    defaults: { _controller: DotfusionMerlinBundle:User:login }
login_check:
    pattern: /login_check
Pop this under firewalls before the secured_area entry:
login_firewall:
    pattern: ^/login$
    anonymous: ~
That should fix your problem. Hope that helps.
I had the same error in an application that I had to deploy, and the error was also in the security.yml file, but in a different setting:
I had to change the line:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: http }
to:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
because I did the deployment with HTTPS (change http to https in the access_control config).
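The second answer's fix (requires_channel: https once the site is served over TLS) has a close relative that produces the same "too many redirects" symptom: TLS terminated at a reverse proxy that then talks plain HTTP to PHP. Symfony sees an insecure request, the channel listener redirects to https, the proxy forwards that as http again, and so on. Symfony believes the proxy's X-Forwarded-Proto header only when the proxy's address is listed as trusted (framework.trusted_proxies in 2.3 and later), and ignores the header from anyone else, which also stops a client from claiming https to skip the rule. The following Python model of that check is an added example, not Symfony's code; the proxy address 10.0.0.2, the network 10.0.0.0/8, the client 198.51.100.7 and the host example.test are constructed.

```python
import ipaddress


def from_trusted_proxy(remote_addr, trusted_proxies):
    """True when the TCP peer is one of the configured proxies (IPs or CIDRs)."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)


def is_secure(request, trusted_proxies):
    """Model of Request::isSecure(): the scheme of the connection PHP actually
    received, unless the peer is a trusted proxy, in which case the
    X-Forwarded-Proto header it set is believed.  From anyone else the header
    is ignored, so an untrusted client cannot talk its way past a channel rule."""
    if from_trusted_proxy(request["remote_addr"], trusted_proxies):
        forwarded = request.get("headers", {}).get("X-Forwarded-Proto")
        if forwarded:
            return forwarded.split(",")[0].strip().lower() == "https"
    return request["scheme"] == "https"


def channel_listener(request, required_channel, trusted_proxies):
    """Model of ChannelListener for one access_control rule: if the request is
    not on the required channel, redirect to the same URL on the other scheme."""
    secure = is_secure(request, trusted_proxies)
    if required_channel == "https" and not secure:
        return 302, "https://" + request["host"] + request["path"]
    if required_channel == "http" and secure:
        return 302, "http://" + request["host"] + request["path"]
    return 200, None


def follow(start_url, required_channel, trusted_proxies, proxy_ip="10.0.0.2", limit=5):
    """Browser -> TLS-terminating proxy -> PHP.  The proxy always forwards plain
    http and records the browser's scheme in X-Forwarded-Proto.
    Returns (200 or 'LOOP', the URLs the browser visited)."""
    visited, url = [], start_url
    while url not in visited and len(visited) < limit:
        visited.append(url)
        scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        request = {"scheme": "http", "remote_addr": proxy_ip, "host": host,
                   "path": "/" + path, "headers": {"X-Forwarded-Proto": scheme}}
        status, location = channel_listener(request, required_channel, trusted_proxies)
        if status == 200:
            return 200, visited
        url = location
    return "LOOP", visited


if __name__ == "__main__":
    print(follow("https://example.test/login", "https", []))              # proxy not trusted
    print(follow("https://example.test/login", "https", ["10.0.0.0/8"]))  # proxy trusted
```

With an empty trusted list the browser is bounced to the URL it is already on; with the proxy network trusted the https request passes and a plain http request is upgraded once.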
