I'm trying to crate a chain provider for login form in my Symfony2 application (version 2.3) - this is my security Yaml:
jms_security_extra:
secure_all_services: false
expressions: true
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
chain_provider:
chain:
providers: [in_memory, fos_userbundle]
fos_userbundle:
id: fos_user.user_provider.username
in_memory:
memory:
users:
admin: { password: god, roles: [ 'ROLE_ADMIN' ] }
firewalls:
main:
pattern: ^/
form_login:
provider: chain_provider
csrf_provider: form.csrf_provider
logout: true
anonymous: true
security: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
#- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/group/, role: ROLE_ADMIN }
As you can see, I'm using FOSUserBundle (great stuff btw).
The problem is that after I login with in_memory admin user, I can't get to the /profile/ URL. I'm getting this error msg:
AccessDeniedHttpException: This user does not have access to this section
I found a cause to this - the problem is in FOS\UserBundle\Controller\ProfileController class:
public function showAction()
{
$user = $this->container->get('security.context')->getToken()->getUser();
if (!is_object($user) || !$user instanceof UserInterface) {
throw new AccessDeniedException('This user does not have access to this section.');
}
return $this->container->get('templating')->renderResponse('FOSUserBundle:Profile:show.html.'.$this->container->getParameter('fos_user.template.engine'), array('user' => $user));
}
The Controller is checking if $user object is an instance of UserInterface, which is not, because it is instance of Symfony\Component\Security\Core\User\User (plaintext encoder class).
I tried to change encoder configuration to this:
security:
encoders:
Symfony\Component\Security\Core\User\UserInterface: plaintext
But it didn't work. I found that the User class is hardcoded in numerous places with the Symfony engine.
So my question is: how to change that behaviour from security yaml? Am I missing something?
PHP documentation:
instanceof is smart enough to know that a class that implements an
interface is an instance of the interface
Symfony\Component\Security\Core\User\UserInterface implements AdvancedUserInterface which implements UserInterface.
Your problem is not the typeof check in FOS\UserBundle\Controller\ProfileController but a wrong firewall configuration or the in-memory user not receiving it's roles correctly!
Sorry, but you cant see the profile of memory user's. Profile is made only for FOS users. Thats why it must implement FOS\UserBundle\Model\UserInterface.
Related
I'm using symfony 3.2.3, and I want restrict access on same pages.
Ok, no problem! Configuring security.yml, all can be done, and actually it works in dev environment.
But, when I switch my symfony site in production mode, nothing works any more!
Switching to prod commands:
php bin\console cache:clear --env=prod --no-debug
I have 4 pages:
/homepage (can access everyone)
/lucky (can access everyone)
/auth_area (can access only logged users)
/backend (can access only ROLE_ADMIN users)
Here my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_USER_LOGGED: IS_AUTHENTICATED_FULLY
ROLE_ADMIN: ROLE_USER_LOGGED
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
default:
anonymous: ~
http_basic: ~
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
logout:
path: /logout
target: /
access_control:
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/backend, roles: ROLE_ADMIN }
- { path: ^/auth_area, roles: IS_AUTHENTICATED_FULLY }
Finally, all works fine on dev, nothing works in prod: anonymous user can access everywhere! ;(
Thanks in advance!
As written by gp_sflover in a comment:
PS: I think the first directive is always matched and cause your problem.
and in the documentation:
For each incoming request, Symfony checks each access_control entry to find one that matches the current request. As soon as it finds a matching access_control entry, it stops - only the first matching access_control is used to enforce access.
So you have to change the order of your rules and put the rule that match every request (path: ^/) at the end:
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/backend, roles: ROLE_ADMIN }
- { path: ^/auth_area, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
security.yml:
role_hierarchy:
admin: [test, simple]
providers:
database:
entity: { class: UserBundle:User, property: username }
firewalls:
dev:
pattern: ^/(_(profiler|wdt|error)|css|images|js)/
security: false
prod:
pattern: ^/
provider: database
anonymous: true
form_login:
login_path: public_login
check_path: public_login_check
default_target_path: dashboard
always_use_default_target_path: true
csrf_provider: form.csrf_provider
logout:
path: logout
target: public_login
access_control:
- { path: ^/(.+), roles: admin }
- { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
When i login, I get 403 forbidden exception. Then i check profiler/security, and roles looks like that:
Roles [ROLE_USER, admin]
When i switch access control to:
- { path: ^/(.+), roles: ROLE_USER }
It works fine.
Why the hell my access control doesn't allow me to access pages with "admin" role, but does with "ROLE_USER" ?
My goal is to drop built-in roles (like ROLE_USER, ROLE_ADMIN etc), because I'm writing application for existing database, which contains already defined roles for users, so i want to use them.
I have confirmed that 'ROLE_' prefix is required - its because symfony by default use its own RoleVoter implementation.
To get rid of this prefix, custom RoleVoter is needed. To do that you need to create custom class implementing RoleVoterInterface, make it service and tag it with 'security.voter', to enforce security layer to use it instead of default one.
Read more about implementing own RoleVoters on this example.
You are not using the right syntax for roles in the Security configuration
you should change
- { path: ^/(.+), roles: admin }
To:
- { path: ^/(.+), roles: ROLE_ADMIN }
Question: I want to create an admin part in my Symfony2 website that would be available only to users with a ROLE_ADMIN
I don't know if I should create a new firewall or use acces controls. I tried to do both together but the admin part is still accessible to all users.
Currently all the website is under secured area firewall and pages i want available to anonymous are freed with access control.
Here is my security.yml
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
my_facebook_provider:
id: my_user.facebook_provider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/login$
security: false
context: login
admin:
pattern: /admin/
form_login:
provider: fos_userbundle
check_path: /login_check
login_path: /login
anonymous: ~
secured_area:
pattern: ^/
anonymous: ~
form_login:
login_path: /login
check_path: /login_check
default_target_path: tk_group_homepage
provider: fos_userbundle
remember_me: true
csrf_provider: form.csrf_provider
remember_me:
key: %secret%
lifetime: 31536000 # 365 days in seconds
fos_facebook:
app_url: "%api_facebook_name%"
server_url: "%api_facebook_server%"
check_path: /login_facebook_check
default_target_path: tk_user_homepage
provider: my_facebook_provider
logout:
path: fos_user_security_logout
target: fos_user_security_login
invalidate_session: false
context: login
access_control:
- { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/new, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/invitation, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/(subscribe|about|blog|press|contact), role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, role: IS_AUTHENTICATED_REMEMBERED }
- { path: ^/admin/, role: ROLE_ADMIN }
I am also thinking about checking in the controller is the user has an admin role and throwing an exception if not, as my admin part is only one page currently. But I do not know if it is best practice and it could be a problem if i want to extend my admin part.
And I do not want to create a new user provider as we would be only 2 admins.
Thank you very much,
Jules
You should remove the admin firewall and rely on access_control; If you have admin login form under the /admin/ URL, you of course will not be able to see it before logging in, so you should either use the /login form to sign in as admin, or modify your access_control:
- { path: ^/admin/login/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
here is what official doc says about your situation:
Multiple firewalls don't share security context If you're using multiple firewalls and you authenticate against one firewall, you will
not be authenticated against any other firewalls automatically.
Different firewalls are like different security systems. To do this
you have to explicitly specify the same Firewall Context for different
firewalls. But usually for most applications, having one main firewall
is enough.
http://symfony.com/doc/current/book/security.html#book-security-common-pitfalls
You should read the whole Common pitfalls section
If you would really really like to use different firewalls, just do as the documentation states, and share the same firewall context beetween them. This is also described in the documentation:
http://symfony.com/doc/current/reference/configuration/security.html#reference-security-firewall-context
and here is a simple example:
admin:
(... other options ...)
context: my_security_context
secured_area:
context: my_security_context
(... other options ...)
The Access Control looks for the first match.
Because of that you need to put this line:
- { path: ^/admin/, role: ROLE_ADMIN }
Before this line:
- { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
If you do not, /admin/whatever matches the path ^/$ and needs no ROLE_ADMIN.
I'm trying to take advantage of Symfony's authentication and authorization capabilities however I'm somewhat confused as to what my security.yml file should look like.
I'm looking to accomplish the following objectives:
1) The routes / and /join (are avilable to everyeone - no login required).
2) all other routes require a login/password.
3) the /adimin route should be futher restricted to admin users only.
4) all users should be authenticated against the database.
I have item 4 figured out (I think) - see below. I'm not sure what the administrators: word means though. Does that mean only administrators use the User class? Should that say users: or something else?
security:
encoders:
MySite\Bundle\Entity\User:
algorithm: sha1
encode_as_base64: false
iterations: 1
providers:
administrators: (??? what doest his mean ???)
entity: { class: MySiteBundle:User }
More Importantly --
For Items 1, 2, and 3 I'm not sure what to put. I have a bunch of entries under the firewalls: section and the access_control: sections however It just doesnt work or make sense. Can someone post what the security.yml should look like just by the goals I'm looking to accomplish in numbers 1 - 3?
Here is a configuration exemple from what I understood from your needs:
security:
encoders:
"MySite\Bundle\Entity\User": { algorithm: sha1, encode_as_base64: false, iterations: 1 }
providers:
database: { entity: "MySite\Bundle\Entity\User" }
firewalls:
dev:
pattern: ^/(_profiler|_wdt|css|js)
security: false
main:
pattern: ^/
provider: database
anonymous: true
# the rest of your firewall's config
access_control:
- { path: ^/(join)?$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }
We configure the password encoder for the user entity and we define a provider for it.
Then we define a dev firewall to deactivate security for the debug/profiler/asset pathes and a main one that will be the real firewall for the application. This last firewall will use the previously defined user provider and allow anomymous users (important!).
Finally in the access control map, we first define a rule for the pathes allowed to anonymous users and then a generic rule that requires the user to be fully authenticated for the rest of the site.
For anyone else asking this or a similiar question, I've managed to get this working using the following settings in security.yml.
security:
encoders:
MySite\Bundle\Entity\User:
algorithm: sha1
encode_as_base64: false
iterations: 1
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
database:
entity: { class: MySiteBundle:User }
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
prod:
pattern: ^/
provider: database
anonymous: true
form_login:
check_path: /login_check
login_path: /login
default_target_path: /home
always_use_default_target_path: true
logout:
path: /logout
target: /
access_control:
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/build, roles: ROLE_USER }
- { path: ^/join, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
I am trying to authenticate against symfony2 firewall , here is my security config
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
in_memory:
users:
user: { password: user, roles: [ 'ROLE_USER' ] }
admin: { password: admin, roles: [ 'ROLE_ADMIN' ]}
#main:
#entity: { class: Surgeworks\CoreBundle\Entity\User, property: username}
firewalls:
public:
pattern: .*
security: false
anonymous: true
form_login:
check_path: /{_locale}/admin/logincheck
login:
pattern: ^/{_locale}/admin/login$
security: false
anonymous: ~
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
anonymous: ~
secured_area :
provider: in_memory
pattern: ^/{_locale}/admin/.*
form_login:
check_path: /{_locale}/admin/logincheck
login_path: /{_locale}/admin/login
logout:
path : /{_locale}/admin/logout
target : /{_locale}/admin/
remember_me:
key: aSecretKey
lifetime: 3600
path: /admin/
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/{_locale}/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/{_locale}/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/ar/admin/logincheck, roles: ROLE_ADMIN }
- { path: ^/(ar|en|fr)/admin/, roles: ROLE_ADMIN }
and here is my routing in DaghoSiteBundle/Resources/config/routing.yml:
_admin:
pattern: /admin/
defaults: { _controller: DaghoSiteBundle:Login:login , _locale : ar }
requirements:
_locale: (ar|en|fr)
login:
pattern: /admin/login
defaults : { _controller: DaghoSiteBundle:Login:login , _locale : ar }
requirements:
_locale: (ar|en|fr)
logincheck:
pattern: /admin/logincheck
#defaults: { _controller: DaghoSiteBundle:Login:logincheck , _locale: ar }
#requirements:
#_locale: (ar|en|fr)
logout:
pattern: /admin/logout
I can't login through these setting ,
it always throw an exception
Unable to find the controller for path "/ar/admin/logincheck". Maybe
you forgot to add the matching route in your routing configuration
and even if had setup the route check_path page >> i would be able to view the check_path without being redirected to login page ..
/en/admin >> login page
/en/logincheck >> display the logincheck template (i.e /en/logincheck isn't behind firewall )
how to fix , or debug this issue , please advise
UPDATE:
sorry I might forget to write that i had prefixed my bundle with the {_locale} like this
in my routing.yml
DaghoSiteBundle:
resource: "#DaghoSiteBundle/Resources/config/routing.yml"
prefix: /{_locale}
requirements:
_locale: ar|en|fr
defaults: { _locale: ar }
I think you must change your route patterns to include your _locale parameter. Instead of, for example, pattern: /admin/logincheck you should use pattern: {_locale}/admin/logincheck
You can also debug your routes by using a console command app/console router:debug.
I am not 100% sure this fixes your problem, but I hope it helps you gather more info about your issue.
Why dont you try
logincheck:
pattern: /admin/login_check
#defaults: { _controller: DaghoSiteBundle:Login:logincheck , _locale: ar }
#requirements:
#_locale: (ar|en|fr)
This solved my problem, but my situation is simple and doesn't have the {_locale} functionality, but maybe it will help you anyway.
From the Security chapter of the Symf2 Book:
Common Pitfalls #3: Be sure /login_check is behind a firewall.
In your security.yml file it looks like your check_path route is /{_locale}/admin/logincheck, and your secured path is anything that's behind ^/{_locale}/admin/.*
so that seems to be good.
You might want to try removing the .* (do you really need it?)
and further down the file in the access control section you provide a specific entry to make sure the check_path requires authentication:
- { path: ^/ar/admin/logincheck, roles: ROLE_ADMIN }
Maybe try specifying this instead:
- { path: ^/{_locale}/admin/logincheck, roles: ROLE_ADMIN }
But actually, I was wondering, can you even use {placeholders} in the security.yml pattern values? I know you can in the routing file, but I'm not sure if the security yml works the same way? I don't see it being used in any examples in the main symf2 book in the security or routing chapters?