My current project almost all routes are protected by a form_login.
Two routes /login and /user/forgot_password should remain unprotected to be accessible by non-authenticated users.
Is there any way I can prevent access of authenticated users to this routes?
In my controller I can check for $this->getUser() however in non-secured areas the security.context is not filled with the corresponding data.
Configuration (security.yml):
security:
firewalls:
nonsecured:
pattern: ^/(login|user/forgot_password)$
security: false
secured:
pattern: ^/
# ...
You can't get the current user information without an active firewall. Here's how you can solve the problem:
Remove the nonsecured firewall so that the whole app is covered by an active firewall,
Enable anonymous access by adding anonymous: ~ to the secured firewall,
Use access control to decide who can get where:
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/user/forgot-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_USER }
To prevent access to /login and /user/forgot-password for authenticated users, you have at least these two options:
Check for the user in the controllers — the way you suggested, or
Use JMSSecurityExtraBundle's expressions:
access_control:
- { path: ^/login, access: 'isAnonymous()' }
- { path: ^/user/forgot-password, access: 'isAnonymous()' }
- { path: ^/, access: 'isAuthenticated()' }
Related
I'm deploying an express gateway to Amazon ECS container, I'm trying to figure out what is the best way to override the serviceEndpoint part if the gateway.config.yml since service URLs are obviously different.
I need to change this
serviceEndpoints:
user:
url: 'http://localhost:3001'
auth:
url: 'http://localhost:3004'
customer:
url: 'http://localhost:3002'
to this:
serviceEndpoints:
user:
url: 'http://user.service:3001'
auth:
url: 'http://auth.service:3004'
customer:
url: 'http://customer.sevice:3002'
and so forth.
I asume I could maintain 2 copies of the config file and swap them in Docker build but I asume this is not the best alternative, implementing service discovery, I asume, would be another choice.
Any ideas?
TIA!
I found the solution, the config now uses ENVIRONMENT variables as:
serviceEndpoints:
user:
url: 'http://${USER_SERVICE:-localhost}:${USER_SERVICE_PORT:-3001}'
auth:
url: 'http://${AUTH_SERVICE:-localhost}:${AUTH_SERVICE_PORT:-3004}'
customer:
url: 'http://${CUSTIMER_SERVICE:-localhost}:${CUTOMER_SERVICE_PORT:-3002}'
and everything works.
Regards.
My configurations are as below
apiEndpoints:
api:
host: '*'
paths: '/ip'
approval-engine:
host: '*'
paths: '/app/*'
serviceEndpoints:
httpbin:
url: 'https://httpbin.org'
approval-engine:
url: 'http://localhost:8001/'
With proxy as
- proxy:
- action:
serviceEndpoint: approval-engine
ignorePath: false
prependPath: false
autoRewrite : true
changeOrigin: true
When i make a request to http://localhost:8080/app/category the request is routed to localhost:8001/app/category
My question is can we route the request to http://localhost:8001/category. I want to ignore the paths:/app/ part in proxy.
To accomplish this, you'll need to use the express-gateway rewrite plugin.
You can use the eg CLI to install the plugin.
eg plugin install express-gateway-plugin-rewrite
Make sure rewrite is included in the gateway config's policies whitelist.
In the pipeline that's handling the request, you can use the rewrite plugin like so:
policies:
- rewrite:
- condition:
name: regexpmatch
match: ^/app/(.*)$
action:
rewrite: /$1
This should remove /app from the path before the request is routed to the Service Endpoint.
I'm on Symfony 2.3 and need to protect different routes with different htpasswd restrictions.
There is one on the main route / and one on another route, like for example /restricted/user.
Since http basic auth is broken in security.yml (in combination with some apache and cgi configs), I need to do this in the .htaccess, that exist in the web/ directory.
I already have the / route secured, but how can I add another route that obviously does not exist as a directory?
symfony provides a very simple way to handle this, to make areas of your website secured or even accessible by different roles you can use the access_control in your security.yml
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/restricted/user, role: ROLE_ADMIN }
Question 1
How to change the login_check route to other naming route?
For example, the login form will post to www.example.com/auth instead of www.example.com/login_check. Then the auth will perform the checking like login_check.
Question 2
How to redirect user if they try to access /login when they already authenticated?
For example, when user try to access /login, if he/she already authenticated then will be redirected to /account instead of displaying the login form.
Thank you very much.
If you are loading the routes of a bundle inside the src/Pk/AppBundle/Resources/config/routing.yml you can create an entry for the routes:
# src/Pk/AppBundle/Resources/config/routing.yml
homepage:
pattern: /
defaults: { _controller: AppBundle:Home:index }
login:
pattern: /login
defaults: { _controller: AppBundle:Auth:login}
login_check:
pattern: /auth
logout:
pattern: /logout
account:
pattern: /account
defaults: { _controller: AppBundle:Account:index}
and in your security.yml :
# app/config/security.yml
firewalls:
main:
pattern: ^/
form_login:
check_path: login_check # the name of your check route
login_path: login # the name of your login route
default_target_path: account # the name of your account route
always_use_default_target_path: true
logout:
path: logout
target: /
anonymous: ~
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
This should work using Symfony 2.6 (Documentation)
But it will allways redirect after login, if what you want is only when the client GET /login then you can use the controller:
# AppBundle:Auth
public function loginAction ()
{
if($this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY')){
return $this->redirect($this->generateUrl('account'));
}
// logic of the loginpage
}
If you want more customization you can add a Login Event Listener for it. (For example)
If I didn't miss anything it should work.
If I get you wrong, please let me know, and I hope this will help you.
I want to use passport(using paasport-facebook and qq) to authenticate user. But meeting the following error:
when I using facebook auth:
error when auth: { [InternalOAuthError: Failed to obtain access token]
name: 'InternalOAuthError',
message: 'Failed to obtain access token',
oauthError: [Error: Hostname/IP doesn't match certificate's altnames] }
when I using qq auth,I got this:
name: 'InternalOAuthError',
message: 'failed to obtain access token',
oauthError: [Error: CERT_UNTRUSTED] }
Here is my /etc/hosts file:
127.0.0.1 www.siyee.org
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
because the auth callback must be a domain, so I changed the hosts on my development environment to match the callback settings on the facebook server.It's not smart but can take effect.Any better idea?
I think the problem is in my hosts setting or certificate, but I don't know how to fix it, any kind of help would be great!
First I had to specify access to userinfo and only then - other necessary services.
scope: [
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/youtube'
]