Symfony2: Security/Routing Issue

I'm using FOSFacebookBundle and FOSUserBundle on Symfony 2.1.3. I have some trouble with my security settings:
imports:
    - { resource: facebookParameters.ini }

security:
    providers:
        my_fos_facebook_provider:
            id: my.facebook.user
    firewalls:
        main:
            pattern: ^/
            fos_facebook:
                app_url: "%facebookAppUrl%"
                server_url: "%facebookServerUrl%"
                login_path: /login
                check_path: /login_fb_check
                default_target_path: /
                provider: my_fos_facebook_provider
            logout:
                handlers: ["fos_facebook.logout_handler"]
            anonymous: true
    access_control:
        - { path: ^/game, roles: ROLE_FACEBOOK }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/gameinfos, roles: IS_AUTHENTICATED_ANONYMOUSLY }
The game path should be secured by Facebook login; the login and gameinfos paths should be free to all visitors. OK, login is fine, it's accessible from everywhere, but gameinfos is not. It always redirects me to Facebook when I call that path/route.
Where could be the problem?

Related

Symfony 3.1 redirect loop to login form

I'm making a site where everything except the actual login form should require that the user has logged in.
I'm assuming the issue I'm having is with the security.yml, which I've set up like this:
firewalls:
    # disables authentication for assets and the profiler, adapt it according to your needs
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        provider: auth_provider
        pattern: .*
        form_login:
            login_path: /login
            check_path: /login_check
        logout:
            path: /logout
            target: /
access_control:
    - { path: /login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
The firewall does indeed recognise an anonymous user and tries to send him to the login page. However, the browser halts the request before the login form is rendered due to a redirect loop, which I just can't figure out how to solve.
my route file:
site_login:
    path: /login
    defaults: { _controller: AppBundle:Security:login }
site_login_check:
    path: /login_check
    defaults: { _controller: AppBundle:Security:login_check }
The controller is just:
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class SecurityController extends Controller
{
    // Placeholder actions used only to see whether the requests ever reach the controller.
    public function loginAction(Request $request)
    {
        die("here1");
    }

    public function loginCheckAction(Request $request)
    {
        die("here2");
    }
}
Add to main firewall:
main:
    anonymous: true
and to access control:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: IS_AUTHENTICATED_REMEMBERED }

Symfony 2 -security.yml: How to create an exception pattern inside the firewalls?

example: I have this inside my firewalls
secured_area:
    pattern: ^/
    form_login:
        check_path: /secured/login_check
        login_path: /secured/login
    logout:
        path: /secured/logout
        target: /
    context: primary_auth
I would like to access this pattern => ^/toto without login.
Please help me.
With this, anyone can access it.
# change with your path
security:
    firewalls:
        secured_area:
            anonymous: ~
            pattern: ^/
            form_login:
                check_path: /secured/login_check
                login_path: /secured/login
            logout:
                path: /secured/logout
                target: /
            context: primary_auth
    access_control:
        - { path: /toto, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
Edit:
Don't forget your anonymous: ~ (it lets anonymous users use it, for toto)
and leave authorization to your access_control.

Symfony2 Security and roles

I have Symfony2 with a login system which is working correctly; it's using the table VtigerPortalinfo to get the user and password, then validates.
But I have roles in another table, which returns 1 for admin and 0 for a normal user. This is the query in the repository:
public function findRolTypeByCustomerId($customerId)
{
    $query = $this->getEntityManager()->createQuery("
        SELECT u.cf771
        FROM WbsGoclientsBundle:VtigerContactscf u
        WHERE u.contactid = :customerid
    ")->setParameter('customerid', $customerId);

    try {
        // A single column is selected, so fetch it as a scalar instead of a row array.
        $rol = $query->getSingleScalarResult();

        // Compare, don't assign: `if ($rol = 1)` is always true and would make everyone an agent.
        if ((int) $rol === 1) {
            return 'ROLE_AGENT';
        }

        return 'ROLE_USER';
    } catch (\Doctrine\ORM\NoResultException $e) {
        return null;
    }
}
And this is my Security.yml
security:
    encoders:
        WbsGo\clientsBundle\Entity\VtigerPortalinfo: plaintext
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER]
    providers:
        user_db:
            entity: { class: WbsGo\clientsBundle\Entity\VtigerPortalinfo, property: userName }
    firewalls:
        main:
            pattern: /.*
            provider: user_db
            form_login:
                always_use_default_target_path: true
                login_path: /login
                check_path: /login_check
                remember_me: true
            logout:
                path: /logout
                target: /
            remember_me:
                key: XXXXXXXX
                lifetime: 1800
                path: /.*
                domain: ~
            security: true
            anonymous: true
    access_control:
        - { path: /login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /css, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /js, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /images, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /user, roles: ROLE_USER }
        - { path: /admin, roles: ROLE_ADMIN }
        - { path: /.*, roles: ROLE_USER }
So my question is: how can I set roles from a different table than the login info? As you can see, the repo returns the ROLE, but I don't know how to pass it on to the security stuff...
If I understand the question correctly, then you just need to make your own user provider and query for the roles when myUserProvider.loadUserByUsername is called.
Pretty straightforward: http://symfony.com/doc/current/cookbook/security/custom_provider.html
Don't get confused by the web service stuff in the example. You just need to query for your user, then add the roles to it.

Symfony 2 Security.yml redirect loop and LogicException issues

OK, I think I need hand-holding.
This question follows on from the previous question:
Symfony2 img/LdapBundle Bad credentials error
I have split this out as it's a different issue. I am getting two different issues relating to the security.yml file, as described below.
I have my security.yml:
security:
    firewalls:
        login_firewall:
            pattern: ^/login$
            anonymous: ~
            imag_ldap:
                check_path: login_check
                login_path: login
                csrf_provider: form.csrf_provider
                intention: authenticate
                provider: ldap
            logout:
                path: /logout
                target: /
        restricted_area:
            pattern: ^/
            #anonymous: ~
    providers:
        ldap:
            id: imag_ldap.security.user.provider
    encoders:
        IMAG\LdapBundle\User\LdapUser: plaintext
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
but I'm getting the following error:
LogicException: No authentication listener registered for firewall "restricted_area".
So I tried the following:
security:
    firewalls:
        login_firewall:
            pattern: ^/login$
            anonymous: ~
            imag_ldap:
                check_path: login_check
                login_path: login
                csrf_provider: form.csrf_provider
                intention: authenticate
                provider: ldap
            logout:
                path: /logout
                target: /
        restricted_area:
            pattern: ^/
            #anonymous: ~
            imag_ldap:
                check_path: login_check
                login_path: login
                csrf_provider: form.csrf_provider
                intention: authenticate
                provider: ldap
            logout:
                path: /logout
                target: /
but this causes a redirect loop.
Can anyone show me how to get this to work? I am trying to use the https://github.com/BorisMorel/LdapBundle LDAP bundle to authenticate users.
According to the documentation https://github.com/BorisMorel/LdapBundle#configure-securityyml you should have one firewall with pattern: ^/ where the login also lives.
security:
    firewalls:
        restricted_area:
            pattern: ^/
            anonymous: ~
            imag_ldap:
                check_path: login_check
                login_path: login
                csrf_provider: form.csrf_provider
                intention: authenticate
                provider: ldap
            logout:
                path: /logout
                target: /
    providers:
        ldap:
            id: imag_ldap.security.user.provider
    encoders:
        IMAG\LdapBundle\User\LdapUser: plaintext
    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
Pages that don't need authentication have to be included under access_control with the IS_AUTHENTICATED_ANONYMOUSLY role. This also applies to the profiler and toolbar in the dev environment (actually for FOSUserBundle, but I think this is also significant for the LdapBundle). And yeah, I know the Symfony documentation says to create an anonymous firewall exclusively for ^/login$, but if the bundle supports an anonymous role it is enough to exclude it with access_control as above.
        - { path: ^/_wdt, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/_profiler, role: IS_AUTHENTICATED_ANONYMOUSLY }
EDIT:
And don't forget to import the routing definitions from the bundle rather than defining them yourself. See https://github.com/BorisMorel/LdapBundle#import-routing

In symfony2, the login action is showing me as logged out when I'm actually logged in

If a logged-in user goes to the login action, I want to redirect them to another page. But I can't figure out how to detect whether the user is logged in or not while inside the loginAction method. The security context in the login action makes me seem logged out when I'm not.
As a test, I'm requesting both of the following pages while I'm logged into the site. Why can't I get access to the user in the login action?
Here's my login action:
public function loginAction()
{
    $token = $this->get('security.context')->getToken();
    print_r(get_class($token));
    // Outputs "Symfony\Component\Security\Core\Authentication\Token\AnonymousToken"
    print_r($token->getUser());
    // Outputs "anon."
}
Here is a generic action in the application, protected by the login:
public function regularAction()
{
    $token = $this->get('security.context')->getToken();
    print_r(get_class($token));
    // Outputs "Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken"
    print_r(get_class($token->getUser()));
    // Outputs "Company\BaseBundle\Entity\User"
}
Here's my security.yml:
security:
    encoders:
        Company\BaseBundle\Entity\User:
            algorithm: sha1
            iterations: 1
            encode_as_base64: false
    providers:
        main:
            entity: { class: Company\BaseBundle\Entity\User, property: user_name }
    firewalls:
        login_firewall:
            pattern: ^/login$
            anonymous: ~
        main:
            pattern: ^/
            form_login:
                login_path: /login
                check_path: /login_check
                post_only: true
                always_use_default_target_path: false
                default_target_path: /
                use_referer: true
                failure_path: null
                failure_forward: false
                username_parameter: user_name
                password_parameter: password_hash
                csrf_parameter: _csrf_token
                intention: authenticate
            logout:
                path: /logout
                target: /
    acl:
        connection: default
EDIT: I didn't think the rest of my firewalls were pertinent, but after reading ilanco's answer, I think they might be
security:
    encoders:
        Company\BaseBundle\Entity\User:
            algorithm: sha1
            iterations: 1
            encode_as_base64: false
    providers:
        main:
            entity: { class: Company\BaseBundle\Entity\User, property: user_name }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login_firewall:
            pattern: ^/login$
            anonymous: ~
        password_reset:
            pattern: ^/passwordreset/*$
            anonymous: ~
        error_firewall:
            pattern: ^/error/.*$
            anonymous: ~
        unsupported_broswers:
            pattern: ^/unsupported$
            anonymous: ~
        security_question_firewall:
            pattern: ^/user/(locked|security_question)/(new)*$
            anonymous: ~
        api_firewall:
            pattern: ^/api/.*$
            provider: main
            http_basic:
                realm: "Secured API Area. Login with your regular credentials"
                provider: main
        main:
            pattern: ^/
            form_login:
                login_path: /login
                check_path: /login_check
                post_only: true
                always_use_default_target_path: false
                default_target_path: /
                use_referer: true
                failure_path: null
                failure_forward: false
                username_parameter: user_name
                password_parameter: password_hash
                csrf_parameter: _csrf_token
                intention: authenticate
            logout:
                path: /logout
                target: /
    acl:
        connection: default
Following ilanco's suggestion, I removed this:
login_firewall:
    pattern: ^/login$
    anonymous: ~
and added this directly under the providers section:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
But then I had a redirect loop error when I accessed /login.
I have struggled with this problem as well.
/login is not part of the main firewall, so the user is not accessible there.
The way to solve this is to remove the custom firewall you have called login_firewall and allow access to /login through access_control.
Add the following code to your security.yml
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
Managed to solve this one: the redirect loop is caused by the lack of access to the /login page. I've made only one firewall, set anonymous: ~, defined access_control for non-users, and voilà!
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: true
            anonymous: ~
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
                always_use_default_target_path: true
                default_target_path: /
            logout:
                path: /logout
                target: /
    providers:
        main:
            entity: { class: Core\UserBundle\Entity\User, property: username }
    encoders:
        Core\UserBundle\Entity\User:
            algorithm: sha256
            iterations: 10
            encode_as_base64: true
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_SUPERADMIN }
        - { path: ^/user, roles: ROLE_USER }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
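Every thread on this page (the FOSFacebookBundle one where /gameinfos keeps bouncing to Facebook, the Symfony 3.1 redirect loop, the LdapBundle LogicException and loop, and the "logged out inside loginAction" one) comes down to two first-match decisions Symfony makes on each request: the first firewall whose pattern matches owns the request, and inside it the first access_control rule whose path matches is the only one consulted. Both matches are unanchored regexes, so ^/game also matches /gameinfos, and a login page that lives in a firewall with no anonymous listener redirects to itself because the visitor has no token at all. The model below is an added example written for this page; it is not code from any of the posts and not Symfony's implementation. It simplifies the voters (no role_hierarchy, no shared context), raises the "No authentication listener" error per request rather than at container build time as Symfony does, and the ^/game(/|$) pattern is an assumed fix that the first thread does not itself give.

```python
# Added example for this page: a model of Symfony's two first-match security decisions.
# Not code from the posts above and not Symfony's own implementation; see the lead-in.
import re
from dataclasses import dataclass
from typing import Optional

ANON = "IS_AUTHENTICATED_ANONYMOUSLY"
REMEMBERED = "IS_AUTHENTICATED_REMEMBERED"
FULL = "IS_AUTHENTICATED_FULLY"

@dataclass
class Firewall:
    name: str
    pattern: str                      # `pattern:` regex; Symfony runs preg_match, unanchored
    anonymous: bool = False           # `anonymous: ~` / `anonymous: true`
    security: bool = True             # `security: false` switches the firewall off
    login_path: Optional[str] = None  # set when form_login / fos_facebook / imag_ldap exists

@dataclass
class Rule:
    path: str                         # access_control `path:` regex, also unanchored
    roles: frozenset

def select_firewall(path, firewalls):
    """The first firewall whose pattern matches owns the request; later ones are ignored."""
    return next((fw for fw in firewalls if re.search(fw.pattern, path)), None)

def decide(path, user_roles, firewalls, rules):
    """One request: 'unsecured', 'allow', 'deny' or 'redirect:<login_path>'.
    user_roles is None for a visitor who has not logged in."""
    fw = select_firewall(path, firewalls)
    if fw is None or not fw.security:
        return "unsecured"
    if not fw.anonymous and fw.login_path is None:
        # Symfony raises this while building the container; modelled per request here.
        raise RuntimeError(f'No authentication listener registered for firewall "{fw.name}"')
    if user_roles is None:
        # Without `anonymous:` there is no token at all, so no rule can ever be satisfied.
        token_roles = frozenset({ANON}) if fw.anonymous else frozenset()
    else:
        token_roles = frozenset(user_roles) | {ANON, REMEMBERED, FULL}
    rule = next((r for r in rules if re.search(r.path, path)), None)  # first match wins
    if rule is None or token_roles & rule.roles:
        return "allow"
    if user_roles is None and fw.login_path:
        return f"redirect:{fw.login_path}"  # entry point sends the visitor to the login page
    return "deny"                           # logged in but missing the role: 403

def follow(path, user_roles, firewalls, rules, max_hops=5):
    """Chase redirects like a browser; last entry is 'redirect-loop' if it never settles."""
    trail = []
    for _ in range(max_hops):
        outcome = decide(path, user_roles, firewalls, rules)
        trail.append((path, outcome))
        if not outcome.startswith("redirect:"):
            return trail
        path = outcome.split(":", 1)[1]
    trail.append((path, "redirect-loop"))
    return trail

# First thread: ^/game also matches /gameinfos, so the anonymous rule for it is never reached.
FB_FIREWALLS = [Firewall("main", "^/", anonymous=True, login_path="/login")]
FB_RULES_AS_POSTED = [
    Rule("^/game", frozenset({"ROLE_FACEBOOK"})),
    Rule("^/login", frozenset({ANON})),
    Rule("^/gameinfos", frozenset({ANON})),
]
# Assumed fix (not from the thread): anchor the protected prefix so it stops matching /gameinfos.
FB_RULES_FIXED = [Rule("^/game(/|$)", frozenset({"ROLE_FACEBOOK"}))] + FB_RULES_AS_POSTED[1:]

def gameinfos_for_visitor(rules):
    return decide("/gameinfos", None, FB_FIREWALLS, rules)

# Symfony 3.1 and LdapBundle threads: a login page inside a firewall without `anonymous:`
# redirects to itself, because the visitor has no token that could satisfy even the ^/login rule.
def login_trail(anonymous_enabled):
    firewalls = [
        Firewall("dev", r"^/(_(profiler|wdt)|css|images|js)/", security=False),
        Firewall("main", ".*", anonymous=anonymous_enabled, login_path="/login"),
    ]
    rules = [Rule("^/login$", frozenset({ANON})), Rule("^/", frozenset({REMEMBERED}))]
    return follow("/login", None, firewalls, rules)

# Last thread: a separate ^/login$ firewall owns /login, so `main` and its session token are
# never consulted there and the controller sees the anonymous "anon." user.
def firewall_owning_login(separate_login_firewall):
    firewalls = [Firewall("main", "^/", anonymous=True, login_path="/login")]
    if separate_login_firewall:
        firewalls.insert(0, Firewall("login_firewall", "^/login$", anonymous=True))
    return select_firewall("/login", firewalls).name

if __name__ == "__main__":
    print(gameinfos_for_visitor(FB_RULES_AS_POSTED))  # redirect:/login
    print(gameinfos_for_visitor(FB_RULES_FIXED))      # allow
    print(login_trail(anonymous_enabled=False)[-1])   # ('/login', 'redirect-loop')
    print(login_trail(anonymous_enabled=True)[-1])    # ('/login', 'allow')
    print(firewall_owning_login(True))                # login_firewall
```

Running the file prints the five outcomes. The practical check it encodes: list access_control rules from most specific to least specific (or anchor prefixes with `$` or a trailing slash), make sure the firewall that serves the login page has `anonymous:` enabled, and remember that a request is only ever seen by the first firewall whose pattern matches it, tokens and all.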
