Symfony 2 - hide the whole website with a HTTP Authentication dialog - security

I am using Symfony 2 for building a website.
The work is in progress (therefore I don't want users or search engines to access it) but my client wants to see my progress. I was thinking an easy solution was to protect the whole website with HTTP authentication using the mechanism provided by the Symfony 2 security functionality.
I am using FOSUserBundle as the website will have users that need to register and login.
This is my security.yml, which works great:
security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager
    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/account, role: IS_AUTHENTICATED_FULLY }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
Therefore I was trying to add something else on top of it, to allow the website to be protected by HTTP Authentication.
I changed the file to:
security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager
        whole_website_provider:
            users:
                ryan: { password: ryanpass, roles: 'ROLE_USER' }
    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
        whole_website:
            pattern: ^/
            anonymous: ~
            http_basic:
                realm: "Secured Demo Area"
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/account, role: IS_AUTHENTICATED_FULLY }
        - { path: ^/, role: ROLE_USER }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
Basically I added the whole_website_provider provider, the whole_website firewall and an extra access_control.
But that didn't work: when I access the website, I get redirected to the login form, that's it.
Have you got any idea whether I can do it and how?
N.B.: I would prefer not to use any Apache feature for it.

In my opinion, what you need is not to manage users with HTTP authentication but to restrict access to your site with HTTP authentication. Don't use Symfony2 security for that.
Leave your Symfony2 app security as it will be in production mode and use Apache .htaccess to restrict access to the site.
Documentation is here: http://httpd.apache.org/docs/2.2/howto/auth.html. You just have to add some directives in web/.htaccess and create a user/password file as explained in the doc...

My solution in Symfony2, using the basic firewall of Symfony (without FOSUserBundle):
# app/config/security.yml
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: ROLE_USER }
    providers:
        in_memory:
            memory:
                users:
                    redattore: { password: 'somePasswordHere', roles: 'ROLE_USER' }
                    admin: { password: 'somePasswordHere', roles: 'ROLE_ADMIN' }
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
It works perfectly for me. It's a very basic configuration - without hashing passwords, without a database provider ("providers:" section), without an https connection (everything goes in plain text across the internet), without logout stuff and other nice features.
I hope it will help you.
With kind regards

Related

Symfony2, FOS userbundle, Full authentication is required to access this resource

I use the FOSUserBundle, everything was working fine and now for
app_dev.php/login
I have a "Full authentication is required to access this resource."
500 Internal Server Error - InsufficientAuthenticationException
1 linked Exception: AccessDeniedException
My security.yml is
# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
    encoders:
        OandP\UserBundle\Entity\User: sha512
    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN: [ROLE_CONCIERGE]
        ROLE_SUPER_ADMIN: [ROLE_CONCIERGE, ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        # … the "dev" firewall
        # Main firewall for the rest of our site
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js|ws)/
            security: false
        main_login:
            pattern: ^/login$
            anonymous: true
        main_resettingRequest:
            pattern: /resetting/request$
            anonymous: true
        main_resettingSendEmailt:
            pattern: /resetting/send-email$
            anonymous: true
        main_resettingCheckEmail:
            pattern: /resetting/check-email$
            anonymous: true
        main:
            pattern: ^/
            anonymous: false
            provider: fos_userbundle
            form_login:
                login_path: /login
                check_path: /login_check
                csrf_provider: form.csrf_provider
            logout:
                path: /logout
                target: /
                invalidate_session: false
            remember_me:
                key: "%secret%"
    # with these settings you can restrict or allow access for different parts
    # of your application based on roles, ip, host or methods
    # http://symfony.com/doc/current/book/security.html#security-book-access-control-matching-options
    access_control:
        #- { path: ^/members/hello, roles: IS_AUTHENTICATED_ANONYMOUSLY }
If someone has an idea...
Thank you so much for your help.
You haven't set up any access_controls on your site:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/profile, role: ROLE_USER }

Symfony2 - Securing the whole frontend (staging) [duplicate]


All urls behind firewall in Symfony2

I am creating an application which is users only. So you HAVE to log in to access any URL.
At the moment I have this:
firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout: true
        anonymous: true
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    default:
        anonymous: ~
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: IS_AUTHENTICATED }
    - { path: ^/admin/, role: ROLE_ADMIN }
But when I log in I get stuck on the security check. What is the best way to put all my URLs behind a firewall?
The ACL system in Symfony works with upper entries overriding lower ones.
"The order in which ACEs are checked is significant. As a general rule, you should place more specific entries at the beginning." Symfony 2 ACL Doc
So:
access_control:
    - { path: ^/admin/, role: ROLE_ADMIN } # 4 You override #1 for all URLs beginning with admin/ by allowing them to ROLE_ADMIN
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 Same as 2
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 Same as 2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } # 2 You have blocked all except this path for IS_AUTHENTICATED_ANONYMOUSLY
    - { path: ^/, role: IS_AUTHENTICATED } # 1 You start by blocking all
Or a complete FOS user file with your parameters:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            remember_me:
                key: "%secret%"   # remember_me needs a key; "true" alone is not a valid value
            logout: true
            anonymous: true
    access_control: # Top overrides bottom, change order with CAUTION
        ## Admin Rule
        - { path: ^/admin, role: ROLE_ADMIN }
        ## Anonymous FOS User Rules
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        ## Block the whole website to anonymous users
        - { path: ^/, roles: ROLE_USER }
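The first-match behaviour that runs through both threads above (two firewalls with pattern ^/ in the opening question, and the access_control ordering in this one), as an added example that is not part of any answer here: a small Python model of how Symfony 2 picks a firewall and an access_control entry. The rule lists are copied from the posted security.yml snippets; the sample paths are constructed, and role hierarchy, channel, host and IP matching are left out of the model.

```python
import re
# Rule lists constructed from the thread's security.yml snippets. Simplified Symfony 2
# semantics: first match wins; role hierarchy, channel, host and IP matching are left out.
FIREWALLS_QUESTION = [
    ("main", r"^/"),
    ("whole_website", r"^/"),  # also ^/ : never selected, "main" already matched
]
ACCESS_ASKED = [  # order as posted in this thread's question
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "IS_AUTHENTICATED"),  # attribute name as posted
    (r"^/admin/", "ROLE_ADMIN"),  # shadowed: ^/ above matches every path first
]
ACCESS_FIXED = [  # the answer's reordering: specific entries first, catch-all last
    (r"^/admin/", "ROLE_ADMIN"),
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "ROLE_USER"),
]
SAMPLE_PATHS = ["/login", "/register", "/resetting/request", "/admin/users", "/profile"]

def select_firewall(firewalls, path):
    """Name of the FIRST firewall whose pattern matches the path, or None."""
    for name, pattern in firewalls:
        if re.search(pattern, path):
            return name
    return None

def first_match(rules, path):
    """Index of the FIRST access_control entry matching the path, or None."""
    for i, (pattern, _role) in enumerate(rules):
        if re.search(pattern, path):
            return i
    return None

def required_role(rules, path):
    """Role the request must hold; None means no entry matched, so nothing is enforced."""
    i = first_match(rules, path)
    return None if i is None else rules[i][1]

def unreachable_entries(rules, sample_paths):
    """Patterns never selected for any sample path: an earlier, broader entry shadows them."""
    reached = {first_match(rules, p) for p in sample_paths}
    return [pattern for i, (pattern, _role) in enumerate(rules) if i not in reached]

if __name__ == "__main__":
    print(required_role(ACCESS_ASKED, "/admin/users"))     # IS_AUTHENTICATED, not ROLE_ADMIN
    print(unreachable_entries(ACCESS_ASKED, SAMPLE_PATHS))  # ['^/admin/']
```

With the asker's order, /admin/ is governed by the ^/ entry, so any logged-in user passes the admin check; the reordered list restores ROLE_ADMIN there.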

Too many redirects on login, security.yml

I have got this code. But when I go in the browser to app_dev.php/login,
the browser says that the page has made too many redirects.
security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        user_db:
            entity: { class: DotfusionMerlinBundle:User, property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                check_path: /login_check
                login_path: /login
            logout:
                path: login
                target: login
            #anonymous: ~
            #http_basic:
            #    realm: "Secured Demo Area"
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
routing.yml
login:
    pattern: /login
    defaults: { _controller: DotfusionMerlinBundle:User:login }
login_check:
    pattern: /login_check
Pop this under firewalls before the secured_area entry:
login_firewall:
    pattern: ^/login$
    anonymous: ~
That should fix your problem. Hope that helps.
I had the same error in an application that I had to do a deployment for, and the error was also in the security.yml file, but at a different setting:
I had to change the line:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: http }
to:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
Because I did a deployment with https. (Change http to https in the access control config)

Symfony's security cookbook yml example does not secure login_check behind firewall

I am trying the Symfony cookbook, specifically the security chapter. My security.yml and routing.yml are as follows:
security.yml:
security:
    encoders:
        Acme\UserBundle\Entity\User:
            algorithm: sha1
            encode_as_base64: false
            iterations: false
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        administrators:
            entity: { class: AcmeUserBundle:User, property: email }
    firewalls:
        login_firewall:
            pattern: ^/login
            anonymous: ~
        register_area:
            pattern: ^/register
            anonymous: ~
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login: ~
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
routing.yml:
login:
    pattern: /login
    defaults: { _controller: AcmeUserBundle:Account:login }
login_check:
    pattern: /login_check
Everything works fine, except that login_check says that the controller could not be found. That is exactly what pitfall no. 3 describes here:
http://symfony.com/doc/current/book/security.html#book-security-common-pitfalls
So I am not sure what I have done wrong. I know there are similar questions on Stack Overflow, but I couldn't understand their solution and it didn't work for me, sorry. Why is login_check not behind a firewall? I thought it would be behind secured_area because the pattern is ^/ and this clearly matches /login_check.
Question for my understanding: what exactly does anonymous: ~ do?
Found it out myself.
security.yml:
security:
    encoders:
        Acme\UserBundle\Entity\User:
            algorithm: sha1
            encode_as_base64: false
            iterations: false
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        administrators:
            entity: { class: AcmeUserBundle:User, property: email }
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login: ~
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
As secured_area already has anonymous: ~, there is no need to declare extra firewalls for login and register.
Your answer is in FOSUserBundle.
There is a fake action in the controller.