I've created a Bundle named "User". In the general routing I added /user to every UserBundle url. So, for example, when I define the route /list in the UserBundle the real path is http://myapp.loc/user/list.
I'm trying to force user to login to use this website, an I'm doing this:
security:
firewalls:
login_firewall:
pattern: ^/user/login
anonymous: ~
secured_area:
pattern: ^/
form_login:
login_path: user_login
check_path: user_login_check
default_target_path: /
logout:
path: /user_logout
target: user_login
remember_me:
key: atipics-soft2012
lifetime: 3600
access_control:
- { path: ^/, roles: ROLE_USER }
providers:
users:
entity: { class: MyApp\UserBundle\Entity\User, property:email }
encoders:
MyApp\UserBundle\Entity\User: { algorithm: sha512, iterations: 10 }
I'm getting an error like this:
InvalidConfigurationException: Invalid configuration for path
"security.firewalls.secured_area": The check_path "user_login_check"
for login method "form_login" is not matched by the firewall pattern
"^/".
What could be the problem?
Of couse I've added this route in the routes file.
I don't know if it's a bug or was intented this way, but check_path doesn't accept route names. You have to set it to a path.
Related
My application is separated in three parts:
administration: ^/backend protected by ip
secured area: ^/member protected by login
public routes: ^/
Everything works fine except the access_denied_url. I tried specifying a route name as well as a plain path.
When I access /backend from an ip other than the configured one I get the following message:
Full authentication is required to access this resource.
500 Internal Server Error - InsufficientAuthenticationException
1 linked Exception: AccessDeniedException ยป
In dev environment this exception isn't catched at all leading to a fatal error but shouldn't the access_denied_url option somehow redirect to the given url anyway?
This is my security.yml:
security:
firewalls:
backend:
pattern: ^/backend
anonymous: ~
access_denied_url: /403
main:
pattern: ^/
anonymous: ~
form_login:
success_handler: my_auth_handler
failure_handler: my_auth_handler
use_referer: true
check_path: login_check
logout:
path: /logout
success_handler: my_auth_handler
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
access_control:
- { path: ^/backend, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1] }
- { path: ^/backend, roles: ROLE_NO_ACCESS }
- { path: ^/userlounge, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
providers:
frontend:
id: my_user_provider
encoders:
My\FrontEndBundle\User\MyUser:
algorithm: md5
encode_as_base64: false
iterations: 1
Thanks in advance for any help!
access_denied_url only works when the user's token is not anonymous and rememberme.
For more detail, see:
https://github.com/symfony/symfony/blob/2.6/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php#L120
https://github.com/symfony/symfony/blob/2.6/src/Symfony/Component/Security/Core/Authentication/AuthenticationTrustResolver.php#L65
I think you should try to specify the option access_denied_url on the security node not on the specific firewall (backend) because I think it might be the other firewall throwing the AccessDenied Exception.
Source: http://symfony.com/doc/current/reference/configuration/security.html
Alternatively you can create an AcccessDeniedListener, see this page for a tutorial: http://www.insanevisions.com/articles/view/symfony-2-access-denied-listener
I am trying to set up user and security management in a first test application of mine and I have come to be a bit lost as to what does what.
My setup thus far: Symfony 2.5, SonataUserBundle (and with it FOSUserBundle)
In my app/config/config.yml, I have the following settings that I make out to be relevant in terms of managing site security (most taken over from the setup instructions of the various bundles I included):
imports:
- { resource: security.yml }
[...]
fos_user:
firewall_name: main
[...]
security:
# FOSUserBundle config
# cf. https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/index.md#step-4-configure-your-applications-securityyml
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
# end of FOSUserBundle config
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
My app/config/security.yml looks as follows:
security:
# added with Sonata User Bundle
encoders:
FOS\UserBundle\Model\UserInterface: sha512
# end
providers:
in_memory:
memory: ~
# added with Sonata User Bundle
fos_userbundle:
id: fos_user.user_manager
# end
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# added with Sonata User Bundle
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
logout:
path: /admin/logout
anonymous: true
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: /(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
# end
default:
anonymous: ~
# Sonata
acl:
connection: default
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
SONATA:
- ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT # if you are using acl then this line must be commented
Here are my questions:
Precedence of configurations
Based on my understanding of the "patterns" of Symfony thus far, anything in security.yml is loaded first and would thus take precedence over any new definitions for identical parameters further down in my config.yml. Is that correct?
Duplicate definitions
It seems to me that the following are defined twice, once in security.yml, once in config.yml:
The provider for FOSUserBundle (different values, fos_user.user_manager and fos_user.user_provider.username)
The encoder for FOS\UserBundle\Model\UserInterface
The pattern for the main firewall (^/vs. .*)
Are these indeed defining the same? Is it safe to assume that in all these cases, only those settings defined in security.yml apply?
Best practices
How should security-related definitions generally be divided between security.yml and config.yml (and other potential locations)?
As Cerad mentionned in a comment, you have the same section security: in both files.
Look at the start of the app/config/config.yml file:
imports:
- { resource: security.yml }
This means that the security.yml file will be imported when the config.yml file will be parsed by Symfony2. So you can keep only the security: section in the app/config/security.yml file in order to define the security configuration.
This is the default configuration, see these files in the official GitHub repository:
app/config/config.yml (no security: section)
app/config/security.yml (contains a security: section)
How is it possible to get app.user from unsecure area?
So I have secured area which starts from ^/user.
But I need to display logout form on area which is accessible for everyone and not secured. How is this possible? My security.yml:
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
###:
algorithm: sha512
encode-as-base64: true
iterations: 10
###:
algorithm: sha512
encode-as-base64: true
iterations: 10
role_hierarchy:
providers:
admin:
name: admin
entity: { class: ###, property: login }
user:
name: user
entity: { class: ###, property: login }
firewalls:
admin:
pattern: ^/admin
form_login:
login_path: ###_login
check_path: ###_login_process
default_target_path: /admin/dashboard
anonymous: ~
logout:
path: /admin/logout
target: /admin/login
provider: admin
remember_me:
key: "###"
lifetime: 604800
path: /
domain: ~
user:
pattern: ^/user
form_login:
login_path: ###_login
check_path: ###_login_process
default_target_path: ###
anonymous: ~
logout:
path: /user/logout
target: /user/login
provider: user
remember_me:
key: "###"
lifetime: 604800
path: /
domain: ~
access_control:
- { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, roles: ROLE_ADMIN }
- { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/user/, roles: ROLE_USER }
Well I changed a little bit my security.yml. So currently everything works ok.
user:
pattern: ^/
access_control:
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
...
UPDATE 1
It seems that line in access_controll is not required. Moreover by some reason(might be cache) anonymoous users were accessing /user areas
You can get app.user in some unsecured area because Symfony security relies on 2 different mechanisms: authentication and authorization.
Authentication is defined by firewalls. As soon as you get under a firewall, you get a token and eventually a app.user, even if it is anonymous.
Authorization is related to access_control rules. It is a second step, you can't put access control rules outside of a firewall. There you will deal with the ROLE requirement, in example if ROLE_ANONYMOUS is enoug, if you want ROLE_USER...
One more thing: to complexify a little further, a firewall can allow or disallow anonymous users. By default it is true, as it is required to have you login and login_check paths under yoru firewall though you cant' require there users to have a role other than ROLE_ANONYMOUS (if you do so, you will have an infinite loop).
I am using Symfony-2 to implement my application.
I need my login and logout routes to have some placeholders, but I don't manage to define it well in routing.yml and security.yml files.
I want to have something like:
www.mysite.com/{client_slug}/panel
and under it other secured pages:
www.mysite.com/{client_slug}/panel/.*
When someone tries to navigate to one of these pages, he/she should be redirected to:
www.mysite.com/{client_slug}/login
and after clicking logout, user should be redirected to something like:
www.mysite.com/{client_slug}/goodbye
I tried several things (http://forum.symfony-project.org/viewtopic.php?f=23&t=37809) but at the moment the only thing I achieved was that in my login url the text {client_slug} appears:
www.mysite.com/my-cliend-slug/panel
redirects to
www.mysite.com/{client_slug}/login
security.yml
firewalls:
main:
pattern: /.*
form_login:
check_path: /login_check
login_path: _security_login
logout:
path: /logout
target: /goodbye
security: true
anonymous: true
routing.yml
_security_login:
pattern: /{_client_slug}/login
defaults: { _controller: MyAppBackendBundle:Security:login }
_security_check:
pattern: /login_check
_security_logout:
pattern: /logout
_admin_panel:
pattern: /{_client_slug}/panel
defaults: { _controller: MyAppBackendBundle:AdminPanel:index }
Any ideas?
I had the exact same problem. I've read everything from here (http://forum.symfony-project.org/viewtopic.php?f=23&t=37809) and for me it works with a few extra lines.
Here is my security.yml
login_area:
pattern: ^/[A-Za-z0-9\-\_]+/login$
anonymous: ~
secured_area:
pattern: ^/[A-Za-z0-9\-\_]+/.*
form_login:
login_path: login
check_path: login_check
logout:
path: logout
target: /
remember_me:
key: "%secret%"
lifetime: 31536000
path: /
domain: ~
The login and login_path definitions:
login:
pattern: /{_client}/login
defaults: { _controller: GNCApplicationBaseBundle:Security:login }
login_check:
pattern: /{_client}/login_check
And I made an EventListener, which will be called at the kernel.request event:
acme.system.client.listener:
class: Acme\System\ClientBundle\EventListener\ClientListener
arguments: [#router, #doctrine.orm.entity_manager]
tags:
- { name: kernel.event_listener, event: kernel.request, method: onKernelRequest, priority: 10 }
The important attribute is the priority. In the Symfony Documentation (http://symfony.com/doc/current/reference/dic_tags.html#kernel-event-listener) it shows that the RouterListener starts with a priority 32 and the Firewall at 8. So I choose to call my custom EventListener right before the Firewall and set the _client-attribute manually in the router-context:
public function onKernelRequest(GetResponseEvent $event) {
$clientIdentifier = $event->getRequest()->attributes->get('_client');
$this->router->getContext()->setParameter('_client', $clientIdentifier);
}
And it works well for me.
I'm currently using Symfony 2.2.0-RC3.
I am trying to authenticate against symfony2 firewall , here is my security config
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
in_memory:
users:
user: { password: user, roles: [ 'ROLE_USER' ] }
admin: { password: admin, roles: [ 'ROLE_ADMIN' ]}
#main:
#entity: { class: Surgeworks\CoreBundle\Entity\User, property: username}
firewalls:
public:
pattern: .*
security: false
anonymous: true
form_login:
check_path: /{_locale}/admin/logincheck
login:
pattern: ^/{_locale}/admin/login$
security: false
anonymous: ~
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
anonymous: ~
secured_area :
provider: in_memory
pattern: ^/{_locale}/admin/.*
form_login:
check_path: /{_locale}/admin/logincheck
login_path: /{_locale}/admin/login
logout:
path : /{_locale}/admin/logout
target : /{_locale}/admin/
remember_me:
key: aSecretKey
lifetime: 3600
path: /admin/
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/{_locale}/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/{_locale}/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/ar/admin/logincheck, roles: ROLE_ADMIN }
- { path: ^/(ar|en|fr)/admin/, roles: ROLE_ADMIN }
and here is my routing in DaghoSiteBundle/Resources/config/routing.yml:
_admin:
pattern: /admin/
defaults: { _controller: DaghoSiteBundle:Login:login , _locale : ar }
requirements:
_locale: (ar|en|fr)
login:
pattern: /admin/login
defaults : { _controller: DaghoSiteBundle:Login:login , _locale : ar }
requirements:
_locale: (ar|en|fr)
logincheck:
pattern: /admin/logincheck
#defaults: { _controller: DaghoSiteBundle:Login:logincheck , _locale: ar }
#requirements:
#_locale: (ar|en|fr)
logout:
pattern: /admin/logout
I can't login through these setting ,
it always throw an exception
Unable to find the controller for path "/ar/admin/logincheck". Maybe
you forgot to add the matching route in your routing configuration
and even if had setup the route check_path page >> i would be able to view the check_path without being redirected to login page ..
/en/admin >> login page
/en/logincheck >> display the logincheck template (i.e /en/logincheck isn't behind firewall )
how to fix , or debug this issue , please advise
UPDATE:
sorry I might forget to write that i had prefixed my bundle with the {_locale} like this
in my routing.yml
DaghoSiteBundle:
resource: "#DaghoSiteBundle/Resources/config/routing.yml"
prefix: /{_locale}
requirements:
_locale: ar|en|fr
defaults: { _locale: ar }
I think you must change your route patterns to include your _locale parameter. Instead of, for example, pattern: /admin/logincheck you should use pattern: {_locale}/admin/logincheck
You can also debug your routes by using a console command app/console router:debug.
I am not 100% sure this fixes your problem, but I hope it helps you gather more info about your issue.
Why dont you try
logincheck:
pattern: /admin/login_check
#defaults: { _controller: DaghoSiteBundle:Login:logincheck , _locale: ar }
#requirements:
#_locale: (ar|en|fr)
This solved my problem, but my situation is simple and doesn't have the {_locale} functionality, but maybe it will help you anyway.
From the Security chapter of the Symf2 Book:
Common Pitfalls #3: Be sure /login_check is behind a firewall.
In your security.yml file it looks like your check_path route is /{_locale}/admin/logincheck, and your secured path is anything that's behind ^/{_locale}/admin/.*
so that seems to be good.
You might want to try removing the .* (do you really need it?)
and further down the file in the access control section you provide a specific entry to make sure the check_path requires authentication:
- { path: ^/ar/admin/logincheck, roles: ROLE_ADMIN }
Maybe try specifying this instead:
- { path: ^/{_locale}/admin/logincheck, roles: ROLE_ADMIN }
But actually, I was wondering, can you even use {placeholders} in the security.yml pattern values? I know you can in the routing file, but I'm not sure if the security yml works the same way? I don't see it being used in any examples in the main symf2 book in the security or routing chapters?