I need to "close" my application to logged-in users only (no matter the roles), so I have set access_control to:
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/forgot-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
    - { path: ^/admin, roles: [ROLE_ADMIN, ROLE_SUPER_ADMIN] }
but I can still go to ^/ or any other page (except admin) as a guest. What is wrong? Here are my firewalls:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        pattern: ^/
        anonymous: ~
        guard:
            authenticators:
                - App\Security\LoginFormAuthenticator
        logout:
            path: app_logout
Try this please:
access_control:
    - { path: ^/(register|login)?$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/?$, roles: ROLE_USER }
Make sure that you have ordered roles and access_control like:
security:
    ## Previous parameters
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
In the firewalls section:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        pattern: ^/ # The most important in your case
        logout: true
        anonymous: true
Then in the access_control section you can do it like this:
access_control:
    # LOGIN
    - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/forgot-password, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # Default
    - { path: ^/, role: ROLE_AGENT }
This is my security.yml file:
security:
    encoders:
        H360\generalBundle\Entity\UsrUsuarios:
            id: usuarios.password_encoder
    providers:
        usuarios:
            entity: { class: H360\generalBundle\Entity\UsrUsuarios }
    firewalls:
        angular_area:
            pattern: ^/[a-zA-Z]{2}/.*/.*/rest/
            #provider: entity_admin
            anonymous: ~
            logout_on_user_change: true
        secured_area:
            pattern: ^/[a-zA-Z]{2}/
            user_checker: app.users.checker
            anonymous: ~
            logout_on_user_change: true
            guard:
                authenticators:
                    - app.login.authenticator
                    - app.card.authenticator
                    - app.google.authenticator
                entry_point: app.login.authenticator
            logout:
                path: usuarios_logout
                target: /
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/([a-zA-Z]\d*.\d*)/extrest/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/([a-zA-Z]\d*.\d*)/restablelink/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/([a-zA-Z]\d*.\d*)/resturnocomedor/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/([a-zA-Z]\d*.\d*), roles: ROLE_USER }
So, when I upgrade to Symfony 3.4, I can't log in.
I have been reading about this, but I don't know the solution ;(
When I try to log in, the page reloads itself and no error appears.
Help, please!
Solved!!! Finally, it was a problem with the function "supports()" in my LoginAuthenticator.php. This function has to return false.
I have got a very weird issue with one of my Symfony (2.8) apps: out of nowhere the login just stopped working; submitting the login form just brought me back to the login page again, with no bad credentials error and no system issue warning.
I looked at my cookies in the browser, as this worked in incognito mode, and I had 2 PHPSESSID cookies. Is this normal? Removing the cookies allowed me to log in again with no issue. I am trying to get to the bottom of how to reproduce this, as it's not something I want to go into my production environment.
Here is the current security.yml:
security:
    acl:
        connection: default
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_USER: ROLE_USER
        ROLE_CLIENT_PROGRAMME_ADMIN: ROLE_CLIENT_PROGRAMME_ADMIN
        ROLE_ADMIN: ROLE_PROGAMME_ADMIN
        ROLE_SUPER_ADMIN: ROLE_SUPER_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        oauth_token:
            pattern: ^/oauth/v2/token
            anonymous: true
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
                success_handler: auth.service.redirect.after.login
            logout: true
            anonymous: true
    access_control:
        - { path: ^/oauth/v2/token, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/user/password/reset$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/docs$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/$, roles: [ROLE_USER] }
        - { path: ^/client, roles: [ROLE_CLIENT_PROGRAMME_ADMIN, ROLE_ADMIN, ROLE_SUPER_ADMIN] }
        - { path: ^/portal, roles: [ROLE_ADMIN, ROLE_SUPER_ADMIN] }
        - { path: ^/admin, roles: [ROLE_ADMIN, ROLE_SUPER_ADMIN] }
        - { path: ^/, roles: [SECTION_CHECK, ROLE_PROGAMME_ADMIN, ROLE_SUPER_ADMIN] }
My access control doesn't work. When I'm anonymous, I can access the URL /admin, which normally should be impossible.
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
                default_target_path: liste_projet
                always_use_default_target_path: true
                login_path: /
                # if you are using Symfony < 2.8, use the following config instead:
                # csrf_provider: form.csrf_provider
            logout: true
            anonymous: ~
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/inscription, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
Do you have an idea? Is it a bad configuration on my part? I'm using Symfony 3.
Change
    - { path: ^/admin/, role: ROLE_ADMIN }
to
    - { path: ^/admin, role: ROLE_ADMIN }
Otherwise, when you request the /admin page, the path won't match the first one.
I'm using SF2 together with FOS user bundle.
security:
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt|error)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: false
    access_control:
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
If I set main: anonymous: false to true, I no longer get a redirect loop, but then people don't need to be logged in to access everything (which they should be!).
I think the access_control has an entry for the ^/login route so that people don't need to be authenticated, but I suspect it doesn't work.
With this statement:
    anonymous: false
this is no longer valid:
    - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
Therefore the framework can't redirect to the login, which causes the redirect loop (FOS needs anonymous to be true in order to work properly)... I don't know if it works, but you could try to set
    { path: ^/*, role: ROLE_USER }
as the first or last line of the access control... no guarantee it works, this is what I would try in order to create the result you are looking for.
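The three problems in the questions above (the catch-all ^/ rule listed before ^/admin in the first question, ^/admin/ not matching the bare path /admin in the question answered just before this one, and the redirect loop with anonymous: false in the question directly above) all come from the same evaluation order of access_control, so here is one added Python model of that evaluation. It is not code from the page or from Symfony: the rule sets, role names and role_hierarchy inside it are copied from the questions, and request() is a deliberate simplification (a logged-in user counts as fully authenticated; remember-me, channels, hosts and methods are ignored). It also tries the ^/* suggestion from the answer above in both positions.

```python
import re

# Added model of Symfony's access_control evaluation (not the framework's own
# code). Rules are checked in listed order and the first regex that matches the
# request path wins; Symfony's RequestMatcher runs the pattern unanchored (the
# leading ^ is the config author's), which re.search mirrors.


def first_matching_index(rules, path):
    """Index of the first rule whose 'path' regex matches the path; None if no rule matches."""
    for index, candidate in enumerate(rules):
        if re.search(candidate["path"], path):
            return index
    return None


def expand_roles(roles, hierarchy):
    """Apply role_hierarchy transitively, e.g. ROLE_SUPER_ADMIN -> ROLE_ADMIN -> ROLE_USER."""
    expanded, pending = set(), list(roles)
    while pending:
        role = pending.pop()
        if role in expanded:
            continue
        expanded.add(role)
        children = hierarchy.get(role, [])
        pending.extend([children] if isinstance(children, str) else children)
    return expanded


def request(rules, hierarchy, path, user_roles=(), authenticated=False,
            anonymous=True, login_path="/login"):
    """Outcome of one request: 'allow', 'deny' (403) or 'redirect:<login_path>'."""
    index = first_matching_index(rules, path)
    if index is None:
        return "allow"                      # no rule matched: the firewall does not intervene
    if not authenticated and not anonymous:
        # anonymous: false means no anonymous token is created, so the access
        # listener finds no token and sends the client to the entry point
        # before it even looks at the matched rule's roles.
        return "redirect:" + login_path
    held = expand_roles(user_roles, hierarchy) if authenticated else set()
    for attribute in rules[index]["roles"]:  # any one listed attribute is enough
        if attribute == "IS_AUTHENTICATED_ANONYMOUSLY":
            return "allow"
        if attribute == "IS_AUTHENTICATED_FULLY" and authenticated:
            return "allow"
        if attribute in held:
            return "allow"
    # an anonymous client is sent to log in; a logged-in one gets a 403
    return "deny" if authenticated else "redirect:" + login_path


def shadowed_rules(rules):
    """Lint: rules that can never win because an earlier rule already claims the literal
    prefix spelled in their own pattern. Only meaningful for plain prefix patterns such
    as ^/admin, not for alternations or character classes."""
    shadowed = []
    for index, candidate in enumerate(rules):
        probe = candidate["path"].lstrip("^").rstrip("$")
        winner = first_matching_index(rules, probe)
        if winner is not None and winner < index:
            shadowed.append(candidate["path"])
    return shadowed


def redirect_loops(rules, hierarchy, start_path, anonymous, login_path="/login"):
    """Follow an unauthenticated client's redirects from start_path; True when it is sent
    to a page it has already been sent to (the loop from the anonymous: false question)."""
    path, seen = start_path, set()
    while True:
        outcome = request(rules, hierarchy, path, anonymous=anonymous, login_path=login_path)
        if not outcome.startswith("redirect:"):
            return False
        path = outcome.split(":", 1)[1]
        if path in seen:
            return True
        seen.add(path)


def make_rule(path, *roles):
    return {"path": path, "roles": list(roles)}


# Rule sets copied from the questions above (role names are the authors' own).
HIERARCHY = {"ROLE_ADMIN": "ROLE_USER", "ROLE_SUPER_ADMIN": "ROLE_ADMIN"}
FIRST_QUESTION = [make_rule(r"^/login", "IS_AUTHENTICATED_ANONYMOUSLY"),
                  make_rule(r"^/forgot-password", "IS_AUTHENTICATED_ANONYMOUSLY"),
                  make_rule(r"^/", "IS_AUTHENTICATED_FULLY"),
                  make_rule(r"^/admin", "ROLE_ADMIN", "ROLE_SUPER_ADMIN")]
ADMIN_SLASH = [make_rule(r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"), make_rule(r"^/admin/", "ROLE_ADMIN")]
ADMIN_FIXED = [make_rule(r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"), make_rule(r"^/admin", "ROLE_ADMIN")]
FOS_RULES = [make_rule(r"^/login", "IS_AUTHENTICATED_ANONYMOUSLY"),
             make_rule(r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
             make_rule(r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
             make_rule(r"^/admin/", "ROLE_ADMIN")]
CATCH_ALL = make_rule(r"^/*", "ROLE_USER")   # the suggestion from the answer above

if __name__ == "__main__":
    print(shadowed_rules(FIRST_QUESTION))                                    # ['^/admin']
    print(request(FIRST_QUESTION, HIERARCHY, "/admin", ["ROLE_USER"], True))  # allow: ^/ won, not ^/admin
    print(request(ADMIN_SLASH, HIERARCHY, "/admin"))                          # allow: no rule matched
    print(request(ADMIN_FIXED, HIERARCHY, "/admin"))                          # redirect:/login
    print(redirect_loops(FOS_RULES, HIERARCHY, "/login", anonymous=False))   # True
    print(redirect_loops([CATCH_ALL] + FOS_RULES, HIERARCHY, "/", True))     # True: catch-all first
    print(redirect_loops(FOS_RULES + [CATCH_ALL], HIERARCHY, "/", True))     # False: catch-all last
```

Two things the model makes visible that the configs alone do not: a plain ROLE_USER account reaches /admin in the first question because the ^/ rule wins before ^/admin is ever consulted (shadowed_rules flags it), and the ^/* catch-all only works as the last rule, since as the first rule it claims /login too and reproduces the loop.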
I have a little problem with logout on my admin bundle.
When I log in to admin with the in-memory provider, this works, but I can't log out.
On the other side, logout for users works perfectly. Did I miss something?
This is my security.yml:
security:
    encoders:
        Esimed\FrontBundle\Entity\Company:
            algorithm: sha1
            encode_as_base64: false
            iterations: 1
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        companies:
            entity: { class: Esimed\FrontBundle\Entity\Company, property: email }
        in_memory:
            memory:
                users:
                    admin: { password: adminpass, roles: 'ROLE_ADMIN' }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin:
            pattern: ^/admin
            http_basic:
                realm: "Administration"
            provider: in_memory
            logout:
                invalidate_session: true
                path: /admin/company/logout
                target: /
            anonymous: ~
        main:
            pattern: ^/
            form_login:
                check_path: esimed_front_company_login_check
                login_path: esimed_front_company_login
            logout:
                path: /company/logout
                target: /
            anonymous: ~
    access_control:
        - { path: ^/company/add$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/company/create$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/company/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/job/view/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/company/search, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/company/category-list, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/company/company-list, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/company, roles: ROLE_COMPANY }
        - { path: ^/job, roles: ROLE_COMPANY }
        - { path: ^/admin, roles: ROLE_ADMIN }
As Elnur Abdurrakhimov states in an answer to a similar question:
Since you are using HTTP authentication, the reason might be that your browser caches your credentials and relogins automatically. Try using HTML form authentication and see if the problem persists.
Try using the following for your security.yml:
admin:
    pattern: ^/admin
    provider: in_memory
    form_login:
        check_path: /check_login
        login_path: /admin/login
    logout:
        invalidate_session: true
        path: /admin/company/logout
        target: /
    anonymous: ~
...
access_control:
    - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    ...
This way you are still able to authenticate using the in-memory provider, and if you want you can still have your credentials saved by the browser, but logging out will destroy the cookie and session used to authenticate you and won't automatically log you back in.