Symfony 2 Multiple providers not working in security.yml - php

I have multiple providers, users and admin, so I have the following security.yml:
security:
    encoders:
        AppBundle\Entity\AdminUser: bcrypt
    # https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded
    providers:
        #in_memory:
        #    memory: ~
        admin_db:
            entity: { class: AppBundle\Entity\AdminUser, property: email }
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin_db:
            provider: admin_db
            anonymous: false
            form_login:
                login_path: login
                check_path: login
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate
            #http_basic: ~
            # https://symfony.com/doc/current/security/form_login_setup.html
            #form_login: ~
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_ADMIN }
But when I try to access the login page I see this error:
This page isn’t working localhost redirected you too many times. Try clearing your cookies. ERR_TOO_MANY_REDIRECTS

The problem is that your firewall does not allow any anonymous access, as specified with anonymous: false. That means your access control for login does not work. The two common ways to solve this are either taking the login route out of the firewall or allowing anonymous access and then using access_control to require a role.
If you want to move the login route out:
firewalls:
    login:
        pattern: ^/login$
        security: false
    admin_db:
        ...
        form_login:
            login_path: login
            check_path: login_check
It's important that the route login_check points to something inside your firewall. So basically anything but /login will work, e.g. login/check. In your controller you can create an empty action for this or you can point it to the same action as login.
The other solution would be even simpler in your case, as your access_control is already correct:
firewalls:
    admin_db:
        ...
        anonymous: ~
In your access control you allow anonymous access for login, but all other routes must have ROLE_ADMIN. So no other changes should be necessary.
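For reference, here is the complete security.yml for the second fix, added as an illustration and not part of the answer above. The only changes from the question's file are anonymous: ~ and an explicit pattern: ^/ on the admin_db firewall (a firewall without a pattern already matches every request, so the pattern is just made visible here); the rest is copied from the question:

```yaml
security:
    encoders:
        AppBundle\Entity\AdminUser: bcrypt

    providers:
        admin_db:
            entity: { class: AppBundle\Entity\AdminUser, property: email }

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        admin_db:
            pattern: ^/          # explicit; same as omitting it
            provider: admin_db
            # Changed from "anonymous: false". Unauthenticated requests now
            # carry an anonymous token, so GET /login can render the form
            # instead of being bounced to the entry point (itself) again.
            anonymous: ~
            form_login:
                login_path: login
                check_path: login

    # Rules are evaluated top to bottom and only the first match is used,
    # so the /login exception must stay above the catch-all ^/ rule.
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_ADMIN }
```

The redirect loop in the question comes from the order of operations: with anonymous: false the firewall itself refuses the request before access_control is ever consulted, and the entry point redirects to login_path, which is under the same firewall. With anonymous: ~ the firewall passes the request through and access_control decides, and the first rule lets the anonymous user see /login.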

Related

symfony 3 - how to allow unauthenticated access to a URL prefix

Symfony 3.0.3 I want to exclude URLs starting with /document from having to log in
My current security.yml firewalls:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    docs:
        pattern: ^/document
        security: false
    main:
        pattern: ^/
        http_basic: ~
        provider: our_db_provider
        anonymous: ~
        form_login:
            login_path: /
            check_path: login
        logout:
            path: /logout
            target: /
            invalidate_session: true
But this results in a 500 error: "The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL." when visiting /document.
How is your access_control configured in security.yml? Shouldn't you allow /document for IS_AUTHENTICATED_ANONYMOUSLY?
access_control:
    - { path: ^/document$, role: IS_AUTHENTICATED_ANONYMOUSLY }
In this case, you don't have to define a separate firewall for /document.
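Putting that together with the question's firewalls, the following is an added example (not the answer's own config) of the single-firewall layout. It keeps the question's provider name, login_path of / and check_path route name; the rule for ^/$ is needed because the login form lives at / and would otherwise be caught by the catch-all rule, and the comment on the /document rule spells out what the trailing $ does, since the question asks for a prefix rather than a single URL:

```yaml
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # One firewall now covers /document too, so every request gets a
        # token (anonymous or authenticated) and the "token storage contains
        # no authentication token" error no longer occurs.
        main:
            pattern: ^/
            anonymous: ~
            provider: our_db_provider
            http_basic: ~
            form_login:
                login_path: /
                check_path: login
            logout:
                path: /logout
                target: /
                invalidate_session: true

    # Only the first matching rule is applied, so the public paths must be
    # listed before the catch-all rule that requires a login.
    access_control:
        # ^/document (no $) matches /document, /document/42 and also /documents;
        # ^/document$ matches only the single URL /document;
        # ^/document(/|$) matches the prefix without /documents.
        - { path: ^/document(/|$), roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # the login form itself is served at "/", so it must stay reachable
        - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
```

The POST to the check_path does not need its own rule: the form_login listener authenticates it inside the firewall before the access rules are evaluated.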

Symfony2 security path pattern not working

I've implemented the SimpleSamlPhpBundle in order to authenticate a user on my Symfony application via SAML/Shibboleth.
I modified my security.yml file as follows:
security:
    providers:
        simplesaml:
            id: saxid_user_provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        saml:
            pattern: ^/
            anonymous: true
            stateless: true
            simple_preauth:
                authenticator: simplesamlphp.authenticator
            provider: simplesaml
            logout:
                path: /logout
                success_handler: simplesamlphp.logout_handler
    access_control:
        # Make imprint accessible for anonymous access
        - { path: ^/imprint$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
As I have an imprint that I want to make accessible for anonymous users, I added the according line to the access_control section.
But this doesn't take effect, if I call example.com/imprint it redirects to the SimpleSAMLphp identity discovery page. Is my pattern wrong? I also tried without the trailing $ character, which didn't help.

Symfony 2.5: Authentication fails at every second page call

I have updated a Symfony 2.0 project to 2.5 and now I am faced with some problems with authentication:
After submitting the username and password I am authenticated. If I follow a link in the secured area or if I am refreshing the current page I get this error:
There is no user provider for user "XXX\AccountBundle\Entity\Worker".
After refreshing again I am authenticated.
After the next refresh I am not.
After refreshing again I am authenticated.
And so on …
This is my security.yml:
security:
    encoders:
        XXX\AccountBundle\Entity\Worker:
            algorithm: sha1
            iterations: 1
            encode_as_base64: false
    role_hierarchy:
        ROLE_ACCOUNT_OWNER: [ROLE_USER]
    providers:
        users:
            entity: { class: XXXAccountBundle:Worker, property: email }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        application:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
                default_target_path: /dashboard
                use_referer: true
            remember_me:
                key: "%secret%"
                lifetime: 31536000 # 365 days in seconds
                path: /
                domain: ~ # Defaults to the current domain from $_SERVER
            logout:
                path: /logout
                target: /
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
If I remove the "remember me" section I get logged out after the first request.
Because the authentication problem appeared every second call I had good reasons to check the serializable stuff of the user object. Everything was fine there, but I had to reimplement some custom functions in the UserRepository class where the user is loaded.
Because of the error message I searched for several hours in the wrong place. My security.yml setup was fine.
Now the authentication process works again :)

Symfony2 access control redirects to login

In an application I am developing, I'm having a weird issue with the access control for the security component.
I use the FOSUserBundle (of course) for users and I copied the example access control rules from the bundle documentation to my security.yml. The login screen (/login) works perfectly, but the issue is that all other access control rules have absolutely no effect whatsoever. When a user goes to /register, for example, he is redirected to /login; the same goes for /resetting.
This is my security.yml file:
jms_security_extra:
    secure_all_services: false
    expressions: true
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api:
            pattern: ^/api
            anonymous: false
            form_login: false
            provider: fos_userbundle
            http_basic:
                realm: "REST Service Realm"
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: ~
            switch_user: { role: ROLE_SUPER_ADMIN, parameter: _impersonate }
    access_control:
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/superadmin/, role: ROLE_SUPER_ADMIN }
I have tried to turn off security for paths containing /resetting and /register, but that clearly won't work since the security token still needs to be available for the FOSUserBundle controllers.
Any help would be much appreciated!
It might be to do with the order of the access_control, try putting superadmin above the others. You also don't seem to have a secured_area section (like this example from Symfony2 access control redirects to login)
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
The problem was that another bundle was messing with each request checking if the user was logged in or not. If the user wasn't logged in, a redirect response was generated to the login page.
No idea why this was done, I think it comes from an era where the original authors had less experience with Symfony.
But so it proves again, always check the logs. Very thoroughly.

Symfony2 Authentication "login_check" path not found

I'm new to Symfony2 and I'm trying to create a basic registration + login system. So, with the help of the Symfony2 documentation I created this security.yml:
security:
    encoders:
        TestCompany\InternetBundle\Entity\Member:
            algorithm: sha1
            encode_as_base64: false
            iterations: 1
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]
    providers:
        administrators:
            entity: { class: TestCompanyInternetBundle:Member, property: username }
    firewalls:
        admin_area:
            pattern: ^/admin
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
and I used this routing for it:
login_check:
    pattern: /login_check
login:
    pattern: /login
    defaults: { _controller: TestCompanyInternetBundle:Admin:login }
According to http://symfony.com/doc/current/book/security.html#using-a-traditional-login-form I do NOT need to implement a controller for the login_check route. Yet, Symfony returns this error to me:
Unable to find the controller for path "/login_check". Maybe you forgot to add the matching route in your routing configuration?
Do you see anything I could have done wrong here? The login page is almost an exact copy of the one used in the documentation. The error occurs on the page: http://localhost/SymfonyTest/web/app_dev.php/login_check, which is the page I get sent to after using the login form.
http://symfony.com/doc/current/book/security.html#using-a-traditional-login-form
Be sure /login_check is behind a firewall.
In your example you have specified a prefix of /admin for your secured area, therefore your login check route should also have that prefix, e.g. /admin/login_check.
Next, make sure that your check_path URL (e.g. /login_check) is behind the firewall you're using for your form login (in this example, the single firewall matches all URLs, including /login_check). If /login_check doesn't match any firewall, you'll receive an Unable to find the controller for path "/login_check" exception.
Example security.yml configuration:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    secured_area:
        pattern: ^/
        form_login:
            login_path: /login
            check_path: /login_check
        logout:
            path: /demo/secured/logout
            target: /demo/
        anonymous: ~
        ....
access_control:
    - { path: ^/admin, roles: ROLE_ADMIN }
I would recommend that you use the FOSUserBundle as this seems the quickest way to do what you would like to do: FOSUserBundle
Installation is very straight-forward and would allow you to get your app working in a very short amount of time. Good luck!
EDIT:
Could you post your controller TestCompanyInternetBundle:Admin:login? Does your controller extend the security controller at all?
You should also include your security.yml. Make sure you have:
firewalls:
    login_firewall:
        pattern: ^/login$
        anonymous: ~
in your security.yml. This is a common pitfall.
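The alternative the answer's first point suggests, keeping the ^/admin firewall and moving the login URLs under it, looks like this. This is an added example rather than the answer's own configuration; it keeps the question's encoder, provider, firewall name and controller reference, assumes /admin/login and /admin/login_check as the new URLs, and uses the routing key pattern: as the question does (Symfony 2.2 and later spell it path:). The two files are shown as two YAML documents in one block:

```yaml
# app/config/security.yml
security:
    encoders:
        TestCompany\InternetBundle\Entity\Member:
            algorithm: sha1
            encode_as_base64: false
            iterations: 1

    providers:
        administrators:
            entity: { class: TestCompanyInternetBundle:Member, property: username }

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        admin_area:
            pattern: ^/admin
            anonymous: ~
            form_login:
                # Both URLs start with /admin, so the POST to check_path is
                # matched by this firewall and intercepted by the form_login
                # listener before the router looks for a controller.
                login_path: /admin/login
                check_path: /admin/login_check

    access_control:
        # the login form itself must be reachable by anonymous users,
        # otherwise ^/admin -> ROLE_ADMIN redirects it to itself in a loop
        - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }

---
# app/config/routing.yml
# login_check needs a route so the URL is known to the router, but no
# controller: the firewall handles the request first and never lets it
# reach a controller.
login_check:
    pattern: /admin/login_check

login:
    pattern: /admin/login
    defaults: { _controller: TestCompanyInternetBundle:Admin:login }
```

If the URLs are instead kept at /login and /login_check, the firewall pattern has to widen to ^/ as in the answer's example, because a check_path outside every firewall is exactly what produces the "Unable to find the controller" error.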
