I'm starting my journey with Symfony.
At this point I'm trying to secure my auth routes (I'm using FOSUserBundle), so I do:
access_control:
    - { path: ^/logowanie$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/rejestracja, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetowanie-hasla, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/backstage/, role: ROLE_ADMIN }
    - { path: ^/profile/, role: ROLE_USER }
However, I can always go to these routes whether I'm logged in or not.
What am I doing wrong?
# To get started with security, check out the documentation:
# https://symfony.com/doc/current/security.html
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
                check_path: fos_user_security_check
                login_path: fos_user_security_login
            # a single logout key: the mapping form replaces the duplicate "logout: true"
            logout:
                path: fos_user_security_logout
                target: website.home
            anonymous: true
    access_control:
        - { path: ^/logowanie$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/rejestracja, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetowanie-hasla, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/backstage/, role: ROLE_ADMIN }
        - { path: ^/profile/, role: ROLE_USER }
You should restrict access to logged-in users; if a user is logged in, they also have the role IS_AUTHENTICATED_ANONYMOUSLY, this is the role hierarchy.
    # "role:" only accepts role names; a condition like "not fully authenticated" must go in allow_if
    - { path: ^/logowanie$, allow_if: "!is_fully_authenticated()" }
You can use PUBLIC_ACCESS instead of IS_AUTHENTICATED_ANONYMOUSLY:
access_control:
    - { path: ^/logowanie$, roles: PUBLIC_ACCESS }
best regards ;)
I'm currently working on a PDF generator, but I'm having a problem accessing the url.
Anyone should be able to download the PDF.
In my security.yml I currently have this:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy: ~
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
            logout: true
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/gc/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_USER }
        - { path: ^/, role: ROLE_USER }
I would like people to have access to the following url: /admin/maintenance/pdf/{id}
So I added the following line:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/gc/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin, role: ROLE_USER }
    - { path: ^/, role: ROLE_USER }
    - { path: ^/admin/maintenance/pdf/$, role: [ROLE_USER, IS_AUTHENTICATED_ANONYMOUSLY] }
But I'm still redirected to the login page when I'm not logged in.
I did several tests, and it is the following line that is problematic:
    - { path: ^/, role: ROLE_USER }
I guess I misconfigured my access to the url.
Can someone help me?
Thank you
Items in the ACL are processed sequentially, so you need to put it before:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/gc/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # no trailing $: with it only /admin/maintenance/pdf/ itself would match, not /admin/maintenance/pdf/{id}
    - { path: ^/admin/maintenance/pdf/, role: [ROLE_USER, IS_AUTHENTICATED_ANONYMOUSLY] }
    - { path: ^/admin, role: ROLE_USER }
    - { path: ^/, role: ROLE_USER }
Move up more specific rules, so that they are matched first.
I'm following a few tutorials along with the documentation, but I can't make the user provided in security.yml log in. Here is my YML file that provides a username called user and a password userpass, as a simple user.
security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    encoders:
        Symfony\Component\Security\Core\User\User: sha512
    providers:
        in_memory:
            memory:
                users:
                    user: { password: userpass, roles: ROLE_ADMIN }
    firewalls:
        # firewalls are matched in order: dev must precede the ^/ firewall or it is never reached
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            anonymous: ~
            pattern: ^/
            form_login:
                check_path: /login_check
                login_path: /login
            logout:
                path: /logout
                target: /
    access_control:
        - { path: ^/new, roles: ROLE_ADMIN }
        - { path: ^/create, roles: ROLE_ADMIN }
        - { path: ^/edit, roles: ROLE_ADMIN }
        - { path: ^/delete, roles: ROLE_ADMIN }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
The loginAction is the same from the official documentation:
public function loginAction()
{
    $authUtils = $this->get('security.authentication_utils');
    // last error and username from the previous login attempt, for re-display in the form
    $error = $authUtils->getLastAuthenticationError();
    $lastUsername = $authUtils->getLastUsername();

    return $this->render('UserBundle:Login:login.html.twig', array(
        'last_username' => $lastUsername,
        'error' => $error,
    ));
}
I don't know what else I should paste here because every view, controller and route works perfectly. The only issue is that whenever I try to log in with that user and password the "BAD CREDENTIALS" message is shown.
Just use the plaintext encoder in order to be able to log in with "userpass" (look at the example below),
or you can encode "userpass" with sha512 and replace "userpass" with the result:
encoders:
    Symfony\Component\Security\Core\User\User: plaintext
This shows you the full example.
You can just pay attention to SecurityController and the security.yml file in the example then work out what else you're missing in your application.
example security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12
    providers:
        in_memory:
            memory:
                users:
                    basic:
                        password: $2a$12$Mnp6eUx1AJ5YABwmprcu/OHo21klIpQ/PA7D7PdKx5SA4urdav6/e #basic
                        roles: ROLE_USER
                    admin:
                        password: $2a$12$aRC0GRcjZS9bXfQYlpT8f.JkkrwuK0xZwKuoQ78i1CsErbHtriWLm #admin
                        roles: ROLE_ADMIN
                    super:
                        password: $2a$12$7SeyjOot3/3Ez1c0Dm8W0u/EenNEs8ykOl16D5aKkJkzLEq4lvXP2 #super
                        roles: ROLE_SUPER_ADMIN
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt|error)|css|images|js)/
            security: false
        default:
            anonymous: ~
            http_basic: ~
            form_login:
                login_path: /login
                check_path: /login
            logout:
                invalidate_session: true
                path: /logout
                target: /
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    access_control:
        - { path: ^/backend/superadmin, role: ROLE_SUPER_ADMIN }
        - { path: ^/backend/secret, role: ROLE_SUPER_ADMIN }
        - { path: ^/backend, role: ROLE_ADMIN }
        - { path: ^/country, role: ROLE_USER }
        - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
I thought I did the settings correctly when I tried going on to the homepage (/) and it redirects me to the login page (/login). However, when I click on navigation menu such as about (/about) and inventory (/inventory), the pages were shown even when I am not logged on. Currently only the homepage is redirecting to login, but I need all pages to redirect to login if users are not signed on.
Here is my security.yml:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                default_target_path: /
            logout: true
            anonymous: true
    access_control:
        - { path: ^/$, role: ROLE_USER }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
config.yml:
fos_user:
    db_driver: orm # other valid values are 'mongodb', 'couchdb' and 'propel'
    firewall_name: main
    user_class: Main\UserBundle\Entity\User
Am I missing something?
EDIT: I guess the solution was to get rid of the "$" in the access control.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
Except that with this, after login it will redirect to a blank page that has a URL of /_wdt/(token number). If anyone is having a problem with this, the solution is to insert this setting before the "main" entry in the security.yml firewalls:
dev:
    pattern: ^/(_(profiler|wdt)|css|images|js)/
    security: false
Change your firewall configuration to the following:
access_control:
    - { path: ^/$, role: ROLE_USER }
    - { path: ^/secured, role: ROLE_USER }
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
And change your routes for the secured pages to start with /secured.
UPDATE:
You can deny all the routes after / if user is not logged on by removing $ in your access control rule:
access_control:
    - { path: ^/, role: ROLE_USER }
However, this will cause a redirect loop when you try to access routes that should be available to anonymous users, like /login or /register.
UPDATE 2
As #user3757305 commented below, - { path: ^/, role: ROLE_USER } can be added at the bottom. Access control rules are applied in the order they appear in the security config. That means that everything above the - { path: ^/, role: ROLE_USER } rule will not be covered by it. So, the following config should work as required:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/, role: ROLE_USER }
In my access control I have a bunch of rules but none of them seem to be working. I belong to a group that does not have the role and I am still able to access all the routes. I tried adding dollar signs to the end of the paths but that did not work. I also tried reordering the paths and that failed as well. Any advice will help!
Here is my security.yml file:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
    access_control:
        - { path: ^/system/staff/add, roles: ROLE_ADD_STAFF }
        - { path: ^/system/staff/edit, roles: ROLE_EDIT_STAFF }
        - { path: ^/system/staff, roles: ROLE_VIEW_STAFF }
        - { path: ^/system/profile/edit, roles: ROLE_USER }
        - { path: ^/system/profile, roles: ROLE_USER }
        - { path: ^/system/officer/add, roles: ROLE_ADD_OFFICER }
        - { path: ^/system/officer/edit, roles: ROLE_EDIT_OFFICER }
        - { path: ^/system/officer, roles: ROLE_VIEW_OFFICER }
        - { path: ^/system/job/add, roles: ROLE_ADD_JOBS }
        - { path: ^/system/job/edit, roles: ROLE_EDIT_JOBS }
        - { path: ^/system/job, roles: ROLE_VIEW_JOBS }
        - { path: ^/system/company/add, roles: ROLE_ADD_COMPANIES }
        - { path: ^/system/company/edit, roles: ROLE_EDIT_COMPANIES }
        - { path: ^/system/company, role: ROLE_VIEW_COMPANIES }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/system, roles: ROLE_USER }
for example my current group does not have the ROLE_EDIT_STAFF role yet I am still able to access the path.
Every time you make a request, Symfony will check your access controls to find one that works.
When you request /system/staff/edit, here's what happens.
For your setup it finds:
- { path: ^/system/staff/edit, roles: ROLE_EDIT_STAFF }
But since you don't have the role ROLE_EDIT_STAFF, it moves on.
It now matches:
- { path: ^/system/staff, roles: ROLE_VIEW_STAFF }
because your route does start with ^/system/staff. And you have ROLE_VIEW_STAFF, so you are granted access.
In addition to that one you have:
- { path: ^/system, roles: ROLE_USER }
which means that anyone who has ROLE_USER can access any route that starts with /system.
Whether it's /system/admin/delete-all or just /system, it matches them both.
If you want to use strict route controls, I would recommend dropping the ^ from the start of the routes unless you really mean to match any routes starting with what follows the ^.
I have a symfony 2.1 project using FOSUserBundle. The bundle is installed correctly. All the functionalities work properly using the default /login form.
But now I want to change the login form route to be the same as the homepage (path: /).
I tried:
changing the security.yml - login_path:
firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /
        logout: true
        anonymous: true
and the access_control to:
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/*, role: ROLE_USER }
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
When I try to access the homepage it enters an infinite redirect (I assume):
The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
Also couldn't find anything to troubleshoot this behaviour inside the FOSUserBundle documentation.
In short words: I want the first_page to act as login page.
You have a redirect loop.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } #1
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } #2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } #3
    - { path: ^/admin/, role: ROLE_ADMIN } #4
    - { path: ^/*, role: ROLE_USER } #5
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY } #6
This happens because, first, you are telling access control in #5 that it requires ROLE_USER BEFORE you tell it that it also requires IS_AUTHENTICATED_ANONYMOUSLY (both the 5th and 6th rules match).
Access control is order sensitive: the rules apply in the order they are defined. Try:
access_control:
    - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY } # NOTE THE $
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/*, role: ROLE_USER }
I moved the rule
- { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
to the beginning so it matches before
- { path: ^/*, role: ROLE_USER }
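To make the ordering point in this answer, in the UPDATE 2 of the homepage thread and in the PDF-route answer concrete, here is a constructed Python model of how access_control is evaluated (an added example, not Symfony's own code, and a simplification of its RequestMatcher): the first rule whose regex matches the request path decides, so a broad ^/ or ^/* rule placed too early shadows every rule after it, a rule ending in $ covers only that exact path, and the role hierarchy below is assumed for the demonstration.

```python
import re

# Constructed model of Symfony's access_control matching: rules are scanned in order,
# the FIRST rule whose regex matches the path wins, and the request is allowed only
# if the user holds at least one of that rule's roles. (Added example, not Symfony code.)
ROLE_HIERARCHY = {"ROLE_ADMIN": {"ROLE_USER"}, "ROLE_SUPER_ADMIN": {"ROLE_ADMIN"}}  # assumed


def reachable_roles(user_roles):
    """Expand roles through role_hierarchy; every request, even an anonymous one,
    also satisfies IS_AUTHENTICATED_ANONYMOUSLY (and PUBLIC_ACCESS on newer Symfony)."""
    held = {"IS_AUTHENTICATED_ANONYMOUSLY", "PUBLIC_ACCESS"}
    todo = list(user_roles)
    while todo:
        role = todo.pop()
        if role not in held:
            held.add(role)
            todo.extend(ROLE_HIERARCHY.get(role, ()))
    return held


def decide(rules, path, user_roles=()):
    """Return 'allow', 'deny' or 'no rule' for path under an ordered list of
    (regex, role-or-list-of-roles) tuples. The regex is applied unanchored, like
    Symfony's RequestMatcher, so ^ and $ in the pattern decide how much it covers."""
    held = reachable_roles(user_roles)
    for pattern, required in rules:
        if re.search(pattern, path):
            needed = required if isinstance(required, list) else [required]
            return "allow" if any(r in held for r in needed) else "deny"
    return "no rule"  # nothing matched: only the firewall's anonymous setting applies


# The redirect-loop configuration: ^/* matches '/' before the anonymous rule can.
LOOP_RULES = [(r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
              (r"^/*", "ROLE_USER"),
              (r"^/", "IS_AUTHENTICATED_ANONYMOUSLY")]

# The fix: an exact-match ^/$ rule for the login page placed first.
FIXED_RULES = [(r"^/$", "IS_AUTHENTICATED_ANONYMOUSLY"),
               (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
               (r"^/admin/", "ROLE_ADMIN"),
               (r"^/*", "ROLE_USER")]

# The PDF route: ^/admin shadows the public rule unless the specific rule comes first.
PDF_SHADOWED = [(r"^/admin", "ROLE_USER"),
                (r"^/admin/maintenance/pdf/", ["ROLE_USER", "IS_AUTHENTICATED_ANONYMOUSLY"])]
PDF_FIXED = list(reversed(PDF_SHADOWED))
```

Calling decide(LOOP_RULES, "/") as an anonymous visitor returns "deny", which is the login page denying itself, while decide(FIXED_RULES, "/") returns "allow".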
I think you should change in your security.yml:
login_path: / to login_path: /login
And your access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } #1
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } #2
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } #3
    - { path: ^/admin/, role: ROLE_ADMIN } #4
Hope this helps!