My access control doesn't work. When I'm anonymous, I can access to the url /admin, or normally it's must be impossible.
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
default_target_path: liste_projet
always_use_default_target_path: true
login_path: /
# if you are using Symfony < 2.8, use the following config instead:
# csrf_provider: form.csrf_provider
logout: true
anonymous: ~
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/inscription, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
Do you have an idea? A bad configuration of me? I'm using symfony3
Change
- { path: ^/admin/, role: ROLE_ADMIN }
to
- { path: ^/admin, role: ROLE_ADMIN }
Otherwise when you request the /admin page, the path won't match with the first one.
Related
So I made that Role_User could access the website only from a certain IP adress. Everything works like a charm except if a user is connecting from a different IP I try to redirecting it to /en/logout. But it pops up an error
"You must activate the logout security firewall configuration".
Really need help.
security:
encoders:
App\Entity\User: bcrypt
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
secured_area:
pattern: ^/
user_checker: App\Security\UserChecker
anonymous: true
stateless: false
guard:
authenticators:
- App\Security\TokenAuthenticator
remember_me:
secret: '%kernel.secret%'
lifetime: 604800
path: /
form_login:
provider: fos_userbundle
check_path: fos_user_security_check
login_path: fos_user_security_login
csrf_token_generator: security.csrf.token_manager
logout:
path: fos_user_security_logout
target: /(%app_locales%)/login
access_denied_url: /(%app_locales%)/logout
role_hierarchy:
ROLE_USER: ROLE_USER
ROLE_TEAMLEAD: ROLE_CUSTOMER
ROLE_ADMIN: ROLE_TEAMLEAD
ROLE_SUPER_ADMIN: ROLE_ADMIN
access_control:
- { path: '^/(%app_locales%)/timesheet', role: ROLE_USER, ip: [IP.IP.IP.IP] }
- { path: '^/(%app_locales%)/timesheet', role: ROLE_ADMIN }
- { path: '^/(%app_locales%)/timesheet', roles: ROLE_NO_ACCESS }
- { path: '^/(%app_locales%)$', role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: '^/(%app_locales%)/login', role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: '^/(%app_locales%)/register', role: IS_AUTHENTICATED_ANONYMOUSLY, ip: [IP.IP.IP.IP] }
- { path: '^/(%app_locales%)/resetting', role: IS_AUTHENTICATED_ANONYMOUSLY, ip: [IP.IP.IP.IP] }
- { path: '^/(%app_locales%)/', roles: ROLE_USER, ip: [IP.IP.IP.IP] }
- { path: '^/api', roles: IS_AUTHENTICATED_REMEMBERED, ip: [IP.IP.IP.IP] }
- { path: '^/(%app_locales%)/login$', roles: ROLE_NO_ACCESS }
You need to provide path to logout in your access_control list with right parameters. Now your /en/logout authorised by role ROLE_USER and ip [IP.IP.IP.IP]. You need to add next line:
access_control:
...
- { path: '^/(%app_locales%)/logout', roles: ROLE_USER }
...
As you can see I removed dependency on IP-address to be authorised on path /en/logout. Now it depends only on ROLE_USER role of your user.
I think that on top of the access_control entry that Michael posted, you should change the
access_denied_url: /(%app_locales%)/logout
into
access_denied_url: fos_user_security_logout
That seemed to be the issue in a similar case
I configured the FOSUserBundle for my symfony bundle (following the cookbook http://symfony.com/doc/1.3.x/bundles/FOSUserBundle/index.html).
When I try to access the login page I get this error:
You are not allowed to define new elements for path "security.firewalls". Please define all elements for this path in one config file.
my seurity.yml file is:
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
I can't understand what's the problem, any suggestion?
Thanks in advance
the first problem I see is an indentation problem in your yaml security file :
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
Check carefully documentation available at https://symfony.com/doc/master/bundles/FOSUserBundle/index.html, check routes, clear cache and you're normally done ;)
Feel free to come back here if any other problems is encountered.
Best Regards.
I'm using SF2 together with FOS user bundle.
security:
providers:
fos_userbundle:
id: fos_user.user_provider.username
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
dev:
pattern: ^/(_(profiler|wdt|error)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: false
access_control:
- { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
If I set my main: anonymous: false to true, I no longer get a redirect loop, but then people don't need to be logged in to access everything (which they should be!)
I think the access_control has an entry for the ^/login route so that people don't need to be authenticated, but I suspect it doesn't work.
With this statement:
anonymous: false
this is no longer valid:
- { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
Therefore the framework can't redirect to the login which causes the redirect loop (FOS needs anonymous to be true in order to work properly)... I don't know if it works but you could try to set
{ path: ^/*, role: ROLE_USER }
as the first or last line of the assetic control,... no guarantee it works, this is would I would try in order to create the result you are looking for
I have a little problem of logout on my admin bundle.
When I log in to admin with the In Memory, this works but I can't logout.
On the other side, logout for users works perfectly. Did I miss something ?
This is my security.yml
security:
encoders:
Esimed\FrontBundle\Entity\Company:
algorithm: sha1
encode_as_base64: false
iterations: 1
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
companies:
entity: { class: Esimed\FrontBundle\Entity\Company, property: email }
in_memory:
memory:
users:
admin: { password: adminpass, roles: 'ROLE_ADMIN' }
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
admin:
pattern: ^/admin
http_basic:
realm: "Administration"
provider: in_memory
logout:
invalidate_session: true
path: /admin/company/logout
target: /
anonymous: ~
main:
pattern: ^/
form_login:
check_path: esimed_front_company_login_check
login_path: esimed_front_company_login
logout:
path: /company/logout
target: /
anonymous: ~
access_control:
- { path: ^/company/add$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/company/create$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/company/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/job/view/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/company/search, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/company/category-list, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/company/company-list, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/company, roles: ROLE_COMPANY }
- { path: ^/job, roles: ROLE_COMPANY }
- { path: ^/admin, roles: ROLE_ADMIN }
As Elnur Abdurrakhimov states for an answer to a similar question:
Since you are using HTTP authentication, the reason might be that your
browser caches your credentials and relogins automatically. Try using
HTML form authentication and see if the problem persists.
Try using the following for your security.yml
admin:
pattern: ^/admin
provider: in_memory
form_login:
check_path: /check_login
login_path: /admin/login
logout:
invalidate_session: true
path: /admin/company/logout
target: /
anonymous: ~
...
access_control:
- { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
...
This way you are still able to authenticate using the in memory provider and if you want you can still have your credentials saved by the browser but logging out will destroy the cookie and session used to authenticate you and wont automatically log you back in.
I have a symfony 2 app, with normal members and admin area, but for some reason, i can't get the admin area login part to work. Read all the questions here about the theme and try them but none of them worked for me.
The initial problem i think, is the check route is not behind the firewall, so symfony security not recognise it.
my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
Symfony\Component\Security\Core\User\User: sha512
firewalls:
alogin:
pattern: ^/admin/login$
security: false
main:
pattern: ^/admin
provider: in_memory
form_login:
check_path: /admin/login_check
login_path: /admin/login
default_target_path: /admin/list
logout:
path: /admin/logout
target: /admin
main:
pattern: ^/(?!admin)
form_login:
provider: fos_userbundle
login_path: /
failure_handler: public.failed_login_handler
success_handler: public.success_login_handler
logout: true
anonymous: true
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
in_memory:
memory:
users:
ryan: { password: ryanpass, roles: 'ROLE_ADMIN' }
role_hierarchy:
ROLE_VIP: ROLE_USER
ROLE_ADMIN: ROLE_VIP
ROLE_SUPER_ADMIN: ROLE_ADMIN
access_control:
- { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/.*, role: ROLE_ADMIN }
- { path: ^/admin, role: ROLE_ADMIN }
- { path: ^/.*, role: ROLE_USER }
Without the main firewall, it's working, with it, i got 404 for the /admin/login_check.
Problem that you have 2 firewalls with the same name main. Firewall must be with unique name.