Expression "has_role('ROLE_ADMIN')" denied access, with an Admin User - php

I encountered a problem on roles promotion in Symfony3, as the title suggests.
The error is simple:
Expression "has_role('ROLE_ADMIN')" denied access.
I promoted the user with
    php bin/console fos:user:promote (etc.),
resulting in:
    a:1:{i:0;s:10:"ROLE_ADMIN";}
in the database.
I also put an annotation on my controller method:
    /**
     * @Security("has_role('ROLE_ADMIN')")
     */
And my security.yml looks like this:
    security:
        encoders:
            MR\UserBundle\Entity\User: sha512
        role_hierarchy:
            ROLE_ADMIN: [ROLE_USER, ROLE_MODERATOR]
            ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        providers:
            main:
                id: fos_user.user_provider.username
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main_login:
                pattern: ^/login$
                anonymous: true
            main:
                pattern: ^/
                anonymous: true
                provider: main
                form_login:
                    login_path: fos_user_security_login
                    check_path: fos_user_security_check
                logout:
                    path: fos_user_security_logout
                    target: /
                remember_me:
                    secret: %secret%
        access_control:
            #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
Do not bother with the visible increments; they are a mere effect of my copy-paste.
I hope I did not miss an obvious point, but I'd prefer that to a nothing-solved case.
Thanks in advance

@K.F "it worked in the morning" => I also had this issue on SF 3.X. It was not a cache problem; it was simply because I had to disconnect and reconnect to apply the new roles to my user.

I know it wasn't your problem, but I solved mine after I realized that I made a mistake in my user promotion... I didn't add ROLE_ADMIN but only ADMIN... rookie mistake.

Related

Intercept the login_check path from symfony 4.4

I have a REST API made with symfony 4.4 and I am having problems in the authentication process.
Everything works fine, but I am experiencing that sometimes the login_check returns 401 Unauthorized with users who days ago could access without problems.
I am using LexikJWTAuthenticationBundle
Security:
    security:
        role_hierarchy:
            ROLE_ADMIN: ROLE_ADMIN
            ROLE_MANAGER: ROLE_MANAGER
            ROLE_CLIENT: ROLE_CLIENT
            ROLE_HOST: ROLE_HOST
        encoders:
            App\Entity\User:
                algorithm: auto
        providers:
            app_user_provider:
                entity:
                    class: App\Entity\User
                    property: email
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            login:
                pattern: ^/api/login
                stateless: true
                anonymous: true
                json_login:
                    check_path: /api/login_check
                    success_handler: app.jwt_authenticator_success_handler
                    failure_handler: lexik_jwt_authentication.handler.authentication_failure
            api:
                pattern: ^/api
                anonymous: true
                stateless: true
                guard:
                    authenticators:
                        - lexik_jwt_authentication.jwt_token_authenticator
            main:
                anonymous: ~
                logout:
                    path: app_logout
                    delete_cookies: ['rhsso']
                    success_handler: logout_handler
                    # where to redirect after logout
                    # target: app_any_route
        access_control:
            - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
I have no idea what is going on. I'm trying to at least log the time when the credentials are verified, but I can't find a way to intercept the code for the login_check route. I don't even know where that code is in Symfony security.
Any help with this?
Thanks in advance.
The /api/login_check path is probably defined in /config/routes/jwt.yaml or somewhere in config/routes...
    bin/console debug:router api_login_check
may or may not shed some light, and if you run
    bin/console debug:container lexik_jwt_authentication.jwt_token_authenticator
you should find the class to intercept. Perhaps you could dig into the failure handler to find out why you get a 401. Token expiry sounds possible if it's happening from time to time.

Symfony redirect loop to /login only on production server

Note: Obviously there are a lot of duplicate/similar questions on here, but the solutions on those questions didn't help me.
I am moving a Symfony3 app to a new server, and it's causing me a lot of problems. At the moment, when I go to the home page (or any other), I get stuck in a redirect loop to the /login path.
It has worked for a long time on MAMP and on a previous CentOS server, but now on Ubuntu it's not working. I also had some file permission issues (var/cache, var/logs), which may or may not be related.
This is my security.yml
    security:
        role_hierarchy:
            ROLE_ADMIN: [ROLE_MOD, ROLE_ALLOWED_TO_SWITCH]
            ROLE_MOD: ROLE_USER
        encoders:
            AppBundle\Entity\User:
                algorithm: bcrypt
        providers:
            our_db_provider:
                entity:
                    class: AppBundle:User
                    property: username
        firewalls:
            main:
                pattern: ^/
                http_basic: ~
                provider: our_db_provider
                anonymous: ~
                switch_user: true
                form_login:
                    login_path: login
                    check_path: login
                    csrf_token_generator: security.csrf.token_manager
                logout:
                    path: /logout
                    target: /
        access_control:
            - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

Symfony 3 Form Login

I've been trying for a couple of days now... and still can't make this work. I've read the documentation page over and over, I'm going crazy and I can't understand what is wrong.
It's very important for me to know and learn the way Symfony works because my new job requires me to work with it.
So I went to the documentation page at: http://symfony.com/doc/current/cookbook/security/entity_provider.html#security-config-entity-provider
security.yml
    encoders:
        Paul\FrontBundle\Entity\User:
            algorithm: bcrypt
    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        db_users:
            entity:
                class: Paul\FrontBundle\Entity\User
                property: username
    firewalls:
        admin:
            pattern: ^/admin
            provider: db_users
            form_login:
                check_path: admin_login_check
                login_path: admin_login
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: ~
My user entity implements the UserInterface.
What is wrong?
Can anyone please explain to me what I'm doing wrong?
Thanks !
OK, so the problem was the security context; for those who are interested, this link will explain more.
Now what I've done is the following:
In security.yml
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        protected_area:
            pattern: ^/protected
            anonymous: ~
            form_login:
                login_path: login
                check_path: login
                default_target_path: /protected
            provider: database_users
            logout:
                path: logout
                target: /
                success_handler: ~
                invalidate_session: true
        main:
            anonymous: ~
    access_control:
        - { path: ^/protected/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/protected, roles: ROLE_USER }
In routing.yml
    login:
        path: /protected/login
        defaults: { _controller: PaulDemoBundle:Security:login }
    login_check:
        path: /login_check
    logout:
        path: /protected/logout
So to explain it more: the login form is now in the context of the protected_area firewall; before it was /login, after it is /protected/login.
Also pay attention to the access_control node.
I hope this will help others.

Symfony2 access control redirects to login

In an application I am developing, I'm having a weird issue with the access control for the security component.
I use the FOSUserBundle (of course) for users, and I copied the example access control rules from the bundle documentation to my security.yml. The login screen (/login) works perfectly, but the issue is that all other access control rules have absolutely no effect whatsoever. When a user goes to /register, for example, he is redirected to /login; the same goes for /resetting.
This is my security.yml file:
    jms_security_extra:
        secure_all_services: false
        expressions: true
    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: ROLE_ADMIN
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username_email
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            api:
                pattern: ^/api
                anonymous: false
                form_login: false
                provider: fos_userbundle
                http_basic:
                    realm: "REST Service Realm"
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_provider: form.csrf_provider
                logout: true
                anonymous: ~
                switch_user: { role: ROLE_SUPER_ADMIN, parameter: _impersonate }
        access_control:
            - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/superadmin/, role: ROLE_SUPER_ADMIN }
I have tried to turn off security for paths containing /resetting and /register, but that clearly won't work since the security token still needs to be available for the FOSUserBundle controllers.
Any help would be much appreciated!
It might be to do with the order of the access_control; try putting superadmin above the others. You also don't seem to have a secured_area section (like this example from Symfony2 access control redirects to login):
    security:
        firewalls:
            secured_area:
                pattern: ^/
                anonymous: ~
                form_login:
                    login_path: login
                    check_path: login_check
The problem was that another bundle was messing with each request checking if the user was logged in or not. If the user wasn't logged in, a redirect response was generated to the login page.
No idea why this was done, I think it comes from an era where the original authors had less experience with Symfony.
But so it proves again, always check the logs. Very thoroughly.

Unable to find the controller for path "/login_check" - symfony2

I know this is a common problem. And several questions on this topic have been posted. I have tried all those solutions recommended in those questions, but none worked.
I found that this problem occurs if I put my form_login behind a firewall. But I'm not having any extra layer in the firewall, so the path should be as simple as described in the documentation.
My security.yml
    # app/config/security.yml
    security:
        encoders:
            Joy\JoyBundle\Entity\User:
                algorithm: sha512
                encode_as_base64: true
                iterations: 1
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        providers:
            administrators:
                entity: { class: JoyBundle:User, property: username }
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            login:
                pattern: ^/login
                security: false
            secured_area:
                pattern: ^/
                anonymous: ~
                form_login:
                    login_path: login
                    check_path: login_check
                logout:
                    path: /logout
                    target: /login
        access_control:
            - { path: ^/signup, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/, roles: ROLE_ADMIN }
My routing.yml in app/config
    # app/config/routing.yml
    login:
        path: /login
        defaults: { _controller: JoyBundle:Security:login }
    login_check:
        path: /login_check
    joy_hello:
        resource: "@JoyBundle/Resources/config/routing.yml"
        prefix: /
So I'm performing the login check while accessing app_dev.php/, but it's showing that error after pressing submit in the login form:
    Unable to find the controller for path "/login_check". Maybe you
    forgot to add the matching route in your routing configuration? 404
    Not Found - NotFoundHttpException
I tried
    login_path: /login
    check_path: /login_check
Didn't work. What am I missing? Please help.
The route login_check is not behind the firewall, because the login_check route pattern matches the login firewall, which has no security.
    login:
        pattern: ^/login # This matches /login_check
        security: false
Solution 1: Change this to
    login:
        pattern: ^/login$
        security: false
Solution 2: Remove the login firewall altogether and add this rule to access_control
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
In security.yml try setting the provider at the secured_area section:
    secured_area:
        provider: administrators
        pattern: ^/
        anonymous: ~
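As an added illustration (not from any of the posts above) of why the `^/login` firewall pattern swallows `/login_check`, and of why access_control order matters as suggested in the earlier thread, here is a small Python model of Symfony's first-match-wins pattern matching. The firewall and access_control lists are constructed from the patterns in the question above; Symfony itself runs the pattern through preg_match, which is an unanchored search like re.search.

```python
import re

# Constructed firewall map from the question: "login" is listed before
# "secured_area", and ^/login also matches /login_check, so the form_login
# check never runs because that path lands in a security: false firewall.
FIREWALLS_BROKEN = [
    ("dev", r"^/(_(profiler|wdt)|css|images|js)/"),
    ("login", r"^/login"),
    ("secured_area", r"^/"),
]

# Solution 1 from the answer: anchor the login pattern with a trailing $.
FIREWALLS_FIXED = [
    ("dev", r"^/(_(profiler|wdt)|css|images|js)/"),
    ("login", r"^/login$"),
    ("secured_area", r"^/"),
]

# access_control is evaluated the same way: the first matching rule wins.
ACCESS_CONTROL = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/signup", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "ROLE_ADMIN"),
]

# Same rules with the catch-all first: it shadows every rule below it.
ACCESS_CONTROL_MISORDERED = [ACCESS_CONTROL[-1]] + ACCESS_CONTROL[:-1]


def match_firewall(firewalls, path):
    """Name of the first firewall whose pattern matches the request path.

    A pattern without a trailing $ matches any path that merely starts
    with it, which is exactly how ^/login captures /login_check.
    """
    for name, pattern in firewalls:
        if re.search(pattern, path):
            return name
    return None


def required_role(rules, path):
    """Role demanded by the first matching access_control rule, or None."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None
```

Running `match_firewall(FIREWALLS_BROKEN, "/login_check")` returns the unsecured login firewall, while the fixed map routes the same path to secured_area, where form_login can handle it.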
