I added FOSRestBundle to my symfony2 app; this app already had a public area and an admin area protected by FOSUserBundle.
My problem is, I don't get the browser to prompt for user/password, and also, when connecting to the api with curl, I don't get authorized.
# app/config/security.yml
providers:
    user:
        id: fos_user.user_provider.username
    administrator:
        entity: { class: App\UserBundle\Entity\Administrator, property: login }
Now I added an api area and want to use basic http auth, so I added a new provider:
    api_provider:
        memory:
            users:
                user1: { password: 1234, roles: 'ROLE_API_USER' }
                user2: { password: 1234, roles: 'ROLE_API_USER' }
And a new firewall:
firewalls:
    backend:
        pattern: ^/admin/
        provider: administrator
        anonymous: ~
        form_login:
            login_path: /admin/login
            check_path: /admin/login_check
        logout:
            path: /admin/logout
            target: /admin/
    api:
        pattern: ^/api/
        provider: api_provider
        anonymous: ~
        # form_login: false # <- needed or not?
        http_basic:
            realm: "Api"
    main:
        pattern: ^/
        form_login:
            login_path: /login
            check_path: /login_check
            provider: user
            csrf_provider: form.csrf_provider
        logout: true
        anonymous: true
At this point I keep getting a 403 - Forbidden, so I add this to security.yml:
access_control:
    - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/user, role: ROLE_ADMIN_USUARIOS }
    - { path: ^/admin/, role: ROLE_ADMIN }
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/error, role: ROLE_USER }
    - { path: ^/api/, role: ROLE_API_USER }
    - { path: ^/api/v1/users, role: ROLE_API_USER }
After this I get a 401 - unauthorized.
I thought http basic auth forced the browser to prompt for a user/pass, which doesn't happen. Although what I will finally need is for the server to accept a basic auth header in http requests like this one.
Am I missing something?
Thanks
SOLUTION
Apparently the only way to invoke these urls now is through an http connection like curl, adding an authorization header, for example:
curl -u "user:pass" "http://example.com/app_dev.php/api/v1/users/1.json"
Accessing through the browser does not prompt for user/pass.
Additionally, an encoder was needed for the new provider to work properly:
# app/config/security.yml
encoders:
    Symfony\Component\Security\Core\User\User: plaintext
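The curl -u call above works because curl turns "user:pass" into an Authorization: Basic header. The following is an added example, not code from the question or from Symfony, that shows both ends of that exchange: building the header exactly as curl does, parsing it on the server side per RFC 7617, and answering with a 401 that carries WWW-Authenticate (the header a browser needs before it shows a user/password prompt). The two users and the "Api" realm are taken from the memory provider posted above; everything else (function names, the dummy comparison for unknown users) is constructed for the example.

```python
import base64
import hmac

# Constructed credential store mirroring the question's memory provider
# (two users, plaintext passwords). Real deployments should store hashed
# passwords; the comparison below is constant-time either way.
USERS = {"user1": "1234", "user2": "1234"}
REALM = "Api"


def basic_auth_header(username, password):
    """Build the value curl -u sends: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header):
    """Return (username, password) from an Authorization header, or None if
    it is absent, uses another scheme, or is not valid Basic per RFC 7617."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # user-id and password must be separated by a colon
    return username, password


def authenticate(header):
    """Simulate the server side of http_basic.

    Returns (status, response_headers, authenticated_user). A 401 always
    carries WWW-Authenticate; that header is what makes a browser show the
    user/password prompt, and it is sent both when credentials are missing
    and when they are wrong."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic_auth(header)
    if creds is None:
        return 401, challenge, None
    username, password = creds
    expected = USERS.get(username)
    # compare_digest keeps the comparison time independent of where the first
    # mismatching byte is; an unknown user is compared against a dummy value
    # so known and unknown users take the same code path.
    reference = expected if expected is not None else "\0"
    ok = hmac.compare_digest(password.encode("utf-8"), reference.encode("utf-8"))
    if expected is None or not ok:
        return 401, challenge, None
    return 200, {}, username


if __name__ == "__main__":
    hdr = basic_auth_header("user1", "1234")
    print(hdr)                # what `curl -u user1:1234` puts on the wire
    print(authenticate(hdr))  # (200, {}, 'user1')
    print(authenticate(None)) # (401, {'WWW-Authenticate': 'Basic realm="Api"'}, None)
```

Note that Basic credentials are only base64-encoded, not encrypted, so the header is equivalent to the password itself in transit; it belongs on HTTPS only.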
Related
I have a problem concerning identification, authentication and redirection on Symfony2 (v2.8.9).
I installed HWIOAuthBundle in order to use the Google Sign-in, based on a handmade User Bundle. The website is completely closed to anonymous users and you need to log in to use it.
My problem is that in order to access a precise URL given by someone, and land on it after logging in via the login page, I set use_referer to true in app/config/config.yml.
Since then, when someone goes directly to the /login page, once he's authenticated he's taken back to the /login page instead of being redirected to the private homepage of the website (/hub, defined by the route rnd_hub_homepage). He is taken there properly identified and authenticated, but I wish he wouldn't land there but on the /hub page.
If I set the line always_use_default_target_path to true in app/config/security.yml, then use_referer is no longer taken into account for other URLs...
Here is my extract of the file app/config/security.yml:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login:
        pattern: ^/login$
        anonymous: true
    main:
        pattern: ^/
        anonymous: true
        #logout: true
        logout:
            path: /logout
            target: /login
        oauth:
            resource_owners:
                google: "/login/check-google"
            login_path: /login
            always_use_default_target_path: false
            failure_path: /login
            oauth_user_provider:
                service: ib_user.oauth_user_provider
access_control:
    - { path: ^/hub, roles: IS_AUTHENTICATED_FULLY }
    - { path: ^/user, roles: ROLE_USER }
    - { path: ^/XXX, roles: ROLE_XXX }
    - { path: ^/YYY, roles: ROLE_YYY }
    - { path: ^/ZZZ, roles: ROLE_ZZZ }
    - { path: ^/AAA, roles: ROLE_AAA }
    - { path: ^/BBB, roles: ROLE_BBB }
    - { path: ^/DDD, roles: ROLE_DDD }
    - { path: ^/EEE, roles: ROLE_EEE }
    - { path: ^/admin, roles: ROLE_ADMIN }
And here is the extract of my app/config/config.yml file:
hwi_oauth:
    firewall_names: [main]
    target_path_parameter: rnd_hub_homepage
    use_referer: true
    resource_owners:
        google:
            type: google
            #etc....
Thank you in advance for your various inputs on this question...
(sorry for my English, I'm French-born)
I think you have defined the logout configuration 2 times. Try to remove:
logout: true
I am running into an issue with setting up Authentication in Symfony 2.8 with Saml plugin (https://www.lightsaml.com/SP-Bundle/Getting-started/).
Problem:
I want to be able to log in via SAML and via going to the admin page. The /admin/login page works fine, I see the user authenticated from the database. However, when I try to go through the SAML process, I always land on the /discovery page. When I look at the logs, I do see the user is authenticated. So I think I have something not correct in the security settings. Please let me know if you can help.
Here are the settings from the config/security.yml file:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login_firewall:
        pattern: ^/saml/login$
        anonymous: ~
    discovery_firewall:
        pattern: ^/saml/discovery$
        anonymous: ~
    secured_area:
        pattern: ^/
        anonymous: ~
        light_saml_sp:
            provider: db_provider # user provider name configured in step 9
            #user_creator: user_creator # name of the user creator service created in step 10
            login_path: /saml/login
            check_path: /saml/login_check
            default_target_path: /profile
        form_login:
            login_path: /admin/login
            check_path: /admin/login_check
            default_target_path: /
            remember_me: true
        logout:
            path: /logout
            target: /
        # activate different ways to authenticate
        # http_basic: ~
        # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
        # form_login: ~
        # http://symfony.com/doc/current/cookbook/security/form_login_setup.html
access_control:
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/profile, roles: ROLE_USER }
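Symfony resolves both the firewalls list and the access_control list by first match: it walks the entries top to bottom and stops at the first one whose path regex (and host regex, when set) matches the request. In the access_control posted above, the `^/` entry comes first and matches every URL, so the `^/profile` rule requiring ROLE_USER is never reached. The following added example (mine, not from the question or from Symfony) simulates that resolution for the posted firewalls and rules, flags rules that are shadowed by an earlier one, and shows the same list with the catch-all moved to the end. The rule lists are copied from the question; the function names, the `EXPECTED` table and the host-matching support are constructed for the example.

```python
import re

# Constructed from the firewalls and access_control posted above. Symfony
# walks both lists top to bottom and takes the FIRST entry whose path regex
# (and host regex, if one is set) matches; later entries are never consulted.
FIREWALLS = [
    {"name": "dev", "pattern": r"^/(_(profiler|wdt)|css|images|js)/"},
    {"name": "login_firewall", "pattern": r"^/saml/login$"},
    {"name": "discovery_firewall", "pattern": r"^/saml/discovery$"},
    {"name": "secured_area", "pattern": r"^/"},
]

ACCESS_CONTROL_AS_POSTED = [
    {"path": r"^/", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": r"^/login$", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": r"^/admin/login$", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": r"^/profile", "roles": ["ROLE_USER"]},
]

# Same rules with the catch-all moved last, so the specific paths are reachable.
ACCESS_CONTROL_FIXED = ACCESS_CONTROL_AS_POSTED[1:] + ACCESS_CONTROL_AS_POSTED[:1]


def _matches(entry, path, host):
    """Path regex must match; host regex (optional) must match too."""
    path_re = entry["pattern"] if "pattern" in entry else entry["path"]
    if not re.search(path_re, path):
        return False
    host_re = entry.get("host")
    return host_re is None or re.search(host_re, host or "") is not None


def matching_firewall(firewalls, path, host=None):
    """Name of the first firewall whose pattern/host match, or None."""
    for fw in firewalls:
        if _matches(fw, path, host):
            return fw["name"]
    return None


def required_roles(rules, path, host=None):
    """Roles of the first matching access_control entry. None means no rule
    applies, so no role requirement is enforced for that path."""
    for rule in rules:
        if _matches(rule, path, host):
            return rule["roles"]
    return None


def check_ordering(rules, expectations):
    """expectations: list of (path, roles you intended for it). Returns the
    cases where first-match resolution yields something else, which is how a
    shadowed rule shows up."""
    problems = []
    for path, intended in expectations:
        actual = required_roles(rules, path)
        if actual != intended:
            problems.append((path, intended, actual))
    return problems


# What the posted rules were presumably meant to enforce (constructed).
EXPECTED = [
    ("/login", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/admin/login", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/profile", ["ROLE_USER"]),
    ("/", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
]

if __name__ == "__main__":
    print(matching_firewall(FIREWALLS, "/saml/login"))         # login_firewall
    print(check_ordering(ACCESS_CONTROL_AS_POSTED, EXPECTED))  # /profile is shadowed
    print(check_ordering(ACCESS_CONTROL_FIXED, EXPECTED))      # []
```

The same first-match rule is why the /saml/login and /saml/discovery firewalls, which have no authentication listeners of their own, sit before `secured_area`: a request to either path stops at them and never reaches the SAML listener. Running `check_ordering` against a list of intended (path, roles) pairs before deploying a security.yml change catches a catch-all rule placed too early.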
I switched to my prod environment today and started testing. Everything is working great with my admin user. The problem is when I switch to another user that has the role PROVIDER. This user is only able to add products or import them in the admin panel. However, when I go to the admin dashboard I get these errors:
Warning: Missing argument 1 for Sonata\AdminBundle\Admin\Admin::__construct(), called in C:\wamp\www\karpedeal_b2c\vendor\ed\blog-bundle\Security\Authorization\Voter\ArticleVoter.php on line 37 and defined in C:\wamp\www\karpedeal_b2c\app\cache\prod\classes.php on line 5473
No idea what's going on, since in the DEV environment everything works. I can log in with the provider user, import products etc... In prod, I can't.
For some reason it is trying to access something in the blog bundle; however, this user does not have any rights to blogs... What is the problem then?
role_hierarchy:
    ROLE_PROVIDER: [ROLE_USER, ROLE_SONATA_PROVIDER]
    ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_PROVIDER, ROLE_SONATA_ADMIN, ROLE_BLOG_USER, ROLE_BLOG_ADMIN]
    ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    ROLE_SONATA_PROVIDER:
        - ROLE_MP_SHOP_ADMIN_PRODUCT_LIST
        - ROLE_MP_SHOP_ADMIN_PRODUCT_VIEW
        - ROLE_MP_SHOP_ADMIN_IMPORTER_LIST
        - ROLE_MP_SHOP_ADMIN_IMPORT_SCHEMA_CREATE
        - ROLE_MP_SHOP_ADMIN_IMPORT_SCHEMA_LIST
    SONATA:
        - ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT # if you are using acl then this line must be commented
    ROLE_SONATA_EMPLOYEE:
        - ROLE_MP_SHOP_ADMIN_PRODUCT_LIST
        - ROLE_MP_SHOP_ADMIN_PRODUCT_VIEW
firewalls:
    # disables authentication for assets and the profiler, adapt it according to your needs
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    admin:
        pattern: /admin(.*)
        context: user
        form_login:
            provider: fos_userbundle
            login_path: /admin/login
            use_forward: false
            check_path: /admin/login_check
            failure_path: null
        logout:
            path: /admin/logout
        anonymous: true
    main:
        pattern: ^/
        context: user
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /login
            #use_forward: false
            check_path: fos_user_security_check
            #failure_path: null
            always_use_default_target_path: false
            default_target_path: profile
        logout:
            path: fos_user_security_logout
        oauth:
            resource_owners:
                facebook: "/login/check-facebook"
            login_path: /login
            failure_path: /login
            oauth_user_provider:
                service: my_user_provider
        anonymous: true
    default:
        anonymous: ~
    # activate different ways to authenticate
access_control:
    # URL of FOSUserBundle which need to be available to anonymous users
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # Admin login page needs to be access without credential
    - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # Secured part of the site
    # This config requires being logged for the whole site and having the admin role for the admin part.
    # Change these rules to adapt them to your needs
    - { path: ^/admin/, role: [ROLE_PROVIDER, ROLE_ADMIN, ROLE_SONATA_ADMIN, ROLE_SONATA_PROVIDER] }
    - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
acl:
    connection: default
UPDATE:
When changing AppKernel to $kernel = new AppKernel('prod', true); everything works, so the debugger is causing the problems? How can that be?
I created 3 tools for my customers. Each customer has access to one, two, or three tools, depending on what he paid.
I'm now trying to connect these 3 tools to the same UserBundle. Each tool has its own subdomain: tool1.mysite.com, tool2.mysite.com and tool3.mysite.com.
I defined 3 roles, 1 for each tool. I kept only one firewall, the main one from the FOSUserBundle, defined on the host .mysite.com in order to cover all subdomains.
My problem is: I can use the login page in any subdomain, but it seems that the logged-in user is kept only on the subdomain he logged in on. If I log in as "User1" on "Tool1" I won't be logged in on Tool2. And if I log in as User2 on Tool2, I'll still be "User1" on "Tool1".
I don't know how to change this behaviour?
Thank you so much!
My security.yml is the following:
firewalls:
    main:
        pattern: ^/
        host: .mysite.com
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout:
            path: /logout
            target: /login
        anonymous: true
access_control:
    - { host: .mysite.com, path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { host: .mysite.com, path: ^/admin/, role: ROLE_ADMIN }
    - { host: .mysite.com, path: ^/register, role: ROLE_ADMIN }
    - { host: .mysite.com, path: ^/resetting, role: ROLE_ADMIN }
    - { host: tool1.mysite.com, path: ^/tool1, role: ROLE_TOOL1 }
    - { host: tool2.mysite.com, path: ^/tool2, role: ROLE_TOOL2 }
    - { host: tool3.cospirit.com, path: ^/tool3, role: ROLE_TOOL3 }
role_hierarchy:
    ROLE_TOOL1: [ROLE_USER]
    ROLE_TOOL2: [ROLE_USER]
    ROLE_TOOL3: [ROLE_USER]
It seems to work better by adding this to the config.yml file:
framework:
    session:
        name: SFSESSIDCSMT
        cookie_domain: .mysite.com
I don't know which solution is the better one?
Because they are different subdomains, and Symfony stores the login data in cookies, you will have separate data for every subdomain.
I would recommend that you create 3 firewalls, add the context key to all of them, and give it a common value.
firewalls:
    main:
        pattern: ^/
        host: main.mysite.com
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout:
            path: /logout
            target: /login
        anonymous: true
        context: main_context
    second:
        pattern: ^/
        host: first.mysite.com
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout:
            path: /logout
            target: /login
        anonymous: true
        context: main_context
For this to work, maybe you also have to change the cookie settings for symfony, but I would first try out this solution.
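Both the questioner's cookie_domain fix and the answer's shared context address the same mechanism from two sides: the browser only sends the session cookie back to hosts that domain-match the cookie, and Symfony only treats two firewalls as the same login when they share a security context. The following added example (mine, not from the question, the answer or Symfony) implements the domain-matching rule of RFC 6265 section 5.1.3 and applies it to a session cookie set without a Domain attribute (Symfony's default, a host-only cookie) and one set with `cookie_domain: .mysite.com`, using the three tool hosts from the question. The function names and the cookie dictionary layout are constructed for the example.

```python
import re

# Cookie domain matching per RFC 6265 section 5.1.3, applied to the session
# cookie that carries the Symfony login. Hosts are constructed from the
# question (tool1/tool2/tool3.mysite.com).

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def domain_matches(request_host, cookie_domain):
    """True if a cookie scoped to cookie_domain is sent to request_host.
    Browsers ignore a leading dot in the Domain attribute, so '.mysite.com'
    and 'mysite.com' behave the same. Unlike a bare regex such as the
    `host: .mysite.com` matcher in the question, this is a label boundary
    check: 'evilmysite.com' does not match."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return (request_host.endswith("." + cookie_domain)
            and not _IPV4.match(request_host))


def session_cookie(set_by_host, cookie_domain=None):
    """Model the cookie Symfony's session handler sets. cookie_domain=None is
    the framework default: a host-only cookie bound to the responding host."""
    return {"origin_host": set_by_host.lower(), "domain": cookie_domain}


def cookie_sent_to(cookie, request_host):
    """Does the browser attach this cookie to a request for request_host?"""
    if cookie["domain"] is None:
        return request_host.lower() == cookie["origin_host"]
    return domain_matches(request_host, cookie["domain"])


def hosts_sharing_session(cookie, candidates):
    """Subset of candidate hosts that will present the same session id."""
    return [h for h in candidates if cookie_sent_to(cookie, h)]


TOOLS = ["tool1.mysite.com", "tool2.mysite.com", "tool3.mysite.com"]

if __name__ == "__main__":
    default = session_cookie("tool1.mysite.com")
    shared = session_cookie("tool1.mysite.com", cookie_domain=".mysite.com")
    print(hosts_sharing_session(default, TOOLS))  # ['tool1.mysite.com']
    print(hosts_sharing_session(shared, TOOLS))   # all three tools
    print(domain_matches("evilmysite.com", ".mysite.com"))  # False
```

Widening the cookie to `.mysite.com` means every subdomain, including any you do not control as tightly, receives the session id; the shared `context` on the firewalls is then what lets the same session be recognised as one login across the tools.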
I'm working on a project with Symfony2 where you must be logged in to be able to see the website. I am using FOSUserBundle to create the member area. Here is the idea: if an anonymous user comes to the website, I systematically redirect to the login page.
Here is my security.yml:
providers:
    fos_userbundle:
        id: fos_user.user_manager
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
        realm: "Acces reserve"
    login:
        pattern: ^/(login$|register|resetting)
        anonymous: true
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            remember_me: true
        remember_me:
            key: %secret%
        anonymous: true
        logout: true
access_control:
    - { path: ^/backoffice, roles: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
I think there is no reason for it not to work; here is the problem now. I observed that I'm not logged in the same way in /login and in other areas. For example, if I log in then I'm the user named "admin" with role "ROLE_USER" on the website, BUT if I then go to /login, I'm logged in as "anon" with no role at all.
Same problem but more boring: when a new user registers, he's logged in on the /login page but not on the other pages... So he's always redirected to /login and the logout doesn't change anything. :/
Do you have an idea ?
Thanks !
P.S.: Is it possible to manually clean all sessions in Symfony2? 'cause I would like to be able to try other things, but in Chrome I just can't do anything for now... I tried clearing the browser cache and cookies, clearing the Symfony cache, etc... Nothing changes, I'm still logged in as "admin" on the /login page -_-
The thing is you specified the fos_userbundle provider only for the main firewall, not for the login and dev firewalls. So fos_userbundle isn't used for the /login page at all.
The documentation says you should use this config:
firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            remember_me: true
        remember_me:
            key: %secret%
        logout: true
        anonymous: true
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/backoffice, roles: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }