I'm having trouble getting security to work the way I want it.
I want the administration part to be protected so only people with ROLE_ADMIN can access it. And that works just fine. However, I want my unprotected/public area to be able to differentiate between ROLE_ADMIN and IS_AUTHENTICATED_ANONYMOUSLY.
I can't make it work though. After I log in to the admin section, I can see in the toolbar that I'm authenticated and have ROLE_ADMIN, but as soon as I go back to the public section of the website it turns into anonymously authenticated.
Here is the security setup I currently have:
jms_security_extra:
    secure_all_services: false
    expressions: true
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        in_memory:
            memory:
                users:
                    myusername: { password: mypassword, roles: [ 'ROLE_ADMIN' ] }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login_area:
            pattern: ^/login$
            anonymous: ~
        secured_area:
            pattern: ^/admin|^/login_check$|^/logout$
            form_login: ~
            logout: ~
        public_area:
            pattern: ^/
            anonymous: ~
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: [ROLE_ADMIN, IS_AUTHENTICATED_ANONYMOUSLY] }
As you can see, I tried adding both the ROLE_ADMIN and IS_AUTHENTICATED_ANONYMOUSLY roles to the '^/' path in access_control, but it doesn't change anything.
I searched both the Symfony2 book and the Cookbook entries but didn't find anything that would help me with this problem.
OK, and just 20 minutes later, after digging through the Symfony2 book for the third time, I found this:
Multiple firewalls don't share security context
If you're using multiple firewalls and you authenticate against one firewall, you will not be authenticated against any other firewalls automatically.
It was enough to just use one firewall on the '^/' pattern and set access_control to this:
    - { path: ^/admin, roles: ROLE_ADMIN }
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
I have the security.yml file below. I am trying to reach the route '/test', and after logging in, I get stuck in a loop.
Can someone please point out where things are messed up? I'm stumped.
# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        IMAG\LdapBundle\Users\LdapUser: plaintext
    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        ldap:
            id: imag_ldap.security.user.provider
    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        public:
            pattern: ^/login
            security: false
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        restricted_area:
            pattern: ^/
            anonymous: ~
            imag_ldap:
                check_path: login_check
                login_path: login
                intention: authenticate
                provider: ldap
            logout:
                path: /logout
                target: /
    # with these settings you can restrict or allow access for different parts
    # of your application based on roles, ip, host or methods
    # http://symfony.com/doc/current/cookbook/security/access_control.html
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
Change the login pattern if your login check path is "login_check":
    public:
        pattern: ^/login$
I'm using Symfony 2.3 and I've created a custom user provider, and everything works fine so far except that the following message shows:
The weird thing is that, for example, in Twig I can do:
    {{ app.user.username }}
And it prints the username of the logged-in user just fine.
I've tracked the printing of that message in this view and this is the corresponding controller.
It seems that the class SecurityDataCollector is initialized with a parameter of type SecurityContextInterface with a value of $this->get('security.context', ContainerInterface::NULL_ON_INVALID_REFERENCE)
The problem seems to be that security.context does not exist and I don't know how to set that security context, and in the example they don't set it. How can I fix this?
---- app/config/security.yml ----
security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    encoders:
        Company\Shared\CompanyldapBundle\Security\User\ldapUser: plaintext
    providers:
        ldap_user_provider:
            id: ldap_user_provider
    firewalls:
        main:
            provider: ldap_user_provider
            pattern: ^/
            form_login:
                login_path: login
                check_path: login_check
            logout: true
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/(_(profiler|wdt)|css|images|js)/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_USER }
I can't understand why an anonymous user can access the routes I want to protect, "^/nodes$" and "^/destinations$".
Where am I wrong? I've read this resource with attention, http://symfony.com/doc/current/book/security.html, but those URLs can still be viewed anonymously!
This is my security.yml:
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        in_memory:
            memory:
                users:
                    user: { password: athena_user_2014, roles: [ 'ROLE_USER' ] }
                    admin: { password: athenaspa2014, roles: [ 'ROLE_ADMIN' ] }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            pattern: ^/backend
            form_login:
                check_path: /backend/login_check
                login_path: /backend/login
                csrf_provider: form.csrf_provider
            logout:
                path: /backend/logout
                target: /
            #http_basic:
            #    realm: "Secured Demo Area"
    access_control:
        - { path: ^/nodes, roles: ROLE_ADMIN }
        - { path: ^/destinations, roles: ROLE_ADMIN }
Your paths are not part of any of your firewall patterns. You could make the following changes for it to work:
    firewalls:
        secured_area:
            pattern: ^/
            ...
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/backend, role: ROLE_ADMIN }
        - { path: ^/node, role: ROLE_ADMIN }
        ...
        - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
The last path is pretty much what anonymous: true does. When no other access_control entry matched, the user is not required to be logged in. If you want to be more restrictive, you could do it like the first path ^/login$, which specifies which routes require authentication. Be aware that the first matching route is used, so be careful about how you order them.
Alternatively you could add another firewall. But keep in mind that each firewall provides a separate login.
You can also test your routes from the console using the php app/console router commands. If you are not sure how to use them, just type php app/console help router:match, for instance.
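To make the three points of this answer concrete (a path outside every firewall pattern is not secured at all, the first matching access_control entry wins, and role_hierarchy expands the roles a user holds), here is an added Python model of how Symfony 2 selects a firewall and an access_control entry for a request path. It is written for this page and is not Symfony's code; the matching rules it assumes follow the documented behaviour (a pattern is a regex searched against the path, first matching firewall wins, first matching access_control entry wins, and any one of the required attributes is enough under the default "affirmative" strategy). The function and config names are this example's own; the role names and patterns are transcribed from the question's and the answer's security.yml.

```python
import re

# Added example, not Symfony's own code: a small model of how Symfony 2 picks a firewall
# and an access_control entry for a request path. Assumed matching rules (they follow the
# documented behaviour): a pattern is a regex searched against the path, the first matching
# firewall wins, the first matching access_control entry wins, and any one of the required
# attributes is enough (Symfony's default "affirmative" decision strategy). Function and
# config names are this example's own; role names and patterns are the page's.

AUTHENTICATED = ("IS_AUTHENTICATED_FULLY", "IS_AUTHENTICATED_REMEMBERED", "IS_AUTHENTICATED_ANONYMOUSLY")


def expand_roles(roles, hierarchy):
    """Expand roles transitively through role_hierarchy (ROLE_SUPER_ADMIN -> ROLE_ADMIN -> ROLE_USER)."""
    reachable, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in reachable:
            reachable.add(role)
            stack.extend(hierarchy.get(role, []))
    return reachable


def granted_attributes(user_roles, hierarchy):
    """Attributes the token carries; None means an anonymous token, which only has IS_AUTHENTICATED_ANONYMOUSLY."""
    if user_roles is None:
        return {"IS_AUTHENTICATED_ANONYMOUSLY"}
    return set(AUTHENTICATED) | expand_roles(user_roles, hierarchy)


def first_match(path, entries):
    """First entry whose 'pattern' regex matches the path, or None; order therefore matters."""
    return next((e for e in entries if re.search(e["pattern"], path)), None)


def decide(path, user_roles, config):
    """Outcome: 'no_firewall', 'security_disabled', 'unrestricted', 'granted' or 'denied'."""
    firewall = first_match(path, config["firewalls"])
    if firewall is None:
        return "no_firewall"        # no firewall listener runs, so access_control is never consulted
    if firewall.get("security") is False:
        return "security_disabled"
    rule = first_match(path, config["access_control"])
    if rule is None:
        return "unrestricted"       # no entry matched: nothing is required of the user
    required = rule["roles"] if isinstance(rule["roles"], list) else [rule["roles"]]
    have = granted_attributes(user_roles, config["role_hierarchy"])
    return "granted" if any(r in have for r in required) else "denied"


HIERARCHY = {
    "ROLE_ADMIN": ["ROLE_USER"],
    "ROLE_SUPER_ADMIN": ["ROLE_USER", "ROLE_ADMIN", "ROLE_ALLOWED_TO_SWITCH"],
}
DEV = {"pattern": r"^/(_(profiler|wdt)|css|images|js)/", "security": False}

# The question's security.yml: only ^/backend has a firewall, so /nodes is never secured at all.
BROKEN = {
    "role_hierarchy": HIERARCHY,
    "firewalls": [DEV, {"pattern": r"^/backend"}],
    "access_control": [
        {"pattern": r"^/nodes", "roles": "ROLE_ADMIN"},
        {"pattern": r"^/destinations", "roles": "ROLE_ADMIN"},
    ],
}

# The answer's security.yml: one firewall on ^/, specific entries first, the catch-all last.
FIXED = {
    "role_hierarchy": HIERARCHY,
    "firewalls": [DEV, {"pattern": r"^/"}],
    "access_control": [
        {"pattern": r"^/login$", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
        {"pattern": r"^/backend", "roles": "ROLE_ADMIN"},
        {"pattern": r"^/nodes", "roles": "ROLE_ADMIN"},
        {"pattern": r"^/destinations", "roles": "ROLE_ADMIN"},
        {"pattern": r"^/", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
    ],
}

# Same entries with the catch-all moved to the top: it shadows every entry after it.
MISORDERED = dict(FIXED, access_control=FIXED["access_control"][-1:] + FIXED["access_control"][:-1])

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        for path, roles in (("/nodes", None), ("/nodes", ["ROLE_ADMIN"]), ("/backend", ["ROLE_SUPER_ADMIN"])):
            print(f"{label:10} {path:8} {roles or 'anonymous'}: {decide(path, roles, cfg)}")
```

Running the script shows the three outcomes side by side: under the question's config an anonymous request to /nodes is "no_firewall" (the entries under access_control never run), under the answer's config it is "denied" while ROLE_ADMIN and, through the hierarchy, ROLE_SUPER_ADMIN are "granted", and with the catch-all moved first every anonymous request is "granted" because the first matching entry wins.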
I am following this tutorial Custom Password Authenticator and get the following error when I try to implement the simple form:
InvalidConfigurationException: Unrecognized options "simple_form" under "security.firewalls.main"
This is my security.yml:
security:
    encoders:
        GigCapitol/MasterBundle/Entity/User: plaintext
    role_hierarchy:
        ROLE_USER: ROLE_USER
        ROLE_ADMIN: ROLE_ADMIN
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        users:
            entity: { class: GigCapitolMasterBundle:User, property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            anonymous: ~
            provider: users
            simple-form:
                authenticator: MasterAuthenticator
                login_path: master_index
                check_path: master_login_check
    access_control:
        - { path: /, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
What seems to be the issue here?
It seems the correct key is "simple_form", and you have "simple-form".
It seems I had version 2.0 or so; simple_form was implemented in 2.2.
So I've managed to get the FOSFacebook bundle integrated into my app alongside the FOSUser bundle. Now it's working properly on my dev server, minus a few bugs, but it works.
UPDATE: So for some reason Facebook is setting the cookie to mysite.com.au instead of subdomain.mysite.com, which means that it fails to pick up on the cookie and goes to the default failure page, which is /facebook/login.
Now for some reason, when I deployed it to my live server, which has the same address (I'm changing my hosts file to simulate the domain), when I try to log in I get
"No route found for "GET /facebook/login"
If I try to access this page on the dev, I get the same message, but normally it logs me in and then redirects me to the index.
On the live it gets stuck on /facebook/login.
Here's my security.yml:
security:
    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_manager
        my_fos_facebook_provider:
            id: my.facebook.user
    factories:
        - "%kernel.root_dir%/../vendor/bundles/FOS/FacebookBundle/Resources/config/security_factories.xml"
    firewalls:
        public:
            pattern: ^/
            fos_facebook:
                app_url: "(set to the apps.facebook link I have)"
                server_url: "http://testbed.mysite.com/app_dev.php/"
                check_path: /facebook/check
                login_path: /facebook/login
                default_target_path: /
                provider: my_fos_facebook_provider
            form_login:
                success_handler: authentication_handler
                failure_handler: authentication_handler
                provider: fos_userbundle
            anonymous: true
            logout: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/testing/secure/, role: IS_AUTHENTICATED_FULLY }
        - { path: ^/admin/secure/, role: ROLE_ADMIN }
        - { path: ^/account, role: IS_AUTHENTICATED_FULLY }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
If you need a look at any other files, let me know.
Obviously there is no route for /facebook/login but I believe it's supposed to be that way.
Any ideas people?
Just define login_path as the default path set up in the security.yml:
_security_login:
    pattern: /login
    requirements:
        _scheme: https
_security_check:
    pattern: /login_check
    requirements:
        _scheme: https
_security_logout:
    pattern: /logout
    requirements:
        _scheme: https
You can define your own controller for login_path if you need some specific treatment, but you don't have to!
It turns out that somehow on my live site I'd forgotten to set up parameters.ini correctly, and as such whenever I attempted to log in it'd fail but never actually fully fail.