I've got a weird problem with the Symfony 2 security component. Due to the fact that the {{ app.user }} object is only available within the secured area, I set the firewall pattern to ^/. Now I want to "unsecure" some pages, like registration. I've tried this by using access_control but it doesn't work.
Here is my security.yml:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login:
        pattern: ^/account/login$
        security: false
    account_area:
        pattern: ^/
        form_login:
            check_path: /account/login_check
            login_path: /account/login
            default_target_path: /account
        remember_me:
            key: blaBlubKey
            lifetime: 3600
            path: /
            domain: ~
        logout:
            path: /account/logout
            target: /
access_control:
    # works
    - { path: ^/backend, roles: ROLE_USER }
    # does not work
    - { path: ^/registration, roles: IS_AUTHENTICATED_ANONYMOUSLY }
Thanks in advance!
Worth mentioning is that the best practice here is to use only one firewall, with access_control for the login page. Why? What would you do if a logged-in user tries to access the /login page? You won't be able to check in the controller whether he is authenticated and redirect him, because the user will be authenticated to your main firewall but not to the login firewall, as they are separate security systems.
Here is the security.yml that works great for me:
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: true
            anonymous: ~
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
                always_use_default_target_path: true
                default_target_path: /
            logout:
                path: /logout
                target: /
    providers:
        main:
            entity: { class: Core\UserBundle\Entity\User, property: username }
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_SUPERADMIN }
        - { path: ^/user, roles: ROLE_USER }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
Use the anonymous directive in account_area:
account_area:
    pattern: ^/
    anonymous: ~
I am running into an issue setting up authentication in Symfony 2.8 with the SAML plugin (https://www.lightsaml.com/SP-Bundle/Getting-started/).
Problem:
I want to be able to log in via SAML and via going to the admin page. The /admin/login page works fine; I see the user authenticated from the database. However, when I try to go through the SAML process, I always land on the /discovery page. When I look at the logs, I do see the user is authenticated. So I think I have something not correct in the security settings. Please let me know if you can help.
Here are the settings from the config/security.yml file:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login_firewall:
        pattern: ^/saml/login$
        anonymous: ~
    discovery_firewall:
        pattern: ^/saml/discovery$
        anonymous: ~
    secured_area:
        pattern: ^/
        anonymous: ~
        light_saml_sp:
            provider: db_provider # user provider name configured in step 9
            #user_creator: user_creator # name of the user creator service created in step 10
            login_path: /saml/login
            check_path: /saml/login_check
            default_target_path: /profile
        form_login:
            login_path: /admin/login
            check_path: /admin/login_check
            default_target_path: /
        remember_me: true
        logout:
            path: /logout
            target: /
        # activate different ways to authenticate
        # http_basic: ~
        # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
        # form_login: ~
        # http://symfony.com/doc/current/cookbook/security/form_login_setup.html
access_control:
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/profile, roles: ROLE_USER }
I'm creating a website with Symfony 2.8 and FOSUserBundle for authentication.
I want the website to be public to anyone, and the back-office (with the prefix /admin) to be accessed after login authentication.
I just keep getting the error:
The check_path "/login_check" for login method "form_login" is not matched by the firewall pattern "^/admin/(.*)".
My app/config/security.yml looks like:
providers:
    fos_userbundle:
        id: fos_user.user_provider.username
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    admin:
        pattern: ^/admin/(.*)
        form_login:
            provider: fos_userbundle
            login_path: /login
            check_path: /login_check
            always_use_default_target_path: false
            default_target_path: /admin
        logout:
            path: /logout
            target: /login
        anonymous: true
    main:
        anonymous: ~
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    #- { path: ^/login_check, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
I know there's something wrong in the form_login, but I just can't really grasp it...
PS: Similar questions have been asked, but without great answers (or answers that work for me, for that matter).
I think your pattern needs to be like this:
admin:
    pattern: ^/admin/
I'm trying to create a login form in Symfony2.
When I enter correct information, the redirect enters a loop and a message "No data received" or "Connection Reset" is shown. If I enter wrong information, the message "Bad Credentials" is shown.
My security.yml
Here is the security.yml I created:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login_firewall:
        pattern: ^/login$
        anonymous: ~
    secured_area:
        pattern: ^/
        provider: meu_provider
        form_login:
            login_path: login
            check_path: login_check
        logout:
            path: logout
            target: homepage
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
The user IS ROLE_USER in $user->getRoles()
Thanks!
Sorry for my English!
In the cookbook http://symfony.com/doc/current/cookbook/security/form_login_setup.html, the firewall containing the login form and the check path (which is the same in the example) is defined as a firewall which can be accessed by anonymous users.
In your config only /login is accessible (line: pattern: ^/login$).
Try changing anonymous: ~ to security: false in the login_firewall section.
Your login and login_check routes should be under the firewall you are using.
In other words, you have to remove/comment out those 3 lines:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    #login_firewall:
    #    pattern: ^/login$
    #    anonymous: ~
    secured_area:
        pattern: ^/
        provider: meu_provider
        form_login:
            login_path: login
            check_path: login_check
        logout:
            path: logout
            target: homepage
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
This line, - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }, is enough for users to be able to use the login form without getting a redirect loop.
I am building a Symfony2 project but I have a problem: I configured security.yml and routing.yml to create an authentication system. I have 2 bundles: one for admin and one for users. When I try to access the login page I get a redirect loop.
This is my security.yml file:
security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12
        BackOfficeBundle\Entity\Administrateur:
            algorithm: bcrypt
        BackOfficeBundle\Entity\Collaborateur:
            algorithm: bcrypt
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        administrators:
            entity: { class: BackOfficeBundle:Administrateur, property: username }
        users:
            entity: { class: BackOfficeBundle:Collaborateur, property: email }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        front_login:
            pattern: ^/login$
            anonymous: true
        back_login:
            pattern: ^/login$
            anonymous: true
        back:
            pattern: ^/platform
            anonymous: true
            provider: administrators
            form_login:
                login_path: /platform/login
                check_path: /platform/login_check
                default_target_path: /platform
            logout:
                path: /platform/logout
                target: /platform/login
        front:
            pattern: ^/collaborateur
            anonymous: false
            provider: users
            form_login:
                login_path: /collaborateur/login
                check_path: /collaborateur/login_check
                default_target_path: /collaborateur
            logout:
                path: /collaborateur/logout
                target: /collaborateur/clogin
    access_control:
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/platform, roles: ROLE_ADMIN }
        - { path: ^/collaborateur, roles: ROLE_USER }
And this is the app/config/routing.yml:
front_office:
    resource: "@FrontOfficeBundle/Resources/config/routing.yml"
    prefix: /collaborateur
back_office:
    resource: "@BackOfficeBundle/Resources/config/routing.yml"
    prefix: /platform
and the BackOfficeBundle/Resources/config/routing.yml:
login:
    pattern: /login
    defaults: { _controller: UserBundle:Security:login }
login_check:
    pattern: /login_check
logout:
    pattern: /logout
You need to declare in security.yml that the login routes are public, as follows:
access_control:
    - { path: ^/platform/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/collaborateur/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/platform, roles: ROLE_ADMIN }
    - { path: ^/collaborateur, roles: ROLE_USER }
Hope this helps.
Try this:
firewalls:
    ...
    front_login:
        pattern: ^/platform/login$
        anonymous: true
    back_login:
        pattern: ^/collaborateur/login$
        anonymous: true
    ...
Your login form is on /platform/login but your anonymous security exceptions are only for /login (which is wrong), and everything under ^/platform is protected. Symfony detects the secured area and tries to redirect to the login path, but /platform/login is again in the secured area (and again, again, again).
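The following is an added, constructed Python model (not code from any post in this thread, and not Symfony's own code) of the two rules the answers above rely on: access_control entries are tried top to bottom and the first entry whose path regex matches wins, so a login route must be listed before the broad rule that protects its prefix, and a login page that is itself denied sends an anonymous visitor round in a loop. It models only the access_control step and assumes the firewall admits anonymous users (anonymous: ~); the rule sets and paths are constructed from the configs discussed on this page.

```python
import re

# Constructed model of Symfony's access_control evaluation: rules are checked
# top to bottom and only the FIRST rule whose path regex matches is applied.
# Assumes the firewall itself allows anonymous users (anonymous: ~), so the
# access_control list alone decides whether a request is served.
ANON = "IS_AUTHENTICATED_ANONYMOUSLY"


def first_matching_rule(rules, path):
    """Return the first rule whose 'path' regex matches, or None (no rule: open)."""
    for rule in rules:
        if re.search(rule["path"], path):
            return rule
    return None


def is_allowed(rules, path, user_roles):
    """True when the first matching rule is satisfied by the visitor's roles."""
    rule = first_matching_rule(rules, path)
    if rule is None or rule["roles"] == ANON:
        return True
    return rule["roles"] in user_roles


def redirect_chain(rules, path, login_path, max_hops=3):
    """Follow an anonymous visitor: every denied page redirects to login_path.
    Returns (paths visited, looped) where looped means the login page is denied too."""
    chain = [path]
    for _ in range(max_hops):
        if is_allowed(rules, chain[-1], set()):
            return chain, False
        chain.append(login_path)
    return chain, True


# Constructed rule sets mirroring the configs discussed in the thread.
LOOPING = [  # login form lives under the protected prefix and no rule frees it
    {"path": "^/platform", "roles": "ROLE_ADMIN"},
]
FIXED = [  # the login route is listed first, so it wins before the broad rule
    {"path": "^/platform/login", "roles": ANON},
    {"path": "^/platform", "roles": "ROLE_ADMIN"},
]
SHADOWED = [  # a catch-all ^/ placed first makes every later rule unreachable
    {"path": "^/", "roles": ANON},
    {"path": "^/profile", "roles": "ROLE_USER"},
]

if __name__ == "__main__":
    print(redirect_chain(LOOPING, "/platform", "/platform/login"))  # looped: True
    print(redirect_chain(FIXED, "/platform", "/platform/login"))  # looped: False
    print(is_allowed(SHADOWED, "/profile", set()))  # True: ROLE_USER rule never reached
```

The SHADOWED set reproduces the ordering in the SAML question earlier on this page, where a leading ^/ rule grants anonymous access to /profile before the ROLE_USER rule is ever consulted.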
I developed my first site with Symfony, so maybe I'm having a really obvious problem.
I had no problem on my local dev server, but since I sent it to my live server and started using app.php instead of app_dev.php, I am stuck in a redirect loop...
I looked over the internet and it seems that redirect loops are often caused by security.yml.
I'm using FOSUserBundle, maybe this is related?!
Edit: Since everyone is pointing out that my using /admin as the route for login may be one of the causes of my problem, I changed it to /admin/login but I still have the problem.
Maybe I should clarify some points. The website is in two parts:
- a frontend, which is accessible to everyone
- a backoffice in which you can find some CMS-like pages and some other stuff..., only accessible after login.
On every page, even when I'm trying to access the homepage, I'm stuck in that loop. I end up with the requested URL followed by a bunch of ///////////////////// at the end.
Anyway, here is my new security.yml:
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        #in_memory:
        #    memory:
        #        users:
        #            user: { password: userpass, roles: [ 'ROLE_USER' ] }
        #            admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
        fos_userbundle:
            id: fos_user.user_manager
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern: ^/admin/login$
            anonymous: true
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path: /admin/login
                always_use_default_target_path: true
                default_target_path: /admin/menu
            logout: ~
            anonymous: true
    access_control:
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
routing.yml:
mcr:
    resource: "@McrBundle/Controller/"
    type: annotation
    prefix: /
fos_user_security:
    resource: "@FOSUserBundle/Resources/config/routing/security.xml"
fos_user_security_login:
    pattern: /admin/login
    defaults: { _controller: FOSUserBundle:Security:login }
fos_user_security_check:
    pattern: /admin/login_check
    defaults: { _controller: FOSUserBundle:Security:check }
Any help will be greatly appreciated :)
Thanks a lot.
It likely has to do with how you have your routes set up:
access_control:
    - { path: ^/admin$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
When you try to access /admin, internally Symfony redirects this to /admin/ and, because your AC requires the admin role, I'm guessing you are not logged in and want to be taken to your login page, which I'm also guessing you have on /admin. Thus creating your never-ending redirect loop.
I would recommend using /admin/login for your login route. You will need to update your routing.yml and security.yml.
I think I found the issue. You need to define a separate firewall for the login path with anonymous access which is not shared with other firewalls:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    website:
        pattern: ^/
        security: false
        anonymous: true
    login:
        pattern: ^/admin/login$
        anonymous: true
    main:
        pattern: ^/admin
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /admin/login
            always_use_default_target_path: true
            default_target_path: /admin/menu
        logout: ~
        anonymous: true
access_control:
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }