Do I need two firewalls in security.yml in Symfony2 - php

I have this security.yml file. I want to know whether I need two firewalls or whether one is OK.
I have read in the docs that one firewall is OK and to use ACL for further things.

```yaml
firewalls:
    admin:
        pattern: /admin(.*)
        form_login:
            provider: fos_userbundle
            login_path: /admin/login
            use_forward: false
            check_path: /admin/login_check
            failure_path: /admin/login
            use_referer: true
            default_target_path: /admin/dashboard
        logout:
            path: /admin/logout
            target: /admin/login
        anonymous: true
    main:
        pattern: .*
        form_login:
            provider: fos_userbundle
            login_path: /login
            use_forward: false
            check_path: /login_check
            failure_path: null
            default_target_path: /main
        logout: true
        anonymous: true
```

Yes, you will need two. One firewall protects secure pages, the second firewall allows anonymous access to open pages, which you need to open up at least for your login page (see the common pitfalls section of the security documentation).
You will probably want to add paths to the second firewall for home, password recovery, and any other pages you want anyone to be able to access.

You have two entry points: /login and /admin/login. If you can make do with one, then you could merge down to one firewall.

Related

Unrecognized option "knpu_guard" under "security.firewalls.main" (Symfony)

I would like to add a Facebook login option to my website. I tried to follow this tutorial, but if I add the knpu_guard part under the main section, I get this error:
Unrecognized option "knpu_guard" under "security.firewalls.main"
My firewalls section in security.yml looks like this:

```yaml
firewalls:
    main:
        anonymous: ~
        #pattern: ^/
        provider: our_db_provider
        form_login:
            login_path: login
            check_path: login
        logout:
            path: /logout
            target: /
        knpu_guard:
            authenticators:
                - app.form_login_authenticator
                - app.api_token_authenticator
                - app.facebook_authenticator
            # by default, use the start() function from FormLoginAuthenticator
            entry_point: app.form_login_authenticator
```

I just added the knpu_guard section; nothing else changed under the firewalls section.
I think that the tutorial is a little bit obsolete, because knpu_guard is no longer accepted.
You can use guard instead as the key in the security.yml file.
Discussion
Try to use this:

```yaml
form_login:
    login_path: login
    check_path: login
    provider: user_provider # where is this provider? It shouldn't be fos_userbundle, for example?
anonymous: true
```

symfony2 configuring the firewall - weird behaviour at login

I am using symfony2 with FOSUserBundle and I am trying to set up my firewall correctly.
I want the major part of my website to not be available to anonymous users. The home page (the $ in the public pattern) and some others should be available according to a pattern.
With my current configuration, after login I am redirected to the home page but still as anonymous. If I directly type the URL of a page not allowed to anonymous users directly afterwards, I can access it and I am logged in (in the profiler).
My configuration:

```yaml
dev:
    pattern: ^/(_(profiler|wdt)|css|images|js)/
    security: false
public:
    pattern: /(login$|register|resetting|public|$)
    anonymous: true
main:
    pattern: ^/
    anonymous: false
    provider: main
    form_login:
        login_path: fos_user_security_login
        check_path: fos_user_security_check
    logout:
        path: fos_user_security_logout
        target: /
```

What can I do to make it work properly (logged in correctly after login)?
EDIT:
I understand better what is happening: after login, I am being redirected to the home page (the root address). This falls first into the public firewall, and that's why I'm not seen as connected.
Well, you can always hardcode the path that you're redirected to after login (in your security.yml file). You can read more here.

```yaml
security:
    firewalls:
        main:
            form_login:
                default_target_path: default_security_target
```
Done! The solution involves the context property of the firewall, which is better described here:
Authenticate multiple symfony2 firewalls with one login form
My configuration now becomes:

```yaml
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    guest:
        pattern: /(user/login$|user/register|user/resetting|$)
        anonymous: true
        context: main_auth
    main:
        pattern: ^/(?!user/login$)
        anonymous: false
        provider: main
        context: main_auth
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            path: fos_user_security_logout
            target: /
        remember_me:
            key: "%secret%"
            lifetime: 86400 # lifetime in seconds (86400 = one day)
            path: /
            domain: ~ # defaults to the current domain taken from $_SERVER
        oauth:
            remember_me: true
            resource_owners:
                facebook: "/loginhwi/check-facebook"
                github: "/loginhwi/check-github"
                google: "/loginhwi/check-google"
                twitter: "/loginhwi/check-twitter"
                linkedin: "/loginhwi/check-linkedin"
                flickr: "/loginhwi/check-flickr"
            login_path: fos_user_security_login
            check_path: fos_user_security_check
            failure_path: fos_user_security_login
            success_handler: foodmeup_user.handler_auth
            oauth_user_provider:
                service: fosubuser.provider
```

Symfony: Wrong firewall used when session expires

I have a Symfony app which uses FOSUserBundle (not sure that matters, as it's an issue with the firewall). It has 2 firewalls, each for a different section of the site. One is the front end and the other an admin area.
The issue I'm having is that when the user logs in to the front end and their session later expires (if they didn't choose to remember the login), they are redirected to the admin firewall's logout target.
Here's the firewall configuration in my security file:

```yaml
jms_security_extra:
    secure_all_services: false
    expressions: true
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_CLIENT: ROLE_USER
        ROLE_ACCOUNT_MANAGER: ROLE_CLIENT
        ROLE_DESIGNER: ROLE_USER
        ROLE_PUBLISHER: ROLE_DESIGNER
        ROLE_ADMIN: [ROLE_PUBLISHER, ROLE_ACCOUNT_MANAGER]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        site:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: site_survey_launch
                login_path: site_login
                check_path: site_login_check
                use_referer: true
                success_handler: xd_authentication.event.listener
            logout:
                path: site_logout
                target: site_login
                success_handler: xd_authentication.event.listener
            anonymous: true
        portal:
            pattern: ^/portal
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: portal_user_surveys_live
                login_path: portal_login
                check_path: portal_login_check
            logout:
                path: portal_logout
                target: portal_login
            anonymous: true
            context: shared
    acl:
        connection: default
```
The success_handler for the site logout configuration returns a redirect response for site_login, which is even more reason to be fairly confused about this issue, unless the success_handler is only used for a manual logout process.
Any help with this would be greatly appreciated. I've been trying to figure out what's going on for a few months now.

I think that the order of the firewall definitions is important, because site has the pattern ^/ and I think that it is processing requests for the ^/portal URL. You should define the portal firewall before the site firewall.

Symfony session, different route, different session

So, I have two different routes in my project:
/memberarea
/mobile
The first is for the web version of my application, and the second is for the mobile version.
Here you can see a part of my security.yml:

```yaml
firewalls:
    main:
        pattern: ^/
        form_login:
            login_path: /
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            default_target_path: /memberarea
        logout: true
        anonymous: true
    mobile:
        pattern: /mobile/.*
        logout: true
        anonymous: true
access_control:
    - { path: ^/memberarea, roles: IS_AUTHENTICATED_FULLY }
    - { path: ^/mobile, roles: IS_AUTHENTICATED_FULLY }
```

My problem: when a user logs in on mobile, I create a session in Symfony with the mobile firewall like this: $token = new UsernamePasswordToken($user, $request->get('password'), "mobile", $user->getRoles()); ...
This user can use all routes in /mobile, which is OK. But he can use /memberarea too.
How can I log a user in just for /mobile, just for /memberarea, or for both?
If I have understood correctly, you want to log into your mobile application with a different session than on your web application.
What I am doing in order to obtain this result is setting up, in my security.yml file, a different context for each firewall I have.
(If you want to have one session for both, you must give the context the same value for the firewalls in question.)
File: app/config/security.yml

```yaml
firewalls:
    main:
        pattern: ^/
        context: user          # added
        form_login:
            login_path: /
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            default_target_path: /memberarea
        logout: true
        anonymous: true
    mobile:
        pattern: /mobile/.*
        context: mobile_user   # added
        logout: true
        anonymous: true
```
Hope this helped.

How to put "login_check" behind firewall in symfony2 security config

I have this in my config:

```yaml
firewalls:
    login_firewall:
        pattern: ^/login$
        anonymous: ~
    secured_area:
        pattern: ^/admin
        form_login:
            login_path: /login
            check_path: /login_check
        logout:
            path: /logout
```

My problem is that if I use this then I get
Unable to find the controller for path "/login_check" error
Everything works OK if I use
pattern: ^/
The Symfony documentation says to put login_check behind the firewall and I don't know how I can do that.

As you correctly mentioned, "Symfony documentation says to put login_check behind the firewall and I don't know how I can do that" - this means that you have to define your login_check in this way:
check_path: /admin/login_check
Source - Common Pitfalls section
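Three of the problems on this page come from one rule: Symfony walks the firewalls in declaration order and hands the request to the first whose `pattern` regex matches the path, and it does not add anchors to that regex. That explains the unanchored `/admin(.*)` pattern in the first question, the `^/` firewall declared before `^/portal` in the session-expiry question, and the `check_path: /login_check` that no firewall under `^/admin` can serve in the last question. The script below is an added example written for this page, not Symfony's own RequestMatcher code and not code from any of the posters; it emulates that first-match rule on constructed firewall lists (route names replaced by made-up literal paths, since the model has no router) so that shadowed firewalls, over-broad patterns and misplaced check_paths can be spotted before a deploy.

```python
import re

# Model of Symfony's firewall selection: for each firewall in declaration order,
# run the pattern as an unanchored regex search against the request path and
# take the first hit. This is a teaching model, not Symfony's own code.


def first_matching_firewall(firewalls, path):
    """Return the name of the first firewall whose pattern matches path, or None.

    firewalls is an ordered list of (name, options) pairs. A firewall without a
    pattern matches every request, as it does in security.yml.
    """
    for name, options in firewalls:
        pattern = options.get("pattern")
        # re.search rather than re.fullmatch: the pattern is not anchored
        if pattern is None or re.search(pattern, path):
            return name
    return None


def shadowed_firewalls(firewalls, sample_paths):
    """Names of firewalls that never win for any of the sample paths.

    A firewall hidden behind an earlier, broader pattern is dead configuration:
    its form_login, logout target and context are never used.
    """
    winners = {first_matching_firewall(firewalls, p) for p in sample_paths}
    return [name for name, _ in firewalls if name not in winners]


def check_path_mismatches(firewalls):
    """form_login.check_path values not routed to the firewall declaring them.

    Returns (firewall, check_path, firewall_that_actually_handles_it) triples;
    a third element that differs from the first means the login POST is handled
    by another firewall, or by none at all.
    """
    problems = []
    for name, options in firewalls:
        check_path = options.get("form_login", {}).get("check_path")
        if check_path is None:
            continue
        handler = first_matching_firewall(firewalls, check_path)
        if handler != name:
            problems.append((name, check_path, handler))
    return problems


# --- constructed configurations modelled on the ones quoted on this page -----

# site (^/) declared before portal (^/portal): every request goes to site
SITE_THEN_PORTAL = [
    ("site", {"pattern": "^/", "form_login": {"check_path": "/login_check"}}),
    ("portal", {"pattern": "^/portal",
                "form_login": {"check_path": "/portal/login_check"}}),
]
PORTAL_THEN_SITE = list(reversed(SITE_THEN_PORTAL))
SAMPLE_PATHS = ["/", "/survey/1", "/portal", "/portal/surveys"]

# /admin(.*) is unanchored, so it also catches paths that merely contain /admin
ADMIN_UNANCHORED = [("admin", {"pattern": "/admin(.*)"}), ("main", {"pattern": ".*"})]
ADMIN_ANCHORED = [("admin", {"pattern": "^/admin"}), ("main", {"pattern": "^/"})]

# check_path outside the firewall that declares it, then the corrected form
LOGIN_OUTSIDE = [
    ("login_firewall", {"pattern": "^/login$"}),
    ("secured_area", {"pattern": "^/admin",
                      "form_login": {"check_path": "/login_check"}}),
]
LOGIN_INSIDE = [
    ("login_firewall", {"pattern": "^/login$"}),
    ("secured_area", {"pattern": "^/admin",
                      "form_login": {"check_path": "/admin/login_check"}}),
]

if __name__ == "__main__":
    print("/portal/surveys ->", first_matching_firewall(SITE_THEN_PORTAL, "/portal/surveys"))
    print("shadowed:", shadowed_firewalls(SITE_THEN_PORTAL, SAMPLE_PATHS))
    print("reordered, shadowed:", shadowed_firewalls(PORTAL_THEN_SITE, SAMPLE_PATHS))
    print("/blog/admin-tips ->", first_matching_firewall(ADMIN_UNANCHORED, "/blog/admin-tips"))
    print("check_path problems:", check_path_mismatches(LOGIN_OUTSIDE))
```

Running it shows `/portal/surveys` landing on `site` and `portal` reported as shadowed until the two firewalls are swapped, `/blog/admin-tips` captured by the unanchored admin firewall, and `/login_check` reaching no firewall at all until it is moved under `/admin/`. The sample paths are the weak point of the shadow check: it only reports what it is given, so feed it the real route list of the application.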
