Symfony protecting routes - symfony

Can someone explain why I can access login route when I'm already logged in even though I've set in security.yaml for only anonymous users to access the route?
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
How can I prevent access to this route when I'm logged in?

To answer your first question, the user always has the IS_AUTHENTICATED_ANONYMOUSLY role, even when they are authenticated.
https://symfony.com/doc/current/security/access_control.html

Related

Symfony allow access for anonymous users and logged in users

I have a route that returns a JSON response. It should be accessible to logged-in users but also to anonymous users, in which case it should respond with a 401 status code.
I tried to add a firewall:
route_name:
    pattern: ^/path
    anonymous: true
but with this configuration I always get an anonymous user (in the profiler), even if the user is logged in.
I also tried adding the configuration in access_control instead:
access_control:
    - { path: ^/path, role: IS_AUTHENTICATED_ANONYMOUSLY }
but I keep getting the login form instead.
Any idea how to handle this case? Thanks

custom authentication provider with anonymous user

I have a question I didn't really find an answer for.
I have to maintain a Symfony application which uses a custom authentication and user provider. The provider works as expected and the user can log in correctly.
However, I need to make a few routes accessible for anonymous users. They should also be accessible when the user is not fully authenticated.
So I tried to adjust the access_control configuration in the security.yml to make these URLs accessible:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        pattern: ~
        anonymous: ~
        internal_api:
            provider: fos_userbundle
            check_path: /api/user/login
        logout:
            path: /api/user/logout
access_control:
    - { path: ^/api/init, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/resources, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
Unfortunately this does not work. The users still can't access these routes, as long as they are not fully authenticated.
So my question is: What is necessary to provide the role IS_AUTHENTICATED_ANONYMOUSLY via a custom authentication provider? Can it be done or do I just have to adjust my security.yml settings?
Best regards
Because the routes you want to make accessible to anonymous users are behind your main firewall and protected by your path: ^/ access_control rule, you have to create a specific firewall for them.
Add this to the firewalls section of your security.yml:
api_resources:
    pattern: ^/api/resources
    anonymous: ~
api_init:
    pattern: ^/api/init
    anonymous: ~
And it should work.

User with multiple roles, access always denied

Users may have multiple roles, e.g. ROLE_USER, ROLE_SUBSCRIBTION_FOO, ROLE_SUBSCRIBTION_BAR.
Based on their role I define an access control list:
- { path: ^/admin/helpdesk/foo, roles: ROLE_SUBSCRIPTION_FOO }
- { path: ^/admin/helpdesk/index, roles: ROLE_ADMIN }
The role hierarchy:
role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUBSCRIBTION_FOO: ROLE_ADMIN
    ROLE_SUPER_ADMIN: ROLE_ADMIN
The problem now is, when a user has the role ROLE_SUBSCRIBTION_FOO and accesses /admin/helpdesk/foo, access is denied. The user has both ROLE_ADMIN and ROLE_SUBSCRIBTION_FOO. However, when I have
- { path: ^/admin/helpdesk/foo, roles: ROLE_ADMIN }
it works, but I need it to be
- { path: ^/admin/helpdesk/foo, roles: ROLE_SUBSCRIPTION_FOO }
which does not work, even though the user does have the role. This is kind of weird. Any ideas where the problem is?
It looks like a typo to me. You defined ROLE_SUBSCRIBTION_FOO in your hierarchy (with a B) but you're wanting to restrict the path with ROLE_SUBSCRIPTION_FOO (with a P).
Looking at the setup, everything seems right.
I want to change user roles dynamically from the admin area of my application. So e.g. I give the FOO role to user BOB and expect the changes to take effect immediately.
But this does not work. The currently open session of user BOB is not refreshed. He has to reauthenticate himself. After reauthentication (logout and login again) Symfony's security system will compare the role correctly with the given access list.
So I expected the user session to be updated automatically, but this is not possible with the default security system of Symfony. I think it needs to be extended with database-based session management. This way you could refresh the user session.

Multiple roles required for same url in symfony 2

This is how my security.yml looks for the access control list:
access_control:
- { path: ^/admin, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/admin, roles: ROLE_ADMIN }
What I want to do is require the user to have both roles (ROLE_ADMIN and IS_AUTHENTICATED_FULLY) in order to access the path as defined. But with the above rules, if the user has any one of the roles, the user can access the path, which I don't want. I also tried the following rule with no success:
- { path: ^/admin, roles: [ROLE_ADMIN, IS_AUTHENTICATED_FULLY] }
How can I add rule that requires user to have both roles in order to access the path defined ?
IS_AUTHENTICATED_FULLY returns true whenever a user is actually authenticated. Anonymous users are technically authenticated, meaning that the isAuthenticated() method of an anonymous user object will return true. To check if your user is actually authenticated, check for the IS_AUTHENTICATED_FULLY role.
So if a user has a role ROLE_ADMIN and is logged in, he is fully authenticated. As a result there is no need to set this requirement:
- { path: ^/admin, roles: IS_AUTHENTICATED_FULLY }
because you have the following, which includes being fully authenticated:
- { path: ^/admin, roles: ROLE_ADMIN }
And
- { path: ^/admin, roles: IS_AUTHENTICATED_FULLY }
will allow any user to see the admin section.
Read: http://symfony.com/doc/current/book/security.html
Looking at the problem itself, not at your specific situation.
If you need user to have all specified roles to access some path, this needs more configuration, as default RoleVoter grants access if current security token has at least one of specified roles.
RoleVoter grants access if the token has at least one of the passed roles, but the Security component passes each of the specified roles individually to each of the voters. So to change the OR behaviour to AND behaviour all you need to do is to change the decision manager strategy:
# app/config/security.yml
security:
    access_decision_manager:
        # strategy can be: affirmative (default one), unanimous or consensus
        strategy: unanimous # if any voter returns ACCESS_DENIED, access is denied
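To make the OR-versus-AND point above concrete, here is an added example (written for this page, not Symfony's own code) that models how Symfony 2 through 4 evaluate an access_control rule: the first rule whose path matches is the only one applied, the AuthenticatedVoter grants IS_AUTHENTICATED_ANONYMOUSLY to every token (which is why the /login rule in the first question does not keep logged-in users out), the RoleHierarchyVoter expands role_hierarchy before comparing (so the ROLE_SUBSCRIBTION/ROLE_SUBSCRIPTION typo in the earlier question denies access), and the default affirmative strategy hands all roles of a rule to each voter at once while unanimous hands them over one at a time. The names Token, decide and access_control are this example's own, the sample tokens and rules are constructed from the configurations quoted in the questions, and the model is an assumption about Symfony 2-4 behaviour only; later versions replaced IS_AUTHENTICATED_ANONYMOUSLY with PUBLIC_ACCESS and changed how multiple attributes per rule are handled, so verify against the version you run.

```python
"""Stand-alone model of how Symfony 2-4 evaluates access_control rules.

Added example for this page, not Symfony's own code; Token, decide and
access_control are this example's names. It reproduces what the answers above
rely on: the FIRST matching rule wins, IS_AUTHENTICATED_ANONYMOUSLY is granted to
every token, 'affirmative' (default) treats a rule's roles as OR, and 'unanimous'
hands them to the voters one at a time and so treats them as AND.
"""
import re
from dataclasses import dataclass

GRANTED, DENIED, ABSTAIN = 1, -1, 0


@dataclass(frozen=True)
class Token:
    roles: frozenset      # roles stored on the token, e.g. {"ROLE_ADMIN"}
    authenticated: str    # "anonymous" or "full" (remember-me left out for brevity)


def reachable_roles(roles, hierarchy):
    """Transitive closure of role_hierarchy (RoleHierarchy::getReachableRoles)."""
    reachable, todo = set(roles), list(roles)
    while todo:
        for child in hierarchy.get(todo.pop(), []):
            if child not in reachable:
                reachable.add(child)
                todo.append(child)
    return reachable


def role_voter(token, attributes, hierarchy):
    """RoleHierarchyVoter: only ROLE_* attributes count; grants if ANY of them matches."""
    result = ABSTAIN
    roles = reachable_roles(token.roles, hierarchy)
    for attribute in attributes:
        if not attribute.startswith("ROLE_"):
            continue                       # not this voter's business: abstain
        result = DENIED
        if attribute in roles:
            return GRANTED
    return result


def authenticated_voter(token, attributes, hierarchy):
    """AuthenticatedVoter: IS_AUTHENTICATED_* attributes only."""
    result = ABSTAIN
    for attribute in attributes:
        if attribute == "IS_AUTHENTICATED_ANONYMOUSLY":
            return GRANTED                 # anonymous AND logged-in tokens both qualify
        if attribute == "IS_AUTHENTICATED_FULLY":
            result = DENIED
            if token.authenticated == "full":
                return GRANTED
    return result


VOTERS = (role_voter, authenticated_voter)


def decide(token, attributes, strategy="affirmative", hierarchy=None,
           allow_if_all_abstain=False):
    """AccessDecisionManager::decide for the 'affirmative' and 'unanimous' strategies."""
    hierarchy = hierarchy or {}

    def votes(attrs):
        return [voter(token, attrs, hierarchy) for voter in VOTERS]

    if strategy == "affirmative":          # all attributes at once; one grant suffices (OR)
        results = votes(attributes)
        if GRANTED in results:
            return True
        return False if DENIED in results else allow_if_all_abstain
    if strategy == "unanimous":            # one attribute at a time; any denial fails (AND)
        grant = 0
        for attribute in attributes:
            for result in votes([attribute]):
                if result == DENIED:
                    return False
                if result == GRANTED:
                    grant += 1
        return grant > 0 or allow_if_all_abstain
    raise ValueError(f"unsupported strategy {strategy!r}")


def access_control(rules, path, token, **options):
    """AccessListener: the first rule whose path regex matches decides; no match -> allowed."""
    for rule in rules:
        if re.search(rule["path"], path):
            roles = rule["roles"]
            return decide(token, [roles] if isinstance(roles, str) else list(roles), **options)
    return True


# Constructed sample tokens plus the rules quoted in the questions on this page.
ANON = Token(frozenset(), "anonymous")
PLAIN_USER = Token(frozenset({"ROLE_USER"}), "full")
ADMIN = Token(frozenset({"ROLE_ADMIN"}), "full")
LOGIN_RULES = [{"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"}]
ADMIN_TWO_RULES = [{"path": "^/admin", "roles": "IS_AUTHENTICATED_FULLY"},
                   {"path": "^/admin", "roles": "ROLE_ADMIN"}]   # never consulted
ADMIN_ONE_RULE = [{"path": "^/admin", "roles": ["ROLE_ADMIN", "IS_AUTHENTICATED_FULLY"]}]
HIERARCHY = {"ROLE_ADMIN": ["ROLE_USER"], "ROLE_SUBSCRIBTION_FOO": ["ROLE_ADMIN"]}

if __name__ == "__main__":
    print(access_control(LOGIN_RULES, "/login", ADMIN))                                  # True
    print(access_control(ADMIN_TWO_RULES, "/admin/x", PLAIN_USER))                       # True
    print(access_control(ADMIN_ONE_RULE, "/admin/x", PLAIN_USER))                        # True (OR)
    print(access_control(ADMIN_ONE_RULE, "/admin/x", PLAIN_USER, strategy="unanimous"))  # False (AND)
```

Two things the model makes visible that the YAML alone does not: writing two access_control entries for the same ^/admin path leaves the second one dead, because the listener stops at the first match, so any fully authenticated user reaches /admin regardless of ROLE_ADMIN; and with both roles in one entry, affirmative lets a plain user through because the AuthenticatedVoter's single grant outvotes the RoleVoter's denial, while unanimous returns as soon as the RoleVoter denies ROLE_ADMIN. Note also the last line of access_control: a request matched by no rule is allowed, which is the situation in the final question on this page, where a firewall without any access_control never forces the anonymous token to log in.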
If I didn't get you wrong, I think hierarchical roles are a better approach (http://symfony.com/doc/current/book/security.html#hierarchical-roles).
Hierarchical Roles
Instead of associating many roles to users, you can define role inheritance rules by creating a role hierarchy:
# app/config/security.yml
security:
    ...
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
        ROLE_BOTH_ROLE_TOGETHER: [IS_AUTHENTICATED_FULLY, ROLE_ADMIN]
And then you can check for the hierarchy.

Why doesn't Symfony2 require me to login even after I've configured the security?

This is my security setup for my Symfony2 project:
security:
    providers:
        main:
            users:
                asa: { password: test, roles: ROLE_USER }
    firewalls:
        application:
            pattern: /.*
            http_basic: true
            security: true
            logout: true
Even though I've followed the documentation, set up a user, and required authentication for the whole site, it still allows me to access it as an anonymous user. The logs say "Populated SecurityContext with an anonymous Token".
I'm using the latest version of the sandbox where '.config' was removed from 'security.config'
This wasn't working because I was missing:
access_control:
- { path: /.*, role: ROLE_USER }
Looking at the logs and some of the vendor code, the firewalls section attempted to find my user, but without access_control it didn't have any need to force me from being an anonymous user.
