Im having some trouble getting the Neo4j OGM/Symfony bundle to work with the Symfony Guard. I have added users to the database successfully. unfortunately it doesn't want to sign in and I get the following error:
Symfony\Component\Security\Core\Exception\AuthenticationServiceException: Class "App\Entity\Generic\User" is not a valid entity or mapped super class. in /home/vagrant/Code/support4neo/vendor/symfony/security/Core/Authentication/Provider/DaoAuthenticationProvider.php:85 Stack trace:
#0 /home/vagrant/Code/support4neo/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php(142): session_start()
#1 /home/vagrant/Code/support4neo/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php(299): Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->start()
#2 /home/vagrant/Code/support4neo/vendor/symfony/http-foundation/Session/Session.php(249): Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->getBag('attributes')
#3 /home/vagrant/Code/support4neo/vendor/symfony/http-foundation/Session/Session.php(271): Symfony\Component\HttpFoundation\Session\Session->getBag('attributes')
#4 /home/vagrant/Code/support4neo/vendor/symfony/http-foundation/Session/Session.php(73): Symfony\Component\HttpFoundation\Session\Session->getAttributeBag()
#5 /home/vagrant/Code/support4neo/vendor/symfony/security/Http/Firewall/ContextListener.php(88): Symfony\Component\HttpFoundation\Session\Session->get('_security_main')
#6 /home/vagrant/Code/support4neo/vendor/symfony/security-bundle/Debug/WrappedListener.php(46): Symfony\Component\Security\Http\Firewall\ContextListener->handle(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#7 /home/vagrant/Code/support4neo/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php(35): Symfony\Bundle\SecurityBundle\Debug\WrappedListener->handle(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#8 /home/vagrant/Code/support4neo/vendor/symfony/security/Http/Firewall.php(56): Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->handleRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), Object(Symfony\Component\DependencyInjection\Argument\RewindableGenerator))
#9 /home/vagrant/Code/support4neo/vendor/symfony/security-bundle/EventListener/FirewallListener.php(48): Symfony\Component\Security\Http\Firewall->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#10 [internal function]: Symfony\Bundle\SecurityBundle\EventListener\FirewallListener->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher))
#11 /home/vagrant/Code/support4neo/vendor/symfony/event-dispatcher/Debug/WrappedListener.php(104): call_user_func(Array, Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher))
#12 /home/vagrant/Code/support4neo/vendor/symfony/event-dispatcher/EventDispatcher.php(212): Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\EventDispatcher\EventDispatcher))
#13 /home/vagrant/Code/support4neo/vendor/symfony/event-dispatcher/EventDispatcher.php(44): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(Array, 'kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#14 /home/vagrant/Code/support4neo/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php(139): Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#15 /home/vagrant/Code/support4neo/vendor/symfony/http-kernel/HttpKernel.php(125): Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent))
#16 /home/vagrant/Code/support4neo/vendor/symfony/http-kernel/HttpKernel.php(66): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
#17 /home/vagrant/Code/support4neo/vendor/symfony/http-kernel/Kernel.php(190): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#18 /home/vagrant/Code/support4neo/public/index.php(37): Symfony\Component\HttpKernel\Kernel->handle(Object(Symfony\Component\HttpFoundation\Request))
#19 {main}
What could i be doing wrong?
Thanks in advance!
User Class:
<?php
/**
* Created by PhpStorm.
* User: kevin.oosterhout
* Date: 24/04/2018
* Time: 20:58
*/
namespace App\Entity\Generic;
use GraphAware\Neo4j\Client\Client;
use GraphAware\Neo4j\OGM\Annotations as OGM;
use Symfony\Component\Security\Core\User\UserInterface;
/**
*
* #OGM\Node(label="User")
*/
class User implements UserInterface
{
/**
* #OGM\GraphId()
*/
protected $id;
/**
* #OGM\Property(type="string")
*/
protected $firstname;
/**
* #OGM\Property(type="string")
*/
protected $lastname;
/**
* #OGM\Property(type="string")
*/
protected $email;
/**
* #OGM\Property(type="string")
*/
protected $password;
/**
* #return mixed
*/
public function getFirstname()
{
return $this->firstname;
}
/**
* #return mixed
*/
public function getLastname()
{
return $this->lastname;
}
/**
* #return mixed
*/
public function getEmail()
{
return $this->email;
}
/**
* #return mixed
*/
public function getPassword()
{
return $this->password;
}
/**
* #param mixed $firstname
*/
public function setFirstname($firstname): void
{
$this->firstname = $firstname;
}
/**
* #param mixed $lastname
*/
public function setLastname($lastname): void
{
$this->lastname = $lastname;
}
/**
* #param mixed $email
*/
public function setEmail($email): void
{
$this->email = $email;
}
/**
* #param mixed $password
*/
public function setPassword($password): void
{
$this->password = $password;
}
/**
* Returns the roles granted to the user.
*
* <code>
* public function getRoles()
* {
* return array('ROLE_USER');
* }
* </code>
*
* Alternatively, the roles might be stored on a ``roles`` property,
* and populated in any number of different ways when the user object
* is created.
*
* #return (Role|string)[] The user roles
*/
public function getRoles()
{
return array('ROLE_USER');
}
/**
* Returns the salt that was originally used to encode the password.
*
* This can return null if the password was not encoded using a salt.
*
* #return string|null The salt
*/
public function getSalt()
{
return null;
}
/**
* Returns the username used to authenticate the user.
*
* #return string The username
*/
public function getUsername()
{
return $this->email;
}
/**
* Removes sensitive data from the user.
*
* This is important if, at any given point, sensitive information like
* the plain-text password is stored on this object.
*/
public function eraseCredentials()
{
// TODO: Implement eraseCredentials() method.
}
}
Authenticator class:
<?php
/**
* Created by PhpStorm.
* User: kevin.oosterhout
* Date: 03/05/2018
* Time: 17:37
*/
namespace App\Security;
use App\Entity\Generic\User;
use App\Forms\LoginForm;
use GraphAware\Neo4j\OGM\EntityManager;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
class LoginFormAuthenticator extends AbstractFormLoginAuthenticator
{
public function getCredentials(Request $request)
{
return array(
'username' => $request->request->get('_username'),
'password' => $request->request->get('_password'),
);
}
public function getUser($credentials, UserProviderInterface $userProvider)
{
if($credentials['username'] === null){
return null;
}
$user = $userProvider->loadUserByUsername($credentials['username']);
return $user;
}
public function checkCredentials($credentials, UserInterface $user)
{
return true;
}
protected function getLoginUrl()
{
// TODO: Implement getLoginUrl() method.
}
public function supports(Request $request)
{
return false;
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
// TODO: Implement onAuthenticationSuccess() method.
}
}
Security.Yaml
security:
encoders:
App\Entity\Generic\User:
algorithm: bcrypt
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
UserProvider:
id: 'App\Security\UserProvider'
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
form_login:
login_path: login
check_path: login
guard:
authenticators:
- 'App\Security\LoginFormAuthenticator'
# activate different ways to authenticate
# http_basic: true
# https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate
# form_login: true
# https://symfony.com/doc/current/security/form_login_setup.html
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
# - { path: ^/admin, roles: ROLE_ADMIN }
# - { path: ^/profile, roles: ROLE_USER }
User Provider:
<?php
/**
* Created by PhpStorm.
* User: kevin.oosterhout
* Date: 04/05/2018
* Time: 07:38
*/
namespace App\Security;
use App\Entity\Generic\User;
use GraphAware\Neo4j\OGM\EntityManager;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
class UserProvider implements UserProviderInterface
{
protected $userRepository;
public function __construct(EntityManager $entityManager)
{
$this->userRepository = $entityManager->getRepository(User::class);
}
/**
* #param string $username
* #return null|User
*/
public function loadUserByUsername($username)
{
return $this->userRepository->findOneBy(['email' => $username]);
}
public function refreshUser(UserInterface $user)
{
if (!$user instanceof User) {
throw new UnsupportedUserException(
sprintf('Instance of %s is not support', get_class($user))
);
}
return $this->loadUserByUsername($user->getUsername());
}
public function supportsClass($class)
{
return User::class === $class;
}
}
Edit:
Currently it doesn't sign me in, and it doesn't give me an error. I have followed the steps explained by #dbrumann and #Christophe Willemsen
I think the problem might be with your security.yaml:
providers:
UserProvider:
entity:
class: 'App\Entity\Generic\User'
property: email
This provider tries to use Doctrine ORM to load users from. Since your User-entity is not a Doctrine-Entity, i.e. is missing the doctrine annotations, it fails. Even though the bundle registers entity managers, they don't seem to be used by the user provider.
You could create a custom user provider that is inspired by the EntityUserProvider.
I am not sure if the ogm entity managers adhere to doctrine's interfaces, but if they do, you might be able to configure the default doctrine user provider to use the neo4j entity manager by adjusting the service configuration, but it's a real pain because you have to overwrite the UserProvider-service and then inject a new ManagerRegistry with your entity manager in it. So, writing a custom UserProvider really seems to be the preferred way.
The answer from #dbrumman is correct, you will need a custom UserProvider.
I have a demo example on Github, check here : https://github.com/ikwattro/neo4j-ogm-symfony-security
There is also a PullRequest that shows how to add roles based on the Neo4j content :
https://github.com/ikwattro/neo4j-ogm-symfony-security/pull/1/files
Related
I've been having trouble implementing Symfony's Security features in my project. I have configured my Security.yaml and created a securityController , my Userclass implements userInterface , and from what I can see on the docs I haven't missed anything out. My form renders fine, and I can input my username and password, but when I submit valid credentials it just refreshes the page. Profiler showed that no SQL queries had been made, and despite me configuring authenticationUtils to display errors (as per the tutorial on the docs) nothing is displayed.
Security.yaml
security:
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
encoders:
App\Entity\User: sha256
providers:
in_memory: { memory: ~ }
main_db_provider:
entity:
class: App\Entity\User
property: username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
# anonymous: true
pattern: ^/$ #test
form_login:
login_path: login
check_path: login
csrf_token_generator: security.csrf.token_manager
provider: main_db_provider
# activate different ways to authenticate
# http_basic: true
# https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate
# form_login: true
# https://symfony.com/doc/current/security/form_login_setup.html
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
# - { path: ^/admin, roles: ROLE_ADMIN }
# - { path: ^/$, roles: ROLE_USER }
Security Controller
<?php
// src/Controller/SecurityController.php
namespace App\Controller;
use App\Entity\User;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
class SecurityController extends Controller
{
/**
* #Route("/login", name="login")
*/
public function login(Request $request, AuthenticationUtils $authenticationUtils)
{
// get the login error if there is one
$error = $authenticationUtils->getLastAuthenticationError();
// last username entered by the user
$lastUsername = $authenticationUtils->getLastUsername();
return $this->render('ad-lotto-theme/login.html.twig', array(
'last_username' => $lastUsername,
'error' => $error,
));
}
}
User class
<?php
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* #ORM\Entity(repositoryClass="App\Repository\UserRepository")
* #UniqueEntity("email", message="This email is already in use.")
* #UniqueEntity("username", message="This username is already in use")
*/
class User implements UserInterface, \Serializable
{
/**
* #ORM\Column(name="roles",type="string", length=255)
*/
private $roles;
/**
* #ORM\Column(name="salt",type="string", length=255)
*/
private $salt = "saltyboye";
/**
* #ORM\Id()
* #ORM\GeneratedValue()
* #ORM\Column(type="integer")
*/
private $id;
/**
* #ORM\Column(name="username",type="string", length=255, unique=true)
*/
private $username;
/**
* #ORM\Column(name = "password", type="string", length=255)
*/
private $password;
/**
* #ORM\Column(name="email", type="string", length=255, unique=true)
*/
private $email;
/**
* #ORM\Column(type="datetime")
*/
private $registeredOn;
/**
* #ORM\Column(type="integer", nullable=true)
*/
private $referrer;
/**
* #ORM\Column(type="smallint")
*/
private $entries;
/**
* #ORM\Column(type="string", length=3)
*/
private $currency;
/** #see \Serializable::serialize() */
public function serialize()
{
return serialize(array(
$this->registeredOn,
$this->id,
$this->email,
$this->username,
$this->password,
$this->roles,
$this->referrer,
$this->currency,
$this->entries,
$this->salt));
// see section on salt below
// ,
}
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
// see section on salt below
// $this->salt
) = unserialize($serialized, array('allowed_classes' => false));
}
public function eraseCredentials()
{
}
public function getRoles()
{
return array("ROLE_USER");
}
public function getSalt()
{
return $this->salt;
}
public function getId()
{
return $this->id;
}
public function getUsername(): ?string
{
return $this->username;
}
public function setUsername(string $username): self
{
$this->username = $username;
return $this;
}
public function getPassword(): ?string
{
return $this->password;
}
public function setPassword(string $password): self
{
$this->password = $password;
return $this;
}
public function getEmail(): ?string
{
return $this->email;
}
public function setEmail(string $email): self
{
$this->email = $email;
return $this;
}
public function getRegisteredOn(): ?\DateTimeInterface
{
return $this->registeredOn;
}
public function setRegisteredOn(\DateTimeInterface $registeredOn): self
{
$this->registeredOn = $registeredOn;
return $this;
}
public function getReferrer(): ?interedThisWeek
{
return $this->referrer;
}
public function setReferrer(?int $referrer): self
{
$this->referrer = $referrer;
return $this;
}
public function getEntries(): ?bool
{
return $this->entries;
}
public function setEntries(bool $entries): self
{
$this->entries = $entries;
return $this;
}
public function setCurrency(bool $currency): self
{
$this->currency = $currency;
return $this;
}
public function getCurrency(): ?bool
{
return $this->currency;
}
}
that salt is temporary, don't worry :) I haven't figured out how to implement SHA256 yet, but I needed to fill the field in the db :)
I'm assuming you follow this official tutorial: How to Build a Traditional Login Form
First of all your firewall configured to only 1 URI - / because of regex ^/$, so login form and other routes are not under the firewall.
Try to follow the tutorial from start to end just as it says there, make sure everything works and only then make changes.
I want to use ConstraintValidator in my custom login authentication (using SimpleForm) to validate google Recaptcha of this bundle EWZRecaptchaBundle I have not an idea
security.yaml main firewall section:
providers:
default:
entity:
class: App:User
property: phone
main:
pattern: ^/
anonymous: ~
provider: default
simple_form:
authenticator: App\Security\Authenticator\UserAuthenticator
check_path: login
login_path: login
username_parameter: phone
password_parameter: password
use_referer: true
logout:
path: logout
I need to use Validaitor in App\Security\Authenticator\UserAuthenticator
This is my Custom Authenticator (App\Security\Authenticator\UserAuthenticator):
//...
class UserAuthenticator implements SimpleFormAuthenticatorInterface
{
private $encoder;
public function __construct(UserPasswordEncoderInterface $encoder)
{
$this->encoder = $encoder;
}
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
try {
$user = $userProvider->loadUserByUsername($token->getUsername());
}
catch (UsernameNotFoundException $exception) {
throw new CustomUserMessageAuthenticationException("invalid");
}
$isPasswordValid = $this->encoder->isPasswordValid($user, $token->getCredentials());
if ($isPasswordValid) {
return new UsernamePasswordToken($user, $user->getPassword(), $providerKey, $user->getRoles());
}
throw new CustomUserMessageAuthenticationException("invalid");
}
public function supportsToken(TokenInterface $token, $providerKey)
{
return $token instanceof UsernamePasswordToken && $token->getProviderKey() === $providerKey;
}
public function createToken(Request $request, $username, $password, $providerKey)
{
return new UsernamePasswordToken($username, $password, $providerKey);
}
}
Check out How to Create a Custom Authentication System with Guard for a simpler and more flexible way to accomplish custom authentication tasks like this.
Especially the getCredentials method of the GuardAuthenticator class that you will create.
getCredentials(Request $request)
This will be called on every request and your job is to read the token (or whatever your "authentication" information is) from the request and return it. These credentials are later passed as the first argument of getUser().
or whatever your "authentication" information is so you will be able to handle the value passed within the recaptcha.
<?php
namespace App\Security\Authenticator;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
use Symfony\Component\Validator\Validator\Validator\ValidatorInterface;
class FormLoginAuthenticator extends AbstractFormLoginAuthenticator
{
/**
* #var UserPasswordEncoderInterface
*/
private $encoder;
/**
* #var ValidatorInterface
*/
private $validator;
/**
* FormLoginAuthenticator constructor.
* #param UserPasswordEncoderInterface $encoder
* #param IsTrueValidator $isTrueValidator
*/
public function __construct(UserPasswordEncoderInterface $encoder, ValidatorInterface $validator)
{
$this->encoder = $encoder;
$this->validator = $validator;
}
/**
* Return the URL to the login page.
*
* #return string
*/
protected function getLoginUrl()
{
return '/login';
}
/**
* Does the authenticator support the given Request?
*
* If this returns false, the authenticator will be skipped.
*
* #param Request $request
*
* #return bool
*/
public function supports(Request $request)
{
return true;
}
/**
*
* #param Request $request
*
* #return mixed Any non-null value
*
* #throws \UnexpectedValueException If null is returned
*/
public function getCredentials(Request $request)
{
$violations = $this->validator->validate($request->request->get('g-recaptcha-response'), new IsTrue());
if($violations->count() > 0){
throw new AuthenticationException(self::INVALID_RECAPTCHA);
}
return array(
'username' => $request->request->get('_username'),
'password' => $request->request->get('_password'),
);
}
/**
* Return a UserInterface object based on the credentials.
*
* The *credentials* are the return value from getCredentials()
*
* You may throw an AuthenticationException if you wish. If you return
* null, then a UsernameNotFoundException is thrown for you.
*
* #param mixed $credentials
* #param UserProviderInterface $userProvider
*
* #throws AuthenticationException
*
* #return UserInterface|null
*/
public function getUser($credentials, UserProviderInterface $userProvider)
{
return $userProvider->loadUserByUsername($credentials['username']);
}
/**
* Returns true if the credentials are valid.
*
* If any value other than true is returned, authentication will
* fail. You may also throw an AuthenticationException if you wish
* to cause authentication to fail.
*
* The *credentials* are the return value from getCredentials()
*
* #param mixed $credentials
* #param UserInterface $user
*
* #return bool
*
* #throws AuthenticationException
*/
public function checkCredentials($credentials, UserInterface $user)
{
$plainPassword = $credentials['password'];
if (!empty($plainPassword) && !$this->encoder->isPasswordValid($user, $plainPassword)) {
throw new BadCredentialsException();
}
return true;
}
/**
* Called when authentication executed and was successful!
*
* If you return null, the current request will continue, and the user
* will be authenticated. This makes sense, for example, with an API.
*
* #param Request $request
* #param TokenInterface $token
* #param string $providerKey The provider (i.e. firewall) key
*
* #return Response|null
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
return null;
}
}
Make sure your authenticator is registered as a service. If you're using the default services.yaml configuration, that happens automatically. So you will be able also to pass the EWZRecaptchaBundle validator in the constructor of the GuardAuthenticator, then you can use it to validate the recaptcha value before sending the username and the password in getCredentials
and change security.yaml like this:
providers:
default:
entity:
class: App:User
property: phone
main:
pattern: ^/
anonymous: ~
provider: default
guard:
authenticators:
- App\Security\FormLoginAuthenticator
logout: ~
I am learning Symfony 4, and I am lost with user roles and I don't know where to start.
Because it will be an intranet like website Users will not register themselves, the admin will register them and set the role. The admin can also create new roles dynamically.
I would like to store user roles in database. I have 2 entities User and Role. (Relations are not defined yet, that´s normal)
Here is my User entity :
<?php
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* #ORM\Entity(repositoryClass="App\Repository\UserRepository")
* #UniqueEntity(fields="email", message="Email already taken")
* #UniqueEntity(fields="username", message="Username already taken")
*/
class User implements UserInterface, \Serializable
{
/**
* #ORM\Id
* #ORM\GeneratedValue(strategy="AUTO")
* #ORM\Column(type="integer", unique=true)
*/
private $id;
/**
* #ORM\Column(type="string", length=255)
*/
private $firstname;
/**
* #ORM\Column(type="string", length=255)
*/
private $lastname;
/**
* #ORM\Column(type="string", length=255)
*/
private $email;
/**
* #ORM\Column(type="date")
*/
private $birthdate;
/**
* #ORM\Column(type="integer", nullable=true)
*/
private $roleId;
/**
* #ORM\Column(type="string", length=255, nullable=false)
*/
private $username;
/**
* #Assert\NotBlank()
* #Assert\Length(max=4096)
*/
private $plainPassword;
/**
* #ORM\Column(type="string", length=255, nullable=false)
*/
private $password;
/**
* #ORM\Column(name="is_active", type="boolean", nullable=true)
*/
private $isActive;
// GETTERS
public function getId()
{
return $this->id;
}
public function getFirstname()
{
return $this->firstname;
}
public function getLastname()
{
return $this->lastname;
}
public function getBirthdate()
{
return $this->birthdate;
}
public function getEmail()
{
return $this->email;
}
public function getRoleId()
{
return $this->roleId;
}
public function getRoles()
{
return array('ROLE_USER');
}
public function getUsername()
{
return $this->username;
}
public function getPlainPassword()
{
return $this->plainPassword;
}
public function getPassword()
{
return $this->password;
}
public function getSalt()
{
return null;
}
// SETTERS
public function setFirstname($firstname)
{
$this->firstname = $firstname;
}
public function setLastname($lastname)
{
$this->lastname = $lastname;
}
public function setEmail($email)
{
$this->email = $email;
}
public function setBirthdate($birthdate)
{
$this->birthdate = $birthdate;
}
public function setRoleId($roleId)
{
$this->roleId = $roleId;
}
public function setUsername($username)
{
$this->username = $username;
}
public function setPlainPassword($password)
{
$this->plainPassword = $password;
}
public function setPassword($password)
{
$this->password = $password;
}
// FUNCTIONS
public function serialize()
{
return serialize(array(
$this->id,
$this->username,
$this->password,
// see section on salt below
// $this->salt,
));
}
/** #see \Serializable::unserialize() */
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
// see section on salt below
// $this->salt
) = unserialize($serialized);
}
public function eraseCredentials()
{
}
}
Here is my Role entity :
<?php
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
/**
* #ORM\Entity(repositoryClass="App\Repository\RoleRepository")
*/
class Role
{
/**
* #ORM\Id
* #ORM\GeneratedValue
* #ORM\Column(type="integer", unique=true)
*/
private $id;
/**
* #ORM\Column(type="string", length=255, nullable=false)
*/
private $type;
// GETTERS
public function getId()
{
return $this->id;
}
public function getType()
{
return $this->type;
}
// SETTERS
public function setType($type): void
{
$this->type = $type;
}
}
Is it a good practice to do so ??
On the Symfony documentation, we can read everywhere the "macros" ROLE_USER, ROLE_ADMIN... Where are they defined ? Can we customize this ?
Symfony used to support role entities with a RoleInterface, much like with your user implementing the UserInterface. It was decided that this is unnecessary as the roles-table will usually only contain 2 fields (id, name) which means we might just as well store the roles directly in the users table.
So, if you want to follow Symfony best practices you would just have your roles in the user, for example like this:
class User implements UserInterface
{
/** #Column(type="json") */
private $roles = [];
public function getRoles(): array
{
return array_unique(array_merge(['ROLE_USER'], $this->roles));
}
public function setRoles(array $roles)
{
$this->roles = $roles;
}
public function resetRoles()
{
$this->roles = [];
}
}
If you don't want to store the roles as JSON-encoded string you can also use #Column(type="array") */ or write a custom DBAL type, e.g some kind of EnumType. You might also want to secure the setter against invalid data or add validation.
Regarding the second question about the roles used in the documentation: Symfony has some predefined roles and pseudo-roles for certain features:
IS_AUTHENTICATED_ANONYMOUSLY
IS_AUTHENTICATED_REMEMBERED
IS_AUTHENTICATED_FULLY
ROLE_ALLOWED_TO_SWITCH (for user switching)
The other roles like ROLE_USER and ROLE_ADMIN are purely exemplary and you may use them as you see fit. You do not even have to start your own roles with a ROLE_ (although some security features rely on this convention and things will not work as expected for those roles unless you do some manual changes).
Recommended Reading from current Symfony Documentation (version 4 at the time of this answer):
https://symfony.com/doc/current/security.html#hierarchical-roles
Symfony recommends defining role inheritance, please see if it helps; from the link just above,
"
Instead of giving many roles to each user, you can define role inheritance rules by creating a role hierarchy:
# config/packages/security.yaml
security:
# ...
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
Users with the ROLE_ADMIN role will also have the ROLE_USER role. And users with ROLE_SUPER_ADMIN, will automatically have ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH and ROLE_USER (inherited from ROLE_ADMIN).
For role hierarchy to work, do not try to call $user->getRoles() manually. For example, in a controller extending from the base controller:
// BAD - $user->getRoles() will not know about the role hierarchy
$hasAccess = in_array('ROLE_ADMIN', $user->getRoles());
// GOOD - use of the normal security methods
$hasAccess = $this->isGranted('ROLE_ADMIN');
$this->denyAccessUnlessGranted('ROLE_ADMIN');
" end of copying
I think storing the role as a string is enough if inheritance fits your needs.
I'm stack heeeere in security, help me please!!
I got this error 2 days ago and couldn't solve it : "The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL." My login in the index page, and the login and login_check are in the same function (indexAction).This is my security.yml file, my controller, and my entity "user" :
# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
# http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
encoders:
#Symfony\Component\Security\Core\User\User: plaintext
CNAM\CMSBundle\Entity\user: bcrypt
# http://symfony.com/doc/current/book/security.html#hierarchical-roles
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
# http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
providers:
in_memory:
memory:
users:
user: { password: userpass, roles: [ 'ROLE_USER' ] }
admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
database:
entity:
class: CNAM\CMSBundle\Entity\user
property: username
# the main part of the security, where you can set up firewalls
# for specific sections of your app
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
admin_area:
pattern: ^/admin
form_login:
check_path: _default_index
login_path: _default_index
access_control:
#- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY}
- { path: ^/admin, roles: ROLE_ADMIN}
<?php
namespace CNAM\CMSBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
use Symfony\Component\HttpFoundation\Request;
use CNAM\CMSBundle\Entity\user;
use CNAM\CMSBundle\Entity\userprof;
use CNAM\CMSBundle\Entity\profil;
use CNAM\CMSBundle\Entity\privilege;
use Symfony\Component\BrowserKit\Response;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilder;
use Symfony\Component\Security\Core\Security;
class DefaultController extends Controller
{
/**
* #Route("/")
* #Template()
*/
public function indexAction(Request $request)
{
$user = new user();
$form = $this->createFormBuilder($user)
->add('id', 'text',array('attr'=>array('name'=>'login_user','required'=>'required',
'maxlength'=>'255','placeholder'=>'Votre matricule','id'=>'login_user')))
->add('password', 'password',array('attr'=>array('name'=>'login_password','required'=>'required',
'maxlength'=>'20','placeholder'=>'Mot de passe','id'=>'login_password')))
->add('Connexion', 'submit',array('attr'=>array('class'=>'btn btn-primary btn-block rounded_btn','id'=>'login_btn',
'style'=>"width:8vw;height:5vh;padding:0px 0px; position:relative;left:5vmin;top:1vmin;font-size:2vmin;")))
->getForm();
$form->handleRequest($request);
//$b_search=$this->get('session')->get('search');
$id = $request->request->get('id');
$session = $request->getSession();
if ($form->isValid()) {
$data = $form->getData();
$repository = $this
->getDoctrine()
->getManager()
->getRepository("CNAMCMSBundle:user");
$rep = $this
->getDoctrine()
->getManager()
->getRepository("CNAMCMSBundle:userprof");
$search = $repository->find($data);
$p_search=$rep->find($data);
$helper = $this->get('security.authentication_utils');
if (!$search) {
//throw $this->createNotFoundException('Utilisateur introuvable!');
}
else {
//$session=$this->get("session");
//$session->start();
// $session->set('search', $search);
$user->setEtat(1);
$em = $this->getDoctrine()->getManager();
$user=$em->merge($user);
$em->flush();
$id_prof=$p_search->getIdProfil();
switch ($id_prof)
{
case 1: return $this->redirect($this->generateUrl('cnam_cms_default_webmaster'),301);break;
case 2: $user->setRole("ROLE_ADMIN");$em = $this->getDoctrine()->getManager();$user=$em->merge($user);
$em->flush();return $this->redirect($this->generateUrl('cnam_cms_default_admin'),301);break;
case 3: return $this->redirect($this->generateUrl('cnam_cms_default_sup_med'),301);break;
case 4: return $this->redirect($this->generateUrl('cnam_cms_default_med'),301);break;
case 5: return $this->redirect($this->generateUrl('cnam_cms_default_gest_mp'),301);break;
}
}
//return $this->render('CNAMCMSBundle:Default:profile.html.twig', array(
//'search' => $search,
//'b_search'=>$b_search
// ));
}
return array('form'=>$form->createView());
}
/**
* #Route("/admin")
* #Template()
*/
public function adminAction()
{
return $this->render('CNAMCMSBundle:Default:admin.html.twig', array());
}
/**
* #Route("/admin/gestEtat",name="gestEtat")
* #Template()
*/
public function gestEtatAction()
{
return $this->render('CNAMCMSBundle:Default:gestEtat.html.twig', array());
}
}
<?php
namespace CNAM\CMSBundle\Entity;
use Doctrine\ORM\Mapping as ORM;
use Doctrine\Common\Collections\ArrayCollection;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* user
*
* #ORM\Table(name="user")
* #ORM\Entity
*/
class user implements UserInterface
{
/**
* #var integer
*#Assert\NotBlank()
* #ORM\Column(name="id", type="integer")
* #ORM\Id
*/
private $id;
/**
* #var string
*#Assert\NotBlank()
* #ORM\Column(name="password", type="string", length=40)
*/
private $password;
/*
* #ORM\ManyToOne(targetEntity="profil" , inversedBy="users")
* #ORM\JoinColumn(name="id_profil", referencedColumnName="id_profil")
*/
private $profil;
public function __construct()
{
$this->profil = new ArrayCollection();
}
/**
* #var boolean
*
* #ORM\Column(name="etat", type="boolean")
*/
private $etat;
/**
* Get id
*
* #return integer
*/
public function getId()
{
return $this->id;
}
/**
* Set id
*
* #param integer $id
* #return user
*/
public function setId($id)
{
$this->id = $id;
return $this;
}
/**
* Set password
*
* #param string $password
* #return user
*/
public function setPassword($password)
{
$this->password = $password;
return $this;
}
/**
* Get password
*
* #return string
*/
public function getPassword()
{
return $this->password;
}
/**
* Set etat
*
* #param boolean $etat
* #return user
*/
public function setEtat($etat)
{
$this->etat = $etat;
return $this;
}
/**
* Get etat
*
* #return boolean
*/
public function getEtat()
{
return $this->etat;
}
/**
* Get profil
*
* #return \Doctrine\Common\Collections\Collection
*/
public function getProfil()
{
return $this->profil;
}
/**
* Add profil
*
* #param \CNAM\CMSBundle\Entity\user $profil
* #return user
*/
public function addProfil(\CNAM\CMSBundle\Entity\profil $profil)
{
$this->profil[] = $profil;
return $this;
}
/**
* Remove profil
*
* #param \CNAM\CMSBundle\Entity\profil $profil
*/
public function removeProfil(\CNAM\CMSBundle\Entity\profil $profil)
{
$this->profil->removeElement($profil);
}
public function getUsername()
{
return $this->id;
}
public function getRoles()
{
return array('ROLE_USER');
}
public function getSalt()
{
return null;
}
public function eraseCredentials()
{
}
public function equals(UserInterface $user)
{
return $user->getId() == $this->getId();
}
}
I have a symfony app which serve a RESTful API(for mobile app) and have backend administration.
I can succesfuly login to the backend via facebook, but how should I allow loggin via the RESTful API?
Wooh.. after almost 12 hours(!) here is the solution for anyone who looking for too:
We need to create new custom firewall
This factory should connect to the FOSFacebook and validate the token
If it using our new firewall it should manually disable any session or cookie.
To use the firewall we need to send our token in every request
The code
First define our firewall listener
GoDisco/UserBundle/Security/Firewall/ApiFacebookListener.php
<?php
/**
* Authored by AlmogBaku
* almog.baku#gmail.com
* http://www.almogbaku.com/
*
* 9/6/13 2:17 PM
*/
namespace Godisco\UserBundle\Security\Firewall;
use FOS\FacebookBundle\Security\Authentication\Token\FacebookUserToken;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Http\Firewall\ListenerInterface;
use Symfony\Component\HttpFoundation\Session\Session;
/**
* API gateway through Facebook oAuth token: Firewall
*
* Class ApiFacebookListener
* #package Godisco\UserBundle\Security\Firewall
*/
class ApiFacebookListener implements ListenerInterface
{
/**
* #var \Symfony\Component\Security\Core\SecurityContextInterface
*/
protected $securityContext;
/**
* #var \Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface
*/
protected $authenticationManager;
/**
* #var Session
*/
protected $session;
/**
* #var string
*/
protected $providerKey;
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, Session $session, $providerKey)
{
if (empty($providerKey)) {
throw new \InvalidArgumentException('$providerKey must not be empty.');
}
$this->securityContext = $securityContext;
$this->authenticationManager = $authenticationManager;
$this->session = $session;
$this->providerKey=$providerKey;
}
/**
* #param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event The event.
*/
public function handle(GetResponseEvent $event)
{
$accessToken = $event->getRequest()->get('access_token');
$token = new FacebookUserToken($this->providerKey, '', array(), $accessToken);
/**
* force always sending token
*/
$_COOKIE=array();
$this->session->clear();
try {
if($accessToken)
$returnValue = $this->authenticationManager->authenticate($token);
$this->securityContext->setToken($returnValue);
}
} catch(AuthenticationException $exception) {
if(!empty($accessToken))
$event->setResponse(new Response(array("error"=>$exception->getMessage()),401));
}
}
}
Than create a new security factory which calling our listener, and will connect the authentication to the FOSFacebookBundle.
GoDisco/UserBundle/DependencyInjection/Security/Factory/ApiFacebookFactory.php
<?php
/**
* Authored by AlmogBaku
* almog.baku#gmail.com
* http://www.almogbaku.com/
*
* 9/6/13 2:31 PM
*/
namespace GoDisco\UserBundle\DependencyInjection\Security\Factory;
use FOS\FacebookBundle\DependencyInjection\Security\Factory\FacebookFactory;
use Symfony\Component\Config\Definition\Builder\NodeDefinition;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\DefinitionDecorator;
/**
* API gateway through Facebook oAuth token: Factory
*
* Class ApiFacebookFactory
* #package GoDisco\UserBundle\DependencyInjection\Security\Factory
*/
class ApiFacebookFactory extends FacebookFactory
{
/**
* {#inheritdoc}
*/
public function getKey()
{
return 'api_facebook';
}
/**
* {#inheritdoc}
*/
public function addConfiguration(NodeDefinition $node)
{
$builder = $node->children();
$builder
->scalarNode('provider')->end()
->booleanNode('remember_me')->defaultFalse()->end()
;
foreach ($this->options as $name => $default) {
if (is_bool($default)) {
$builder->booleanNode($name)->defaultValue($default);
} else {
$builder->scalarNode($name)->defaultValue($default);
}
}
}
/**
* {#inheritdoc}
*/
protected function createEntryPoint($container, $id, $config, $defaultEntryPointId)
{
return null;
}
/**
* {#inheritdoc}
*/
protected function createListener($container, $id, $config, $userProvider)
{
$listenerId = "api_facebook.security.authentication.listener";
$listener = new DefinitionDecorator($listenerId);
$listener->replaceArgument(3, $id);
$listenerId .= '.'.$id;
$container->setDefinition($listenerId, $listener);
return $listenerId;
}
}
Defining the listener service, so we can inject the arguments
GoDisco/UserBundle/Resources/config/services.yml
services:
api_facebook.security.authentication.listener:
class: GoDisco\UserBundle\Security\Firewall\ApiFacebookListener
arguments: ['#security.context', '#security.authentication.manager', '#session', '']
Defining our new firewall!
app/config/security.yml
security:
api:
pattern: ^/api
api_facebook:
provider: godisco_facebook_provider
stateless: true
anonymous: true
main:
...
You need to implement oAuth authentication from your client app.
This was answered before:
How to restfully login, Symfony2 Security, FOSUserBundle, FOSRestBundle?