I'm working on a small app with Symfony 2.5, and I'd like to know what the best way is to handle security, but for only one user. I could do this with an .htaccess, but maybe there exists some light and quickly installable sf2 bundle which could do the job. I don't want role stuff, or profiles, just a way to authenticate myself.
Symfony2 lets you easily use HTTP authentication. Together with the in_memory provider, you have a perfect solution for your use case.
From the docs:
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            http_basic:
                realm: "Secured Demo Area"

    access_control:
        - { path: ^/admin/, roles: ROLE_ADMIN }
        # Include the following line to also secure the /admin path itself
        # - { path: ^/admin$, roles: ROLE_ADMIN }

    providers:
        in_memory:
            memory:
                users:
                    ryan: { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }

    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
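As an added example (not the answer's config and not the Symfony docs' snippet), here is the same http_basic plus in_memory approach reduced to the single-user case from the question, with the password stored as a bcrypt hash instead of plaintext. The user name `owner`, the realm text and the hash value are placeholders; the hash must be generated yourself.

```yaml
# Added example for Symfony 2.5: one user, HTTP Basic on the whole site,
# password kept as a bcrypt hash rather than in the clear.
security:
    encoders:
        # bcrypt instead of plaintext: if security.yml leaks, the attacker
        # gets a hash to crack, not a password to log in with.
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12

    providers:
        in_memory:
            memory:
                users:
                    # Placeholder hash. Generate your own with PHP:
                    # password_hash('your-password', PASSWORD_BCRYPT, ['cost' => 12])
                    owner:
                        password: '$2y$12$REPLACE_WITH_YOUR_BCRYPT_HASH'
                        roles: 'ROLE_USER'

    firewalls:
        # Leaves the debug toolbar and assets unprotected; keep this only
        # in the dev environment.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            pattern: ^/
            anonymous: ~
            http_basic:
                realm: "Private area"

    access_control:
        # Every path requires the logged-in user; nothing is public.
        - { path: ^/, roles: ROLE_USER }
```

Two caveats that follow from this setup: HTTP Basic sends the credentials with every request, so serve the site over HTTPS only, and the browser keeps the credentials for the whole session, so there is no server-side logout; closing the browser is the only way to end the session.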
I have read the docs and followed this similar question:
Allow anonymous access to specific URL in symfony firewall protected bundle
Using Symfony 4.1.4 I have tried the following:
access_control:
    - { path: ^/rpi/service/application/quote/approve, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/rpi, roles: ROLE_USER }
    - { path: ^/erp, roles: ROLE_USER }
However when I access the first URI as anonymous I am prompted by the http_basic_ldap login screen. Any ideas?
You need
    anonymous: true
in your firewall, as in the default configuration config/packages/security.yml:
security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory: { memory: ~ }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: true
Anonymous authentication means that the user is authenticated and has a token, but it is an anonymous token.
If you do not have anonymous: true, the AnonymousAuthenticationListener will never run for your firewall, and never create an anonymous token.
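As an added example (not the answer's config), the question's access_control combined with the fix from the answer in one Symfony 4.1 security.yaml. It uses plain http_basic because the http_basic_ldap settings are not shown on the page; the realm text is a placeholder.

```yaml
# Added example: anonymous token enabled so that one public path can be
# exempted from an otherwise HTTP Basic protected firewall.
security:
    providers:
        # Placeholder provider; add real users here (or use your LDAP provider).
        in_memory: { memory: ~ }

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            # Without this line no anonymous token is created, so the
            # IS_AUTHENTICATED_ANONYMOUSLY rule below can never match and
            # every request is challenged for credentials.
            anonymous: true
            http_basic:
                realm: "Secured Area"

    access_control:
        # Rules are checked top to bottom and the first match wins, so the
        # public exception must precede the broader ^/rpi rule.
        - { path: ^/rpi/service/application/quote/approve, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/rpi, roles: ROLE_USER }
        - { path: ^/erp, roles: ROLE_USER }
```

The order of the access_control entries matters as much as the anonymous setting: if the ^/rpi rule were listed first, the approve URL would match it and require ROLE_USER regardless of the exception below it.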
I installed the Aimeos 2016 bundle on Symfony 3.1.2. The /list route works but when I go to /admin and try to log in, I get an error:
Unable to find the controller for path "/admin_check". The route is wrongly configured.
I did not do anything else to the code.
Any help would be appreciated!
Did you set up Symfony authentication exactly like in the example?
security:
    providers:
        admin:
            memory:
                users:
                    admin: { password: secret, roles: [ 'ROLE_ADMIN' ] }
        aimeos_customer:
            entity: { class: AimeosShopBundle:User, property: username }
        in_memory:
            memory: ~

    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        Aimeos\ShopBundle\Entity\User:
            algorithm: sha1
            encode_as_base64: false
            iterations: 1

    firewalls:
        aimeos_admin:
            pattern: ^/(admin|extadm|jqadm|jsonadm)
            anonymous: ~
            provider: admin
            form_login:
                login_path: /admin
                check_path: /admin_check
        aimeos_myaccount:
            pattern: ^/myaccount
            provider: aimeos_customer
            http_basic:
                realm: "MyAccount"
        main:
            anonymous: ~

    access_control:
        - { path: ^/(extadm|jqadm|jsonadm), roles: ROLE_ADMIN }
        - { path: ^/myaccount, roles: ROLE_USER }
The Symfony security framework is quite picky about the configuration, and even minor changes will break it.
I'm pretty new to Symfony. Although I've managed to set up a working site with role-based authentication and firewalls, I'm really struggling to work out how to build a system that allows users to log in and have access to a page that only they and the admin have access to.
What I really want is a dynamic security role which enables the user in the current session access to their own private page and blocks everyone else...
Here's my actual config:
security:
    encoders: #define the encoders used to encode passwords
        Symfony\Component\Security\Core\User\User: plaintext
        IntuitByDesign\UserBundle\Entity\User: bcrypt

    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER]

    providers:
        chain_provider:
            chain:
                providers: [in_memory, user_db]
        in_memory:
            memory:
                users:
                    admin: { password: adminpass, roles: ROLE_ADMIN }
        user_db:
            entity: {class: IntuitByDesignUserBundle:User, property: username }

    firewalls:
        main:
            logout: true
            pattern: /.*
            form_login:
                login_path: login
                check_path: login
                default_target_path: /user
            logout:
                path: /logout
                target: /
            security: true
            anonymous: true

    access_control:
        - { path: /login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /logout, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /user, roles: ROLE_ADMIN }
        - { path: /user-page/, roles: ROLE_USER}
        - { path: /.*, roles: IS_AUTHENTICATED_ANONYMOUSLY }
Any hints on how to do this?
Update: After login I would like to redirect to a page that only the specific logged-in user can see.
I thought a way that this might be achieved could be with matching the session username with the user path?
You could check in the redirected action, if the user is logged in. If yes, load the data according to the user. e.g. you load the needed data by his user id.
So every user sees the data which is related with himself.
You can find more information about user authentication handling in this question: How to check if an user is logged in Symfony2 inside a controller?
Look at FOSUserBundle.
You can create a user system easily.
Background
According to the Symfony documentation the login form needs to be specified in the security.yml file, along with its login_check path. Until now my app is working fine: users try to access a secure page (mysite.com/edit/123); if they are not logged in they are redirected to /login, and after they log in they are redirected again to the originally intended path (/edit/123).
Similar question: Two separate login pages in Symfony 2
Problem
The problem now is that I need a different login form, let's say /minimal_login. I need to include that in the security.yml, but the only way I know is creating a different firewall, and as I saw in the documentation this creates a separate identification scheme, so I suppose users logged in by different firewalls cannot share the same secured pages, and that's not what I want.
What I need
If the user tries to access any secure page but /popup they will be redirected to /login, BUT if they try to access /popup (and they are not logged in) they will be redirected to /minimal_login. And no matter how the user logs into my app, they will always share the same access; I mean, if they log in using /login or /minimal_login they can access the same pages.
My security.yml
jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]

    providers:
        main:
            entity: {class: Done\PunctisBundle\Entity\User, property: username}

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            remember_me:
                key: %secret%
                lifetime: 3600
                path: /
                domain: ~
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
            logout:
                path: /logout
                target: /

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/signup, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/verification, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/popup/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/ajax/track, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/ajax/socialbox, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }

    encoders:
        Done\PunctisBundle\Entity\User:
            algorithm: md5
            iterations: 1
            encode_as_base64: false
I faced a similar problem and I solved using the firewall context configuration.
firewalls:
    somename:
        # ...
        context: my_context
    othername:
        # ...
        context: my_context
http://symfony.com/doc/current/reference/configuration/security.html#firewall-context
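As an added example (not the answer's config and not the asker's security.yml), the shared-context idea applied to the question: a second firewall serves /popup with its own login form at /minimal_login, and both firewalls share one context so a login through either form is valid for every secured page. The firewall names, the context name `shared_context`, the /minimal_login and /minimal_login_check paths and the `default_target_path` are assumptions; the two minimal_login routes must exist in routing, exactly as /login and /login_check do today. The remember_me, jms_security_extra and encoder settings from the question are left out for brevity and would be kept unchanged.

```yaml
# Added example for Symfony 2: two login forms, one shared authentication context.
security:
    providers:
        main:
            entity: { class: Done\PunctisBundle\Entity\User, property: username }

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Declared before "main": firewalls are matched in order and the
        # first matching pattern wins, so this must precede the catch-all.
        # Its pattern also covers /minimal_login_check, which the
        # check_path below requires.
        popup:
            pattern: ^/(popup|minimal_login)
            context: shared_context
            provider: main
            anonymous: ~
            form_login:
                login_path: /minimal_login
                check_path: /minimal_login_check
                default_target_path: /popup/

        main:
            pattern: ^/
            # Same context name: both firewalls read and write the same
            # security token in the session, so a user who logged in via
            # /minimal_login is already authenticated here, and vice versa.
            context: shared_context
            provider: main
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
            logout:
                path: /logout
                target: /

    access_control:
        # Both login forms and their check paths must stay reachable anonymously.
        - { path: ^/(login|minimal_login), roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/signup, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/verification, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # /popup is now protected; an anonymous visitor hitting it is sent
        # to /minimal_login because the "popup" firewall handles that path.
        - { path: ^/, roles: ROLE_USER }
```

Because the token lives in the shared context, the single /logout on the main firewall also ends the session for pages served by the popup firewall; there is no need for a second logout path.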
I am testing the security environment within Symfony2 and have a problem with the logout process.
Here is my security.yml file
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            switch_user: true
            logout:
                path: /logout
                target: /
            http_basic:
                realm: "Secured Demo Area"

    access_control:
        - { path: ^/item, roles: [ 'ROLE_USER' ] }

    providers:
        in_memory:
            users:
                collector: { password: collector, roles: 'ROLE_USER' }
                admin: { password: admin, roles: 'ROLE_ADMIN' }

    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
Problem is that when I go to mysite.site/app_dev.php/logout it does redirect me to "target" but does not log out active user.
Does anyone know where I am wrong?
Since you are using HTTP authentication, the reason might be that your browser caches your credentials and logs in again automatically. Try using HTML form authentication and see if the problem persists.
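As an added example (not the answer's config and not the asker's file), the question's security.yml rewritten to use form_login so that /logout actually ends the session. The /login and /login_check paths are assumptions and need matching routes plus a login template; the provider is written in the `memory:` form used by Symfony 2.1 and later, and the plaintext passwords are kept only to mirror the question.

```yaml
# Added example: logout works with form_login because the credentials live
# in the server-side session, which the logout listener can invalidate.
# With http_basic the browser re-sends its cached Authorization header on the
# very next request, so the user is silently authenticated again.
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    providers:
        in_memory:
            memory:
                users:
                    collector: { password: collector, roles: 'ROLE_USER' }
                    admin: { password: admin, roles: 'ROLE_ADMIN' }

    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            switch_user: true
            form_login:
                login_path: /login
                check_path: /login_check
            logout:
                path: /logout
                target: /
                # Default in Symfony 2, spelled out here: destroy the session
                # so no token survives the logout.
                invalidate_session: true

    access_control:
        # The login form and its check path must be reachable before login.
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/item, roles: ROLE_USER }
```

If HTTP Basic has to stay, the only reliable way to end the session is on the client side (closing the browser or clearing its cached credentials); no logout configuration on the server can stop the browser from replaying the header.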