I want to check whether a user is logged in before calling most of the methods in my web application. I don't know how to do that. I want something like before_filter in Ruby on Rails. I have checked the before filter in the Symfony2 documentation, but it does not help me. I need a real-life example for the login.
This is the link I have checked: http://symfony.com/doc/current/cookbook/event_dispatcher/before_after_filters.html
There are a number of ways to handle access control in Symfony. The most basic is with URL matching, which is handy when you want to restrict access to a URL like /admin and anything that follows. This is configured in security.yml.
# app/config/security.yml
security:
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
This page shows the different ways to secure your application:
http://symfony.com/doc/current/book/security.html#access-control
There is even a way to secure any service even if it's not a controller:
http://symfony.com/doc/current/cookbook/security/securing_services.html
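The before_filter-style approach from the cookbook page linked in the question, as an added example that is not part of this thread: a kernel.controller listener that rejects unauthenticated users for any controller implementing a marker interface. The namespace, class names and service id are hypothetical; the controller must sit behind a firewall so a security token exists, otherwise isGranted() itself throws.

```php
<?php
// src/Acme/DemoBundle/EventListener/LoginCheckListener.php (hypothetical names)
namespace Acme\DemoBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// Marker interface (hypothetical): controllers implementing it require a logged-in user.
interface RequiresLoginInterface
{
}

class LoginCheckListener
{
    private $securityContext;

    public function __construct(SecurityContextInterface $securityContext)
    {
        $this->securityContext = $securityContext;
    }

    public function onKernelController(FilterControllerEvent $event)
    {
        $controller = $event->getController();

        // Class-based controllers arrive as array(object, method); closures are left alone.
        if (!is_array($controller) || !$controller[0] instanceof RequiresLoginInterface) {
            return;
        }

        // IS_AUTHENTICATED_FULLY rejects anonymous and remember-me tokens alike.
        // The firewall's exception listener turns this into a redirect to the login form
        // (or a 401/403 for an anonymous/authenticated user respectively).
        if (!$this->securityContext->isGranted('IS_AUTHENTICATED_FULLY')) {
            throw new AccessDeniedException('You must be logged in to access this page.');
        }
    }
}

// Service wiring, e.g. in app/config/config.yml (hypothetical service id):
//
// services:
//     acme_demo.login_check_listener:
//         class: Acme\DemoBundle\EventListener\LoginCheckListener
//         arguments: ["@security.context"]
//         tags:
//             - { name: kernel.event_listener, event: kernel.controller, method: onKernelController }
```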
Related
I have a route that returns a JSON response which should be accessible to logged-in users but also to anonymous users, in which case the response should have a 401 status code.
I tried to add a firewall:
route_name:
    pattern: ^/path
    anonymous: true
but with this configuration I always get an anonymous user (in the profiler), even if the user is logged in.
I also tried adding configuration in access_control instead:
access_control:
    - { path: ^/path, role: IS_AUTHENTICATED_ANONYMOUSLY }
but I keep getting the login form instead.
Any idea how to handle this case? Thanks
I'm beginning to use Symfony2 and I'm really enjoying it!
I have some questions that I'm sure you will help me with easily!
When we use the security layer, in the file security.yml we set the property access_control, usually something like this:
- { path: ^/admin, roles: ROLE_ADMIN }
Traditionally, using PHP, for my access rules to the system I use 3 tables:
User - Users Table
Role - Roles Table
Resource - Resources Table
Permission - Grants Table
Where a User has a Role, and a Permission is related to a Role and a Resource. To check whether the user has access to a resource, I check the Permission table.
Bringing this to Symfony2, the property "path" would be a resource and ROLE_ADMIN would be the role of the user.
How can I make security.yml load these settings from the database? I searched the official documentation and found nothing.
For now, thanks
Actually, the way to "read" the path (in the security.yml file) is:
- { path: ^/this/(path|regex|here)$, roles: [CAN_BE_ACCESSED_ONLY, BY_THESE_ROLES] }
Now, how do you know which user has which role?
From wherever you load your users.
e.g.:
public function getRoles()
{
    return array('ROLE_USER');
}
Maybe you will find your answers here. It describes how to load users from the database:
How to Load Security Users from the Database (the Entity Provider)
I would recommend using FOSUserBundle. It is very easy to handle and helps you manage your security in Symfony2.
FOSUserBundle
Regards!
I am having trouble figuring out how to structure my application.
It is currently a web application built using normal controllers, Twig views etc., and using FOSUserBundle for authentication. In this application it is possible to create entities that should be seen as a "mobile user".
Now I need an API for a mobile app where the "mobile users" should log in, but I cannot figure out how this authentication should be constructed.
Should I create a user in the user table along with the web app users? Is it possible to require a user to have a specific role to log in on the normal login page?
Or should I add a username and password column to the "mobile user" entity and make a custom login for the API? But how is this accomplished? I am thinking of using AngularJS in the mobile app, if this has any impact on how to solve this issue.
One possible solution would be using FOSOAuthServerBundle.
In this scenario you can keep your users in the same place for both the web app and the mobile app. Users can authenticate using the same credentials in the web and mobile app, but authentication for the mobile app can be done through an AJAX call.
Thanks to OAuth you don't keep the login/password stored in your mobile app.
The bundle itself is written in a way that integrates perfectly with Symfony.
To access different resources using different security, you just configure different firewalls:
security.yml
security:
    firewalls:
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
        web_secured:
            pattern: ^/
            stateless: true
            your_security_factory: true
Check these resources for more info:
FOSOAuthServerBundle documentation
step-by-step tutorial
You don't have to use a different user provider, but you will need to configure a different firewall in security.yml:
firewalls:
    api_firewall:
        pattern: "^/api/"
        form_login:
            check_path: /api/login_check
            login_path: /api/login
Then you can still show your users a login form. Using Angular, have it post to the check_path. Symfony uses cookies to store authentication information, so you may have to configure Angular to accept and pass those on subsequent requests.
If you don't want to do that, you could use an API key and write a custom authenticator implementing SimplePreAuthenticatorInterface.
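The API-key alternative mentioned in the answer above, as an added example that is not code from this thread: a SimplePreAuthenticatorInterface implementation (Symfony 2.4+) wired to a stateless firewall. The namespace, service id and the user provider's getUsernameForApiKey() lookup are hypothetical assumptions; the key is read from a request header so it does not end up in access logs.

```php
<?php
// src/Acme/ApiBundle/Security/ApiKeyAuthenticator.php (hypothetical names)
namespace Acme\ApiBundle\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface;
use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class ApiKeyAuthenticator implements SimplePreAuthenticatorInterface
{
    // Called on every request under the firewall: extract the credential, do not validate it yet.
    public function createToken(Request $request, $providerKey)
    {
        $apiKey = $request->headers->get('X-Api-Key');
        if (!$apiKey) {
            throw new BadCredentialsException('No API key found');
        }
        return new PreAuthenticatedToken('anon.', $apiKey, $providerKey);
    }

    // Resolve the key to a user; the message deliberately does not echo the submitted key.
    public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
    {
        $apiKey = $token->getCredentials();
        // Assumed: a custom user provider exposing a lookup by API key (not a Symfony core method).
        $username = $userProvider->getUsernameForApiKey($apiKey);
        if (!$username) {
            throw new AuthenticationException('Invalid API key.');
        }
        $user = $userProvider->loadUserByUsername($username);
        return new PreAuthenticatedToken($user, $apiKey, $providerKey, $user->getRoles());
    }

    public function supportsToken(TokenInterface $token, $providerKey)
    {
        return $token instanceof PreAuthenticatedToken && $token->getProviderKey() === $providerKey;
    }
}

// app/config/security.yml (hypothetical ids); stateless so no session cookie is issued:
//
// firewalls:
//     api_firewall:
//         pattern: ^/api/
//         stateless: true
//         simple_preauth:
//             authenticator: apikey_authenticator
//         provider: api_key_user_provider
```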
I'm using FOSUserBundle for the login process of my application.
This application is the back-end part of my work. The front-end one can be on another server.
Login works correctly when the user is authenticated. My problem is when the user is not recognized. In this case, Symfony redirects the response to a URL of my back-end when I want it to go back to my front-end URL. I have found nothing in the Symfony docs or on various forums to make progress on this issue.
Thank you for your help.
Caplande
Normally you can configure, in security.yml, the firewall which is used by FOSUserBundle, and tell it where to redirect in case of success but also in case of error.
The idea is, in case of error, to redirect the user to an action in your app which is not under your FOSUserBundle firewall rules.
This action should finally redirect the non-authenticated user to your front-end URL.
Here is an example:
In your security.yml:
security:
    firewalls:
        main:
            form_login:
                failure_path: YOUR_REDIRECTING_PATH
                failure_forward: true
To finish, you need to make a route accessible anonymously in your app that redirects to your front-end app.
For more information: https://symfony2-document.readthedocs.org/en/latest/cookbook/security/form_login.html
Hope this helps
I know we can set the failure path for form_login:
form_login:
    provider: fos_userbundle
    failure_path: /register
    default_target_path: /home
How can I set the same structure for profile edit and password change (profile/edit)?
AFAIK, no, it's not possible.
form_login is handled by Symfony2, not by FOSUserBundle.
By specifying form_login, you have told the Symfony2 framework that any time a request is made to this firewall that leads to the user needing to authenticate himself, the user will be redirected to a form where he will be able to enter his credentials. It should come as no surprise then that you have specified the user provider service we declared earlier as the provider for the firewall to use as part of the authentication process.
Since Symfony2 takes care of security context token population, it has given way to others to set the failure path.
But in your case, it's completely in your control, so why do you need that setting?
I suggest you read more about security.