Develop Reference

Symfony 4 : How to have multi providers for user/admin in firewall?

I can not have two different providers for user and admin with two different forms
I want to have two firewalls, for users and for admins. I created two different providers linking two different entities. I can log in as a user, but never as Admin .. I do not understand what I need to add more.
Another thing, I know that there is app.user. But is there also app.admin? In order to have two completely separate accounts on two different firewalls?
security:
providers:
user_provider:
entity:
class: App\Entity\User
property: username
admin_provider:
entity:
class: App\Entity\Admin
property: username
chain_provider:
chain:
providers: [user_provider, admin_provider]
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
provider: user_provider
anonymous: true
logout:
path: /logout
target: /login
remember_me:
secret: '%kernel.secret%'
lifetime: 604800 # 1 week in seconds
path: /
form_login:
login_path: /login
check_path: /login
backoffice:
pattern: ^/backoffice
provider: admin_provider
logout:
path: /backoffice/logout
target: /backoffice/login
form_login:
login_path: /backoffice/login
check_path: /backoffice/login
access_control:
- { path: ^/backoffice/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/backoffice, roles: ROLE_ADMIN }
- { path: ^/mon-compte, roles: ROLE_USER }
encoders:
App\Entity\User:
algorithm: bcrypt
cost: 12
App\Entity\Admin:
algorithm: bcrypt
cost: 12
I have null error when I call $authenticationUtils->getLastAuthenticationError()

Switch firewalls order, so the main firewall is the last one.
Symfony uses only one firewall per request and it's the first matched with the pattern. So in your case it's using main firewall for ^/backoffice urls too because /backoffice matches ^/ pattern.
I'm not sure if it will solve all your issues here, but you need to do this in order to really use backoffice firewall.
Regarding app.user and app.admin - no, there's no app.admin. Admin is a user too, so when you'll be logged in as admin, you'll get its entity with app.user

Here is my updated security.yaml :
security:
providers:
admin_provider:
entity:
class: App\Entity\Admin
property: username
user_provider:
entity:
class: App\Entity\User
property: username
chain_provider:
chain:
providers: [user_provider, admin_provider]
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
backoffice:
pattern: ^/backoffice
provider: admin_provider
anonymous: true
logout:
path: admin.logout
target: admin.login
form_login:
login_path: admin.login
check_path: admin.login
default_target_path: admin.index
main:
pattern: ^/
provider: user_provider
anonymous: true
logout:
path: logout
target: login
remember_me:
secret: '%kernel.secret%'
lifetime: 604800 # 1 week in seconds
path: /
form_login:
login_path: login
check_path: login
access_control:
- { path: ^/backoffice/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/backoffice, roles: ROLE_ADMIN }
- { path: ^/mon-compte, roles: ROLE_USER }
encoders:
App\Entity\User:
algorithm: bcrypt
cost: 12
App\Entity\Admin:
algorithm: bcrypt
cost: 12

Return access denied with access control

I'm using Symfony 4.1.7 in my security.yaml have this access control:
access_control:
# master:
- { path: ^/master, roles: ROLE_MASTER }
# manager:
- { path: ^/.*/manager, roles: ROLE_MANAGER }
# main:
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
when i open the second one url (/foo/manager) and not authorized i will redirected to login path i need to return access denaid not redirect to login.
my last goal is call event listener for append role to authorize user from event listener.
Update:
Here is my security firewall section:
main:
pattern: ^/
user_checker: App\Security\Checker\UserChecker
anonymous: ~
provider: default
context: primary
simple_form:
authenticator: App\Security\Authenticator\UserAuthenticator
check_path: login
login_path: login
username_parameter: phone
password_parameter: password
use_referer: true
logout:
path: logout
remember_me:
secret: '%kernel.secret%'
lifetime: 604800
path: /
remember_me_parameter: remember_me

Yo need to configure the login_path en the security.yml
Example:
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
in_memory: { memory: ~ }
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
Symfony Doc.

You have to allow users to access this path and instead use your controller to check the user role.
$this->denyAccessUnlessGranted('ROLE_MANAGER ', null, 'Unable to access this page!');
or
$this->isGranted('ROLE_MANAGER');
Depending on what you want to do.

symfony Full authentication is required to access this resource

I can not access the admin page from my symfony project.
If I visit XXX.XXX.XXX.XXX/admin I get:
Full authentication is required to access this resource
However going to XXX.XXX.XXX.XXX/security/login gives me the login page.
What am I doing wrong?
security:
# http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
providers:
in_memory:
memory:
users:
admin:
password: XXX
roles: 'ROLE_ADMIN'
encoders:
Symfony\Component\Security\Core\User\User:
algorithm: bcrypt
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
secured_area:
pattern: ^/admin
anonymous: ~
main:
anonymous: ~
# activate different ways to authenticate
# http_basic: ~
# http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
# form_login: ~
# http://symfony.com/doc/current/cookbook/security/form_login_setup.html
form_login:
login_path: security_login
check_path: security_login
csrf_token_generator: security.csrf.token_manager
default_target_path: userRedirectAction
logout:
path: /logout
target: /blog
access_control:
# require ROLE_ADMIN for /admin*
- { path: ^/admin, roles: ROLE_ADMIN }

I think under your secured area firewall you need to specify an authentication type such as http_basic: ~

secured area should be:
secured_area:
pattern: ^/blog/admin
It's working now

If you want just test if it does work, you may change your user's role in the path, an delete the anonymous option
- { path: ^/admin, roles: IS_AUTHENTICATED_ANONYMOUSLY }
It should be work

FOSUserBundle: Why I get exception on login_check?

I try to configure FOSUserBundle in Symfony 2.7 but I still get "You must configure the check path to be handled by the firewall using form_login in your security firewall configuration." exception.
I searched vendor folder for Security Controller and I found that checkAction throws such exception.
I would like to allow
admin to log into /admin section,
and editors to /editor section.
I use two ways of logging: one is in_memory, and second fos_userbundle. This is my security.yml
encoders:
Symfony\Component\Security\Core\User\User: plaintext
Inpero\PageBundle\Entity\User: bcrypt
# http://symfony.com/doc/current/book/security.html#hierarchical-roles
role_hierarchy:
ROLE_EDITOR: ROLE_USER
ROLE_ADMIN: [ROLE_EDITOR, ROLE_USER]
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
# http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
providers:
in_memory:
memory:
users:
admin: { password: pass1, roles: [ 'ROLE_ADMIN' ] }
fos_userbundle:
id: fos_user.user_provider.username
# the main part of the security, where you can set up firewalls
# for specific sections of your app
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# the login page has to be accessible for everybody
page_login:
pattern: ^/admin/login$
security: false
page_admin:
pattern: ^/admin
form_login:
check_path: my_page_check
login_path: my_page_login
logout:
path: my_page_logout
target: /
editor_login:
pattern: ^/editor/login
security: false
editors:
pattern: ^/editor
form_login:
provider: fos_userbundle
check_path: /editor/login_check
login_path: /editor/login
failure_path: /editor/login
default_target_path: /editor/
always_use_default_target_path: true
#csrf_token_generator: security.csrf.token_manager
# if you are using Symfony < 2.8, use the following config instead:
csrf_provider: form.csrf_provider
logout:
path: fos_user_security_logout
target: /
anonymous: ~
# with these settings you can restrict or allow access for different parts
# of your application based on roles, ip, host or methods
# http://symfony.com/doc/current/book/security.html#security-book-access-control-matching-options
access_control:
- { path: ^/efconnect, role: IS_AUTHENTICATED_REMEMBERED }
- { path: ^/elfinder, role: IS_AUTHENTICATED_REMEMBERED }
- { path: ^/admin, role: ROLE_ADMIN }
- { path: ^/editor, role: ROLE_EDITOR }
What am I doing wrong?

Symfony: Firewalls, multiple login forms

I am not new to symfony by any means, but I've always used FOSUserBundle which by default prevents one from having 2 different login forms for authenticating two different user types..
I have two entities, one is Admins and the other is Users. Admins will only be able to login in the administration area and likewise users will only be able to login via the front end.
I've followed: http://symfony.com/doc/2.1/book/security.html which also lead me to http://symfony.com/doc/2.1/cookbook/security/entity_provider.html
My security.yml is:
jms_security_extra:
secure_all_services: false
expressions: true
security:
encoders:
Symfony\Component\Security\Core\User\User: sha512
Fm\AdminBundle\Entity\Admins: sha512
Fm\MainBundle\Entity\Users: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
chain_provider:
chain:
providers: [in_memory, admin]
in_memory:
memory:
users:
user: { password: userpass, roles: [ 'ROLE_USER' ] }
admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
admin:
entity: { class: Fm\AdminBundle\Entity\Admins, property: username }
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
anonymous: true
alogin:
pattern: ^/admin/login
security: false
login:
pattern: ^/login
security: false
secured_area:
pattern: ^/admin
anonymous: false
provider: chain_provider
switch_user: true
form_login:
check_path: /admin/login_check
login_path: /admin/login
logout:
path: /admin/logout
target: /admin
members_area:
pattern: ^/
anonymous: false
form_login: ~
logout:
path: /logout
target: /
#anonymous: ~
#http_basic:
# realm: "Secured Demo Area"
access_control:
- { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, roles: ROLE_ADMIN }
In my routes I have defined the routes as in the docs: (defaults to /admin/login and /admin/login_check because of my main routing include where /admin is set)
_admin_login:
pattern: /login
defaults: { _controller: FmAdminBundle:Security:login }
_admin_login_check:
pattern: /login_check
The error that I am getting in the browser is:
Unable to find the controller for path "/admin/login_check". Maybe you forgot to add the matching route in your routing configuration?
The stack trace is telling me: WARNING - Unable to look for the controller as the "_controller" parameter is missing
AND
ERROR - Symfony\Component\HttpKernel\Exception\NotFoundHttpException: Unable to find the controller for path "/admin/login_check". Maybe you forgot to add the matching route in your routing configuration? (uncaught exception) at /var/www/mysite.dev/symfony/app/bootstrap.php.cache line 1419

For implementing multiple login in symfony 2XX, try the following code
Security.yml
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
Company\AngularBundle\Entity\User: plaintext
Company\AngularBundle\Entity\Admin: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
users:
entity: { class: CompanyAngularBundle:User, property: username }
admin:
entity: { class: CompanyAngularBundle:Admin, property: username }
firewalls:
admin_secured_area:
pattern: ^/admin
anonymous: ~
provider: admin
form_login:
login_path: /admin/login
check_path: /admin/login_check
default_target_path: /admin
user_secured_area:
pattern: ^/
anonymous: ~
provider: users
form_login:
login_path: login
check_path: login_check
default_target_path: /home
routing.yml
login_check:
path: /login_check
admin_login_check:
path: /admin/login_check
Twig file
Action of login form should be like this
<form action="{{ path('login_check') }}" method="post">
Action of admin/login form should be like this
<form action="{{ path('admin_login_check') }}" method="post">

The problem is that after logging into the "secured_area" firewall you get redirect to "/" which is behind the "members_area" firewall. You can't access "members_area" with your credentials from "secured_area" (at least not by default). Read the details on http://symfony.com/doc/current/reference/configuration/security.html#reference-security-firewall-context .
If you have a look at the security configuration (http://symfony.com/doc/current/reference/configuration/security.html) you can see that the default_target_path for form_login is "/". Just change this to /admin:
security:
...
firewalls:
...
secured_area:
pattern: ^/admin
...
form_login:
check_path: /admin/login_check
login_path: /admin/login
default_target_path: /admin
logout:
...
The alternative is to share the context as described in the first link (http://symfony.com/doc/current/reference/configuration/security.html#reference-security-firewall-context).