My entire webpage has to be private with only authenticated users accepted. I'm using FOSUserBundle and have this as setting:
security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
When I set anonymous as false or get rid of it, I get a "problem loading page" error where the page will just crash. Also, when anonymous is true, when I login with the right credentials it logs me in but does not redirect to the main index page, instead it stays on /login and gives me "Logged in as user | Logout".
So the behavior I need it to be is:
1) On homepage, it will redirect to /login page if user is not authenticated (no anonymous users)
2) After login authenticated, redirects to homepage
It is all done in firewall settings
1) add firewall rule:
access_control:
- { path: ^/$, role: ROLE_USER }
2) add default_target_path:
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
default_target_path: /
Related
I'm working on a custom membership website which is based on the Symfony2. This website has two type of the bundles. FOSuserbundle and SamlBundle.
I integrated SamlBundle with FOSuserbundle. Single Sign-On system is working now, but FOSuserbundle login form is not working.
This is my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface:
id: app.my_password_encoder
PDias\SamlBundle\Security\User\SamlUser: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
backend_samlservice:
id: saml.backend.fosuser.provider
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
require_previous_session: true
login_path: /login
check_path: /login_check
always_use_default_target_path: false
default_target_path: /
use_forward: true
use_referer: false
saml:
provider: backend_samlservice
direct_entry: false
login_path: /login-saml
check_path: /login-check-saml
default_target_path: /
always_use_default_target_path: true
logout:
path: /logout
target: /login
anonymous: true
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
remember_me:
key: '%secret%'
lifetime: 604800 # 1 week
path: /
domain: ~
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/sendemail, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^, role: ROLE_USER }
acl:
connection: default
Even if I was not using Single Sign-On, backend_samlservice will be executed.
When I use ID & Password to login to the website, I will be redirected to the login page.
Do I have to add something?
Thanks for your anwsers.
I've fixed this problem.
The point was SimpleSAML_Session. I had to clean up the session like this.
https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6
$session = SimpleSAML_Session::getSessionFromRequest();
$session->cleanup();
I added this code on the SamlAuth.php(pdias/saml-bundle/PDias/SamlBundle/Saml). Then it started working.
As the title suggests, I'm going to use Facebook,Google and GitHub authentication alongside JWT authenticator (LexikJWT).
Before starting, I want to know how can I use them? is it possible to use both of them to protect APIs?
If yes, what sort of configurations should my security have? Assuming that I'm using the default configurations.
here is the current security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
acl:
connection: default
access_decision_manager:
strategy: affirmative
role_hierarchy:
ROLE_SALES_NOTIFICATIONS: [ ROLE_SALES_NOTIFICATIONS ]
# FULL CONTROL
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
success_handler: admin_success_handler
logout:
path: /admin/logout
anonymous: true
# Custom firewall for api area
api_login:
pattern: ^/api/auth
stateless: true
anonymous: true
provider: fos_userbundle
form_login:
check_path: /api/auth/check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api:
pattern: ^/api/v\d+\.\d+/
methods: [ POST, PUT ]
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
api_doc:
pattern: ^/api/doc
stateless: true
anonymous: true
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/assets/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/uploads/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/user/, role: [ROLE_USER] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/auth/me, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/api/v\d+\.\d+/, roles: IS_AUTHENTICATED_FULLY }
I'm thinking, using both of them as a security provider will lead to errors. is it right?
I don't think using HWIOAuthBundle and LexikJWTBundle on the same project will lead to errors.
You api_login firewall will authenticate your api users while your admin firewall will authenticate your backoffice users.
Since your URL patterns are correctly congigured you should not encounter problems.
Hi i got an problem with my access control in symfony 2.
I want to secure the whole site except of the "/" route cause there is the login. So every route else, for example "/hello" must be secured and redirect to / if there is no user logged in.
In my security config i got this configuration:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /
logout: true
anonymous: ~
access_control:
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/.*, roles: ROLE_ADMIN }
What am I doing wrong?
This should work:
access_control:
- { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_ADMIN }
for more info:
http://symfony.com/doc/master/book/security.html
I am using FOSUserbundle
my security setting is like this so,if you access under /member
without login,you are transferred to Top page.
I want to add another behaivor.
If You access on toppage when you are logging in,you are transffered /member/profile
How can I make it?
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
main:
pattern: ^/
anonymous: ~
form_login:
check_path: /login_check
login_path: /login
provider: fos_userbundle
logout:
path: /logout
target: /
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/member, role: ROLE_USER }
there are many solutions to your problem :
In the toppage controller you can redirect the user if he is logged in.
Or
You can use an event listener on kernel.request which as the responsibility to set the response if the current route is toppage and the user is logged in.
edit:
To redirect in controller: return $this->redirect($this->generateUrl('routename'))
see: http://symfony.com/doc/current/book/controller.html#redirecting
Hope it's helpful.
Best regard.
I have FOS UserBundle installed in my symfony2 project. Login/logout works, only problem is, the system doesn't redirect/close parts that i want closed.
The whole site should only be accessable by loged in users.
Yet i can call any route.
I filled in the data in the access control section of my security yml, yet it doesn't work. I can call mydomain/de_CH/anything/i/want/ and access that content.
This is my security.yml:
security:
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
login_path: fos_user_security_login
check_path: fos_user_security_check
csrf_provider: form.csrf_provider
logout:
path: fos_user_security_logout
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/my-admin/, role: ROLE_ADMIN }
- { path: ^/$, role: ROLE_USER }
#- { path: ^/$, role: ROLE_USER }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Change
- { path: ^/$, role: ROLE_USER }
to
- { path: ^/.*, role: ROLE_USER }
This is because, first regex tell you allow ROLE_USER to path with that pattern /
So, patterns like /foo /foo/bar and so on aren't catched from your firewall.
Second pattern cover the latter case
Remove the anonymous: true part and put /login to it's own firewall so users can log in.
The anonymous part allowed anonymous user to access that firewall.
firewalls:
login_firewall:
pattern: ^/login$
anonymous: ~
main:
pattern: ^/
form_login:
# ...
logout:
path: fos_user_security_logout
EDIT: Since we denied anonymous users access to the page, we need to create separate firewall for /login otherwise they wouldn't be able to log in.
See section "Avoid Common Pitfalls" in the official documentation:
http://symfony.com/doc/current/book/security.html for more info on the subject.