Currently, any page I go to in my Symfony2 web app well direct the user to log in (if they aren't already logged in). This is okay - except there is one set of pages (my webservices, which will be under /webservice/*) which I don't want to force authentication from. Because it is a JSON webservice that will not be user facing, obviously I don't want it trying to redirect to a log in form.
This is my current security.yml firewall:
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/$
security: false
secured_area:
pattern: ^/
form_login:
check_path: my_app_authentication_login
login_path: my_app_authentication_homepage
username_parameter: form[username]
password_parameter: form[password]
default_target_path: my_app_task_homepage
always_use_default_target_path: true
logout:
path: my_app_authentication_logout
target: my_app_authentication_homepage
What do I have to do to make /webservice/* exempt from authentication?
You need to add to your security.yml file (this must be before your secured_area, order matters):
your_whatever_name:
pattern: ^/webservice/
security: false
Check doc for more info
Related
I am developing and application in symfony, with a pulic access where users logs in with a login form and an admin section with another login form and another user provider.
I've created a LoginFormAuthenticator for each area, and two firewalls to select the correct authenticator in each area. This is my security.yaml:
security:
providers:
admin_provider:
entity:
class: App\Entity\AdminUser
property: email
web_provider:
entity:
class: App\Entity\User
property: email
firewalls:
admin:
pattern: '^/admin'
anonymous: true
provider: admin_provider
guard:
authenticators:
- App\Security\AdminLoginFormAuthenticator
logout:
path: /admin/logout
target: /
main:
anonymous: true
provider: web_provider
guard:
authenticators:
- App\Security\LoginFormAuthenticator
logout:
path: /logout
Now I am adding an /api to the project, and both users should be able to access, managing the access rights diferently if the user is a public user or is an admin user.
When developing a controller in the /api area, I am unable to get the user when logged via the admin.
The question is, How in /api I can get the AdminUser if it is logged in or the User (in this order) when accessing $this->getuser() or $this->denyAccessUnlessGranted() ?
I've tried to add the App\Security\AdminLoginFormAuthenticator in main firewall and add a chain_provider in main.provider. But it is not working.
Thank you.
The firewalls should share a "common context", for being able to access the same connected users. I think that wording comes from Symfony 2, where the SecurityContext was the service storing the user & authorization.
You need to modify slightly your configuration, and then $this->getUser() and $this->denyAccessUnlessGranted() will return/use the same User object for both firewalls.
firewalls:
admin:
pattern: '^/admin'
context: my_app_context
anonymous: true
# ...
main:
anonymous: true
context: my_app_context
# ...
No need for a common provider or a custom guard. Though it may be easier to have the same User class everywhere, or at least common role for clarity.
With Symfony 3.2 I want to use CAS to authenticate users. Currently, I'm using fosuserbundle to authenticate users against MySQL, but I want to switch to Guard.
I read all about guard and I understand that I need to implement some methods, like getCredentials, getUser, onAuthenticationFailure, etc, but is there any parameter that I need to update in the security.yml? How can I have Guard to handle the authentications and fosuserbundle just handle the forms?
Here is my security.yml file
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
form_login:
#provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
login_path: /login
check_path: /login_check
I have a class that extending AbstractGuardAuthenticator but nothing seems to ge called.
In summary how can I use Guard with fosuserbundle.?
Thank you all in advance.
I have a question I didn't really find an answer for.
I have to maintain a Symfony application which uses a custom authentication and user provider. The provider works as aspected and the user can login correctly.
However, I need to make a few routes accessible for anonymous users. They should also be accessible when the user is not fully authenticated.
So I tried to adjust the access_control configuration in the security.yml to make these URLs accessible:
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ~
anonymous: ~
internal_api:
provider: fos_userbundle
check_path: /api/user/login
logout:
path: /api/user/logout
access_control:
- { path: ^/api/init, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/resources, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_USER }
Unfortunately this does not work. The users still can't access these routes, as long as they are not fully authenticated.
So my question is: What is necessary to provide the role IS_AUTHENTICATED_ANONYMOUSLY via a custom authentication provider? Can it be done or do I just have to adjust my security.yml settings?
Best regards
Because the routes you want make accessible by anonymous are behind your main firewall and protected by your path: ^/ access_control, you have to create a specific firewall for them.
Add this in the firewalls of your security.yml :
api_resources:
pattern: ^/api/resources
anonymous: ~
api_init:
pattern: ^/api/init
anonymous: ~
And it should works.
I am using Facebook integration for one of my symfony2 application.
I have used FOSUserBundle and FOSFacebookUserBundle.
I can able to login through form in my application and user session was created.
Same when I am using FB to login my application FB session created. Here I want to create my User session as like we do it via form_login.
Will FOSFacebookBundle providing any authentication or Do we need to write separate authentication provider for the same?
I have done all the setup what is given in FOsUserBUndle and FOSFacebookBundle.
Can anyone help me on this?
Finally, I have fixed the issue.
Yes, FosFacebookBundle will create user session for application.
We no need to write authentication provider.(But we should have Facebook Provider to authenticate on it. like given in FosFacebookBundle basic usage document).
my security.yml firewall config:
firewalls:
main:
pattern: ^/
anonymous: true
form_login:
login_path: /
check_path: _security_check
failure_path: login_failure
success_handler: Projectfolder.authentication.success_handler
fos_facebook:
login_path: /
check_path: _security_check_facebook
provider: fos_facebook_provider
default_target_path: /
logout:
path: /logout
target: /
My routing.yml :
_security_check_facebook:
pattern: /facebook/login_check
defaults: { _controller: ProjectfolderUserBundle:Security:loginFb }
_security_facebook_logout:
pattern: /facebook/logout
Note:
_security_facebook_logout, we won't use in our application. While logout we will remove only application user session not facebook session. We can use this url during development.
I have called login_check instead of /facebook/login_check. So User session is not set in my application. Now it's working fine.
I have successfully configured FOSUserBundle to connect to the admin section of the website, this works great.
We want public users to only be able to login to the website via Facebook so I have also installed FOSFacebookBundle, which works. Sort of. I can login, authenticate, access the user's profile page and logout; all that works as expected.
However, when a user logs in via Facebook, the user isn't added to the database. Am I mistaken that this is what the "Custom User Provider" at the bottom of the docs (https://github.com/FriendsOfSymfony/FOSFacebookBundle) is supposed to do?
Basically, when a Facebook login happens, the user is added (if necessary) and then fetched through FOSUserBundle.
I followed the docs time and time again, read questions here on SO and can't figure out what's (not) happening.
Anyone have ideas as to where in the code something could be causing the login action not to update the database with Facebook data?
In security.yml:
providers:
chain_provider:
chain:
providers: [my_fos_facebook_provider, fos_userbundle]
my_fos_facebook_provider:
id: my.facebook.user
fos_userbundle:
id: fos_user.user_manager
firewalls:
admin:
pattern: /admin(.*)
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
logout:
path: /admin/logout
anonymous: true
public:
# since anonymous is allowed users will not be forced to login
pattern: ^/.*
fos_facebook:
provider: my_fos_facebook_provider
app_url: "http://www.facebook.com/apps/application.php?id=your_app_id"
server_url: "http://localhost/facebookApp/"
login_path: /
check_path: /login_check_fb
default_target_path: /moi
anonymous: true
logout:
handlers: ["fos_facebook.logout_handler"]
The idea is that admin is accessed with a run of the mill username and password and normal users log in via Facebook.
Now, the key part is to define multiple providers (which I had), but perhaps most importantly is to specify the "provider" in each of the firewalls. fos_userbundle for admin and my_fos_facebook_provider for public