I've been using FOSUserBundle for a long time now, but this never happened to me. It seems that the firewall is not working, because I can access any page from my site, when I should only be redirected to the login page when accessing as ANONYMOUS.
So, this is my security file:
    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js|assets)/
                security: false
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_provider: form.csrf_provider
                logout:
                    invalidate_session: false
                anonymous: true
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/, role: ROLE_USER }
And this is my config.yml file:
    #v1.0
    imports:
        - { resource: parameters.yml }
        - { resource: security.yml }
    fos_user:
        db_driver: orm
        firewall_name: main
        user_class: My\Bundle\Entity\User
So, from where I see, everything is configured correctly, so it should work as expected. But this is not happening. So, the question is: where else should I look for any conflictive configuration file, or conflictive entities, etc.? Because I've been debugging for hours before coming to ask the question here (I did not want to ask a silly question), but I cannot figure out what could be happening.
Any ideas?
your problem:
The correct ACL attribute is roles not role.
working examples:
    security:
        # ...
        access_control:
            # ...
            - { path: ^/, roles: ROLE_USER }
            - { path: ^/admin, roles: [ROLE_ADMIN, ROLE_TRANSLATOR] }
explanation:
Because of the wrong attribute name there are effectively no mandatory roles configured.
That's why - as you have anonymous set to true - access will currently be granted without any restrictions.
Please have a look at the documentation chapter Securing specific URL patterns.
Related
I am using Symfony 3.2 and fos user bundle 2.0
I use the classic setup : "Getting Started With FOSUserBundle"
    security:
        always_authenticate_before_granting: true
        encoders:
            FOS\UserBundle\Model\UserInterface: bcrypt
        role_hierarchy:
            ROLE_ADMIN: ROLE_CLIENT
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username
        firewalls:
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_token_generator: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
                logout: true
                anonymous: ~
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin, role: ROLE_ADMIN }
            - { path: ^/client, role: ROLE_CLIENT }
It works, but something is strange:
When I log out and navigate to a public page, it appears as if I am always logged in.
I need to manually reload the page in my browser to make the logout effective.
(I use {% if is_granted('ROLE_ADMIN') %} in my template.)
Is it a problem with my security configuration or a problem with cache memory?
Some help will be appreciated.
Thanks,
Vincent
Try adding the ROLE_USER to your role hierarchy like this:
    role_hierarchy:
        ROLE_CLIENT: ROLE_USER
        ROLE_ADMIN: ROLE_CLIENT
As stated in the docs: "Make sure every user has at least one role, or your user will look like they're not authenticated. A common convention is to give every user ROLE_USER." http://symfony.com/doc/current/security.html#roles
Today I noticed that I can always access the register and reset forms, regardless of whether I am authenticated or not.
Here is my security.yml:
    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_provider: form.csrf_provider
                logout:
                    delete_cookies:
                        activeGame: {}
                anonymous: true
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin/, role: ROLE_ADMIN }
Regarding http://symfony.com/doc/current/cookbook/security/remember_me.html#forcing-the-user-to-re-authenticate-before-accessing-certain-resources it seems "normal" to be able to access these pages.
But how can I "easily" disable it for authenticated users, or did I miss anything?
Thanks in advance!
You may be able to accomplish what you are looking for by using the newly introduced allow_if expression for access controls.
    - { path: ^/register, allow_if: "not is_authenticated()" }
Another way may be:
    - { path: ^/register, allow_if: "user == 'anon'" }
I haven't fully tested this, but it should only allow users who are not authenticated fully or authenticated remembered to access that path.
Here is a little bit about the security
Here are some of the variables and functions available in expressions
Then here is some info on the Expressions you can use in allow_if
If, however, you do not want to throw a 403 Access Denied exception when logged-in users try to access those pages, and would instead like to redirect them elsewhere, you can add a check to their respective controller actions. Something like:
    public function registerAction()
    {
        if (true === $this->get('security.context')->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
            return $this->redirect($this->generateUrl('some_route_to_send_them_to'));
        }

        // ...
    }
The security config is as simple as in the FOSUserBundle docs, and login works properly in the dev environment, but in the prod environment it gets stuck on login_check and nothing happens. Nothing in the dev or prod logs.
Symfony 2.3.7
security.yml
    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: ROLE_ADMIN
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username
        firewalls:
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_provider: form.csrf_provider
                    default_target_path: homepage
                    always_use_default_target_path: true
                logout: true
                anonymous: true
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin/, role: ROLE_ADMIN }
config.yml
    fos_user:
        db_driver: orm
        firewall_name: main
        user_class: Acme\SomeBundle\Entity\User
Based upon your story, I'd like to guess that your "Acme" is included when you're using dev settings but not when using production settings. Check your AppKernel.php / composer.json.
I found a solution for this problem.
Fixed by updating PHP from 5.3.3 to 5.4.22 (all Optional recommendations should be OK).
I have FOS UserBundle installed in my Symfony2 project. Login/logout works; the only problem is that the system doesn't redirect/close the parts that I want closed.
The whole site should only be accessible by logged-in users.
Yet I can call any route.
I filled in the data in the access control section of my security.yml, yet it doesn't work. I can call mydomain/de_CH/anything/i/want/ and access that content.
This is my security.yml:
    security:
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username_email
        encoders:
            FOS\UserBundle\Model\UserInterface: sha512
        firewalls:
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    login_path: fos_user_security_login
                    check_path: fos_user_security_check
                    csrf_provider: form.csrf_provider
                logout:
                    path: fos_user_security_logout
                anonymous: true
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin/, role: ROLE_ADMIN }
            - { path: ^/my-admin/, role: ROLE_ADMIN }
            - { path: ^/$, role: ROLE_USER }
            #- { path: ^/$, role: ROLE_USER }
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: ROLE_ADMIN
Change
    - { path: ^/$, role: ROLE_USER }
to
    - { path: ^/.*, role: ROLE_USER }
This is because the first regex tells it to allow ROLE_USER on paths matching that pattern, /.
So, patterns like /foo, /foo/bar and so on aren't caught by your firewall.
The second pattern covers the latter case.
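A simplified model of how the access_control list from the question is evaluated, added here as an illustration (it is not the poster's code and not Symfony's implementation): the first entry whose regex matches the path decides, and a path that matches no entry carries no role requirement at all. The rules and role hierarchy are copied from the security.yml above; the function names and sample paths are assumptions.

```python
import re

# access_control entries and role_hierarchy copied from the question's security.yml.
RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/", "ROLE_ADMIN"),
    (r"^/my-admin/", "ROLE_ADMIN"),
    (r"^/$", "ROLE_USER"),
]
HIERARCHY = {"ROLE_ADMIN": ["ROLE_USER"], "ROLE_SUPER_ADMIN": ["ROLE_ADMIN"]}
# Same list with the last entry replaced as the answer suggests.
FIXED = RULES[:-1] + [(r"^/.*", "ROLE_USER")]


def reachable_roles(roles, hierarchy=HIERARCHY):
    """Expand the user's roles through role_hierarchy (transitive closure)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(hierarchy.get(role, []))
    return seen


def first_match(path, rules):
    """Return the first (pattern, role) whose regex matches the path, or None."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return pattern, role
    return None


def decide(path, user_roles, rules=RULES):
    """'allow'/'deny' for the matching rule; 'unrestricted' if no rule matches."""
    rule = first_match(path, rules)
    if rule is None:
        return "unrestricted"
    # Every visitor on an anonymous-enabled firewall satisfies this attribute.
    granted = reachable_roles(user_roles) | {"IS_AUTHENTICATED_ANONYMOUSLY"}
    return "allow" if rule[1] in granted else "deny"


def uncovered(paths, rules=RULES):
    """Audit helper: paths that no access_control entry matches."""
    return [p for p in paths if first_match(p, rules) is None]
```

Running `uncovered()` over a list of the application's real routes is a quick way to spot paths that fall through every entry before deploying a changed access_control list.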
Remove the anonymous: true part and put /login in its own firewall so users can log in.
The anonymous part allowed anonymous users to access that firewall.
    firewalls:
        login_firewall:
            pattern: ^/login$
            anonymous: ~
        main:
            pattern: ^/
            form_login:
                # ...
            logout:
                path: fos_user_security_logout
EDIT: Since we denied anonymous users access to the page, we need to create a separate firewall for /login, otherwise they wouldn't be able to log in.
See section "Avoid Common Pitfalls" in the official documentation:
http://symfony.com/doc/current/book/security.html for more info on the subject.
Background
According to the Symfony documentation, the login form needs to be specified in the security.yml file, along with its login_check path. Until now my app has been working fine: a user tries to access a secure page (mysite.com/edit/123); if they are not logged in, they are redirected to /login, and after they log in they are redirected again to the originally intended path (/edit/123).
Similar question: Two separate login pages in Symfony 2
Problem
The problem now is that I need a different login form, let's say /minimal_login. I need to include that in the security.yml, but the only way I know is creating a different firewall, and as I saw in the documentation this creates a separate identification scheme, so I suppose users logged in through different firewalls cannot share the same secured pages, and that's not what I want.
What I need
If the user tries to access any secure page but /popup they will be redirected to /login, BUT if they try to access /popup (and they are not logged in) they will be redirected to /minimal_login. And no matter how the user logs into my app, they will always share the same access; I mean, if they log in using /login or /minimal_login they can access the same pages.
My security.yml
    jms_security_extra:
        secure_all_services: false
        expressions: true
    security:
        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: [ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]
        providers:
            main:
                entity: {class: Done\PunctisBundle\Entity\User, property: username}
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                remember_me:
                    key: %secret%
                    lifetime: 3600
                    path: /
                    domain: ~
                pattern: ^/
                anonymous: ~
                form_login:
                    login_path: /login
                    check_path: /login_check
                logout:
                    path: /logout
                    target: /
        access_control:
            - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/signup, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/verification, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/popup/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/ajax/track, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/ajax/socialbox, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/, roles: ROLE_USER }
        encoders:
            Done\PunctisBundle\Entity\User:
                algorithm: md5
                iterations: 1
                encode_as_base64: false
I faced a similar problem and I solved it using the firewall context configuration.
    firewalls:
        somename:
            # ...
            context: my_context
        othername:
            # ...
            context: my_context
http://symfony.com/doc/current/reference/configuration/security.html#firewall-context