HMR

Reputation: 39290

security.yml requires_channel seems to be ignored

In the basic Symfony installation with the Acme application, I have changed /app/config/security.yml to force https for the login form:

access_control:
    - { path: ^/demo/secured/hello/admin/, roles: ROLE_ADMIN }
    - { path: ^/demo/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }

Then, when I request the login form at http://localhost/app_dev.php/demo/secured/login, I don't get redirected to https. I would expect it to redirect to https according to the following documentation: http://symfony.com/doc/current/cookbook/security/force_https.html

Maybe I need to clear the cache, but requesting http://localhost/app_dev.php/demo/secured/login?refresh=123 doesn't forward me to https either.

Upvotes: 3

Views: 1024

Answers (3)

MgFrobozz

Reputation: 146

If the question above doesn't show all of the access_control declarations, here's another possible explanation:

If the access_control declarations appear in this order ...

access_control:
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }

... and the URL is http://foo.com/login, then RequestMatcher.matches() will stop searching for declarations after "^/", since preg_match reports that "^/" matches "^/login". The protocol used will then be http.

But if the declarations are reversed ...

access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }

... then RequestMatcher.matches() will stop searching for declarations after "^/login", and the protocol used will then be https.

Upvotes: 2
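A model of the first-match evaluation this answer describes, added here as an example; it is not code from Symfony or from the answer's author. It applies each rule's path regex in declaration order the way access_control does (only the first matching rule is used, and the regex runs against the request's pathInfo, so the front controller /app_dev.php is not part of the string), returns the channel the winning rule demands, and flags requires_channel rules that an earlier, broader rule hides. The rule sets and sample paths are constructed: the first two reproduce the two orderings above, the third reproduces the question's security.yml.

```python
import re

# Constructed rule sets copying the shape of the security.yml snippets on this page.
RULES_SHADOWED = [  # the ordering the answer warns about: "^/" wins for /login
    {"path": "^/", "roles": "IS_AUTHENTICATED_ANONYMOUSLY"},
    {"path": "^/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY", "requires_channel": "https"},
]
RULES_FIXED = list(reversed(RULES_SHADOWED))  # most specific rule first
RULES_QUESTION = [  # the question's own access_control, for comparison
    {"path": "^/demo/secured/hello/admin/", "roles": "ROLE_ADMIN"},
    {"path": "^/demo/secured/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY", "requires_channel": "https"},
]


def first_match(rules, path_info):
    """Return the first rule whose `path` regex matches path_info, or None.

    Evaluation stops at the first matching rule, so later rules are never
    consulted for that request. re.search is unanchored like preg_match, which
    is why the leading '^' in the patterns matters.
    """
    for rule in rules:
        if re.search(rule["path"], path_info):
            return rule
    return None


def required_channel(rules, path_info):
    """The channel the winning rule demands ('https'), or None if none is demanded."""
    rule = first_match(rules, path_info)
    return rule.get("requires_channel") if rule else None


def unreachable_channel_rules(rules, sample_paths):
    """Lint helper: indexes of rules that carry requires_channel but never win
    for any of the sample paths. Regex subsumption is undecidable in general,
    so this is a sample-based check; pass every path you care about.
    """
    winners = set()
    for p in sample_paths:
        for i, rule in enumerate(rules):
            if re.search(rule["path"], p):
                winners.add(i)
                break
    return [i for i, rule in enumerate(rules)
            if "requires_channel" in rule and i not in winners]


if __name__ == "__main__":
    for name, rules, path in [("shadowed", RULES_SHADOWED, "/login"),
                              ("fixed", RULES_FIXED, "/login"),
                              ("question", RULES_QUESTION, "/demo/secured/login")]:
        print(f"{name:8s} {path}: requires_channel={required_channel(rules, path)}")
    print("unreachable https rules (shadowed order):",
          unreachable_channel_rules(RULES_SHADOWED, ["/", "/login", "/login_check"]))
```

Run it and the shadowed ordering reports no channel for /login while the reversed ordering reports https; the lint helper returns the index of the https rule that never wins. Feeding your real access_control list and the paths you expect to be protected into unreachable_channel_rules is a cheap way to catch this ordering mistake before it reaches production.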

Zac Ball

Reputation: 198

You can also do this via annotations (i.e.):

@Route("/checkout", name="cart_checkout", schemes={"https"})

Upvotes: 1

Jovan Perovic

Reputation: 20201

I had a similar need a few days ago and I had to alter the routing.yml file. This is how I resolved it:

routing.yml

fos_user_security:
    resource: "@FOSUserBundle/Resources/config/routing/security.xml"
    schemes: [https]

Although I did use FOSUserBundle, this should be applicable to any routing configuration.

Upvotes: 2
