EmaOnTheBlock

Reputation: 78

Unable to protect route from anonymous access in Symfony2

I can't understand why an anonymous user can access the routes I want to protect, "^/nodes$" and "^/destinations$".

Where am I wrong? I've read this resource with attention, http://symfony.com/doc/current/book/security.html, but those URLs can still be viewed anonymously!

This is my security.yml:

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        in_memory:
            memory:
                users:
                    user:  { password: athena_user_2014, roles: [ 'ROLE_USER' ] }
                    admin: { password: athenaspa2014, roles: [ 'ROLE_ADMIN' ] }

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        secured_area:
            pattern:    ^/backend
            form_login:
                check_path: /backend/login_check
                login_path: /backend/login
                csrf_provider: form.csrf_provider
            logout:
                path:   /backend/logout
                target: /
            #http_basic:
            #    realm: "Secured Demo Area"

    access_control:
        - { path: ^/nodes, roles: ROLE_ADMIN }
        - { path: ^/destinations, roles: ROLE_ADMIN }

Upvotes: 0

Views: 538

Answers (1)

dbrumann

Reputation: 17166

Your paths are not part of any of your firewall-patterns. You could make the following changes for it to work:

firewalls:
    secured_area:
        pattern:   ^/
        ...
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/backend, role: ROLE_ADMIN }
    - { path: ^/node, role: ROLE_ADMIN }
    ...
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }

The last path is pretty much what anonymous: true does. When no other access-control matched, the user is not required to be logged in. If you want to be more restrictive, you could do it like the first path ^/login$, which specifies which routes require authentication. Be aware that the first matching route is used, so be careful of how you order them.

Alternatively you could add another firewall. But keep in mind that each firewall provides a separate login.

You can also test your routes from the console using the php app/console router commands. If you are not sure how to use them, just type php app/console help router:match, for instance.

Upvotes: 3
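To make the two rules in the answer concrete (a path must first fall under a firewall with security enabled, and then the first matching access_control entry wins), here is an added Python model of those lookups run over the asker's configuration, the corrected one, and a misordered variant. It is an illustration written for this page, not Symfony's own code; firewall and rule tuples are a constructed representation of the YAML.

```python
import re

# Added model of the two lookups Symfony2 performs for a request path,
# written to illustrate the answer above; it is not Symfony's own code.
# 1. The first firewall whose pattern matches handles the request; a path
#    that matches no firewall (or one with security: false) gets no security.
# 2. The first access_control rule whose path matches wins; later rules are
#    never consulted, so ordering decides the outcome.
def matching_firewall(firewalls, path):
    """Return (name, security_enabled) of the first matching firewall, or None."""
    for name, pattern, security_enabled in firewalls:
        if re.search(pattern, path):
            return name, security_enabled
    return None

def required_role(access_control, path):
    """Return the role of the first access_control rule matching path, or None."""
    for rule_path, role in access_control:
        if re.search(rule_path, path):
            return role
    return None

def effective_access(firewalls, access_control, path):
    """What an unauthenticated request to path is subject to: 'unsecured'
    (no firewall applies), the required role, or 'anonymous' (a firewall
    applies but no access_control rule matched, so no login is enforced)."""
    hit = matching_firewall(firewalls, path)
    if hit is None or not hit[1]:
        return "unsecured"
    return required_role(access_control, path) or "anonymous"

DEV = ("dev", r"^/(_(profiler|wdt)|css|images|js)/", False)

# The asker's config: only ^/backend is behind a firewall, so /nodes is never checked.
ORIGINAL_FIREWALLS = [DEV, ("secured_area", r"^/backend", True)]
ORIGINAL_ACCESS = [(r"^/nodes", "ROLE_ADMIN"), (r"^/destinations", "ROLE_ADMIN")]

# The answer's config: one firewall over ^/, most specific rules first, catch-all last.
FIXED_FIREWALLS = [DEV, ("secured_area", r"^/", True)]
FIXED_ACCESS = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/backend", "ROLE_ADMIN"),
    (r"^/nodes", "ROLE_ADMIN"),
    (r"^/destinations", "ROLE_ADMIN"),
    (r"^/", "IS_AUTHENTICATED_ANONYMOUSLY"),
]

# The same rules with the catch-all moved first: it shadows every other rule.
MISORDERED_ACCESS = [FIXED_ACCESS[-1]] + FIXED_ACCESS[:-1]
```

Calling effective_access(ORIGINAL_FIREWALLS, ORIGINAL_ACCESS, "/nodes") returns "unsecured", which is exactly the symptom in the question, while the same path under FIXED_FIREWALLS and FIXED_ACCESS requires ROLE_ADMIN.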
