Vorname Nachname

Reputation: 11

Symfony2 firewall security.yml

I am new to Symfony, so I need your help. I have a problem with my security.yml. I tried to make a little application which stores some data in my database and shows it on my homepage. It works really fine, but changing the route in routing.yml from:

addlink:
    path:     /addlink
    defaults: { _controller: ExerciseLinkBundle:Exercise:addLink }

to

addlink:
    path:     /secured_area/addlink
    defaults: { _controller: ExerciseLinkBundle:Exercise:addLink }

causes a redirect to my login page. As you can see below, I obviously really don't know what I am doing in security.yml. Please tell me how to redirect to my 'addlink' route. As I mentioned, it works fine using the first route, so the controller/template has to be OK.

login_firewall:
    pattern:   ^/secured_area/login$
    anonymous: ~
exercise:
    pattern: ^/secured_area
    form_login:
        csrf_provider: form.csrf_provider
        login_path: /secured_area/login
        check_path: /secured_area/login_check
        always_use_default_target_path: true
        default_target_path:            /secured_area/addlink
    logout:
        path:   /secured_area/logout
        target: /

And please don't tell me about FOSUserBundle; in the meantime I would use it, but this one has to be finished first :). So please help me out of this.

Upvotes: 0

Views: 253

Answers (1)

Sehael

Reputation: 3736

Your firewall in security.yml is configured to protect every URL that begins with ^/secured_area. That means that if someone tries to access a URL like http://yoursite.dev/secured_area/addlink, the firewall will intercept this and make sure that the user is authorized to view that page. The reason it redirects to your login is that a user must be authenticated before the firewall can determine whether the user is authorized to view the page. Once you sign in with an authorized user, you will be redirected to the initial page (/secured_area/addlink). And it looks like you are securing the /login_check URL, which means you will never be able to log in.

I think there is a less confusing way to create your firewall. Try something like this:

firewalls:
    exercise:
        pattern: ^/
        form_login:
            csrf_provider: form.csrf_provider
            login_path: /login
            check_path: /login_check  ### there is no reason to secure this URL
            always_use_default_target_path: true
            default_target_path: /secured_area/addlink
        logout:
            path:   /secured_area/logout
            target: /
        anonymous: true

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/secured_area, role: IS_AUTHENTICATED_REMEMBERED }
    - { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }

This will have a similar effect, but it is cleaner and makes it easier to see what is happening. First, with this approach you can still have some public pages if you wish. Second, your 'login_check' doesn't require authentication (which I think is part of the main problem you are seeing). Finally, with this configuration your whole site will go through this firewall. That doesn't mean your whole site will be password protected; it just means that you can specify (in the access_control part of security.yml) exactly which pages are viewable by unauthenticated users and which are viewable by authenticated users.

For more information on protecting your site, read the Authorization section of the Symfony security docs. It has lots of good information.

Upvotes: 1
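As an added example that is not part of the question or the answer above, here is a complete Symfony2 security.yml built around the single-firewall pattern the answer recommends. The `in_memory` provider, the `testuser` account, the `dev` firewall and the `/logout` route are assumptions for a self-contained local setup; the `/login` and `/login_check` paths still need matching entries in routing.yml (`login_check` needs a route but no controller, because the firewall's form_login listener handles that request itself). The two points worth checking in your own file are that both `firewalls` and `access_control` are first-match lists, so order matters: the `dev` firewall must precede the catch-all `^/` firewall, and the `^/` access rule must come last, otherwise every path is granted to anonymous users and `/secured_area` is no longer protected.

```yaml
security:
    encoders:
        # Plaintext is only acceptable for an in-memory test user.
        # With a real user provider use bcrypt (Symfony 2.2+) instead:
        #   Acme\UserBundle\Entity\User: { algorithm: bcrypt, cost: 12 }
        Symfony\Component\Security\Core\User\User: plaintext

    providers:
        in_memory:            # assumed: a throw-away provider for local testing
            memory:
                users:
                    testuser: { password: testpass, roles: 'ROLE_USER' }

    firewalls:
        # Must come first: profiler/toolbar and static assets bypass security.
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # One firewall for the whole site; access_control decides what is public.
        main:
            pattern:   ^/
            anonymous: ~
            form_login:
                csrf_provider:                  form.csrf_provider
                login_path:                     /login
                check_path:                     /login_check   # inside the firewall, not access-controlled
                always_use_default_target_path: true
                default_target_path:            /secured_area/addlink
            logout:
                path:   /logout                 # assumed route name/path
                target: /

    # First matching rule wins: the specific rules go before the catch-all.
    access_control:
        - { path: ^/login$,        role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/secured_area,  role: ROLE_USER }
        - { path: ^/,              role: IS_AUTHENTICATED_ANONYMOUSLY }
```

The wrong ordering that this layout guards against is putting `- { path: ^/, role: IS_AUTHENTICATED_ANONYMOUSLY }` first: Symfony stops at the first rule whose path matches, so `/secured_area/addlink` would match `^/` and be served to anonymous users without ever reaching the `ROLE_USER` rule. `ROLE_USER` is used here instead of `IS_AUTHENTICATED_REMEMBERED` because this firewall does not enable `remember_me`; if you add it, `IS_AUTHENTICATED_REMEMBERED` is the attribute that lets a cookie-restored session through.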
