George Mylonas

Reputation: 722

Symfony2 firewall Web & API authentication

I am trying to set up a project where I can authenticate users via API and Web interfaces (login forms). So far I can manage to work with only one login form, which is the main Web login form. I need to authenticate them via API and bring up the OAuth form customized with a message to notify the user about authorization, just a custom message basically. Something like Facebook does, probably.

On the Symfony2 security page I could not find the help I needed so far, nor on blogs. At least not one that works for me.

So the perfect scenario is

  1. http://url.com/ for web
  2. http://url.com/api for api

I am using FOS User Bundle for my users and FOS OAuth Bundle for oauth authentication and FOSRestBundle for REST API.

What is explained in this OAuth tutorial is the exact scenario I am trying to achieve.

When I ask for a URL like http://url.com/oauth/v2/token?client_id=24_2qxtvmjv99eso8wg8sowc8c04o488og8gs8wo0osocks0wkcw0&client_secret=33ghqa2w202sooscwogw0kwwwg0gc00k8sgkkw0cgco4cg08s0&grant_type=client_credentials it redirects me to the login page. As I understand it, my access_control is wrong.

This is my security.yml file:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_USER:        [ROLE_CUSTOMER_RSS, ROLE_CUSTOMER_ASS]
        ROLE_AGENT:       ROLE_USER
        ROLE_ADMIN:       ROLE_AGENT
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:

        oauth_token:
            pattern:    ^/oauth/v2/token
            security:   false

        oauth_authorize:
            pattern:    ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login

        api:
            pattern:    ^/api
            fos_oauth:  true
            stateless:  true
            anonymous:  false # can be omitted as its default value

        ui_login:
            pattern: ^/
            form_login:
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                default_target_path: /
            logout:       true
            anonymous:    true

        assets:
            pattern:  ^/(css|images|js)/
            security: false

        dev:
            pattern:  ^/(_(profiler|wdt|configurator|error))/
            security: false

    access_control:
        - { path: ^/oauth/v2/auth_login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }

        - { path: ^/, role: [ROLE_USER] }

I know I am missing a lot of stuff here. Please help.

Upvotes: 1

Views: 402

Answers (1)

Carlos Granados

Reputation: 11351

The order of your firewalls matters. The way you have it configured right now, the first "catchall" firewall for URLs "^/" is catching all requests, so the other firewalls are not activated. The more specific firewalls should be located first and the less specific firewalls should be located later. Thus, the ui_login firewall should be the last one defined.

Upvotes: 1
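The reordered security.yml below is an added example illustrating the answer above; it is not the answerer's own code. It keeps every firewall and access rule from the question unchanged and only moves the ^/ catch-all (ui_login) to the end of the firewalls section. Symfony selects the first firewall whose pattern matches the request path, so in the original order the oauth_token, api, assets and dev firewalls were never reached: every request, including the /oauth/v2/token call from the question, fell into ui_login and got the form-login redirect.

```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_USER:        [ROLE_CUSTOMER_RSS, ROLE_CUSTOMER_ASS]
        ROLE_AGENT:       ROLE_USER
        ROLE_ADMIN:       ROLE_AGENT
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        # Most specific patterns first: a request is handled by the FIRST
        # firewall whose pattern matches, and no later firewall is consulted.

        # Token endpoint: no authentication listener at all; the OAuth bundle
        # verifies client_id / client_secret itself.
        oauth_token:
            pattern:    ^/oauth/v2/token
            security:   false

        # Authorization form shown to the resource owner.
        oauth_authorize:
            pattern:    ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login

        # REST API: bearer tokens only, no session, no anonymous access.
        api:
            pattern:    ^/api
            fos_oauth:  true
            stateless:  true
            anonymous:  false

        assets:
            pattern:  ^/(css|images|js)/
            security: false

        dev:
            pattern:  ^/(_(profiler|wdt|configurator|error))/
            security: false

        # Catch-all web login LAST, otherwise it shadows everything above.
        ui_login:
            pattern: ^/
            form_login:
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                default_target_path: /
            logout:       true
            anonymous:    true

    access_control:
        - { path: ^/oauth/v2/auth_login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: [ROLE_USER] }
```

Two things to check after reordering. First, the firewall section decides which authentication listener runs, while access_control is evaluated afterwards on the authenticated token; the redirect in the question came from ui_login's form_login, not from the access rules, so moving the catch-all is what fixes it. Second, once the more specific firewalls are actually reached, the three `security: false` entries (oauth_token, assets, dev) take effect for the first time: /oauth/v2/token is then guarded only by the OAuth bundle's client-credential check, and the dev pattern should stay disabled outside development environments, since it exposes the profiler and configurator routes without any authentication.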
