J. Verger

Reputation: 133

How to allow/deny routes according to the "dev/prod" environment in Symfony 4?

I am using Symfony 4.1. I am trying to allow/deny a route according to the "dev"/"prod" environment.

I tried to define distinct security configuration files per environment, but I am not allowed to. The following message is displayed when loading the Symfony cache: Configuration path "security.access_control" cannot be overwritten. You have to define all options for this path, and any of its sub-paths in one configuration section.

Here is my security section:

security:
    access_control:
        - { path: '^/$' , roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: '^/ping$' , roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: '^/docs\.json$' , roles: IS_AUTHENTICATED_ANONYMOUSLY }

I want to allow (without authentication) the docs.json route in the dev environment and restrict (with authentication) the docs.json route in the prod environment.

Any ideas on how to do that?

Upvotes: 2

Views: 2664

Answers (3)

Kamil Ścisłowski

Reputation: 124

With the Symfony ExpressionLanguage component, you can try adding condition: "'%kernel.environment%' === 'dev'" in annotations or whatever you are using to define your route.

Upvotes: 3

Kim

Reputation: 1898

The security.firewalls.dev: configuration is used in every Symfony environment (dev, test, prod)!

In Symfony 4, to achieve making some routes available in just some environments, you could do something like this:

Setup:

config/packages/security.yaml:

parameters:
    # Adds a fallback SECURITY_DEV_PATTERN if the env var is not set.
    env(SECURITY_DEV_PATTERN): '^/(_(profiler|wdt)|css|images|js)/'

security:
    firewalls:
        dev:
            pattern: '%env(SECURITY_DEV_PATTERN)%'
            security: false

Override per Symfony environment:

Create a new file config/packages/dev/parameters.yaml:

parameters:
    env(SECURITY_DEV_PATTERN): '^/(_(profiler|wdt)|css|images|js)/|^/docs'

Now /docs is only available without a firewall in the Symfony dev environment.

Override using environment variables:

You could also override SECURITY_DEV_PATTERN in the .env file:

SECURITY_DEV_PATTERN=^/(_(profiler|wdt)|css|images|js)/|^/docs

This only works if you don't include the .env in your production environment, or if you specifically override the SECURITY_DEV_PATTERN environment variable there as well.

Upvotes: 0

J. Verger

Reputation: 133

So I solved the issue by setting up the dev firewall and updating the pattern to bypass the security.

security:
    access_control:
        - { path: '^/$' , roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: '^/ping$' , roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: '^/docs\.json$' , roles: IS_AUTHENTICATED_ANONYMOUSLY }
    firewalls:
        dev:
            pattern: '^/(_(profiler|wdt)|css|images|js|docs)/'
            security: false

Upvotes: -1
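
Added example, not part of any of the posts above: a small PHP check of which request paths a `security: false` firewall pattern leaves unauthenticated, run over the three patterns quoted in this thread and then over the pattern actually deployed. It assumes Symfony matches a firewall `pattern` with `preg_match('{' . $pattern . '}', ...)` against the URL-decoded path; the sample paths and the `$mustStayProtected` list are constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumption: Symfony tests a firewall
// `pattern` with preg_match('{' . $pattern . '}', rawurldecode($pathInfo)).

/** Returns the subset of $paths that $pattern matches, i.e. that the
 *  `security: false` firewall would serve without authentication. */
function matchedPaths(string $pattern, array $paths): array
{
    return array_values(array_filter($paths, function (string $path) use ($pattern): bool {
        return preg_match('{' . $pattern . '}', rawurldecode($path)) === 1;
    }));
}

// The three patterns quoted on this page.
$patterns = [
    'fallback'      => '^/(_(profiler|wdt)|css|images|js)/',
    'dev override'  => '^/(_(profiler|wdt)|css|images|js)/|^/docs',
    'docs in group' => '^/(_(profiler|wdt)|css|images|js|docs)/',
];

// Constructed sample request paths.
$paths = ['/_profiler/abc123', '/css/app.css', '/docs.json',
          '/docs/index.html', '/docs-internal', '/ping', '/'];

foreach ($patterns as $label => $pattern) {
    printf("%-14s exempts: %s\n", $label,
        implode(', ', matchedPaths($pattern, $paths)) ?: '(none)');
}

// Deployment check: the pattern this environment really uses must not match
// any path that is supposed to require authentication.
$mustStayProtected = ['/docs.json'];  // hypothetical list for a prod build
$deployed = getenv('SECURITY_DEV_PATTERN') ?: $patterns['fallback'];

$leaks = matchedPaths($deployed, $mustStayProtected);
if ($leaks !== []) {
    fwrite(STDERR, 'Served without authentication here: ' . implode(', ', $leaks) . "\n");
    exit(1);
}
echo "OK: protected paths are not matched by the dev firewall pattern\n";
```

Run it in the production build with `SECURITY_DEV_PATTERN` set as deployed; a non-zero exit means the configured pattern removes the firewall from a path that should require authentication.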
