youstra

Reputation: 113

Populated the TokenStorage with an anonymous Token - SF4

I have the same problem as this: symfony 4 sets logged in as anonymous

Users are always redirected to the login path. This is my security.yaml code

security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        from_database:
            entity:
                class: App\Entity\User
                property: username
    role_hierarchy:
        ROLE_ENSEIGNANT_PRIMAIRE:           ROLE_USER
        ROLE_ENSEIGNANT_SECONDAIRE:         ROLE_USER
        ROLE_AFFECTATION:                   ROLE_USER
        ROLE_COMPTABILITE:                  ROLE_USER
        ROLE_ETUDE:                         ROLE_USER
        ROLE_SCOLARITE:                     ROLE_USER
        ROLE_RESPONSABLE_CLASSE:            ROLE_USER
        ROLE_ADMIN:                         ROLE_USER
        ROLE_ENSEIGNANT:                    [ROLE_ENSEIGNANT_PRIMAIRE, ROLE_ENSEIGNANT_SECONDAIRE]
        ROLE_SUPER_ADMIN:                   [ROLE_ADMIN, ROLE_ENSEIGNANT, ROLE_AFFECTATION, ROLE_COMPTABILITE, ROLE_ETUDE, ROLE_SCOLARITE, ROLE_RESPONSABLE_CLASSE, ROLE_ALLOWED_TO_SWITCH]
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main_login:
            pattern:   ^/login$
            stateless: true
            anonymous: true

        main:
            pattern: ^/
            stateless: true
            anonymous: true
            form_login:
                # Name of the login page route
                check_path: login
                # Name of the route where the login form lives.
                # If a user tries to reach a protected page without the required rights,
                # they are redirected to this page
                login_path: login
                # CSRF protection for the login form
                csrf_token_generator: security.csrf.token_manager
                # Default page after a successful login
                default_target_path: check_account

            logout:
                # Route that handles the logout process
                path: logout
                # Route the user is redirected to after logging out
                target: login
                handlers: [app.logout.listener]

            # activate different ways to authenticate

            # http_basic: true
            # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate

            # form_login: true
            # https://symfony.com/doc/current/security/form_login_setup.html

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }

    encoders:
        App\Entity\User:
            algorithm: bcrypt
            cost: 12

And this one, login action (in a controller)

<?php

namespace App\Controller\User;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class SecurityController extends AbstractController
{
    /**
     * @Route("/login", name="login")
     */
    public function login(Request $request, AuthenticationUtils $helper): Response
    {
        $current = '';
        $params  = $request->headers->get('fail');
        $referer = $request->headers->get('referer');

        return $this->render('Security/login.html.twig', [
            // last username entered (if there is one)
            'last_username' => $helper->getLastUsername(),
            // last authentication error (if there is one)
            'error'         => $helper->getLastAuthenticationError(),
            'current'       => $current,
        ]);
    }
}

and I get this error in my log file

[2019-09-27 14:07:49] request.INFO: Matched route "login". {"route":"login","route_parameters":{"_route":"login","_controller":"App\\Controller\\User\\SecurityController::login"},"request_uri":"http://localhost:8000/login","method":"GET"} []
[2019-09-27 14:07:49] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2019-09-27 14:07:49] request.INFO: Matched route "_wdt". {"route":"_wdt","route_parameters":{"_route":"_wdt","_controller":"web_profiler.controller.profiler::toolbarAction","token":"9fa908"},"request_uri":"http://localhost:8000/_wdt/9fa908","method":"GET"} []

Can somebody tell me what is wrong?

Upvotes: 1

Views: 5422

Answers (1)

dbrumann

Reputation: 17166

The problem is likely your main firewall's check_path, which is set to login. I assume this matches the path /login. This path is outside of your firewall, as it is part of the firewall main_login.

Your check path should be inside the firewall it is working on. You could create a route which matches main, but not main_login, e.g. /login_check and then use that route name instead.

Alternatively you can use a config that is close to the one in the documentation, using only a main firewall and then using the access_control to configure permissions:

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }
        - { path: ^/, roles: IS_AUTHENTICATED_REMEMBERED }

Upvotes: 1
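A complete security.yaml along the lines of the answer's second suggestion (a single main firewall plus access_control), added here as an illustration; it is not the asker's final configuration nor dbrumann's own file. The route names login, logout and check_account, the app.logout.listener service, the provider and the encoder settings are taken from the question; the role_hierarchy block from the question is unchanged and can be kept alongside this. The separate main_login firewall is dropped so that the POST to check_path is handled by the same firewall that owns the form_login listener, and stateless: true is dropped from main because form_login stores the authenticated token in the session, which a stateless firewall never writes:

```yaml
security:
    providers:
        from_database:
            entity:
                class: App\Entity\User
                property: username

    encoders:
        App\Entity\User:
            algorithm: bcrypt
            cost: 12

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # One firewall covers /login as well as the protected pages, so the
        # credentials posted to check_path reach this firewall's form_login
        main:
            pattern: ^/
            anonymous: true
            # no "stateless: true": the session must keep the token between requests
            form_login:
                login_path: login
                check_path: login
                csrf_token_generator: security.csrf.token_manager
                default_target_path: check_account
            logout:
                path: logout
                target: login
                handlers: [app.logout.listener]

    access_control:
        # anonymous users must be able to reach the login form itself
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }
        # everything else requires a remembered or fully authenticated user
        - { path: ^/, roles: IS_AUTHENTICATED_REMEMBERED }
```

If you prefer the answer's first option and want to keep a separate main_login firewall, the same rule applies the other way round: check_path has to name a route whose path matches main's pattern and not main_login's, so the login form would post to a route such as /login_check while /login itself stays on main_login.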
