Symfony2 Security.yml

Question

I'm trying to take advantage of Symfony's authentication and authorization capabilities however I'm somewhat confused as to what my security.yml file should look like.

I'm looking to accomplish the following objectives:

1) The routes / and /join (are avilable to everyeone - no login required).

2) all other routes require a login/password.

3) the /adimin route should be futher restricted to admin users only.

4) all users should be authenticated against the database.

I have item 4 figured out (I think) - see below. I'm not sure what the administrators: word means though. Does that mean only administrators use the User class? Should that say users: or something else?

security:
    encoders:
        MySite\Bundle\Entity\User:
            algorithm: sha1
            encode_as_base64: false
            iterations: 1

providers:
    administrators: (??? what doest his mean ???)
        entity: { class: MySiteBundle:User }

More Importantly --

For Items 1, 2, and 3 I'm not sure what to put. I have a bunch of entries under the firewalls: section and the access_control: sections however It just doesnt work or make sense. Can someone post what the security.yml should look like just by the goals I'm looking to accomplish in numbers 1 - 3?

Answer 1

For anyone else asking this or a similiar question, I've managed to get this working using the following settings in security.yml.

security:
    encoders:
        MySite\Bundle\Entity\User:
          algorithm: sha1
          encode_as_base64: false
          iterations: 1

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        database:
            entity: { class: MySiteBundle:User }

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        prod:
            pattern: ^/
            provider: database
            anonymous: true
            form_login:
                check_path: /login_check
                login_path: /login
                default_target_path: /home
                always_use_default_target_path: true
            logout:
                path:   /logout
                target: /

    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/build, roles: ROLE_USER }
        - { path: ^/join, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }

Answer 2

Here is a configuration exemple from what I understood from your needs:

security:
    encoders:
        "MySite\Bundle\Entity\User": { algorithm: sha1, encode_as_base64: false, iterations: 1 }

    providers:
        database: { entity: "MySite\Bundle\Entity\User" }

    firewalls:
        dev:
            pattern:    ^/(_profiler|_wdt|css|js)
            security:   false

        main:
            pattern:    ^/
            provider:   database
            anonymous:  true
            # the rest of your firewall's config

    access_control:
      - { path: ^/(join)?$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/, roles: IS_AUTHENTICATED_FULLY }

We configure the password encoder for the user entity and we define a provider for it.

Then we define a dev firewall to deactivate security for the debug/profiler/asset pathes and a main one that will be the real firewall for the application. This last firewall will use the previously defined user provider and allow anomymous users (important!).

Finally in the access control map, we first define a rule for the pathes allowed to anonymous users and then a generic rule that requires the user to be fully authenticated for the rest of the site.