Add "How to Use Multiple Guard Authenticators" cookbook documentation

marek-pietrzak-tg · marek-pietrzak-tg · commit bad8468c8c08 · 2016-02-10T11:59:48.000Z
diff --git a/cookbook/map.rst.inc b/cookbook/map.rst.inc
@@ -176,6 +176,7 @@
   * :doc:`/cookbook/security/csrf_in_login_form`
   * :doc:`/cookbook/security/named_encoders`
   * :doc:`/cookbook/security/multiple_user_providers`
+  * :doc:`/cookbook/security/multiple_guard_authenticators`
   * :doc:`/cookbook/security/firewall_restriction`
   * :doc:`/cookbook/security/host_restriction`
   * :doc:`/cookbook/security/user_checkers`
diff --git a/cookbook/security/index.rst b/cookbook/security/index.rst
@@ -22,6 +22,7 @@ Authentication (Identifying/Logging in the User)
     csrf_in_login_form
     named_encoders
     multiple_user_providers
+    multiple_guard_authenticators
     firewall_restriction
     host_restriction
     user_checkers
diff --git a/cookbook/security/multiple_guard_authenticators.rst b/cookbook/security/multiple_guard_authenticators.rst
@@ -0,0 +1,167 @@
+.. index::
+
+How to Use Multiple Guard Authenticators
+========================================
+
+Guard authentication component allows you to easily use many different authenticators at a time.
+
+An entry point is a service id (of one of your authenticators) whose start()
+method should be called when an anonymous user hits a page that requires authentication.
+
+Multiple authenticators with shared entry point
+-----------------------------------------------
+Let's have an example of two authenticators: one based on login form, another one on facebook login.
+Both authenticators entry points redirect user to the same login page.
+However, in your configuration you have to explicitly say which entry point you want to use.
+
+This is how your security configuration can look in action:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # app/config/security.yml
+        security:
+             # ...
+            firewalls:
+                default:
+                    anonymous: ~
+                    guard:
+                        authenticators:
+                            - app.form_login_authenticator
+                            - app.facebook_connect_authenticator
+                        entry_point: app.form_login_authenticator
+
+    .. code-block:: xml
+
+        <!-- app/config/security.xml -->
+        <?xml version="1.0" encoding="UTF-8"?>
+        <srv:container xmlns="http://symfony.com/schema/dic/security"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:srv="http://symfony.com/schema/dic/services"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+            <config>
+                <!-- ... -->
+                <firewall name="default">
+                    <anonymous />
+                    <guard entry_point="app.form_login_authenticator">
+                        <authenticator>app.form_login_authenticator</authenticator>
+                        <authenticator>app.facebook_connect_authenticator</authenticator>
+                    </guard>
+                </firewall>
+            </config>
+        </srv:container>
+
+    .. code-block:: php
+
+        // app/config/security.php
+        $container->loadFromExtension('security', array(
+            // ...
+            'firewalls' => array(
+                'default' => array(
+                    'anonymous' => null,
+                    'guard' => array(
+                        'entry_point' => 'app.form_login_authenticator',
+                        'authenticators' => array(
+                            'app.form_login_authenticator',
+                            'app.facebook_connect_authenticator'
+                        ),
+                    ),
+                ),
+            ),
+        ));
+
+There is one limitation with this approach - you have to use exactly one entry point.
+
+Multiple authenticators with separate entry points
+--------------------------------------------------
+Let's now have an example of two different authenticators: one based on login form, another one on an API token.
+When user hits secured area he should be redirected to the login page.
+Also when user hits an API endpoint, he should get a relevant API response.
+
+Solution for this use case is to provide guard authenticators in two separate firewalls.
+
+This is an example of your configuration:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # app/config/security.yml
+        security:
+            # ...
+            firewalls:
+                api:
+                    pattern: ^/api/
+                    guard:
+                        authenticators:
+                            - app.api_token_authenticator
+                default:
+                    anonymous: ~
+                    guard:
+                        authenticators:
+                            - app.form_login_authenticator
+            access_control:
+                - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+                - { path: ^/api, roles: ROLE_API_USER }
+                - { path: ^/, roles: ROLE_ADMIN }
+
+    .. code-block:: xml
+
+        <!-- app/config/security.xml -->
+        <?xml version="1.0" encoding="UTF-8"?>
+        <srv:container xmlns="http://symfony.com/schema/dic/security"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:srv="http://symfony.com/schema/dic/services"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+            <config>
+                <!-- ... -->
+                <firewall name="api" pattern="^/api/">
+                    <guard>
+                        <authenticator>app.api_token_authenticator</authenticator>
+                    </guard>
+                </firewall>
+                <firewall name="default">
+                    <anonymous />
+                    <guard>
+                        <authenticator>app.form_login_authenticator</authenticator>
+                    </guard>
+                </firewall>
+                <rule path="^/login" role="IS_AUTHENTICATED_ANONYMOUSLY" />
+                <rule path="^/api" role="ROLE_API_USER" />
+                <rule path="^/" role="ROLE_ADMIN" />
+            </config>
+        </srv:container>
+
+    .. code-block:: php
+
+        // app/config/security.php
+        $container->loadFromExtension('security', array(
+            // ...
+            'firewalls' => array(
+                'api' => array(
+                    'guard' => array(
+                        'authenticators' => array(
+                            'app.api_token_authenticator',
+                        ),
+                    ),
+                ),
+                'default' => array(
+                    'anonymous' => null,
+                    'guard' => array(
+                        'authenticators' => array(
+                            'app.form_login_authenticator',
+                        ),
+                    ),
+                ),
+            ),
+            'access_control' => array(
+                array('path' => '^/login', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'),
+                array('path' => '^/api', 'role' => 'ROLE_API_USER'),
+                array('path' => '^/', 'role' => 'ROLE_ADMIN'),
+            ),
+        ));
