Use correct file path and complete examples #11244


Merged
merged 2 commits into from
Mar 31, 2019
41 changes: 27 additions & 14 deletions security/access_control.rst
@@ -282,7 +282,7 @@ key:

.. code-block:: xml

<!-- app/config/security.xml -->
<!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -291,19 +291,24 @@ key:
https://symfony.com/schema/dic/services/services-1.0.xsd">

<config>
<!-- ... -->
<rule path="^/_internal/secure"
allow-if="'127.0.0.1' == request.getClientIp() or is_granted('ROLE_ADMIN')"/>
</config>
</srv:container>

.. code-block:: php

'access_control' => [
[
'path' => '^/_internal/secure',
'allow_if' => '"127.0.0.1" == request.getClientIp() or is_granted("ROLE_ADMIN")',
// config/packages/security.php
$container->loadFromExtension('security', [
// ...
'access_control' => [
[
'path' => '^/_internal/secure',
'allow_if' => '"127.0.0.1" == request.getClientIp() or is_granted("ROLE_ADMIN")',
],
],
],
]);

In this case, when the user tries to access any URL starting with ``/_internal/secure``,
they will only be granted access if the IP address is ``127.0.0.1`` or if
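Review bot: the `allow_if` expression `'"127.0.0.1" == request.getClientIp() or is_granted("ROLE_ADMIN")'` deserves one caveat in the prose that follows it (`In this case, when the user tries to access any URL starting with ...`): `request.getClientIp()` only returns the real client address when trusted proxies are configured, otherwise behind a reverse proxy it is the proxy's own address and the `127.0.0.1` comparison matches either every request or none. One sentence pointing readers to the trusted-proxies setting would keep the example from looking safer than it is in such deployments. The path fix itself is fine: the XML comment now reads `<!-- config/packages/security.xml -->` and the PHP block gains the matching `// config/packages/security.php` header and `$container->loadFromExtension('security', [` wrapper, so both tabs now show a complete file.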
@@ -349,16 +354,20 @@ access those URLs via a specific port. This could be useful for example for
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd">

<rule path="^/cart/checkout"
role="IS_AUTHENTICATED_ANONYMOUSLY"
port="8080"
/>
<config>
Contributor Author

not sure we should add access_control node here, too

Member

Yes, it looks like something is missing ... the example is not exactly the same as the PHP version.

Contributor Author

I double-checked and it is OK; see the output from the config:dump-reference command:

www-data@97adf7fdeb83:~$ bin/console config:dump-reference security --format=xml
<!-- strategy: One of "affirmative"; "consensus"; "unanimous" -->
<access-decision-manager
    strategy=""
    service=""
    allow-if-all-abstain="false"
    allow-if-equal-granted-denied="true"
/>

<!-- prototype -->
<!-- hash-algorithm: Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms. -->
<encoder
    class="encoder class"
    algorithm=""
    hash-algorithm="sha512"
    key-length="40"
    ignore-case="false"
    encode-as-base64="true"
    iterations="5000"
    cost="13"
    memory-cost="null"
    time-cost="null"
    threads="null"
    id=""
/>

<!-- prototype -->
<provider
    name="provider name"
    id=""
>

    <chain>

        <!-- prototype -->
        <provider>scalar value</provider>

    </chain>

    <memory>

        <!-- prototype -->
        <user
            name="user name"
            password="null"
        >

            <!-- prototype -->
            <roles>scalar value</roles>

        </user>

    </memory>

    <!-- service: Required -->
    <!-- base-dn: Required -->
    <ldap
        service="ldap"
        base-dn=""
        search-dn=""
        search-password=""
        uid-key="sAMAccountName"
        filter="({uid_key}={username})"
        password-attribute="null"
    >

        <!-- prototype -->
        <default-roles>scalar value</default-roles>

    </ldap>

    <!-- class: Required -->
    <entity
        class=""
        property="null"
        manager-name="null"
    />

    <lexik-jwt class="Lexik\Bundle\JWTAuthenticationBundle\Security\User\JWTUser" />

</provider>

<!-- prototype -->
<!-- user-checker: The UserChecker to use when authenticating users in this firewall. -->
<!--
    logout-on-user-change: When true, it will trigger a logout for the user if something has changed. Note: No-Op option since 4.0. Will always be true.;
                           Deprecated (The "security.firewalls.logout_on_user_change" configuration key has been deprecated in Symfony 4.1.)
-->
<firewall
    name="firewall name"
    pattern=""
    host=""
    security="true"
    user-checker="security.user_checker"
    request-matcher=""
    access-denied-url=""
    access-denied-handler=""
    entry-point=""
    provider=""
    stateless="false"
    context=""
    logout-on-user-change="true"
>

    <!-- prototype -->
    <methods>scalar value</methods>

    <logout
        csrf-parameter="_csrf_token"
        csrf-token-generator=""
        csrf-token-id="logout"
        path="/logout"
        target="/"
        success-handler=""
        invalidate-session="true"
    >

        <!-- prototype -->
        <delete-cookie
            name="delete cookie name"
            path="null"
            domain="null"
        />

        <!-- prototype -->
        <handler>scalar value</handler>

    </logout>

    <anonymous secret="null" />

    <!-- stateless: Deprecated (The "security.firewalls..switch_user.stateless" configuration key has been deprecated in Symfony 4.1.) -->
    <switch-user
        provider=""
        parameter="_switch_user"
        role="ROLE_ALLOWED_TO_SWITCH"
        stateless="false"
    />

    <x509
        provider=""
        user="SSL_CLIENT_S_DN_Email"
        credentials="SSL_CLIENT_S_DN"
    />

    <remote-user
        provider=""
        user="REMOTE_USER"
    />

    <simple-preauth
        provider=""
        authenticator=""
    />

    <!-- provider: A key from the "providers" section of your security config, in case your user provider is different than the firewall -->
    <!-- entry-point: A service id (of one of your authenticators) whose start() method should be called when an anonymous user hits a page that requires authentication -->
    <guard
        provider=""
        entry-point="null"
    >

        <!-- prototype -->
        <!-- An array of service ids for all of your "authenticators" -->
        <authenticator>scalar value</authenticator>

    </guard>

    <lexik-jwt
        throw-exceptions="false"
        create-entry-point="true"
        authentication-provider="lexik_jwt_authentication.security.authentication.provider"
        authentication-listener="lexik_jwt_authentication.security.authentication.listener"
    >

        <authorization-header
            enabled="true"
            prefix="Bearer"
            name="Authorization"
        />

        <cookie
            enabled="false"
            name="BEARER"
        />

        <query-parameter
            enabled="false"
            name="bearer"
        />

    </lexik-jwt>

    <form-login
        provider=""
        remember-me="true"
        success-handler=""
        failure-handler=""
        check-path="/login_check"
        use-forward="false"
        require-previous-session="false"
        username-parameter="_username"
        password-parameter="_password"
        csrf-parameter="_csrf_token"
        csrf-token-id="authenticate"
        post-only="true"
        always-use-default-target-path="false"
        default-target-path="/"
        login-path="/login"
        target-path-parameter="_target_path"
        use-referer="false"
        failure-path="null"
        failure-forward="false"
        failure-path-parameter="_failure_path"
        csrf-token-generator=""
    />

    <form-login-ldap
        provider=""
        remember-me="true"
        success-handler=""
        failure-handler=""
        check-path="/login_check"
        use-forward="false"
        require-previous-session="false"
        username-parameter="_username"
        password-parameter="_password"
        csrf-parameter="_csrf_token"
        csrf-token-id="authenticate"
        post-only="true"
        always-use-default-target-path="false"
        default-target-path="/"
        login-path="/login"
        target-path-parameter="_target_path"
        use-referer="false"
        failure-path="null"
        failure-forward="false"
        failure-path-parameter="_failure_path"
        csrf-token-generator=""
        service="ldap"
        dn-string="{username}"
        query-string=""
    />

    <json-login
        provider=""
        remember-me="true"
        success-handler=""
        failure-handler=""
        check-path="/login_check"
        use-forward="false"
        require-previous-session="false"
        username-path="username"
        password-path="password"
    />

    <json-login-ldap
        provider=""
        remember-me="true"
        success-handler=""
        failure-handler=""
        check-path="/login_check"
        use-forward="false"
        require-previous-session="false"
        username-path="username"
        password-path="password"
        service="ldap"
        dn-string="{username}"
        query-string=""
    />

    <simple-form
        provider=""
        remember-me="true"
        success-handler=""
        failure-handler=""
        check-path="/login_check"
        use-forward="false"
        require-previous-session="false"
        username-parameter="_username"
        password-parameter="_password"
        csrf-parameter="_csrf_token"
        csrf-token-id="authenticate"
        post-only="true"
        authenticator=""
        always-use-default-target-path="false"
        default-target-path="/"
        login-path="/login"
        target-path-parameter="_target_path"
        use-referer="false"
        failure-path="null"
        failure-forward="false"
        failure-path-parameter="_failure_path"
        csrf-token-generator=""
    />

    <http-basic
        provider=""
        realm="Secured Area"
    />

    <http-basic-ldap
        provider=""
        realm="Secured Area"
        service="ldap"
        dn-string="{username}"
        query-string=""
    />

    <!-- login-path: Required -->
    <oauth
        provider=""
        remember-me="true"
        success-handler=""
        failure-handler=""
        check-path="/login_check"
        use-forward="false"
        require-previous-session="false"
        always-use-default-target-path="false"
        default-target-path="/"
        login-path=""
        target-path-parameter="_target_path"
        use-referer="false"
        failure-path="null"
        failure-forward="false"
        failure-path-parameter="_failure_path"
    >

        <oauth-user-provider
            service=""
            oauth=""
        >

            <!-- class: Required -->
            <orm
                class=""
                manager-name="null"
            >

                <!-- prototype -->
                <properties name="properties name">scalar value</properties>

            </orm>

            <fosub>

                <!-- prototype -->
                <properties name="properties name">scalar value</properties>

            </fosub>

        </oauth-user-provider>

        <!-- prototype -->
        <resource-owners name="resource owners name">scalar value</resource-owners>

    </oauth>

    <!-- secret: Required -->
    <!-- secure: One of true; false; "auto" -->
    <!-- samesite: One of null; "lax"; "strict" -->
    <remember-me
        secret=""
        token-provider=""
        catch-exceptions="true"
        name="REMEMBERME"
        lifetime="31536000"
        path="/"
        domain="null"
        secure="false"
        httponly="true"
        samesite="null"
        always-remember-me="false"
        remember-me-parameter="_remember_me"
    >

        <!-- prototype -->
        <user-provider>scalar value</user-provider>

    </remember-me>

</firewall>

<!-- prototype -->
<!--
    path: use the urldecoded format;
          Example: ^/path to resource/
-->
<rule
    requires-channel="null"
    path="null"
    host="null"
    port="null"
    allow-if="null"
>

    <!-- prototype -->
    <ip>scalar value</ip>

    <!-- prototype -->
    <method>scalar value</method>

    <!-- prototype -->
    <role>scalar value</role>

</rule>

<!-- prototype -->
<role id="role id">

    <!-- prototype -->
    <id>scalar value</id>

</role>

Member

FYI: rule is configured to be the singular version of access_control (like path is the singular element of a paths list in YAML).

<!-- ... -->
<rule path="^/cart/checkout"
role="IS_AUTHENTICATED_ANONYMOUSLY"
port="8080"
/>
</config>
</srv:container>

.. code-block:: php

// config/packages/security.php
$container->loadFromExtension('security', [
// ...
'access_control' => [
[
'path' => '^/cart/checkout',
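Review bot: the PHP block in this hunk stops at `'path' => '^/cart/checkout',` with the remaining context collapsed, so the matching `port` entry and the closing `]);` that the new `$container->loadFromExtension('security', [` wrapper requires cannot be checked here; please confirm the full block still parses. The XML question raised in the thread is settled: `rule` is the singular of `access_control` and sits directly under `<config>`, which the added `<config>` and `<!-- ... -->` lines now reflect, and no separate `access_control` node is needed. Worth keeping in mind for the surrounding prose that this rule uses `role="IS_AUTHENTICATED_ANONYMOUSLY"`, so it restricts the port the path is reachable on, not who may reach it.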
@@ -396,16 +405,20 @@ the user will be redirected to ``https``:
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd">

<rule path="^/cart/checkout"
role="IS_AUTHENTICATED_ANONYMOUSLY"
requires-channel="https"
/>
<config>
<!-- ... -->
<rule path="^/cart/checkout"
role="IS_AUTHENTICATED_ANONYMOUSLY"
requires-channel="https"
/>
</config>
</srv:container>

.. code-block:: php

// config/packages/security.php
$container->loadFromExtension('security', [
// ...
'access_control' => [
[
'path' => '^/cart/checkout',
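Review bot: same truncation as in the port example: the PHP block ends at `'path' => '^/cart/checkout',`, so the `requires_channel` entry and the closing `]);` fall outside the visible context; confirm locally that the file parses now that the `$container->loadFromExtension('security', [` wrapper is in place. The XML block gets the same `<config>` wrapper and `<!-- ... -->` placeholder as the other examples in this file, which keeps the three tabs consistent. One documentation point on the context line `the user will be redirected to ``https``:` for a later PR: a redirect means the first request still travels in clear text, so a cross-reference to secure cookies or HSTS would round out the section.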
2 changes: 1 addition & 1 deletion security/form_login_setup.rst
@@ -254,7 +254,7 @@ a traditional HTML form that submits to ``/login``:

.. code-block:: php

// app/config/security.php
// config/packages/security.php
use App\Security\LoginFormAuthenticator;

$container->loadFromExtension('security', [
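Review bot: worth a quick grep for remaining `app/config/` mentions in the YAML and XML tabs of this same section, which are outside the visible context, since this hunk only fixes the PHP tab's header comment (`// app/config/security.php` becomes `// config/packages/security.php`) and the PR title promises correct paths throughout. The `use App\Security\LoginFormAuthenticator;` line keeps its position between the comment and `$container->loadFromExtension('security', [`, which is fine.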