Symfony2 - 2 firewalls, 1 login
Question: I want to create an admin area on my Symfony2 website that is only accessible to users with ROLE_ADMIN.
I don't know if I should create a new firewall or use access controls. I tried to do both together, but the admin part is still available to all users.
The entire site is currently in a secured_area firewall, and the pages I want to be anonymous are opened up with access control.
Here is my security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        my_facebook_provider:
            id: my_user.facebook_provider

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern:  ^/login$
            security: false
            context: login
        admin:
            pattern: /admin/
            form_login:
                provider: fos_userbundle
                check_path: /login_check
                login_path: /login
            anonymous: ~
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
                default_target_path: tk_group_homepage
                provider: fos_userbundle
                remember_me: true
                csrf_provider: form.csrf_provider
            remember_me:
                key: "%secret%"
                lifetime: 31536000 # 365 days in seconds
            fos_facebook:
                app_url: "%api_facebook_name%"
                server_url: "%api_facebook_server%"
                check_path: /login_facebook_check
                default_target_path: tk_user_homepage
                provider: my_facebook_provider
            logout:
                path: fos_user_security_logout
                target: fos_user_security_login
                invalidate_session: false
            context: login

    access_control:
        - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/new, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/invitation, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/(subscribe|about|blog|press|contact), role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/admin/, role: ROLE_ADMIN }
I am also thinking of checking in the controller that the user has an admin role and throwing an exception if not, since my admin part is only one page right now. But I don't know if this is best practice, and it could be a problem if I want to extend my admin part.
And I don't want to create a new user, as we will only be 2 admins.
Thanks a lot, Jules
You must remove the admin firewall and rely on access_control; if you have an admin login form under the URL /admin/, you of course won't be able to see it before logging in, so you must either use the /login login form as admin or change your access_control:
    - { path: ^/admin/login/, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
Here is what the official doc says about your situation:
- Multiple firewalls don't share a security context. If you are using multiple firewalls and you authenticate against one firewall, you will not automatically be authenticated against any other firewalls. Different firewalls are like different security systems. To do this you have to explicitly specify the same firewall context for different firewalls. But usually, for most applications, having one main firewall is enough.
http://symfony.com/doc/current/book/security.html#book-security-common-pitfalls
You must read the entire Common pitfalls section.
If you really, really like using different firewalls, just do as the documentation says and share the same firewall context between them. This is documented as well: http://symfony.com/doc/current/reference/configuration/security.html#reference-security-firewall-context
and here's a simple example:
    admin:
        (... other options ...)
        context: my_security_context
    secured_area:
        context: my_security_context
        (... other options ...)
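Once the admin firewall is gone and everything under / is handled by the secured_area firewall, the remaining question is why the access_control from the question still lets every logged-in user into /admin/. Symfony's access_control is evaluated top to bottom and only the first rule whose path matches is applied, so a catch-all `^/` rule placed before `^/admin/` shadows the admin rule completely. The following Python script is an added illustration of that first-match behaviour (it is not Symfony's code and not part of the question or answer): it replays the question's rule list and the role_hierarchy against a few constructed request/user combinations, and compares it with the same list after moving the `^/admin/` rule above the catch-all.

```python
import re

# Role hierarchy copied from the question's security.yml: a role implies the roles listed for it.
ROLE_HIERARCHY = {
    "ROLE_ADMIN": ["ROLE_USER"],
    "ROLE_SUPER_ADMIN": ["ROLE_ADMIN"],
}

# Authentication levels, lowest to highest; a higher level satisfies every lower one
# (this mirrors Symfony's AuthenticatedVoter).
AUTH_LEVELS = ["IS_AUTHENTICATED_ANONYMOUSLY", "IS_AUTHENTICATED_REMEMBERED", "IS_AUTHENTICATED_FULLY"]

# The access_control list exactly as it appears in the question (misordered: ^/ comes before ^/admin/).
ORIGINAL_RULES = [
    (r"^/$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/new", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/invitation", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/(subscribe|about|blog|press|contact)", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "IS_AUTHENTICATED_REMEMBERED"),
    (r"^/admin/", "ROLE_ADMIN"),
]

# Same rules, with the most specific admin rule moved in front of the ^/ catch-all.
FIXED_RULES = [rule for rule in ORIGINAL_RULES if rule[0] not in (r"^/", r"^/admin/")] + [
    (r"^/admin/", "ROLE_ADMIN"),
    (r"^/", "IS_AUTHENTICATED_REMEMBERED"),
]


def expand_roles(roles, hierarchy=ROLE_HIERARCHY):
    """Return the given roles plus every role they imply, transitively."""
    result = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(hierarchy.get(role, []))
    return result


def first_matching_rule(rules, path):
    """Return the first (pattern, requirement) whose regex matches the request path, or None."""
    for pattern, required in rules:
        if re.search(pattern, path):
            return pattern, required
    return None


def is_granted(rules, path, auth_level, roles=()):
    """Decide access for one request: auth_level is one of AUTH_LEVELS, roles the user's granted roles."""
    match = first_matching_rule(rules, path)
    if match is None:
        # No access_control entry matches: access_control imposes nothing on this path.
        return True
    _, required = match
    if required in AUTH_LEVELS:
        return AUTH_LEVELS.index(auth_level) >= AUTH_LEVELS.index(required)
    return required in expand_roles(roles)


if __name__ == "__main__":
    # Constructed scenario: an ordinary remembered user (ROLE_USER only) requests /admin/.
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        rule = first_matching_rule(rules, "/admin/")
        granted = is_granted(rules, "/admin/", "IS_AUTHENTICATED_REMEMBERED", ["ROLE_USER"])
        print(f"{name:8s} /admin/ -> matched rule {rule}, plain user granted: {granted}")
```

The run shows that with the original ordering the `^/` rule is the one applied to /admin/, so any remembered user gets in, while the reordered list requires ROLE_ADMIN (which ROLE_SUPER_ADMIN inherits through the role_hierarchy). The same first-match principle applies to the answer's suggested `^/admin/login/` rule: it only works if it sits above `^/admin/`.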