Symfony2 Firewall: security / web folder

I am developing an SF2 web application that is completely behind a firewall: no one should see or change anything before logging in (other than the login form, of course).

So here is the firewall portion of my security.yml file:

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main_login:
        pattern:   ^/login$
        anonymous: true
    main:
        pattern:        ^/
        anonymous:      false
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            path:       fos_user_security_logout
            target:     /

This works great: if I type the URL http://mywebsite.com/app.php/article/show/1 and I am not logged in, I am redirected to the login page.

My problem is that I have multiple documents and media located in the Symfony web directory (for example myapp/web/document/myTextFile.txt). They are available through my application for registered users, but also for unregistered users!

Anyone who types http://mywebsite.com/app.php/document/myTextFile.txt can download the file...

Why doesn't the pattern: ^/ string catch this? Is the web folder excluded by default because it contains app.php as well as the js/ and css/ folders?

How can I protect my documents?


Update: displaying protected images

I tried the solution Jerry suggested; it works great for securing the download of my documents.

However, I also have photos in my document folder, and I would like to display these images directly inside the respective pages.

For example, at http://mywebsite.com/app.php/article/show/1 there will be text and the image myapp/app/Resources/document/AAA.jpg, at http://mywebsite.com/app.php/article/show/2 there will be text and the image myapp/app/Resources/document/BBB.jpg, etc.

I tried to do this with Assetic, but it seems to be meant for "static" images (like the top logo, or images that do not depend on an object).

The solution I see is to convert the image to Base64 and include it like this: <img alt="" src="data:image/png;base64,(...)" />

but that seems really ugly...

+3




2 answers


The web directory is your public root directory, served directly by the web server (Apache / Nginx / ...).

By default, any request for an existing file in that directory never reaches Symfony at all, so no firewall setting will prevent access to files located in the web root.

A clean solution is to move these files to a directory outside of the web root, for example app/Resources/uploads. Then you can write a Symfony controller to serve those files.

+1


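The controller the answer describes, as an added example that is not part of the original answer or of any project's code. It assumes a Symfony 2 Standard Edition project with SensioFrameworkExtraBundle routing annotations, a bundle named Acme\DocumentBundle, a route named protected_document and a storage directory app/Resources/document; all of these names are assumptions. Because every request for /document/{name} now goes through app.php, the `main` firewall (pattern ^/, anonymous: false) redirects unauthenticated visitors to the login form before the action runs; the explicit isGranted() check and the realpath() containment check are there so that a later firewall change or a crafted file name cannot expose files outside the intended directory.

```php
<?php
// src/Acme/DocumentBundle/Controller/DocumentController.php
// Added example: serve files stored OUTSIDE web/ so that every request passes
// through app.php and therefore through the Symfony firewall.
// Bundle name, route name and storage directory are assumptions.
namespace Acme\DocumentBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

class DocumentController extends Controller
{
    /**
     * @Route("/document/{name}", name="protected_document", requirements={"name"="[^/]+"})
     */
    public function showAction($name)
    {
        // The "main" firewall already forces a login for ^/, but state the
        // requirement here too so the action stays safe if security.yml changes.
        if (!$this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
            throw new AccessDeniedHttpException();
        }

        // Assumed storage directory: app/Resources/document (kernel.root_dir is app/).
        // It is outside web/, so Apache/Nginx never serve it directly.
        $baseDir = realpath($this->container->getParameter('kernel.root_dir') . '/Resources/document');

        // Only accept a bare file name: no "../", no absolute paths, no subdirectories.
        if ($baseDir === false || $name === '' || $name !== basename($name)) {
            throw new NotFoundHttpException();
        }

        // realpath() resolves symlinks and ".."; the result must stay under $baseDir.
        $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
        if ($path === false
            || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
            || !is_file($path)) {
            throw new NotFoundHttpException();
        }

        // BinaryFileResponse streams the file and guesses its Content-Type.
        $response = new BinaryFileResponse($path);

        // Images are sent inline so they can be used as <img src="..."> in a page;
        // everything else is offered as a download.
        $inline = (bool) preg_match('/\.(jpe?g|png|gif)$/i', $name);
        $response->setContentDisposition(
            $inline ? ResponseHeaderBag::DISPOSITION_INLINE : ResponseHeaderBag::DISPOSITION_ATTACHMENT,
            $name
        );
        // Stop browsers from sniffing a text upload into HTML.
        $response->headers->set('X-Content-Type-Options', 'nosniff');

        return $response;
    }
}
```

With this in place a page can embed a protected image with `<img src="{{ path('protected_document', {'name': 'AAA.jpg'}) }}" />` in Twig: the browser sends the session cookie with the image request, so the same firewall decision applies to the image as to the page, and no Base64 inlining is needed. Deleting the now-unused web/document directory is still worthwhile, since anything left in the web root remains reachable without ever touching Symfony.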


I don't have a working Symfony installation right now, but try moving your documents out of the web folder if the firewall is to keep applying.

Let me know; I'll try to find a solution if it doesn't work, or if you can't move these files in production.

0

