Symfony: multiple firewall contexts - user is redirected to the wrong context

I have a login for the interface (which is optional) and another login for the admin panel, which is required.

When the user goes to fe_login, he can enter the frontend context. This is fine!

When they go to admin_login, they must enter the admin context. This is not OK.

The problem is that when I go to /admin, I get redirected to fe_login, when I need to be redirected to admin_login.

Here is my security.yml:

    security:
        encoders:
            App\FrontendBundle\Controller\UserController:
                algorithm: bcrypt
            App\AdminBundle\Controller\UserController:
                algorithm: bcrypt
            App\Entity\User:
                algorithm: bcrypt

        providers:
            administrators:
                entity: { class: AppEntity:User, property: username }

        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false

            admin:
                pattern: ^/admin
                form_login:
                    login_path: admin_login
                    check_path: admin_auth
                    csrf_provider: form.csrf_provider
                logout:
                    path: admin_logout
                    target: admin_login

            frontend:
                anonymous: ~
                form_login:
                    login_path: fe_login
                    check_path: fe_auth
                    csrf_provider: form.csrf_provider
                    always_use_default_target_path: true
                    default_target_path: fe_landing
                logout:
                    path: fe_logout
                    target: fe_landing

            login:
                pattern: ^/admin/login
                anonymous: ~

            default:
                anonymous: ~

        access_control:
            - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }

Any idea what I'm doing wrong?

+6
3 answers

I am not entirely sure of the reason, but you should keep your security.yml really sharp now, to avoid missing configuration (which could lead to security issues).

So, regarding your file:

  • it is missing the pattern key in the frontend section: I would add pattern: ^/
  • the login firewall for the frontend can be declared the same way as for the backend one
  • the order of your rules makes me think that something is wrong.

This is the version you should check:

    security:
        encoders:
            App\FrontendBundle\Controller\UserController:
                algorithm: bcrypt
            App\AdminBundle\Controller\UserController:
                algorithm: bcrypt
            App\Entity\User:
                algorithm: bcrypt

        providers:
            administrators:
                entity: { class: AppEntity:User, property: username }

        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false

            login_admin:
                pattern: ^/admin/login
                anonymous: ~

            admin:
                pattern: ^/admin
                form_login:
                    login_path: admin_login
                    check_path: admin_auth
                    csrf_provider: form.csrf_provider
                logout:
                    path: admin_logout
                    target: admin_login

            login_frontend:
                pattern: ^/login # you should adapt this to your app
                anonymous: ~

            frontend:
                pattern: ^/
                anonymous: ~
                form_login:
                    login_path: fe_login
                    check_path: fe_auth
                    csrf_provider: form.csrf_provider
                    always_use_default_target_path: true
                    default_target_path: fe_landing
                logout:
                    path: fe_logout
                    target: fe_landing

        access_control:
            - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }
+2

Here is my security.yml, but as I said, this is for Symfony 2.0; maybe you will find a hint in it.

    security:
        encoders:
            ### ...

        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

        providers:
            fos_userbundle:
                id: fos_user.user_manager
            admin_adminbundle:
                id: custom_admin_manager_id

        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false

            admin:
                pattern: ^/admin/
                form_login:
                    check_path: /admin/check-login
                    login_path: /admin/login
                    provider: admin_adminbundle
                    csrf_provider: form.csrf_provider
                    post_only: true
                    success_handler: login_success_handler
                    failure_handler: admin_login_failure_handler
                    username_parameter: login_username
                    password_parameter: login_password
                    remember_me: false
                logout:
                    path: /admin/logout
                    target: /admin/login
                anonymous: true

            frontend:
                pattern: ^/
                form_login:
                    check_path: /frontend/check-login
                    login_path: /frontend/login
                    provider: fos_userbundle
                    csrf_provider: form.csrf_provider
                    post_only: true
                    success_handler: login_success_handler
                    failure_handler: login_failure_handler
                    username_parameter: login_username
                    password_parameter: login_password
                logout:
                    path: /frontend/logout
                    success_handler: logout_success_handler
                anonymous: true

        access_control:
            - { path: ^/frontend/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
+3

You have several firewalls that seem unnecessary. Let's simplify your firewall configuration:

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        admin:
            pattern: ^/admin
            form_login:
                login_path: admin_login
                check_path: admin_auth
                csrf_provider: form.csrf_provider
            logout:
                path: admin_logout
                target: admin_login
            anonymous: ~

        frontend:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: fe_login
                check_path: fe_auth
                csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: fe_landing
            logout:
                path: fe_logout
                target: fe_landing

    access_control:
        # allow unauthenticated to access admin login
        - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # restrict admin access
        - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }
        # allow unauthenticated to access front end login
        - { path: ^/fe/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # restrict front end access
        - { path: ^/fe, roles: ROLE_USER } # or whatever the role is of your frontend user
        # allow all other pages to be viewed by unauthenticated users
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }

This configuration makes it so that all pages under /fe require front-end authorization, and all pages under /admin require administrator authorization. All other pages are not protected at all. You can customize it as you wish.

The access_control order is important. Once a rule matches, no other entries are tried. This configuration should work so that the correct login is displayed. However, it doesn't look like you are using a different provider for each firewall, so when you log in, the application will use the same provider for both logins. It may or may not be what you intend, but I thought I'd point it out. If you need a different custom provider for each login, just add provider: ProviderName to each firewall.

+1
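Both answers above hinge on one rule: Symfony picks the first firewall whose pattern matches the request path (a firewall with no pattern matches every request), and likewise applies only the first matching access_control entry. The script below is an added illustration, not code from the question or the answers and not Symfony's own code; it re-implements that first-match selection in plain Python over the patterns quoted on this page so you can trace which firewall and which rule a given URL ends up in. It assumes the question's `admin_login` route lives under /admin/login, which the page's access_control suggests but does not state.

```python
import re

# Firewalls in declaration order, copied from the question's security.yml.
# None stands for a firewall declared without a pattern (matches everything).
QUESTION_FIREWALLS = [
    ("dev", r"^/(_(profiler|wdt)|css|images|js)/"),
    ("admin", r"^/admin"),
    ("frontend", None),
    ("login", r"^/admin/login"),   # declared after ^/admin, so it is shadowed
    ("default", None),
]

# The first answer's reordering: the anonymous login firewalls are declared
# BEFORE the firewall that protects their area, and frontend gets pattern ^/.
ANSWER_FIREWALLS = [
    ("dev", r"^/(_(profiler|wdt)|css|images|js)/"),
    ("login_admin", r"^/admin/login"),
    ("admin", r"^/admin"),
    ("login_frontend", r"^/login"),
    ("frontend", r"^/"),
]

# access_control from the third answer, in the order given there.
ACCESS_CONTROL = [
    (r"^/admin/login", {"IS_AUTHENTICATED_ANONYMOUSLY"}),
    (r"^/admin", {"ROLE_ADMIN", "ROLE_MANAGER", "ROLE_DRIVER", "ROLE_PARTNER"}),
    (r"^/fe/login", {"IS_AUTHENTICATED_ANONYMOUSLY"}),
    (r"^/fe", {"ROLE_USER"}),
    (r"^/", {"IS_AUTHENTICATED_ANONYMOUSLY"}),
]

# The same rules with the two admin entries swapped: a common misordering.
MISORDERED_ACCESS_CONTROL = [ACCESS_CONTROL[1], ACCESS_CONTROL[0]] + ACCESS_CONTROL[2:]


def select_firewall(firewalls, path):
    """Return the name of the first firewall whose pattern matches `path`.

    Symfony's request matchers use an unanchored regex search, so the
    leading ^ in the configured patterns is what pins them to the path start.
    """
    for name, pattern in firewalls:
        if pattern is None or re.search(pattern, path):
            return name
    return None


def required_roles(access_control, path):
    """Return the role set of the first matching access_control rule (None if no rule matches)."""
    for pattern, roles in access_control:
        if re.search(pattern, path):
            return roles
    return None


def is_granted(user_roles, path, access_control=ACCESS_CONTROL):
    """True if the request is allowed under the first matching rule.

    IS_AUTHENTICATED_ANONYMOUSLY admits anyone, anonymous users included;
    otherwise the user must hold at least one of the listed roles.
    """
    required = required_roles(access_control, path)
    if required is None or "IS_AUTHENTICATED_ANONYMOUSLY" in required:
        return True
    return bool(required & set(user_roles))


def trace(path, firewalls=QUESTION_FIREWALLS, access_control=ACCESS_CONTROL):
    """One-line diagnostic: which firewall handles `path` and which roles it needs."""
    return f"{path}: firewall={select_firewall(firewalls, path)} roles={required_roles(access_control, path) or 'none'}"


if __name__ == "__main__":
    for p in ("/admin/login", "/admin/users", "/fe/profile", "/", "/css/app.css"):
        print("question:", trace(p))
        print("answer:  ", trace(p, ANSWER_FIREWALLS))
    # Swapped admin rules: the login page itself demands ROLE_ADMIN, so an
    # anonymous visitor is bounced to the login form in a loop.
    print("misordered /admin/login for anonymous:",
          is_granted(set(), "/admin/login", MISORDERED_ACCESS_CONTROL))
```

Running it shows why the answers insist on ordering: with the question's list, /admin/login is captured by the `admin` firewall and the dedicated `login` firewall is never reached, whereas the reordered list hands it to `login_admin`; and swapping the two ^/admin access_control entries makes the login page itself require an admin role, which is the classic redirect loop.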

Source: https://habr.com/ru/post/975967/