Symfony2 - 2 firewalls, 1 login
Question
Question: I want to create an admin part in my Symfony2 website that would be available only to users with ROLE_ADMIN.
I don't know if I should create a new firewall or use access controls. I tried to do both together, but the admin part is still accessible to all users.
Currently the whole website is under the secured_area firewall, and pages I want available to anonymous users are freed with access control.
Here is my security.yml:
```yaml
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        my_facebook_provider:
            id: my_user.facebook_provider

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern:  ^/login$
            security: false
            context:  login
        admin:
            pattern: /admin/
            form_login:
                provider:   fos_userbundle
                check_path: /login_check
                login_path: /login
            anonymous: ~
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path:          /login
                check_path:          /login_check
                default_target_path: tk_group_homepage
                provider:            fos_userbundle
                remember_me:         true
                csrf_provider:       form.csrf_provider
            remember_me:
                key:      "%secret%"
                lifetime: 31536000 # 365 days in seconds
            fos_facebook:
                app_url:             "%api_facebook_name%"
                server_url:          "%api_facebook_server%"
                check_path:          /login_facebook_check
                default_target_path: tk_user_homepage
                provider:            my_facebook_provider
            logout:
                path:               fos_user_security_logout
                target:             fos_user_security_login
                invalidate_session: false
            context: login

    access_control:
        - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/new, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/invitation, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/(subscribe|about|blog|press|contact), role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/admin/, role: ROLE_ADMIN }
```
I am also thinking about checking in the controller if the user has an admin role and throwing an exception if not, as my admin part is only one page currently. But I do not know if it is best practice, and it could be a problem if I want to extend my admin part.
And I do not want to create a new user provider, as there would be only 2 admins.
Thank you very much, Jules
Accepted answer
You should remove the admin firewall and rely on access_control; if you have an admin login form under the /admin/ URL, you of course will not be able to see it before logging in, so you should either use the /login form to sign in as admin, or modify your access_control:

```yaml
- { path: ^/admin/login/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
```
Here is what the official doc says about your situation:

- Multiple firewalls don't share security context: If you're using multiple firewalls and you authenticate against one firewall, you will not be authenticated against any other firewalls automatically. Different firewalls are like different security systems. To do this you have to explicitly specify the same Firewall Context for different firewalls. But usually for most applications, having one main firewall is enough.

http://symfony.com/doc/current/book/security.html#book-security-common-pitfalls

You should read the whole Common pitfalls section.
If you would really, really like to use different firewalls, just do as the documentation states and share the same firewall context between them. This is also described in the documentation: http://symfony.com/doc/current/reference/configuration/security.html#reference-security-firewall-context

Here is a simple example:

```yaml
admin:
    # (... other options ...)
    context: my_security_context
secured_area:
    context: my_security_context
    # (... other options ...)
```
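One more thing worth checking in the question's configuration, independent of the firewall question: Symfony applies only the first access_control rule whose path regex matches a request, so rule order matters. In the question's list the catch-all `^/` rule (IS_AUTHENTICATED_REMEMBERED) sits above `^/admin/` (ROLE_ADMIN), so the admin rule is never reached and any logged-in user satisfies the rule that does apply to /admin/. The script below is an added example, not code from the original answer or from Symfony; it models that first-match evaluation over the question's rules and over a reordered copy that also includes the answer's `^/admin/login/` entry. The paths in `sample` are constructed for illustration.

```python
import re

# The question's access_control list, copied in its original order.
ORIGINAL_RULES = [
    (r"^/$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/new", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/invitation", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/(subscribe|about|blog|press|contact)", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "IS_AUTHENTICATED_REMEMBERED"),  # catch-all: also matches /admin/...
    (r"^/admin/", "ROLE_ADMIN"),             # shadowed by the catch-all above
]

# Same rules with the admin entries placed first, so they win the match
# for /admin/... before the catch-all is consulted.
FIXED_RULES = (
    [(r"^/admin/login/", "IS_AUTHENTICATED_ANONYMOUSLY"), (r"^/admin/", "ROLE_ADMIN")]
    + [rule for rule in ORIGINAL_RULES if rule[0] != r"^/admin/"]
)


def required_role(rules, path):
    """Return the role demanded by the first rule whose regex matches `path`.

    This mirrors Symfony's first-match-wins access_control evaluation
    (a constructed model, not Symfony's own code). None means no rule
    matched, in which case access_control imposes no requirement.
    """
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None


def audit(rules, paths):
    """Map each path to the role that protects it under `rules`."""
    return {path: required_role(rules, path) for path in paths}


if __name__ == "__main__":
    sample = ["/", "/admin/", "/admin/users", "/admin/login/", "/blog/post-1"]
    for label, rules in (("original order", ORIGINAL_RULES), ("admin rules first", FIXED_RULES)):
        print(label)
        for path, role in audit(rules, sample).items():
            print(f"  {path:16} -> {role}")
```

Running it shows /admin/ and /admin/users resolving to IS_AUTHENTICATED_REMEMBERED under the original order and to ROLE_ADMIN once the admin rules come first.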