Symfony2 - 2 firewalls, 1 login


Question

Question: I want to create an admin part in my Symfony2 website that would be available only to users with ROLE_ADMIN.

I don't know if I should create a new firewall or use access controls. I tried to do both together, but the admin part is still accessible to all users.

Currently the whole website is under the secured_area firewall, and the pages I want available to anonymous users are freed with access control.

Here is my security.yml:

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        my_facebook_provider:
            id: my_user.facebook_provider

    # Firewalls are matched top to bottom; the first one whose pattern
    # matches the request handles it.
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        login:
            pattern:  ^/login$
            security: false
            context: login

        admin:
            pattern: /admin/
            form_login:
                provider: fos_userbundle
                check_path: /login_check
                login_path: /login
            anonymous: ~

        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login_check
                default_target_path: tk_group_homepage
                provider: fos_userbundle
                remember_me: true
                csrf_provider: form.csrf_provider
            remember_me:
                key: "%secret%"     # quoted: a bare leading % is a YAML directive marker
                lifetime: 31536000  # 365 days in seconds
            fos_facebook:
                app_url: "%api_facebook_name%"
                server_url: "%api_facebook_server%"
                check_path: /login_facebook_check
                default_target_path: tk_user_homepage
                provider: my_facebook_provider
            logout:
                path:   fos_user_security_logout
                target: fos_user_security_login
                invalidate_session: false
            context: login

    # Rules are evaluated top to bottom; the first rule whose path regex
    # matches is the only one applied to the request.
    access_control:
        - { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/new, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/invitation, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/(subscribe|about|blog|press|contact), role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/admin/, role: ROLE_ADMIN }

I am also thinking about checking in the controller whether the user has an admin role and throwing an exception if not, as my admin part is only one page currently. But I do not know if that is best practice, and it could be a problem if I want to extend my admin part.

And I do not want to create a new user provider, as there would only be 2 admins.

Thank you very much, Jules

Accepted answer

You should remove the admin firewall and rely on access_control. If you have an admin login form under the /admin/ URL, you of course will not be able to see it before logging in, so you should either use the /login form to sign in as admin, or modify your access_control:

   - { path: ^/admin/login/, role: IS_AUTHENTICATED_ANONYMOUSLY }
   - { path: ^/admin/, role: ROLE_ADMIN }

Here is what the official doc says about your situation:

  1. Multiple firewalls don't share security context. If you're using multiple firewalls and you authenticate against one firewall, you will not be authenticated against any other firewalls automatically. Different firewalls are like different security systems. To do this you have to explicitly specify the same Firewall Context for different firewalls. But usually for most applications, having one main firewall is enough.

http://symfony.com/doc/current/book/security.html#book-security-common-pitfalls

You should read the whole Common pitfalls section.

If you would really like to use different firewalls, just do as the documentation states and share the same firewall context between them. This is also described in the documentation: http://symfony.com/doc/current/reference/configuration/security.html#reference-security-firewall-context

Here is a simple example:

    admin:
        (... other options ...)
        context: my_security_context

    secured_area:
        context: my_security_context
        (... other options ...)
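Added example, not part of the question or the answer above and not Symfony's own code: a small model of how Symfony's access_control is evaluated, using the exact rule list from the question's security.yml and the `^/admin/login/` rule the answer suggests. Symfony walks the rules top to bottom and applies the first one whose path regex matches (its RequestMatcher runs an unanchored `preg_match` on the path info), so in the question's ordering the catch-all `^/` with IS_AUTHENTICATED_REMEMBERED swallows every `/admin/...` request and the `^/admin/` ROLE_ADMIN rule is never reached, which is exactly why any logged-in user can open the admin part. The request paths, the user role sets and the authentication levels are constructed test inputs; the role-hierarchy expansion mirrors the question's `role_hierarchy` block.

```python
import re

# Rules copied from the question's security.yml, in the original order.
ORIGINAL_RULES = [
    (r"^/$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/new", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/invitation", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/(subscribe|about|blog|press|contact)", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "IS_AUTHENTICATED_REMEMBERED"),
    (r"^/admin/", "ROLE_ADMIN"),  # never reached: ^/ above already matched
]

# Same rules with the specific ones moved in front of the catch-all, plus the
# ^/admin/login/ exception from the answer placed before ^/admin/.
FIXED_RULES = [
    (r"^/admin/login/", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/", "ROLE_ADMIN"),
    (r"^/$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/new", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/invitation", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/(subscribe|about|blog|press|contact)", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "IS_AUTHENTICATED_REMEMBERED"),  # catch-all goes last
]

# Mirrors the question's role_hierarchy: parent role -> roles it implies.
ROLE_HIERARCHY = {
    "ROLE_ADMIN": {"ROLE_USER"},
    "ROLE_SUPER_ADMIN": {"ROLE_ADMIN"},
}


def required_role(rules, path):
    """Role demanded by the first matching rule, or None if no rule matches.

    Symfony's RequestMatcher uses an unanchored preg_match on the path, so
    re.search (not re.fullmatch) is the faithful equivalent.
    """
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None


def effective_roles(roles):
    """Expand a user's roles transitively through ROLE_HIERARCHY."""
    seen = set(roles)
    stack = list(roles)
    while stack:
        for child in ROLE_HIERARCHY.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def is_granted(required, user_roles, authenticated):
    """authenticated is one of 'anonymous', 'remembered', 'full'."""
    if required == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    if required == "IS_AUTHENTICATED_REMEMBERED":
        return authenticated in ("remembered", "full")
    if required == "IS_AUTHENTICATED_FULLY":
        return authenticated == "full"
    return required in effective_roles(user_roles)


def can_access(rules, path, user_roles=(), authenticated="full"):
    """True if the first matching access_control rule lets this user through."""
    required = required_role(rules, path)
    if required is None:
        return True  # no rule matched; only the firewall itself applies
    return is_granted(required, user_roles, authenticated)


if __name__ == "__main__":
    # Constructed request: an ordinary logged-in user hits the admin page.
    print("original:", can_access(ORIGINAL_RULES, "/admin/dashboard", ["ROLE_USER"]))
    print("fixed:   ", can_access(FIXED_RULES, "/admin/dashboard", ["ROLE_USER"]))
```

The same first-match rule is why the answer's `^/admin/login/` line has to sit above `^/admin/`: reversed, the ROLE_ADMIN rule would match the login URL first and lock out the very user who needs to log in. Firewalls are matched the same way, which is also why the separate `admin` firewall is redundant once the ordering is right.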
