Symfony安全性:使用会话或oauth进行身份验证 [英] Symfony Security: Auth with session or oauth

问题描述

我已经开发了REST API，有两种连接方法:会话和oauth. 基本上，我的网站将使用会话模式，而第三方软件将使用oauth模式.

I have developed a REST API, there are two ways to connect to it: session and oauth. Basically, my website will use the session mode and third-party softwares will use the oauth mode.

我设法使会话和oauth模式都可以在symfony中工作，但是我不能使它们同时工作.

I managed to make make both session and oauth modes to work in symfony, but I can't make them work at the same time.

这是我的防火墙安全配置:

Here is my firewalls security config:

firewalls:
    auth_oauth_token:
        pattern:    ^/auth/oauth/v2/token
        security:   false

    api:
        pattern:    ^/api
        anonymous:  false
        fos_oauth:  true
        stateless:  true

    auth:
        pattern:    ^/
        anonymous: ~
        form_login:
            login_path: /auth/session/check
            check_path: /auth/session/login
            always_use_default_target_path: true
            default_target_path: /auth/session/check
            failure_path: /auth/session/check
            failure_forward: false
            use_forward: false
            failure_forward: false
            username_parameter: username
            password_parameter: password
            post_only: true
            remember_me: false
            require_previous_session: false
        logout:
            path: /auth/session/logout
            target: /auth/session/logged_out
            invalidate_session: false

会话处理:/auth/session. OAuth处理:/auth/oauth. api:/api.

Session handling: /auth/session. OAuth handling: /auth/oauth. Api: /api.

因此，使用此配置，首先使用"api"防火墙，我可以使用令牌登录. 但是，即使使用会话登录，如果我不指定令牌，也将无法访问.

So, with this config, with "api" firewall first, I can log in with a token. But even logged in with a session, if I don't specify the token, I won't have access.

首先使用身份验证"防火墙，我可以使用会话表单登录. 但是，即使我指定了令牌，也无法访问.

With "auth" firewall first, I can log in with the session form. But even if I specify a token, I won't have access.

我为此感到疯狂.我在堆栈上发现了一些有关链提供商的信息，我可能需要链防火墙"之类的东西...如果被禁止，请检查另一个防火墙.

I'm getting crazy with this. I found on stack overflow something about chain providers, I would probably need something like "chain firewall"... if forbidden, check another firewall.

谢谢

推荐答案

我通过复制api控制器的路由来解决，因此我有一个依赖于OAuth2的路由/api/method和一个依赖于OAuth2的路由/webapi/method在标准(主)防火墙上:

I solved by duplicating the routes of the api controllers, so that I have a route /api/method which relies on OAuth2, and a /webapi/method route which relies on the standard (main) firewall:

在security.yml中:

In security.yml:

firewalls:
    api:
        pattern:    ^/api
        fos_oauth:  true
        stateless:  true

    oauth_token:
        pattern:    ^/oauth/v2/token
        security:   false

    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /login
            check_path: /login_check
        logout:       true
        anonymous:    true

access_control:        
    - { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
    - { path: ^/web-api, roles: [ IS_AUTHENTICATED_FULLY ] }

在routing.yml中:

In routing.yml:

acme_api:
    type: rest 
    prefix: /
    resource: "@AcmeBundle/Resources/config/routing_api.yml"

在routing_api.yml中:

In routing_api.yml:

# REST API - OAUTH Access
acme_api_users:
    resource: AcmeBundle\Controller\UsersController
    type:     rest
    defaults: {_format: json}
    prefix:   /api
    name_prefix:  api_

# REST API - Frontend Client Access 
acme_webapi_users:
    resource: AcmeBundle\Controller\UsersController
    type:     rest
    defaults: {_format: json}
    prefix:   /web-api
    name_prefix:  webapi_

这篇关于Symfony安全性:使用会话或oauth进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！