From 2159bdab993c48e98c1d14099edfd998ba1d03e4 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Sun, 5 Jul 2015 10:48:20 +0200 Subject: [PATCH] review all Security code blocks --- book/security.rst | 69 ++++++--- cookbook/security/access_control.rst | 33 ++-- cookbook/security/acl.rst | 22 ++- cookbook/security/csrf_in_login_form.rst | 36 +++-- .../custom_authentication_provider.rst | 125 ++++++++++----- cookbook/security/custom_provider.rst | 88 ++++++++--- cookbook/security/entity_provider.rst | 71 +++++---- cookbook/security/force_https.rst | 89 ++++++++--- cookbook/security/form_login.rst | 144 +++++++++++++----- cookbook/security/form_login_setup.rst | 69 ++++++--- cookbook/security/impersonating_user.rst | 25 ++- cookbook/security/multiple_user_providers.rst | 1 + cookbook/security/pre_authenticated.rst | 17 ++- cookbook/security/remember_me.rst | 43 +++--- cookbook/security/securing_services.rst | 58 ++++--- cookbook/security/voters.rst | 65 +++++--- cookbook/security/voters_data_permission.rst | 7 +- 17 files changed, 657 insertions(+), 305 deletions(-) diff --git a/book/security.rst b/book/security.rst index e99e70b6a6b..b52d3bde44a 100644 --- a/book/security.rst +++ b/book/security.rst @@ -67,7 +67,7 @@ configuration looks like this: + security="false" /> @@ -81,7 +81,7 @@ configuration looks like this: $container->loadFromExtension('security', array( 'providers' => array( 'in_memory' => array( - 'memory' => array(), + 'memory' => null, ), ), 'firewalls' => array( @@ -209,6 +209,8 @@ user to be logged in to access this URL: # ... firewalls: # ... + default: + # ... access_control: # require ROLE_ADMIN for /admin* @@ -231,10 +233,8 @@ user to be logged in to access this URL: - - - - + + @@ -541,13 +541,14 @@ like this: http://symfony.com/schema/dic/services/services-1.0.xsd"> + + - @@ -555,6 +556,8 @@ like this: // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'providers' => array( 'in_memory' => array( 'memory' => array( @@ -691,8 +694,11 @@ URL pattern. You saw this earlier, where anything matching the regular expressio # app/config/security.yml security: # ... + firewalls: # ... + default: + # ... access_control: # require ROLE_ADMIN for /admin* @@ -715,10 +721,8 @@ URL pattern. You saw this earlier, where anything matching the regular expressio - - - - + + @@ -727,6 +731,7 @@ URL pattern. You saw this earlier, where anything matching the regular expressio // app/config/security.php $container->loadFromExtension('security', array( // ... + 'firewalls' => array( // ... 'default' => array( @@ -755,6 +760,7 @@ matches the URL. # app/config/security.yml security: # ... + access_control: - { path: ^/admin/users, roles: ROLE_SUPER_ADMIN } - { path: ^/admin, roles: ROLE_ADMIN } @@ -771,10 +777,9 @@ matches the URL. - - - - + + + @@ -783,6 +788,7 @@ matches the URL. // app/config/security.php $container->loadFromExtension('security', array( // ... + 'access_control' => array( array('path' => '^/admin/users', 'role' => 'ROLE_SUPER_ADMIN'), array('path' => '^/admin', 'role' => 'ROLE_ADMIN'), @@ -1037,13 +1043,14 @@ the firewall can handle this automatically for you when you activate the # app/config/security.yml security: + # ... + firewalls: secured_area: # ... logout: path: /logout target: / - # ... .. code-block:: xml @@ -1056,11 +1063,12 @@ the firewall can handle this automatically for you when you activate the http://symfony.com/schema/dic/services/services-1.0.xsd"> - + + + - @@ -1068,13 +1076,14 @@ the firewall can handle this automatically for you when you activate the // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'secured_area' => array( // ... - 'logout' => array('path' => 'logout', 'target' => '/'), + 'logout' => array('path' => '/logout', 'target' => '/'), ), ), - // ... )); Next, you'll need to create a route for this URL (but not a controller): @@ -1085,7 +1094,7 @@ Next, you'll need to create a route for this URL (but not a controller): # app/config/routing.yml logout: - path: /logout + path: /logout .. code-block:: xml @@ -1106,7 +1115,7 @@ Next, you'll need to create a route for this URL (but not a controller): use Symfony\Component\Routing\Route; $collection = new RouteCollection(); - $collection->add('logout', new Route('/logout', array())); + $collection->add('logout', new Route('/logout')); return $collection; @@ -1171,6 +1180,8 @@ rules by creating a role hierarchy: # app/config/security.yml security: + # ... + role_hierarchy: ROLE_ADMIN: ROLE_USER ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH] @@ -1186,6 +1197,8 @@ rules by creating a role hierarchy: http://symfony.com/schema/dic/services/services-1.0.xsd"> + + ROLE_USER ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH @@ -1195,6 +1208,8 @@ rules by creating a role hierarchy: // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'role_hierarchy' => array( 'ROLE_ADMIN' => 'ROLE_USER', 'ROLE_SUPER_ADMIN' => array( @@ -1224,6 +1239,8 @@ cookie will be ever created by Symfony): # app/config/security.yml security: + # ... + firewalls: main: http_basic: ~ @@ -1240,7 +1257,9 @@ cookie will be ever created by Symfony): http://symfony.com/schema/dic/services/services-1.0.xsd"> - + + + @@ -1250,8 +1269,10 @@ cookie will be ever created by Symfony): // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( - 'main' => array('http_basic' => array(), 'stateless' => true), + 'main' => array('http_basic' => null, 'stateless' => true), ), )); diff --git a/cookbook/security/access_control.rst b/cookbook/security/access_control.rst index ec09e05d4b9..1977b4ed403 100644 --- a/cookbook/security/access_control.rst +++ b/cookbook/security/access_control.rst @@ -54,12 +54,10 @@ Take the following ``access_control`` entries as an example: - - - - - - + + + + @@ -82,7 +80,7 @@ Take the following ``access_control`` entries as an example: array( 'path' => '^/admin', 'role' => 'ROLE_USER_METHOD', - 'method' => 'POST, PUT', + 'methods' => 'POST, PUT', ), array( 'path' => '^/admin', @@ -193,11 +191,10 @@ pattern so that it is only accessible by requests from the local server itself: - - - - + + @@ -208,12 +205,12 @@ pattern so that it is only accessible by requests from the local server itself: // ... 'access_control' => array( array( - 'path' => '^/esi', + 'path' => '^/internal', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'ips' => '127.0.0.1, ::1' ), array( - 'path' => '^/esi', + 'path' => '^/internal', 'role' => 'ROLE_NO_ACCESS' ), ), @@ -270,11 +267,9 @@ the user will be redirected to ``https``: xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd"> - - - + .. code-block:: php diff --git a/cookbook/security/acl.rst b/cookbook/security/acl.rst index c6313167c40..67d341a703e 100644 --- a/cookbook/security/acl.rst +++ b/cookbook/security/acl.rst @@ -52,20 +52,36 @@ First, you need to configure the connection the ACL system is supposed to use: # app/config/security.yml security: + # ... + acl: connection: default .. code-block:: xml - - default - + + + + + + + + default + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', 'acl', array( + // ... + 'connection' => 'default', )); diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index d957a2585b5..4db13ced455 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -26,6 +26,8 @@ provider available in the Form component: # app/config/security.yml security: + # ... + firewalls: secured_area: # ... @@ -35,17 +37,19 @@ provider available in the Form component: .. code-block:: xml - + + xsi:schemaLocation="http://symfony.com/schema/dic/services + http://symfony.com/schema/dic/services/services-1.0.xsd"> + + - @@ -55,15 +59,17 @@ provider available in the Form component: // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'secured_area' => array( // ... 'form_login' => array( // ... 'csrf_provider' => 'form.csrf_provider', - ) - ) - ) + ), + ), + ), )); The Security component can be configured further, but this is all information @@ -124,6 +130,8 @@ After this, you have protected your login form against CSRF attacks. # app/config/security.yml security: + # ... + firewalls: secured_area: # ... @@ -134,17 +142,19 @@ After this, you have protected your login form against CSRF attacks. .. code-block:: xml - + + xsi:schemaLocation="http://symfony.com/schema/dic/services + http://symfony.com/schema/dic/services/services-1.0.xsd"> + + - @@ -155,6 +165,8 @@ After this, you have protected your login form against CSRF attacks. // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'secured_area' => array( // ... @@ -162,9 +174,9 @@ After this, you have protected your login form against CSRF attacks. // ... 'csrf_parameter' => '_csrf_security_token', 'intention' => 'a_private_string', - ) - ) - ) + ), + ), + ), )); .. _`Cross-site request forgery`: http://en.wikipedia.org/wiki/Cross-site_request_forgery diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst index fb21870acaf..3f0928903c3 100644 --- a/cookbook/security/custom_authentication_provider.rst +++ b/cookbook/security/custom_authentication_provider.rst @@ -399,19 +399,24 @@ to service ids that do not exist yet: ``wsse.security.authentication.provider`` .. code-block:: yaml - # src/AppBundle/Resources/config/services.yml + # app/config/services.yml services: wsse.security.authentication.provider: class: AppBundle\Security\Authentication\Provider\WsseProvider - arguments: ["", "%kernel.cache_dir%/security/nonces"] + arguments: + - "" # User Provider + - "%kernel.cache_dir%/security/nonces" + public: false wsse.security.authentication.listener: class: AppBundle\Security\Firewall\WsseListener arguments: ["@security.context", "@security.authentication.manager"] + public: false .. code-block:: xml - + + @@ -424,8 +429,10 @@ to service ids that do not exist yet: ``wsse.security.authentication.provider`` - + class="AppBundle\Security\Firewall\WsseListener" + public="false"> + + @@ -433,27 +440,33 @@ to service ids that do not exist yet: ``wsse.security.authentication.provider`` .. code-block:: php - // src/AppBundle/Resources/config/services.php + // app/config/services.php use Symfony\Component\DependencyInjection\Definition; use Symfony\Component\DependencyInjection\Reference; - $container->setDefinition('wsse.security.authentication.provider', - new Definition( - 'AppBundle\Security\Authentication\Provider\WsseProvider', array( - '', - '%kernel.cache_dir%/security/nonces', + $container + ->setDefinition('wsse.security.authentication.provider', + new Definition( + 'AppBundle\Security\Authentication\Provider\WsseProvider', array( + '', // User Provider + '%kernel.cache_dir%/security/nonces', + ) ) ) - ); - - $container->setDefinition('wsse.security.authentication.listener', - new Definition( - 'AppBundle\Security\Firewall\WsseListener', array( - new Reference('security.context'), - new Reference('security.authentication.manager'), + ->setPublic(false) + ; + + $container + ->setDefinition('wsse.security.authentication.listener', + new Definition( + 'AppBundle\Security\Firewall\WsseListener', array( + new Reference('security.context'), + new Reference('security.authentication.manager'), + ) ) ) - ); + ->setPublic(false) + ; Now that your services are defined, tell your security context about your factory in your bundle class: @@ -484,30 +497,48 @@ You are finished! You can now define parts of your app as under WSSE protection. .. code-block:: yaml + # app/config/security.yml security: + # ... + firewalls: wsse_secured: - pattern: /api/.* + pattern: ^/api/ stateless: true wsse: true .. code-block:: xml - - - - - - + + + + + + + + + + .. code-block:: php + // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'wsse_secured' => array( - 'pattern' => '/api/.*', - 'stateless' => true, - 'wsse' => true, + 'pattern' => '^/api/', + 'stateless' => true, + 'wsse' => true, ), ), )); @@ -587,32 +618,46 @@ set to any desirable value per firewall. .. code-block:: yaml + # app/config/security.yml security: + # ... + firewalls: wsse_secured: - pattern: /api/.* + pattern: ^/api/ stateless: true wsse: { lifetime: 30 } .. code-block:: xml - - - - - - + + + + + + + + + + + + .. code-block:: php + // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'wsse_secured' => array( - 'pattern' => '/api/.*', + 'pattern' => '^/api/', 'stateless' => true, - 'wsse' => array( + 'wsse' => array( 'lifetime' => 30, ), ), diff --git a/cookbook/security/custom_provider.rst b/cookbook/security/custom_provider.rst index 5ba3ac7c986..0f4e8d4f9e9 100644 --- a/cookbook/security/custom_provider.rst +++ b/cookbook/security/custom_provider.rst @@ -175,21 +175,29 @@ Now you make the user provider available as a service: .. code-block:: yaml - # src/Acme/WebserviceUserBundle/Resources/config/services.yml + # app/config/services.yml services: webservice_user_provider: class: Acme\WebserviceUserBundle\Security\User\WebserviceUserProvider .. code-block:: xml - - - - + + + + + + + + .. code-block:: php - // src/Acme/WebserviceUserBundle/Resources/config/services.php + // app/config/services.php use Symfony\Component\DependencyInjection\Definition; $container->setDefinition( @@ -221,6 +229,8 @@ to the list of providers in the "security" section. Choose a name for the user p # app/config/security.yml security: + # ... + providers: webservice: id: webservice_user_provider @@ -228,14 +238,26 @@ to the list of providers in the "security" section. Choose a name for the user p .. code-block:: xml - - - + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'providers' => array( 'webservice' => array( 'id' => 'webservice_user_provider', @@ -253,20 +275,35 @@ users, e.g. by filling in a login form. You can do this by adding a line to the # app/config/security.yml security: + # ... + encoders: Acme\WebserviceUserBundle\Security\User\WebserviceUser: sha512 .. code-block:: xml - - sha512 - + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'encoders' => array( 'Acme\WebserviceUserBundle\Security\User\WebserviceUser' => 'sha512', ), @@ -305,6 +342,8 @@ options, the password may be encoded multiple times and encoded to base64. # app/config/security.yml security: + # ... + encoders: Acme\WebserviceUserBundle\Security\User\WebserviceUser: algorithm: sha512 @@ -314,18 +353,29 @@ options, the password may be encoded multiple times and encoded to base64. .. code-block:: xml - - - + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'encoders' => array( 'Acme\WebserviceUserBundle\Security\User\WebserviceUser' => array( 'algorithm' => 'sha512', diff --git a/cookbook/security/entity_provider.rst b/cookbook/security/entity_provider.rst index 6c760ef7dbf..347134229a8 100644 --- a/cookbook/security/entity_provider.rst +++ b/cookbook/security/entity_provider.rst @@ -226,23 +226,31 @@ the username and then check the password (more on passwords in a moment): .. code-block:: xml - - + + - + + - - - + - - - + + + + + - - + + + + + + + .. code-block:: php @@ -253,7 +261,9 @@ the username and then check the password (more on passwords in a moment): 'algorithm' => 'bcrypt', ), ), + // ... + 'providers' => array( 'our_db_provider' => array( 'entity' => array( @@ -264,11 +274,12 @@ the username and then check the password (more on passwords in a moment): ), 'firewalls' => array( 'default' => array( - 'pattern' => '^/', + 'pattern' => '^/', 'http_basic' => null, - 'provider' => 'our_db_provider', + 'provider' => 'our_db_provider', ), ), + // ... )); @@ -487,30 +498,37 @@ To finish this, just remove the ``property`` key from the user provider in # app/config/security.yml security: # ... + providers: our_db_provider: entity: class: AppBundle:User - # ... .. code-block:: xml - - - - - - - - - + + + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( - ..., + // ... + 'providers' => array( 'our_db_provider' => array( 'entity' => array( @@ -518,7 +536,6 @@ To finish this, just remove the ``property`` key from the user provider in ), ), ), - ..., )); This tells Symfony to *not* query automatically for the User. Instead, when diff --git a/cookbook/security/force_https.rst b/cookbook/security/force_https.rst index 63bb7b2e2b2..e5d38992edb 100644 --- a/cookbook/security/force_https.rst +++ b/cookbook/security/force_https.rst @@ -13,24 +13,44 @@ to use HTTPS then you could use the following configuration: .. code-block:: yaml - access_control: - - { path: ^/secure, roles: ROLE_ADMIN, requires_channel: https } + # app/config/security.yml + security: + # ... + + access_control: + - { path: ^/secure, roles: ROLE_ADMIN, requires_channel: https } .. code-block:: xml - - - + + + + + + + + + + .. code-block:: php - 'access_control' => array( - array( - 'path' => '^/secure', - 'role' => 'ROLE_ADMIN', - 'requires_channel' => 'https', + // app/config/security.php + $container->loadFromExtension('security', array( + // ... + + 'access_control' => array( + array( + 'path' => '^/secure', + 'role' => 'ROLE_ADMIN', + 'requires_channel' => 'https', + ), ), - ), + )); The login form itself needs to allow anonymous access, otherwise users will be unable to authenticate. To force it to use HTTPS you can still use @@ -41,26 +61,47 @@ role: .. code-block:: yaml - access_control: - - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https } + # app/config/security.yml + + security: + # ... + + access_control: + - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https } .. code-block:: xml - - - + + + + + + + + + + .. code-block:: php - 'access_control' => array( - array( - 'path' => '^/login', - 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', - 'requires_channel' => 'https', + // app/config/security.php + $container->loadFromExtension('security', array( + // ... + + 'access_control' => array( + array( + 'path' => '^/login', + 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', + 'requires_channel' => 'https', + ), ), - ), + )); It is also possible to specify using HTTPS in the routing configuration, see :doc:`/cookbook/routing/scheme` for more details. diff --git a/cookbook/security/form_login.rst b/cookbook/security/form_login.rst index 337d02a2fdf..e05e6067e58 100644 --- a/cookbook/security/form_login.rst +++ b/cookbook/security/form_login.rst @@ -52,6 +52,8 @@ if no previous page was stored in the session). To set it to the # app/config/security.yml security: + # ... + firewalls: main: form_login: @@ -61,18 +63,28 @@ if no previous page was stored in the session). To set it to the .. code-block:: xml - - - - - + + + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'main' => array( // ... @@ -101,6 +113,8 @@ of what URL they had requested previously by setting the # app/config/security.yml security: + # ... + firewalls: main: form_login: @@ -110,18 +124,29 @@ of what URL they had requested previously by setting the .. code-block:: xml - - - - - + + + + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'main' => array( // ... @@ -147,31 +172,44 @@ this by setting ``use_referer`` to true (it defaults to false): # app/config/security.yml security: + # ... + firewalls: main: + # ... form_login: # ... - use_referer: true + use_referer: true .. code-block:: xml - - - - - + + + + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'main' => array( // ... - 'form_login' => array( // ... 'use_referer' => true, @@ -238,30 +276,45 @@ option to another value. # app/config/security.yml security: + # ... + firewalls: main: + # ... form_login: target_path_parameter: redirect_url .. code-block:: xml - - - - - + + + + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'main' => array( + // ... 'form_login' => array( - 'target_path_parameter' => redirect_url, + 'target_path_parameter' => 'redirect_url', ), ), ), @@ -282,8 +335,11 @@ back to the login form itself. You can set this to a different route (e.g. # app/config/security.yml security: + # ... + firewalls: main: + # ... form_login: # ... failure_path: login_failure @@ -291,22 +347,32 @@ back to the login form itself. You can set this to a different route (e.g. .. code-block:: xml - - - - - + + + + + + + + + + + + .. code-block:: php // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'main' => array( // ... - 'form_login' => array( // ... 'failure_path' => 'login_failure', diff --git a/cookbook/security/form_login_setup.rst b/cookbook/security/form_login_setup.rst index 5e20bef050d..d5c4ba9922d 100644 --- a/cookbook/security/form_login_setup.rst +++ b/cookbook/security/form_login_setup.rst @@ -45,8 +45,9 @@ First, enable form login under your firewall: http://symfony.com/schema/dic/services/services-1.0.xsd"> - + + @@ -57,8 +58,9 @@ First, enable form login under your firewall: // app/config/security.php $container->loadFromExtension('security', array( 'firewalls' => array( - 'main' => array( - 'anonymous' => array(), + 'default' => array( + 'anonymous' => null, + 'http_basic' => null, 'form_login' => array( 'login_path' => '/login', 'check_path' => '/login_check', @@ -160,7 +162,7 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``): '_controller' => 'AppBundle:Security:login', ))); - $collection->add('login_check', new Route('/login_check', array())); + $collection->add('login_check', new Route('/login_check')); // no controller is bound to this route // as it's handled by the Security system @@ -356,11 +358,18 @@ all URLs (including the ``/login`` URL), will cause a redirect loop: .. code-block:: xml + + - - - - + + + + + .. code-block:: php @@ -388,12 +397,19 @@ fixes the problem: .. code-block:: xml + + - - - - - + + + + + + .. code-block:: php @@ -428,14 +444,23 @@ for the login page: .. code-block:: xml + + - - - - - - - + + + + + + + + + + .. code-block:: php @@ -445,11 +470,11 @@ for the login page: 'firewalls' => array( 'login_firewall' => array( 'pattern' => '^/login$', - 'anonymous' => array(), + 'anonymous' => null, ), 'secured_area' => array( 'pattern' => '^/', - 'form_login' => array(), + 'form_login' => null, ), ), diff --git a/cookbook/security/impersonating_user.rst b/cookbook/security/impersonating_user.rst index dc254f42900..1daba483c36 100644 --- a/cookbook/security/impersonating_user.rst +++ b/cookbook/security/impersonating_user.rst @@ -15,6 +15,8 @@ done by activating the ``switch_user`` firewall listener: # app/config/security.yml security: + # ... + firewalls: main: # ... @@ -29,8 +31,11 @@ done by activating the ``switch_user`` firewall listener: xmlns:srv="http://symfony.com/schema/dic/services" xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd"> + - + + + @@ -41,10 +46,12 @@ done by activating the ``switch_user`` firewall listener: // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'main'=> array( // ... - 'switch_user' => true + 'switch_user' => true, ), ), )); @@ -115,6 +122,8 @@ setting: # app/config/security.yml security: + # ... + firewalls: main: # ... @@ -130,7 +139,9 @@ setting: xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd"> - + + + @@ -141,6 +152,8 @@ setting: // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'main'=> array( // ... @@ -151,7 +164,7 @@ setting: ), ), )); - + Events ------ @@ -200,13 +213,13 @@ how to change the sticky locale: namespace AppBundle\EventListener; use Symfony\Component\Security\Http\Event\SwitchUserEvent; - + class SwitchUserListener { public function onSwitchUser(SwitchUserEvent $event) { $event->getRequest()->getSession()->set( - '_locale', + '_locale', $event->getTargetUser()->getLocale() ); } diff --git a/cookbook/security/multiple_user_providers.rst b/cookbook/security/multiple_user_providers.rst index 4766ed92e44..3c2f879b5c5 100644 --- a/cookbook/security/multiple_user_providers.rst +++ b/cookbook/security/multiple_user_providers.rst @@ -132,6 +132,7 @@ the first provider is always used: 'provider' => 'user_db', 'http_basic' => array( // ... + 'realm' => 'Secured Demo Area', 'provider' => 'in_memory', ), 'form_login' => array(), diff --git a/cookbook/security/pre_authenticated.rst b/cookbook/security/pre_authenticated.rst index 3b2fb7c2e16..3095f450899 100644 --- a/cookbook/security/pre_authenticated.rst +++ b/cookbook/security/pre_authenticated.rst @@ -26,6 +26,8 @@ Enable the x509 authentication for a particular firewall in the security configu # app/config/security.yml security: + # ... + firewalls: secured_area: pattern: ^/ @@ -34,14 +36,19 @@ Enable the x509 authentication for a particular firewall in the security configu .. code-block:: xml - + + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:srv="http://symfony.com/schema/dic/services" + xsi:schemaLocation="http://symfony.com/schema/dic/services + http://symfony.com/schema/dic/services/services-1.0.xsd"> + + - + @@ -50,9 +57,11 @@ Enable the x509 authentication for a particular firewall in the security configu // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'secured_area' => array( - 'pattern' => '^/' + 'pattern' => '^/', 'x509' => array( 'provider' => 'your_user_provider', ), diff --git a/cookbook/security/remember_me.rst b/cookbook/security/remember_me.rst index d405bbf801e..383410653c0 100644 --- a/cookbook/security/remember_me.rst +++ b/cookbook/security/remember_me.rst @@ -15,17 +15,20 @@ the session lasts using a cookie with the ``remember_me`` firewall option: .. code-block:: yaml # app/config/security.yml - firewalls: - default: - # ... - remember_me: - key: "%secret%" - lifetime: 604800 # 1 week in seconds - path: / - # by default, the feature is enabled by checking a - # checkbox in the login form (see below), uncomment the - # below lines to always enable it. - #always_remember_me: true + security: + # ... + + firewalls: + default: + # ... + remember_me: + key: "%secret%" + lifetime: 604800 # 1 week in seconds + path: / + # by default, the feature is enabled by checking a + # checkbox in the login form (see below), uncomment the + # following line to always enable it. + #always_remember_me: true .. code-block:: xml @@ -38,17 +41,19 @@ the session lasts using a cookie with the ``remember_me`` firewall option: http://symfony.com/schema/dic/services/services-1.0.xsd"> + + + + - - path = "/" - /> @@ -57,6 +62,8 @@ the session lasts using a cookie with the ``remember_me`` firewall option: // app/config/security.php $container->loadFromExtension('security', array( + // ... + 'firewalls' => array( 'default' => array( // ... @@ -66,7 +73,7 @@ the session lasts using a cookie with the ``remember_me`` firewall option: 'path' => '/', // by default, the feature is enabled by checking a // checkbox in the login form (see below), uncomment - // the below lines to always enable it. + // the following line to always enable it. //'always_remember_me' => true, ), ), @@ -241,7 +248,7 @@ In the following example, the action is only allowed if the user has the { $isFullyAuthenticated = $this->get('security.context') ->isGranted('IS_AUTHENTICATED_FULLY'); - + if (!$isFullyAuthenticated) { throw new AccessDeniedException(); } diff --git a/cookbook/security/securing_services.rst b/cookbook/security/securing_services.rst index fe92402fb7e..6835ba15f89 100644 --- a/cookbook/security/securing_services.rst +++ b/cookbook/security/securing_services.rst @@ -78,11 +78,18 @@ Then in your service configuration, you can inject the service: .. code-block:: xml - - - - - + + + + + + + + + .. code-block:: php @@ -141,30 +148,32 @@ the :ref:`sidebar ` below): .. code-block:: yaml - # app/services.yml - - # ... + # app/config/services.yml services: newsletter_manager: - # ... + class: AppBundle\Newsletter\NewsletterManager tags: - { name: security.secure_service } .. code-block:: xml - - - - - - - - - + + + + + + + + + + .. code-block:: php - // app/services.php + // app/config/services.php use Symfony\Component\DependencyInjection\Definition; use Symfony\Component\DependencyInjection\Reference; @@ -220,14 +229,14 @@ documentation. .. code-block:: yaml - # app/config/config.yml + # app/config/services.yml jms_security_extra: # ... secure_all_services: true .. code-block:: xml - + - - - + + .. code-block:: php - // app/config/config.php + // app/config/services.php $container->loadFromExtension('jms_security_extra', array( // ... 'secure_all_services' => true, diff --git a/cookbook/security/voters.rst b/cookbook/security/voters.rst index 4bc7df40a3a..33c2e0da9c1 100644 --- a/cookbook/security/voters.rst +++ b/cookbook/security/voters.rst @@ -103,7 +103,7 @@ and tag it as a ``security.voter``: .. code-block:: yaml - # src/Acme/AcmeBundle/Resources/config/services.yml + # app/config/services.yml services: security.access.blacklist_voter: class: AppBundle\Security\Authorization\Voter\ClientIpVoter @@ -114,20 +114,31 @@ and tag it as a ``security.voter``: .. code-block:: xml - - - - - 123.123.123.123 - 171.171.171.171 - - - + + + + + + + + + + 123.123.123.123 + 171.171.171.171 + + + + + .. code-block:: php - // src/Acme/AcmeBundle/Resources/config/services.php + // app/config/services.php use Symfony\Component\DependencyInjection\Definition; use Symfony\Component\DependencyInjection\Reference; @@ -136,7 +147,7 @@ and tag it as a ``security.voter``: array( new Reference('service_container'), array('123.123.123.123', '171.171.171.171'), - ), + ) ); $definition->addTag('security.voter'); $definition->setPublic(false); @@ -173,6 +184,8 @@ application configuration file with the following code. # app/config/security.yml security: + # ... + access_decision_manager: # strategy can be: affirmative, unanimous or consensus strategy: unanimous @@ -180,17 +193,29 @@ application configuration file with the following code. .. code-block:: xml - - - - + + + + + + + + + + .. code-block:: php // app/config/security.xml $container->loadFromExtension('security', array( - // strategy can be: affirmative, unanimous or consensus + // ... + 'access_decision_manager' => array( + // strategy can be: affirmative, unanimous or consensus 'strategy' => 'unanimous', ), )); @@ -198,8 +223,8 @@ application configuration file with the following code. That's it! Now, when deciding whether or not a user should have access, the new voter will deny access to any user in the list of blacklisted IPs. -Note that the voters are only called, if any access is actually checked. So -you need at least something like +Note that the voters are only called, if any access is actually checked. So +you need at least something like .. configuration-block:: diff --git a/cookbook/security/voters_data_permission.rst b/cookbook/security/voters_data_permission.rst index e2c0962672e..9c81f835594 100644 --- a/cookbook/security/voters_data_permission.rst +++ b/cookbook/security/voters_data_permission.rst @@ -153,7 +153,7 @@ and tag it with ``security.voter``: .. code-block:: yaml - # src/AppBundle/Resources/config/services.yml + # app/config/services.yml services: security.access.post_voter: class: AppBundle\Security\Authorization\Voter\PostVoter @@ -163,7 +163,7 @@ and tag it with ``security.voter``: .. code-block:: xml - + + @@ -179,7 +180,7 @@ and tag it with ``security.voter``: .. code-block:: php - // src/AppBundle/Resources/config/services.php + // app/config/services.php $container ->register( 'security.access.post_voter',