

[WIP] review all Security code blocks
xabbuh committed Jul 5, 2015
1 parent c1dac43 commit 3b08fb1
Showing 6 changed files with 173 additions and 90 deletions.
69 changes: 45 additions & 24 deletions book/security.rst
Expand Up @@ -67,7 +67,7 @@ configuration looks like this:
<firewall name="dev"
pattern="^/(_(profiler|wdt)|css|images|js)/"
security=false />
security="false" />
<firewall name="default">
<anonymous />
Expand All @@ -81,7 +81,7 @@ configuration looks like this:
$container->loadFromExtension('security', array(
'providers' => array(
'in_memory' => array(
'memory' => array(),
'memory' => null,
),
),
'firewalls' => array(
Expand Down Expand Up @@ -209,6 +209,8 @@ user to be logged in to access this URL:
# ...
firewalls:
# ...
default:
# ...
access_control:
# require ROLE_ADMIN for /admin*
Expand All @@ -231,10 +233,8 @@ user to be logged in to access this URL:
<!-- ... -->
</firewall>
<access-control>
<!-- require ROLE_ADMIN for /admin* -->
<rule path="^/admin" role="ROLE_ADMIN" />
</access-control>
<!-- require ROLE_ADMIN for /admin* -->
<rule path="^/admin" role="ROLE_ADMIN" />
</config>
</srv:container>
Expand Down Expand Up @@ -541,20 +541,23 @@ like this:
http://symfony.com/schema/dic/services/services-1.0.xsd">
<config>
<!-- ... -->
<provider name="in_memory">
<memory>
<user name="ryan" password="$2a$12$LCY0MefVIEc3TYPHV9SNnuzOfyr2p/AXIGoQJEDs4am4JwhNz/jli" roles="ROLE_USER" />
<user name="admin" password="$2a$12$cyTWeE9kpq1PjqKFiWUZFuCRPwVyAZwm4XzMZ1qPUFl7/flCM3V0G" roles="ROLE_ADMIN" />
</memory>
</provider>
<!-- ... -->
</config>
</srv:container>
.. code-block:: php
// app/config/security.php
$container->loadFromExtension('security', array(
// ...
'providers' => array(
'in_memory' => array(
'memory' => array(
Expand Down Expand Up @@ -691,8 +694,11 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
# app/config/security.yml
security:
# ...
firewalls:
# ...
default:
# ...
access_control:
# require ROLE_ADMIN for /admin*
Expand All @@ -715,10 +721,8 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
<!-- ... -->
</firewall>
<access-control>
<!-- require ROLE_ADMIN for /admin* -->
<rule path="^/admin" role="ROLE_ADMIN" />
</access-control>
<!-- require ROLE_ADMIN for /admin* -->
<rule path="^/admin" role="ROLE_ADMIN" />
</config>
</srv:container>
Expand All @@ -727,6 +731,7 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
// app/config/security.php
$container->loadFromExtension('security', array(
// ...
'firewalls' => array(
// ...
'default' => array(
Expand Down Expand Up @@ -755,6 +760,7 @@ matches the URL.
# app/config/security.yml
security:
# ...
access_control:
- { path: ^/admin/users, roles: ROLE_SUPER_ADMIN }
- { path: ^/admin, roles: ROLE_ADMIN }
Expand All @@ -771,10 +777,9 @@ matches the URL.
<config>
<!-- ... -->
<access-control>
<rule path="^/admin/users" role="ROLE_SUPER_ADMIN" />
<rule path="^/admin" role="ROLE_ADMIN" />
</access-control>
<rule path="^/admin/users" role="ROLE_SUPER_ADMIN" />
<rule path="^/admin" role="ROLE_ADMIN" />
</config>
</srv:container>
Expand All @@ -783,6 +788,7 @@ matches the URL.
// app/config/security.php
$container->loadFromExtension('security', array(
// ...
'access_control' => array(
array('path' => '^/admin/users', 'role' => 'ROLE_SUPER_ADMIN'),
array('path' => '^/admin', 'role' => 'ROLE_ADMIN'),
Expand Down Expand Up @@ -1037,13 +1043,14 @@ the firewall can handle this automatically for you when you activate the
# app/config/security.yml
security:
# ...
firewalls:
secured_area:
# ...
logout:
path: /logout
target: /
# ...
.. code-block:: xml
Expand All @@ -1056,25 +1063,27 @@ the firewall can handle this automatically for you when you activate the
http://symfony.com/schema/dic/services/services-1.0.xsd">
<config>
<firewall name="secured_area" pattern="^/">
<!-- ... -->
<firewall name="secured_area">
<!-- ... -->
<logout path="/logout" target="/" />
</firewall>
<!-- ... -->
</config>
</srv:container>
.. code-block:: php
// app/config/security.php
$container->loadFromExtension('security', array(
// ...
'firewalls' => array(
'secured_area' => array(
// ...
'logout' => array('path' => 'logout', 'target' => '/'),
'logout' => array('path' => '/logout', 'target' => '/'),
),
),
// ...
));
Next, you'll need to create a route for this URL (but not a controller):
Expand All @@ -1085,7 +1094,7 @@ Next, you'll need to create a route for this URL (but not a controller):
# app/config/routing.yml
logout:
path: /logout
path: /logout
.. code-block:: xml
Expand All @@ -1106,7 +1115,7 @@ Next, you'll need to create a route for this URL (but not a controller):
use Symfony\Component\Routing\Route;
$collection = new RouteCollection();
$collection->add('logout', new Route('/logout', array()));
$collection->add('logout', new Route('/logout'));
return $collection;
Expand Down Expand Up @@ -1171,6 +1180,8 @@ rules by creating a role hierarchy:
# app/config/security.yml
security:
# ...
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
Expand All @@ -1186,6 +1197,8 @@ rules by creating a role hierarchy:
http://symfony.com/schema/dic/services/services-1.0.xsd">
<config>
<!-- ... -->
<role id="ROLE_ADMIN">ROLE_USER</role>
<role id="ROLE_SUPER_ADMIN">ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH</role>
</config>
Expand All @@ -1195,6 +1208,8 @@ rules by creating a role hierarchy:
// app/config/security.php
$container->loadFromExtension('security', array(
// ...
'role_hierarchy' => array(
'ROLE_ADMIN' => 'ROLE_USER',
'ROLE_SUPER_ADMIN' => array(
Expand Down Expand Up @@ -1224,6 +1239,8 @@ cookie will be ever created by Symfony):
# app/config/security.yml
security:
# ...
firewalls:
main:
http_basic: ~
Expand All @@ -1240,7 +1257,9 @@ cookie will be ever created by Symfony):
http://symfony.com/schema/dic/services/services-1.0.xsd">
<config>
<firewall stateless="true">
<!-- ... -->
<firewall name="main" stateless="true">
<http-basic />
</firewall>
</config>
Expand All @@ -1250,8 +1269,10 @@ cookie will be ever created by Symfony):
// app/config/security.php
$container->loadFromExtension('security', array(
// ...
'firewalls' => array(
'main' => array('http_basic' => array(), 'stateless' => true),
'main' => array('http_basic' => null, 'stateless' => true),
),
));
33 changes: 14 additions & 19 deletions cookbook/security/access_control.rst
Expand Up @@ -54,12 +54,10 @@ Take the following ``access_control`` entries as an example:
<config>
<!-- ... -->
<access-control>
<rule path="^/admin" role="ROLE_USER_IP" ip="127.0.0.1" />
<rule path="^/admin" role="ROLE_USER_HOST" host="symfony\.com$" />
<rule path="^/admin" role="ROLE_USER_METHOD" method="POST, PUT" />
<rule path="^/admin" role="ROLE_USER" />
</access-control>
<rule path="^/admin" role="ROLE_USER_IP" ip="127.0.0.1" />
<rule path="^/admin" role="ROLE_USER_HOST" host="symfony\.com$" />
<rule path="^/admin" role="ROLE_USER_METHOD" methods="POST, PUT" />
<rule path="^/admin" role="ROLE_USER" />
</config>
</srv:container>
Expand All @@ -82,7 +80,7 @@ Take the following ``access_control`` entries as an example:
array(
'path' => '^/admin',
'role' => 'ROLE_USER_METHOD',
'method' => 'POST, PUT',
'methods' => 'POST, PUT',
),
array(
'path' => '^/admin',
Expand Down Expand Up @@ -193,11 +191,10 @@ pattern so that it is only accessible by requests from the local server itself:
<config>
<!-- ... -->
<access-control>
<rule path="^/esi" role="IS_AUTHENTICATED_ANONYMOUSLY"
ips="127.0.0.1, ::1" />
<rule path="^/esi" role="ROLE_NO_ACCESS" />
</access-control>
<rule path="^/internal"
role="IS_AUTHENTICATED_ANONYMOUSLY"
ips="127.0.0.1, ::1" />
<rule path="^/internal" role="ROLE_NO_ACCESS" />
</config>
</srv:container>
Expand All @@ -208,12 +205,12 @@ pattern so that it is only accessible by requests from the local server itself:
// ...
'access_control' => array(
array(
'path' => '^/esi',
'path' => '^/internal',
'role' => 'IS_AUTHENTICATED_ANONYMOUSLY',
'ips' => '127.0.0.1, ::1'
),
array(
'path' => '^/esi',
'path' => '^/internal',
'role' => 'ROLE_NO_ACCESS'
),
),
Expand Down Expand Up @@ -270,11 +267,9 @@ the user will be redirected to ``https``:
xsi:schemaLocation="http://symfony.com/schema/dic/services
http://symfony.com/schema/dic/services/services-1.0.xsd">
<access-control>
<rule path="^/cart/checkout"
role="IS_AUTHENTICATED_ANONYMOUSLY"
requires-channel="https" />
</access-control>
<rule path="^/cart/checkout"
role="IS_AUTHENTICATED_ANONYMOUSLY"
requires-channel="https" />
</srv:container>
.. code-block:: php

0 comments on commit 3b08fb1
