From 3b08fb146d280341c810d10806ef3b16d25a4b02 Mon Sep 17 00:00:00 2001
From: Christian Flothmann <christian.flothmann@xabbuh.de>
Date: Sun, 5 Jul 2015 10:48:20 +0200
Subject: [PATCH] [WIP] review all Security code blocks

---
 book/security.rst                             | 69 +++++++++-----
 cookbook/security/access_control.rst          | 33 +++----
 cookbook/security/force_https.rst             | 89 ++++++++++++++-----
 cookbook/security/form_login.rst              |  2 +-
 cookbook/security/form_login_setup.rst        | 69 +++++++++-----
 cookbook/security/multiple_user_providers.rst |  1 +
 6 files changed, 173 insertions(+), 90 deletions(-)

diff --git a/book/security.rst b/book/security.rst
index e99e70b6a6b..b52d3bde44a 100644
--- a/book/security.rst
+++ b/book/security.rst
@@ -67,7 +67,7 @@ configuration looks like this:
 
                 <firewall name="dev"
                     pattern="^/(_(profiler|wdt)|css|images|js)/"
-                    security=false />
+                    security="false" />
 
                 <firewall name="default">
                     <anonymous />
@@ -81,7 +81,7 @@ configuration looks like this:
         $container->loadFromExtension('security', array(
             'providers' => array(
                 'in_memory' => array(
-                    'memory' => array(),
+                    'memory' => null,
                 ),
             ),
             'firewalls' => array(
@@ -209,6 +209,8 @@ user to be logged in to access this URL:
             # ...
             firewalls:
                 # ...
+                default:
+                    # ...
 
             access_control:
                 # require ROLE_ADMIN for /admin*
@@ -231,10 +233,8 @@ user to be logged in to access this URL:
                     <!-- ... -->
                 </firewall>
 
-                <access-control>
-                    <!-- require ROLE_ADMIN for /admin* -->
-                    <rule path="^/admin" role="ROLE_ADMIN" />
-                </access-control>
+                <!-- require ROLE_ADMIN for /admin* -->
+                <rule path="^/admin" role="ROLE_ADMIN" />
             </config>
         </srv:container>
 
@@ -541,13 +541,14 @@ like this:
                 http://symfony.com/schema/dic/services/services-1.0.xsd">
 
             <config>
+                <!-- ... -->
+
                 <provider name="in_memory">
                     <memory>
                         <user name="ryan" password="$2a$12$LCY0MefVIEc3TYPHV9SNnuzOfyr2p/AXIGoQJEDs4am4JwhNz/jli" roles="ROLE_USER" />
                         <user name="admin" password="$2a$12$cyTWeE9kpq1PjqKFiWUZFuCRPwVyAZwm4XzMZ1qPUFl7/flCM3V0G" roles="ROLE_ADMIN" />
                     </memory>
                 </provider>
-                <!-- ... -->
             </config>
         </srv:container>
 
@@ -555,6 +556,8 @@ like this:
 
         // app/config/security.php
         $container->loadFromExtension('security', array(
+            // ...
+
             'providers' => array(
                 'in_memory' => array(
                     'memory' => array(
@@ -691,8 +694,11 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
         # app/config/security.yml
         security:
             # ...
+
             firewalls:
                 # ...
+                default:
+                    # ...
 
             access_control:
                 # require ROLE_ADMIN for /admin*
@@ -715,10 +721,8 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
                     <!-- ... -->
                 </firewall>
 
-                <access-control>
-                    <!-- require ROLE_ADMIN for /admin* -->
-                    <rule path="^/admin" role="ROLE_ADMIN" />
-                </access-control>
+                <!-- require ROLE_ADMIN for /admin* -->
+                <rule path="^/admin" role="ROLE_ADMIN" />
             </config>
         </srv:container>
 
@@ -727,6 +731,7 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
         // app/config/security.php
         $container->loadFromExtension('security', array(
             // ...
+
             'firewalls' => array(
                 // ...
                 'default' => array(
@@ -755,6 +760,7 @@ matches the URL.
         # app/config/security.yml
         security:
             # ...
+
             access_control:
                 - { path: ^/admin/users, roles: ROLE_SUPER_ADMIN }
                 - { path: ^/admin, roles: ROLE_ADMIN }
@@ -771,10 +777,9 @@ matches the URL.
 
             <config>
                 <!-- ... -->
-                <access-control>
-                    <rule path="^/admin/users" role="ROLE_SUPER_ADMIN" />
-                    <rule path="^/admin" role="ROLE_ADMIN" />
-                </access-control>
+
+                <rule path="^/admin/users" role="ROLE_SUPER_ADMIN" />
+                <rule path="^/admin" role="ROLE_ADMIN" />
             </config>
         </srv:container>
 
@@ -783,6 +788,7 @@ matches the URL.
         // app/config/security.php
         $container->loadFromExtension('security', array(
             // ...
+
             'access_control' => array(
                 array('path' => '^/admin/users', 'role' => 'ROLE_SUPER_ADMIN'),
                 array('path' => '^/admin', 'role' => 'ROLE_ADMIN'),
@@ -1037,13 +1043,14 @@ the firewall can handle this automatically for you when you activate the
 
         # app/config/security.yml
         security:
+            # ...
+
             firewalls:
                 secured_area:
                     # ...
                     logout:
                         path:   /logout
                         target: /
-            # ...
 
     .. code-block:: xml
 
@@ -1056,11 +1063,12 @@ the firewall can handle this automatically for you when you activate the
                 http://symfony.com/schema/dic/services/services-1.0.xsd">
 
             <config>
-                <firewall name="secured_area" pattern="^/">
+                <!-- ... -->
+
+                <firewall name="secured_area">
                     <!-- ... -->
                     <logout path="/logout" target="/" />
                 </firewall>
-                <!-- ... -->
             </config>
         </srv:container>
 
@@ -1068,13 +1076,14 @@ the firewall can handle this automatically for you when you activate the
 
         // app/config/security.php
         $container->loadFromExtension('security', array(
+            // ...
+
             'firewalls' => array(
                 'secured_area' => array(
                     // ...
-                    'logout' => array('path' => 'logout', 'target' => '/'),
+                    'logout' => array('path' => '/logout', 'target' => '/'),
                 ),
             ),
-            // ...
         ));
 
 Next, you'll need to create a route for this URL (but not a controller):
@@ -1085,7 +1094,7 @@ Next, you'll need to create a route for this URL (but not a controller):
 
         # app/config/routing.yml
         logout:
-            path:   /logout
+            path: /logout
 
     .. code-block:: xml
 
@@ -1106,7 +1115,7 @@ Next, you'll need to create a route for this URL (but not a controller):
         use Symfony\Component\Routing\Route;
 
         $collection = new RouteCollection();
-        $collection->add('logout', new Route('/logout', array()));
+        $collection->add('logout', new Route('/logout'));
 
         return $collection;
 
@@ -1171,6 +1180,8 @@ rules by creating a role hierarchy:
 
         # app/config/security.yml
         security:
+            # ...
+
             role_hierarchy:
                 ROLE_ADMIN:       ROLE_USER
                 ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
@@ -1186,6 +1197,8 @@ rules by creating a role hierarchy:
                 http://symfony.com/schema/dic/services/services-1.0.xsd">
 
             <config>
+                <!-- ... -->
+
                 <role id="ROLE_ADMIN">ROLE_USER</role>
                 <role id="ROLE_SUPER_ADMIN">ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH</role>
             </config>
@@ -1195,6 +1208,8 @@ rules by creating a role hierarchy:
 
         // app/config/security.php
         $container->loadFromExtension('security', array(
+            // ...
+
             'role_hierarchy' => array(
                 'ROLE_ADMIN'       => 'ROLE_USER',
                 'ROLE_SUPER_ADMIN' => array(
@@ -1224,6 +1239,8 @@ cookie will be ever created by Symfony):
 
         # app/config/security.yml
         security:
+            # ...
+
             firewalls:
                 main:
                     http_basic: ~
@@ -1240,7 +1257,9 @@ cookie will be ever created by Symfony):
                 http://symfony.com/schema/dic/services/services-1.0.xsd">
 
             <config>
-                <firewall stateless="true">
+                <!-- ... -->
+
+                <firewall name="main" stateless="true">
                     <http-basic />
                 </firewall>
             </config>
@@ -1250,8 +1269,10 @@ cookie will be ever created by Symfony):
 
         // app/config/security.php
         $container->loadFromExtension('security', array(
+            // ...
+
             'firewalls' => array(
-                'main' => array('http_basic' => array(), 'stateless' => true),
+                'main' => array('http_basic' => null, 'stateless' => true),
             ),
         ));
 
diff --git a/cookbook/security/access_control.rst b/cookbook/security/access_control.rst
index ec09e05d4b9..1977b4ed403 100644
--- a/cookbook/security/access_control.rst
+++ b/cookbook/security/access_control.rst
@@ -54,12 +54,10 @@ Take the following ``access_control`` entries as an example:
 
             <config>
                 <!-- ... -->
-                <access-control>
-                    <rule path="^/admin" role="ROLE_USER_IP" ip="127.0.0.1" />
-                    <rule path="^/admin" role="ROLE_USER_HOST" host="symfony\.com$" />
-                    <rule path="^/admin" role="ROLE_USER_METHOD" method="POST, PUT" />
-                    <rule path="^/admin" role="ROLE_USER" />
-                </access-control>
+                <rule path="^/admin" role="ROLE_USER_IP" ip="127.0.0.1" />
+                <rule path="^/admin" role="ROLE_USER_HOST" host="symfony\.com$" />
+                <rule path="^/admin" role="ROLE_USER_METHOD" methods="POST, PUT" />
+                <rule path="^/admin" role="ROLE_USER" />
             </config>
         </srv:container>
 
@@ -82,7 +80,7 @@ Take the following ``access_control`` entries as an example:
                 array(
                     'path' => '^/admin',
                     'role' => 'ROLE_USER_METHOD',
-                    'method' => 'POST, PUT',
+                    'methods' => 'POST, PUT',
                 ),
                 array(
                     'path' => '^/admin',
@@ -193,11 +191,10 @@ pattern so that it is only accessible by requests from the local server itself:
 
             <config>
                 <!-- ... -->
-                <access-control>
-                    <rule path="^/esi" role="IS_AUTHENTICATED_ANONYMOUSLY"
-                        ips="127.0.0.1, ::1" />
-                    <rule path="^/esi" role="ROLE_NO_ACCESS" />
-                </access-control>
+                <rule path="^/internal"
+                    role="IS_AUTHENTICATED_ANONYMOUSLY"
+                    ips="127.0.0.1, ::1" />
+                <rule path="^/internal" role="ROLE_NO_ACCESS" />
             </config>
         </srv:container>
 
@@ -208,12 +205,12 @@ pattern so that it is only accessible by requests from the local server itself:
             // ...
             'access_control' => array(
                 array(
-                    'path' => '^/esi',
+                    'path' => '^/internal',
                     'role' => 'IS_AUTHENTICATED_ANONYMOUSLY',
                     'ips' => '127.0.0.1, ::1'
                 ),
                 array(
-                    'path' => '^/esi',
+                    'path' => '^/internal',
                     'role' => 'ROLE_NO_ACCESS'
                 ),
             ),
@@ -270,11 +267,9 @@ the user will be redirected to ``https``:
             xsi:schemaLocation="http://symfony.com/schema/dic/services
                 http://symfony.com/schema/dic/services/services-1.0.xsd">
 
-            <access-control>
-                <rule path="^/cart/checkout"
-                    role="IS_AUTHENTICATED_ANONYMOUSLY"
-                    requires-channel="https" />
-            </access-control>
+            <rule path="^/cart/checkout"
+                role="IS_AUTHENTICATED_ANONYMOUSLY"
+                requires-channel="https" />
         </srv:container>
 
     .. code-block:: php
diff --git a/cookbook/security/force_https.rst b/cookbook/security/force_https.rst
index 63bb7b2e2b2..e5d38992edb 100644
--- a/cookbook/security/force_https.rst
+++ b/cookbook/security/force_https.rst
@@ -13,24 +13,44 @@ to use HTTPS then you could use the following configuration:
 
         .. code-block:: yaml
 
-            access_control:
-                - { path: ^/secure, roles: ROLE_ADMIN, requires_channel: https }
+            # app/config/security.yml
+            security:
+                # ...
+
+                access_control:
+                    - { path: ^/secure, roles: ROLE_ADMIN, requires_channel: https }
 
         .. code-block:: xml
 
-            <access-control>
-                <rule path="^/secure" role="ROLE_ADMIN" requires_channel="https" />
-            </access-control>
+            <!-- app/config/security.xml -->
+            <?xml version="1.0" encoding="UTF-8"?>
+            <srv:container xmlns="http://symfony.com/schema/dic/security"
+                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                xmlns:srv="http://symfony.com/schema/dic/services"
+                xsi:schemaLocation="http://symfony.com/schema/dic/services
+                    http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+                <config>
+                    <!-- ... -->
+
+                    <rule path="^/secure" role="ROLE_ADMIN" requires_channel="https" />
+                </config>
+            </srv:container>
 
         .. code-block:: php
 
-            'access_control' => array(
-                array(
-                    'path'             => '^/secure',
-                    'role'             => 'ROLE_ADMIN',
-                    'requires_channel' => 'https',
+            // app/config/security.php
+            $container->loadFromExtension('security', array(
+                // ...
+
+                'access_control' => array(
+                    array(
+                        'path'             => '^/secure',
+                        'role'             => 'ROLE_ADMIN',
+                        'requires_channel' => 'https',
+                    ),
                 ),
-            ),
+            ));
 
 The login form itself needs to allow anonymous access, otherwise users will
 be unable to authenticate. To force it to use HTTPS you can still use
@@ -41,26 +61,47 @@ role:
 
         .. code-block:: yaml
 
-            access_control:
-                - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
+            # app/config/security.yml
+
+            security:
+                # ...
+
+                access_control:
+                    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
 
         .. code-block:: xml
 
-            <access-control>
-                <rule path="^/login"
-                      role="IS_AUTHENTICATED_ANONYMOUSLY"
-                      requires_channel="https" />
-            </access-control>
+            <!-- app/config/security.xml -->
+            <?xml version="1.0" encoding="UTF-8"?>
+            <srv:container xmlns="http://symfony.com/schema/dic/security"
+                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                xmlns:srv="http://symfony.com/schema/dic/services"
+                xsi:schemaLocation="http://symfony.com/schema/dic/services
+                    http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+                <config>
+                    <!-- ... -->
+
+                    <rule path="^/login"
+                        role="IS_AUTHENTICATED_ANONYMOUSLY"
+                        requires_channel="https" />
+                </config>
+            </srv:container>
 
         .. code-block:: php
 
-            'access_control' => array(
-                array(
-                    'path'             => '^/login',
-                    'role'             => 'IS_AUTHENTICATED_ANONYMOUSLY',
-                    'requires_channel' => 'https',
+            // app/config/security.php
+            $container->loadFromExtension('security', array(
+                // ...
+
+                'access_control' => array(
+                    array(
+                        'path'             => '^/login',
+                        'role'             => 'IS_AUTHENTICATED_ANONYMOUSLY',
+                        'requires_channel' => 'https',
+                    ),
                 ),
-            ),
+            ));
 
 It is also possible to specify using HTTPS in the routing configuration,
 see :doc:`/cookbook/routing/scheme` for more details.
diff --git a/cookbook/security/form_login.rst b/cookbook/security/form_login.rst
index 337d02a2fdf..1c45f464564 100644
--- a/cookbook/security/form_login.rst
+++ b/cookbook/security/form_login.rst
@@ -62,7 +62,7 @@ if no previous page was stored in the session). To set it to the
 
         <!-- app/config/security.xml -->
         <config>
-            <firewall>
+            <firewall name="main">
                 <form-login
                     default_target_path="default_security_target"
                 />
diff --git a/cookbook/security/form_login_setup.rst b/cookbook/security/form_login_setup.rst
index 5e20bef050d..d5c4ba9922d 100644
--- a/cookbook/security/form_login_setup.rst
+++ b/cookbook/security/form_login_setup.rst
@@ -45,8 +45,9 @@ First, enable form login under your firewall:
                 http://symfony.com/schema/dic/services/services-1.0.xsd">
 
             <config>
-                <firewall name="main">
+                <firewall name="default">
                     <anonymous />
+                    <http-basic />
                     <form-login login-path="/login" check-path="/login_check" />
                 </firewall>
             </config>
@@ -57,8 +58,9 @@ First, enable form login under your firewall:
         // app/config/security.php
         $container->loadFromExtension('security', array(
             'firewalls' => array(
-                'main' => array(
-                    'anonymous'  => array(),
+                'default' => array(
+                    'anonymous'  => null,
+                    'http_basic' => null,
                     'form_login' => array(
                         'login_path' => '/login',
                         'check_path' => '/login_check',
@@ -160,7 +162,7 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``):
             '_controller' => 'AppBundle:Security:login',
         )));
 
-        $collection->add('login_check', new Route('/login_check', array()));
+        $collection->add('login_check', new Route('/login_check'));
         // no controller is bound to this route
         // as it's handled by the Security system
 
@@ -356,11 +358,18 @@ all URLs (including the ``/login`` URL), will cause a redirect loop:
     .. code-block:: xml
 
         <!-- app/config/security.xml -->
+        <?xml version="1.0" encoding="UTF-8"?>
+        <srv:container xmlns="http://symfony.com/schema/dic/security"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:srv="http://symfony.com/schema/dic/services"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd">
 
-        <!-- ... -->
-        <access-control>
-            <rule path="^/" role="ROLE_ADMIN" />
-        </access-control>
+            <config>
+                <!-- ... -->
+                <rule path="^/" role="ROLE_ADMIN" />
+            </config>
+        </srv:container>
 
     .. code-block:: php
 
@@ -388,12 +397,19 @@ fixes the problem:
     .. code-block:: xml
 
         <!-- app/config/security.xml -->
+        <?xml version="1.0" encoding="UTF-8"?>
+        <srv:container xmlns="http://symfony.com/schema/dic/security"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:srv="http://symfony.com/schema/dic/services"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd">
 
-        <!-- ... -->
-        <access-control>
-            <rule path="^/login" role="IS_AUTHENTICATED_ANONYMOUSLY" />
-            <rule path="^/" role="ROLE_ADMIN" />
-        </access-control>
+            <config>
+                <!-- ... -->
+                <rule path="^/login" role="IS_AUTHENTICATED_ANONYMOUSLY" />
+                <rule path="^/" role="ROLE_ADMIN" />
+            </config>
+        </srv:container>
 
     .. code-block:: php
 
@@ -428,14 +444,23 @@ for the login page:
     .. code-block:: xml
 
         <!-- app/config/security.xml -->
+        <?xml version="1.0" encoding="UTF-8"?>
+        <srv:container xmlns="http://symfony.com/schema/dic/security"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:srv="http://symfony.com/schema/dic/services"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd">
 
-        <!-- ... -->
-        <firewall name="login_firewall" pattern="^/login$">
-            <anonymous />
-        </firewall>
-        <firewall name="secured_area" pattern="^/">
-            <form-login />
-        </firewall>
+            <config>
+                <!-- ... -->
+                <firewall name="login_firewall" pattern="^/login$">
+                    <anonymous />
+                </firewall>
+                <firewall name="secured_area" pattern="^/">
+                    <form-login />
+                </firewall>
+            </config>
+        </srv:container>
 
     .. code-block:: php
 
@@ -445,11 +470,11 @@ for the login page:
         'firewalls' => array(
             'login_firewall' => array(
                 'pattern'   => '^/login$',
-                'anonymous' => array(),
+                'anonymous' => null,
             ),
             'secured_area' => array(
                 'pattern'    => '^/',
-                'form_login' => array(),
+                'form_login' => null,
             ),
         ),
 
diff --git a/cookbook/security/multiple_user_providers.rst b/cookbook/security/multiple_user_providers.rst
index 4766ed92e44..3c2f879b5c5 100644
--- a/cookbook/security/multiple_user_providers.rst
+++ b/cookbook/security/multiple_user_providers.rst
@@ -132,6 +132,7 @@ the first provider is always used:
                     'provider' => 'user_db',
                     'http_basic' => array(
                         // ...
+                        'realm' => 'Secured Demo Area',
                         'provider' => 'in_memory',
                     ),
                     'form_login' => array(),