如何使用 FOSUserBundle 创建 "two"(聊天和管理)或更多安全区域
How to create "two" (chat and admin) or more secured areas with FOSUserBundle
我在 Symfony 2.8.x 应用程序中工作,我需要设置两个安全区域:chat 和 admin。这意味着 chat 和 admin 将使用相同的登录模板(如果可能的话,我不需要为此设置不同的模板)。我在谷歌之前在这里问过一些相关的事情,我读了很多关于这个主题的post:1, 2, 3, 4作为一个例子他们,但我做错了什么,因为我无法正常工作。这是 /app/config/security.yml 的样子(只是防火墙和 access_control 一段代码):
security:
....
firewalls:
admin:
pattern: /admin/(.*)
anonymous: ~
form_login:
provider: fos_userbundle
csrf_provider: security.csrf.token_manager
login_path: fos_user_security_login
check_path: fos_user_security_check
use_forward: true
always_use_default_target_path: true
default_target_path: /admin
target_path_parameter: _target_path
use_referer: true
remember_me: true
logout:
target: /admin
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
path: /
chat:
pattern: ^/chat/(.*)
anonymous: ~
form_login:
provider: fos_userbundle
csrf_provider: security.csrf.token_manager
login_path: fos_user_security_login
check_path: fos_user_security_check
use_forward: true
always_use_default_target_path: true
default_target_path: /chat
target_path_parameter: _target_path
use_referer: true
remember_me: true
logout: ~
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
path: /
access_control:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
现在这是我的包的配置 app/config/routing.yml:
platform_chat:
resource: "@PlatformChatBundle/Controller/"
type: annotation
prefix: /chat/
options:
expose: true
platform_admin:
resource: "@PlatformAdminBundle/Controller/"
type: annotation
prefix: /admin/
options:
expose: true
而对于 FOSUserBundle 我已经尝试了这两个(都没有成功并且一次都成功):
#FOSUser
fos_user:
resource: "@FOSUserBundle/Resources/config/routing/all.xml"
#FOSUser
# this second causes doubts to me since I think I will need
# to repeat the same routes for chat prefix but I'm not sure at all
fos_user_security:
resource: "@FOSUserBundle/Resources/config/routing/security.xml"
prefix: /admin
fos_user_profile:
resource: "@FOSUserBundle/Resources/config/routing/profile.xml"
prefix: /admin/profile
fos_user_register:
resource: "@FOSUserBundle/Resources/config/routing/registration.xml"
prefix: /admin/register
fos_user_resetting:
resource: "@FOSUserBundle/Resources/config/routing/resetting.xml"
prefix: /admin/resetting
fos_user_change_password:
resource: "@FOSUserBundle/Resources/config/routing/change_password.xml"
prefix: /admin/profile
我已经覆盖了 app/Resources/FOSUserBundle/views/Security/login.html.twig 的登录模板。 (如果需要源代码,我可以提供 ommit,不要让 post 比现在长)。
当我调用 URL: http://domain.tld/app_dev.php/admin 并尝试登录时,我得到了这个错误:
Translation not found.
Context: { "id":
"Symfony\Component\Security\Core\Exception\BadCredentialsException:
Bad credentials. in
/var/www/html/platform-cm/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php:90\nStack
trace:\n#0
(如果需要,我可以提供完整的堆栈跟踪)
这对我来说很奇怪,但可能是配置错误造成的,因为我已经仔细检查了凭据。
当我调用 URL: http://domain.tld/app_dev.php/chat 并尝试登录时,我得到 Access Denied 但这是正确的,因为我被重定向到 http://domain.tld/app_dev.php/admin/。任何人都可以给我一些关于这个配置的帮助吗?我因此卡住了无法前进
第二种方法
这是基于@heah 建议使用侦听器的第二种方法,但也不起作用我仍然收到相同的 "Bad credentials" 消息并且根本无法登录。我已将 routing.yml 改回此:
#FOSUser
fos_user:
resource: "@FOSUserBundle/Resources/config/routing/all.xml"
我已将 security.yml 改回为:
安全:
...
防火墙:
行政:
模式:^/
匿名:~
form_login:
提供商:fos_userbundle
csrf_provider: security.csrf.token_manager
login_path: fos_user_security_login
check_path: fos_user_security_check
# if true, forward the user to the login form instead of redirecting
use_forward: true
# login success redirecting options (read further below)
always_use_default_target_path: true
default_target_path: /admin
target_path_parameter: _target_path
use_referer: true
remember_me: true
logout:
target: /admin
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
path: /
access_control:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
然后我按照 app/config/config.yml:
中的建议为事件 security.interactive_login 定义了一个侦听器
parameters:
account.security_listener.class: PlatformAdminBundle\Listener\SecurityListener
然后在 app/config/services.yml:
services:
account.security_listener:
class: %account.security_listener.class%
arguments: ['@security.context', '@session']
tags:
- { name: kernel.event_listener, event: security.interactive_login, method: onSecurityInteractiveLogin }
最后是 src/PlatformAdminBundle/Listener/SecurityListener.php 处的 class 定义:
namespace PlatformAdminBundle\Listener;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
class SecurityListener
{
public function __construct(SecurityContextInterface $security, Session $session)
{
$this->security = $security;
$this->session = $session;
}
public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
{
$user = $this->security->getToken()->getUser();
var_export($user);
}
}
我也是运行同样的问题,也许我做错了什么,我没有看到,但我接受任何想法。这里可能有什么问题?
第三种方法
我已经对我的代码进行了审查,并主要根据@heah 的建议对其进行了轻微更改。所以,现在 security.yml 如下:
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
services.yml 的变化基本上修复了参数,因为 security.context 在 Symfony 2.6+ 中被拆分了,尽管我根本没有使用它:
services:
...
account.security_listener:
class: %account.security_listener.class%
arguments: ['@security.authorization_checker']
tags:
- { name: kernel.event_listener, event: security.interactive_login, method: onSecurityInteractiveLogin }
最后 class PlatformAdminBundle/Listener/SecurityListener.php 的变化:
namespace Clanmovil\PlatformAdminBundle\Listener;
use Symfony\Component\Finder\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
class SecurityListener
{
public function __construct(AuthorizationCheckerInterface $authorizationChecker)
{
$this->security = $authorizationChecker;
}
public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
{
if ($this->security->isGranted('ROLE_ADMIN')) {
// this is something for testing
throw new AccessDeniedException(
'Access Denied. You are ADMIN'
);
} elseif ($this->security->isGranted('ROLE_CHATTER')) {
// this is something for testing
throw new AccessDeniedException(
'Access Denied. You are CHATTER'
);
}
}
}
当我以 ROLE_CHATTER 用户身份登录时,一切似乎都正常,因为我遇到了 AccessDenied 异常,但是当我尝试以 ROLE_ADMIN 用户身份登录时,它停止工作,我回到初始错误:Bad credentials,这是为什么?我快疯了!!
您需要启用翻译:
# config.yml
framework:
translator: ~
...
fos_user:
db_driver: orm # or mongodb|couchdb|propel
firewall_name: global
user_class: AppBundle\Entity\User
见https://symfony.com/doc/master/bundles/FOSUserBundle/index.html
#security.yml
security:
firewalls:
# ...
global:
pattern: ^/
anonymous: true
provider: fos_userbundle
form_login:
csrf_token_generator: security.csrf.token_manager
remember_me: true
default_target_path: root
logout:
path: fos_user_security_logout
target: root
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
access_control:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
见http://symfony.com/doc/current/components/security/authentication.html
您还应该使用相同的防火墙,因为它们共享相同的配置,并且您已经根据用户角色定义了访问控制。
您只需要为“/”创建一个核心控制器:
# routing.yml
root:
path: /
defaults: { _controller: Your\Namespace\Controller\RootController::rootAction }
和
namespace Your\Namespace\Controller;
use Symfony\Bundle\FrameworkBundle\Controller;
class RootControler extends Controller
{
public function rootAction()
{
$security = $this->get('security.authorization_checker');
if ($security->isGranted('ROLE_ADMIN')) {
return $this->redirectToRoute('your_admin_root');
}
if ($security->isGranted('ROLE_CHATTER')) {
return $this->redirectToRoute('your_chatter_route');
}
return $this->redirectToRoute('fos_user_security_login');
}
}
问题可能出在路由中。由于在这两种情况下您都只使用 FOSUserBundle 中的一个来进行身份验证,因此您应该尝试为每个防火墙创建两个不同的路由,例如:
#FOSUser
fos_user_security:
resource: "@FOSUserBundle/Resources/config/routing/security.xml"
prefix: /admin
#FOSUser
fos_user_security:
resource: "@FOSUserBundle/Resources/config/routing/security.xml"
prefix: /chat
我在 Symfony 2.8.x 应用程序中工作,我需要设置两个安全区域:chat 和 admin。这意味着 chat 和 admin 将使用相同的登录模板(如果可能的话,我不需要为此设置不同的模板)。我在谷歌之前在这里问过一些相关的事情,我读了很多关于这个主题的post:1, 2, 3, 4作为一个例子他们,但我做错了什么,因为我无法正常工作。这是 /app/config/security.yml 的样子(只是防火墙和 access_control 一段代码):
security:
....
firewalls:
admin:
pattern: /admin/(.*)
anonymous: ~
form_login:
provider: fos_userbundle
csrf_provider: security.csrf.token_manager
login_path: fos_user_security_login
check_path: fos_user_security_check
use_forward: true
always_use_default_target_path: true
default_target_path: /admin
target_path_parameter: _target_path
use_referer: true
remember_me: true
logout:
target: /admin
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
path: /
chat:
pattern: ^/chat/(.*)
anonymous: ~
form_login:
provider: fos_userbundle
csrf_provider: security.csrf.token_manager
login_path: fos_user_security_login
check_path: fos_user_security_check
use_forward: true
always_use_default_target_path: true
default_target_path: /chat
target_path_parameter: _target_path
use_referer: true
remember_me: true
logout: ~
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
path: /
access_control:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
现在这是我的包的配置 app/config/routing.yml:
platform_chat:
resource: "@PlatformChatBundle/Controller/"
type: annotation
prefix: /chat/
options:
expose: true
platform_admin:
resource: "@PlatformAdminBundle/Controller/"
type: annotation
prefix: /admin/
options:
expose: true
而对于 FOSUserBundle 我已经尝试了这两个(都没有成功并且一次都成功):
#FOSUser
fos_user:
resource: "@FOSUserBundle/Resources/config/routing/all.xml"
#FOSUser
# this second causes doubts to me since I think I will need
# to repeat the same routes for chat prefix but I'm not sure at all
fos_user_security:
resource: "@FOSUserBundle/Resources/config/routing/security.xml"
prefix: /admin
fos_user_profile:
resource: "@FOSUserBundle/Resources/config/routing/profile.xml"
prefix: /admin/profile
fos_user_register:
resource: "@FOSUserBundle/Resources/config/routing/registration.xml"
prefix: /admin/register
fos_user_resetting:
resource: "@FOSUserBundle/Resources/config/routing/resetting.xml"
prefix: /admin/resetting
fos_user_change_password:
resource: "@FOSUserBundle/Resources/config/routing/change_password.xml"
prefix: /admin/profile
我已经覆盖了 app/Resources/FOSUserBundle/views/Security/login.html.twig 的登录模板。 (如果需要源代码,我可以提供 ommit,不要让 post 比现在长)。
当我调用 URL: http://domain.tld/app_dev.php/admin 并尝试登录时,我得到了这个错误:
Translation not found. Context: { "id": "Symfony\Component\Security\Core\Exception\BadCredentialsException: Bad credentials. in /var/www/html/platform-cm/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php:90\nStack trace:\n#0
(如果需要,我可以提供完整的堆栈跟踪)
这对我来说很奇怪,但可能是配置错误造成的,因为我已经仔细检查了凭据。
当我调用 URL: http://domain.tld/app_dev.php/chat 并尝试登录时,我得到 Access Denied 但这是正确的,因为我被重定向到 http://domain.tld/app_dev.php/admin/。任何人都可以给我一些关于这个配置的帮助吗?我因此卡住了无法前进
第二种方法
这是基于@heah 建议使用侦听器的第二种方法,但也不起作用我仍然收到相同的 "Bad credentials" 消息并且根本无法登录。我已将 routing.yml 改回此:
#FOSUser
fos_user:
resource: "@FOSUserBundle/Resources/config/routing/all.xml"
我已将 security.yml 改回为:
安全: ... 防火墙: 行政: 模式:^/ 匿名:~ form_login: 提供商:fos_userbundle csrf_provider: security.csrf.token_manager login_path: fos_user_security_login check_path: fos_user_security_check
# if true, forward the user to the login form instead of redirecting
use_forward: true
# login success redirecting options (read further below)
always_use_default_target_path: true
default_target_path: /admin
target_path_parameter: _target_path
use_referer: true
remember_me: true
logout:
target: /admin
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
path: /
access_control:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
然后我按照 app/config/config.yml:
security.interactive_login 定义了一个侦听器
parameters:
account.security_listener.class: PlatformAdminBundle\Listener\SecurityListener
然后在 app/config/services.yml:
services:
account.security_listener:
class: %account.security_listener.class%
arguments: ['@security.context', '@session']
tags:
- { name: kernel.event_listener, event: security.interactive_login, method: onSecurityInteractiveLogin }
最后是 src/PlatformAdminBundle/Listener/SecurityListener.php 处的 class 定义:
namespace PlatformAdminBundle\Listener;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
class SecurityListener
{
public function __construct(SecurityContextInterface $security, Session $session)
{
$this->security = $security;
$this->session = $session;
}
public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
{
$user = $this->security->getToken()->getUser();
var_export($user);
}
}
我也是运行同样的问题,也许我做错了什么,我没有看到,但我接受任何想法。这里可能有什么问题?
第三种方法
我已经对我的代码进行了审查,并主要根据@heah 的建议对其进行了轻微更改。所以,现在 security.yml 如下:
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
services.yml 的变化基本上修复了参数,因为 security.context 在 Symfony 2.6+ 中被拆分了,尽管我根本没有使用它:
services:
...
account.security_listener:
class: %account.security_listener.class%
arguments: ['@security.authorization_checker']
tags:
- { name: kernel.event_listener, event: security.interactive_login, method: onSecurityInteractiveLogin }
最后 class PlatformAdminBundle/Listener/SecurityListener.php 的变化:
namespace Clanmovil\PlatformAdminBundle\Listener;
use Symfony\Component\Finder\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
class SecurityListener
{
public function __construct(AuthorizationCheckerInterface $authorizationChecker)
{
$this->security = $authorizationChecker;
}
public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
{
if ($this->security->isGranted('ROLE_ADMIN')) {
// this is something for testing
throw new AccessDeniedException(
'Access Denied. You are ADMIN'
);
} elseif ($this->security->isGranted('ROLE_CHATTER')) {
// this is something for testing
throw new AccessDeniedException(
'Access Denied. You are CHATTER'
);
}
}
}
当我以 ROLE_CHATTER 用户身份登录时,一切似乎都正常,因为我遇到了 AccessDenied 异常,但是当我尝试以 ROLE_ADMIN 用户身份登录时,它停止工作,我回到初始错误:Bad credentials,这是为什么?我快疯了!!
您需要启用翻译:
# config.yml
framework:
translator: ~
...
fos_user:
db_driver: orm # or mongodb|couchdb|propel
firewall_name: global
user_class: AppBundle\Entity\User
见https://symfony.com/doc/master/bundles/FOSUserBundle/index.html
#security.yml
security:
firewalls:
# ...
global:
pattern: ^/
anonymous: true
provider: fos_userbundle
form_login:
csrf_token_generator: security.csrf.token_manager
remember_me: true
default_target_path: root
logout:
path: fos_user_security_logout
target: root
remember_me:
secret: '%secret%'
lifetime: 604800 # 1 week in seconds
access_control:
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/chat/, role: ROLE_CHATTER }
- { path: ^/admin/, role: ROLE_ADMIN }
见http://symfony.com/doc/current/components/security/authentication.html
您还应该使用相同的防火墙,因为它们共享相同的配置,并且您已经根据用户角色定义了访问控制。
您只需要为“/”创建一个核心控制器:
# routing.yml
root:
path: /
defaults: { _controller: Your\Namespace\Controller\RootController::rootAction }
和
namespace Your\Namespace\Controller;
use Symfony\Bundle\FrameworkBundle\Controller;
class RootControler extends Controller
{
public function rootAction()
{
$security = $this->get('security.authorization_checker');
if ($security->isGranted('ROLE_ADMIN')) {
return $this->redirectToRoute('your_admin_root');
}
if ($security->isGranted('ROLE_CHATTER')) {
return $this->redirectToRoute('your_chatter_route');
}
return $this->redirectToRoute('fos_user_security_login');
}
}
问题可能出在路由中。由于在这两种情况下您都只使用 FOSUserBundle 中的一个来进行身份验证,因此您应该尝试为每个防火墙创建两个不同的路由,例如:
#FOSUser
fos_user_security:
resource: "@FOSUserBundle/Resources/config/routing/security.xml"
prefix: /admin
#FOSUser
fos_user_security:
resource: "@FOSUserBundle/Resources/config/routing/security.xml"
prefix: /chat