Why use FOSOAuthServerBundle if FOSUserBundle is enough for the security of a RESTful API?
I have a RESTful API (based on FOSRestBundle) consumed by an AngularJS application that I want to secure. For that I simply used FOSUserBundle, and it works as I expected. In fact, calls to the RESTful API get through if I connect via /login.

So, when the API is mine and the application is mine, why use FOSOAuthServerBundle if an API is going to be consumed by the application or client?

Worse, after connecting through FOSOAuthServerBundle you are redirected to a page where you Allow or Deny the application (which is my application) access to my RESTful API. That makes no sense at all!!!

Please give me your comments.

Note: I have added my security.yml and my AngularJS application below.
security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_USER:        ROLE_API
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        api_doc:
            pattern: ^/api/doc
            security: false

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
            logout: true
            anonymous: true

    access_control:
        - { path: ^/oauth/v2/auth$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
app.js
angular.module('ads', ['ngRoute', 'restangular'])
    .config(function ($interpolateProvider) {
        // Use {[{ }]} so Angular does not clash with Twig's {{ }} on the server-rendered page.
        $interpolateProvider.startSymbol('{[{').endSymbol('}]}');
    })
    // .config(['RestangularProvider', function(RestangularProvider) {
    //     RestangularProvider.setDefaultHeaders({'Authorization': 'Basic YW1pbmU6c3RpZ21hdGFn'}); //cmVzdGFwaTpzZWNyZXRwdw==
    // }])
    .config(['RestangularProvider', function (RestangularProvider) {
        RestangularProvider.setBaseUrl('/minnapi/web/app_dev.php/api/v1/');

        // Collections come back as objects keyed by id; convert them to arrays for getList().
        // Requires underscore/lodash to be loaded as the global `_`.
        RestangularProvider.setResponseExtractor(function (response, operation, what, url) {
            if (operation === 'getList') {
                return _.toArray(response);
            }
            return response;
        });

        // Wrap the payload under the singular resource name ('brands' -> 'brand'),
        // which is what the API expects for POST and PUT; drop HAL links before a PUT.
        RestangularProvider.addRequestInterceptor(function (element, operation, what, url) {
            var newRequest = {};
            if (operation === 'post' || operation === 'put') {
                what = what.slice(0, -1);
            }
            if (operation === 'put') {
                delete element._links;
            }
            newRequest[what] = element;
            return newRequest;
        });

        RestangularProvider.setRestangularFields({
            selfLink: '_links.self.href'
        });
        RestangularProvider.setDefaultRequestParams('get', {limit: 100});
    }]);
app-controller.js
angular.module('ads')
    .controller('BrandController', ['$scope', '$routeParams', '$filter', 'Restangular', '$q',
        function ($scope, $routeParams, $filter, Restangular, $q) {
            'use strict';

            $scope.brands = [];
            $scope.newBrand = {name: '', published: true};

            // Load the collection; the Restangular collection exposes post() for new items.
            Restangular.all('brands').getList().then(function (brands) {
                $scope.brands = brands;
            });

            $scope.addBrand = function () {
                // Add the element the server returns (with its id and _links), and only
                // once the POST has succeeded, rather than the unsaved draft object.
                $scope.brands.post($scope.newBrand).then(function (brand) {
                    $scope.brands.push(brand);
                });
                $scope.newBrand = {name: '', published: true};
            };
        }]);
Simple: if you do not expose the API to third parties, you do not need FOSOAuthServerBundle.
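To make that distinction concrete, the following security.yml is an added example (not the asker's configuration and not from the answer). It keeps the asker's session-based `main` firewall for the first-party AngularJS client and adds a separate, stateless firewall for third-party clients using FOSOAuthServerBundle's `fos_oauth` firewall option. It assumes FOSOAuthServerBundle is installed, that the OAuth endpoints live under /oauth/v2/ as in the asker's access_control, and that the `/api/partner` path prefix, the `api_partner` firewall name and the `auth_login` / `auth_login_check` routes are placeholders chosen for this example.

```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Token endpoint: clients authenticate with client_id/client_secret in the
        # request itself, so the Symfony firewall is switched off for this path.
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false

        # Authorization endpoint: the resource owner logs in with the normal form and
        # then sees the Allow/Deny page. Only third-party clients are sent here; the
        # first-party SPA never goes through this flow. (Route paths are assumed.)
        oauth_authorize:
            pattern: ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
            anonymous: true

        # Third-party access (assumed /api/partner prefix): bearer tokens only, no
        # session and no cookies, so a cross-site request carries no ambient
        # credentials. Firewalls match in order, so this must precede `main`.
        api_partner:
            pattern: ^/api/partner
            fos_oauth: true
            stateless: true
            anonymous: false

        # First-party SPA: session cookie from the normal login form, as in the
        # question. Cookie-authenticated JSON endpoints remain reachable by
        # cross-site requests, so state-changing methods still need CSRF protection.
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
            logout: true
            anonymous: true

    access_control:
        - { path: ^/oauth/v2/auth_login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/partner, roles: ROLE_API, requires_channel: https }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
```

Two points worth checking in any variant of this: firewall order (the first `pattern` that matches wins, so a catch-all `^/` firewall must come last), and the scope of `csrf_token_generator`, which protects only the login form. The `/api` routes under `main` are authenticated by the session cookie alone, so POST/PUT/DELETE calls from the SPA should carry a CSRF token or a custom header that the server verifies; the question's configuration does not do this.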