在 Symfony2 中为每个 URI 使用多个安全提供程序
Using multiple security providers for each URI in Symfony2
直截了当地提问,如何在 security.yml 中为不同的 URI 模式使用不同的安全提供程序?,这里是场景:
routing.yml中有一些URI如下:
/ 没有安全保障,所有人都可以使用/admin 仅供注册用户访问并使用 fos_userbundle 作为安全提供程序/api 仅授予在实体中具有 apiKey 属性 的用户。
数据库中有两个不同的用户实体,User 和 ApiUser。这是我的 security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
acl:
connection: default
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
api_domain:
entity:
class: AdministrationUserBundle:ApiUser
property: apiKey
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
success_handler: admin_success_handler
logout:
path: /admin/logout
anonymous: true
# Custom firewall for api area
api_login:
pattern: ^/api/login
stateless: true
anonymous: true
form_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api_doc:
pattern: ^/api/doc
stateless: true
anonymous: true
api:
pattern: ^/api
guard:
provider: api_domain
entry_point: app.token_authenticator
authenticators:
- app.token_authenticator
lexik_jwt: ~
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/assets/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/uploads/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/user/, role: [ROLE_USER] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/card/, role: ROLE_USER }
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
提前致谢
经过一些搜索和错误修复,我发现实现它的最简单方法是使用正则表达式,所以我更改了 security.yml:
api:
pattern: ^/api/v\d+\.\d+/
provider: api_domain
anonymous: false
guard:
authenticators:
- app.token_authenticator
lexik_jwt: ~
api_login:
pattern: ^/api/login
stateless: true
anonymous: true
provider: fos_userbundle
form_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api_doc:
pattern: ^/api/doc
stateless: true
anonymous: true
并在 routers.yml 在 api uri 的末尾添加了一个版本:
rest:
type : rest
resource : "routers/rest_api.yml"
prefix : /api/v1.2
直截了当地提问,如何在 security.yml 中为不同的 URI 模式使用不同的安全提供程序?,这里是场景:
routing.yml中有一些URI如下:
/没有安全保障,所有人都可以使用/admin仅供注册用户访问并使用fos_userbundle作为安全提供程序/api仅授予在实体中具有apiKey属性 的用户。
数据库中有两个不同的用户实体,User 和 ApiUser。这是我的 security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
acl:
connection: default
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
api_domain:
entity:
class: AdministrationUserBundle:ApiUser
property: apiKey
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
success_handler: admin_success_handler
logout:
path: /admin/logout
anonymous: true
# Custom firewall for api area
api_login:
pattern: ^/api/login
stateless: true
anonymous: true
form_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api_doc:
pattern: ^/api/doc
stateless: true
anonymous: true
api:
pattern: ^/api
guard:
provider: api_domain
entry_point: app.token_authenticator
authenticators:
- app.token_authenticator
lexik_jwt: ~
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/assets/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/uploads/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/user/, role: [ROLE_USER] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/card/, role: ROLE_USER }
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
提前致谢
经过一些搜索和错误修复,我发现实现它的最简单方法是使用正则表达式,所以我更改了 security.yml:
api:
pattern: ^/api/v\d+\.\d+/
provider: api_domain
anonymous: false
guard:
authenticators:
- app.token_authenticator
lexik_jwt: ~
api_login:
pattern: ^/api/login
stateless: true
anonymous: true
provider: fos_userbundle
form_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api_doc:
pattern: ^/api/doc
stateless: true
anonymous: true
并在 routers.yml 在 api uri 的末尾添加了一个版本:
rest:
type : rest
resource : "routers/rest_api.yml"
prefix : /api/v1.2