I am using Symfony 2 for building a website.
The work is in progress (therefore I don't want users or search engines to access it) but my client wants to see my progress. I was thinking an easy solution was to protect the whole website with HTTP authentication using the mechanism provided by the Symfony 2 security functionality.
I am using FOSUserBundle as the website will have users that need to register and login.
This is my security.yml, which works great:
security:
providers:
fos_userbundle:
id: fos_user.user_manager
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/account, role: IS_AUTHENTICATED_FULLY }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Therefore I was trying to add something else on top of it, to allow the website to be protected by HTTP Authentication.
I changed the file to:
security:
providers:
fos_userbundle:
id: fos_user.user_manager
whole_website_provider:
users:
ryan: { password: ryanpass, roles: 'ROLE_USER' }
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
whole_website:
pattern: ^/
anonymous: ~
http_basic:
realm: "Secured Demo Area"
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/account, role: IS_AUTHENTICATED_FULLY }
- { path: ^/, role: ROLE_USER }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Basically I added the whole_website_provider provider, the whole_website firewall and an extra access_control.
But that didn't work: when I access the website, I get redirected to the login form, that's it.
Have you got any idea whether I can do it and how?
N.B.: I would prefer not to use any Apache feature for it.
On my opinion, what you need is not to manage users with HTTP authentication but to restrict access to your site with HTTP authentication. Don't use Symfony2 security for that.
Leave your symfony2 app security as it will be in production mode and use apache .htaccess to restrict access to the site.
Documentation is here http://httpd.apache.org/docs/2.2/howto/auth.html. You just have to add some directives in web/.htaccess, and create a user/password file as explained in the doc...
my solution in Symfony2, using the basic firewall of symfony (without FOSUserBundle):
# app/config/security.yml
security:
firewalls:
secured_area:
pattern: ^/
anonymous: ~
form_login:
login_path: login
check_path: login_check
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/, roles: ROLE_USER }
providers:
in_memory:
memory:
users:
redattore: { password: 'somePasswordHere', roles: 'ROLE_USER' }
admin: { password: 'somePasswordHere', roles: 'ROLE_ADMIN' }
encoders:
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
It works perfectly for me. It's a very basic configuration - without hashing passwords, without data base provider ("providers:" section), without https connection (everything goes in plain text throughout the internet), without logout stuff and other nice features. I hope it will help you. With kind regards
来源:https://stackoverflow.com/questions/10481651/symfony-2-hide-the-whole-website-with-a-http-authentication-dialog