Symfony 2 - hide the whole website with a HTTP Authentication dialog

Question

I am using Symfony 2 for building a website.

The work is in progress (therefore I don\'t want users or search engines to access it) but my client wants to see my pro

Answer 1

my solution in Symfony2, using the basic firewall of symfony (without FOSUserBundle):

# app/config/security.yml
security:

    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: ROLE_USER }

    providers:
        in_memory:
            memory:
                users:
                    redattore: { password: 'somePasswordHere', roles: 'ROLE_USER' }
                    admin: { password: 'somePasswordHere', roles: 'ROLE_ADMIN' }

    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

It works perfectly for me. It's a very basic configuration - without hashing passwords, without data base provider ("providers:" section), without https connection (everything goes in plain text throughout the internet), without logout stuff and other nice features. I hope it will help you. With kind regards

Answer 2

On my opinion, what you need is not to manage users with HTTP authentication but to restrict access to your site with HTTP authentication. Don't use Symfony2 security for that.

Leave your symfony2 app security as it will be in production mode and use apache .htaccess to restrict access to the site.

Documentation is here http://httpd.apache.org/docs/2.2/howto/auth.html. You just have to add some directives in web/.htaccess, and create a user/password file as explained in the doc...