Anonymous token even if logged in in public pages

我怕爱的太早我们不能终老 submitted on 2019-12-11 08:38:54

Question


I'm having some trouble setting my security.

I want a page to be accessible both by anonymous users and by logged-in members. I want it to show different content depending on the situation (in fact, I want to still be logged in as a member when I go to it).

The page I want to give public access to is ^/profile.

I set my security.yml like this:

jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Firewall for the login, registration and password-reset pages
        login:
            pattern:   ^/(login$|register|resetting)  # the URLs of these pages are login, register and resetting
            anonymous: true                           # anonymous users are of course allowed on these pages

        # Separate firewall for the public profile page
        public:
            pattern:   ^/profile
            anonymous: true

        # Separate firewall for the homepage
        homepage:
            pattern:   ^/$
            anonymous: true

        # Main firewall for the rest of the site
        main:
            pattern: ^/                            # ^/ = everything that starts with / = the whole site
            form_login:                            # our authentication method
                provider: fos_userbundle           # bind authentication to the provider defined above
                remember_me: true                  # enable "remember me" (disabled by default)
            remember_me:
                key: "%secret%"                    # key for remember_me (%secret% is a parameter from parameters.yml); quoted so YAML does not choke on the leading %
            anonymous: false                       # anonymous (unauthenticated) users: disabled on this firewall
            logout: true                           # allow manual logout (disabled by default)
            #anonymous: ~
            #http_basic:
            #    realm: "Secured Demo Area"

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

My problem is that when I'm logged in and I access this page, it's like I'm not logged in (I've got my log-in button) because the firewall gives me an anonymous token.

Thanks for your help. Scaff


Answer 1:


Common pitfalls in authentication:

Multiple firewalls don't share security context
If you're using multiple firewalls and you authenticate against one firewall, you will not be authenticated against any other firewalls automatically. Different firewalls are like different security systems. To do this you have to explicitly specify the same Firewall Context for different firewalls. But usually for most applications, having one main firewall is enough.

So put everything under one main firewall and use ACLs as in FOSUserBundle installation step 4.

jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # One firewall for the whole site: the token obtained via form_login
        # is then valid on every page, including the anonymous-accessible ones.
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                remember_me: true
            logout:       true
            anonymous:    true
            remember_me:
                key: "%secret%"   # quoted so the leading % is not misparsed by YAML

    # Rules are evaluated top to bottom, first match wins, so the catch-all
    # ^/ rule that requires ROLE_USER must come last.
    access_control:
        - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/profile, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }

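Added example, not part of the question or of either answer: the answer above mentions that the alternative to a single firewall is to give several firewalls "the same Firewall Context". Symfony exposes that as the `context` option on each firewall. Firewalls that share a `context` value store and read their token under the same session key, so a member who logs in through `main` is still authenticated when a request is routed to `public`. The firewall names and the context name `shared_context` are assumptions; everything else mirrors the configuration on this page.

```yaml
security:
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Public area in its own firewall. Because it shares "shared_context"
        # with "main", a member authenticated via "main" keeps their token
        # here instead of being handed an anonymous one.
        public:
            pattern:   ^/profile
            context:   shared_context   # assumption: any name, must match "main"
            anonymous: true

        # Main firewall, the only one with an authentication entry point.
        main:
            pattern:   ^/
            context:   shared_context   # same value as "public"
            form_login:
                provider:    fos_userbundle
                remember_me: true
            remember_me:
                key: "%secret%"
            logout:    true
            anonymous: true

    # First matching rule wins: specific public paths first, catch-all last.
    access_control:
        - { path: ^/login$,    roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register,  roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/profile,   roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/,          roles: ROLE_USER }
```

Two caveats a practitioner should keep in mind: the firewall that owns `form_login`, `remember_me` and `logout` must be the one the login, logout and remember-me URLs are routed to (here `main` matches `^/` so it is), and splitting firewalls only to vary `anonymous` buys nothing that an `access_control` rule does not already give, so the single-firewall layout in the answer above remains the simpler and less error-prone choice.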


Answer 2:


IMO you have not pasted the file quite correctly, so I cannot say for sure. But you probably have 2 firewalls for one URL. There is a main firewall

main: 
    pattern: ^/ 

and a public firewall

public:
    pattern: ^/profile

Try to specify only one firewall.

Quote from the official documentation:

Multiple firewalls don't share security context If you're using multiple firewalls and you authenticate against one firewall, you will not be authenticated against any other firewalls automatically. Different firewalls are like different security systems. To do this you have to explicitly specify the same Firewall Context for different firewalls. But usually for most applications, having one main firewall is enough.



Source: https://stackoverflow.com/questions/16949904/anonymous-token-even-if-logged-in-in-public-pages
