I have a Symfony2 application with a REST API and a SonataAdmin backend.
In the security.yml file I have the following:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        SONATA:
            - ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT
    providers:
        fos_userbundle:
            id: fos_user.user_manager
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin:
            pattern: /admin(.*)
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /admin/login
                use_forward: false
                check_path: /admin/login_check
                failure_path: null
            logout:
                path: /admin/logout
            anonymous: true
        oauth_token:
            pattern: ^/oauth/v2/token$
            security: false
        oauth_authorize:
            pattern: ^/oauth/v2/auth$
            security: false
            # Add your favorite authentication process here
        api:
            pattern: ^/api(?!/user$)(?!/user/visit/)(?!/doc$) # with this pattern everything under api except doc is protected
            fos_oauth: true
            stateless: true
            anonymous: false # can be omitted as its default value
        main:
            pattern: .*
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /login
                use_forward: false
                check_path: /login_check
                failure_path: null
            logout: true
            anonymous: true
    access_control:
        # FOSUserBundle URLs that must be available to anonymous users
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # admin login URLs need to be accessible without credentials
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: [ROLE_SUPER_ADMIN] }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/doc/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # API URLs. Must always be authenticated.
        - { path: ^/api, roles: [ IS_FULLY_AUTHENTICATED ] }
That is, among other routes, I have the following security configuration:
- routes /admin(.*) are protected under the firewall admin
- routes ^/api(?!/user$)(?!/user/visit/)(?!/doc$) (everything that hangs from /api, except /api/user, /api/user/visit and /api/doc) are protected under oauth2.
Now they have asked me that the /api documentation be protected, but by the admin, so that if the user is not authenticated, they are redirected to /admin/login. If they are authenticated, the doc is shown.
I have changed the admin pattern to the following:
(admin(.*))|(\/api\/doc(.*))
and the api pattern now looks like this:
^/api(?!/user$)(?!/user/visit/)
However, when accessing /api/doc via the browser, if I am not registered, the documentation appears. It looks like security isn't triggered, or there is something I'm not doing right.
Can anyone suggest a solution?
One of the first things mentioned in the documentation is that:
In your access_control, the regex ^/* matches any path, so anything below this line is irrelevant: you should move it to the end.
Also, I guess for it /api/doc should be ROLE_SUPER_ADMIN (check what role it should be).
Other things to keep in mind:
- ^ : a ^ matches the start of the route. If omitted, expressions like /admin(.*) can match paths like /blah/administracion-de-bienes
- (admin(.*))|(\/api\/doc(.*)) should be ^/(admin|api/doc)
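To see the two effects the answer describes, here is an added Python check (not code from the question, the answer or Symfony) that replays the question's access_control entries and firewall patterns the way Symfony evaluates them: the first matching access_control entry wins, and firewall patterns are unanchored regexes. It assumes, as the answer suggests, that /api/doc should require ROLE_SUPER_ADMIN once the catch-all is moved to the end.

```python
import re

# The question's access_control entries in the order posted (constructed from
# the page; only the path regex and the required role are kept).
ACCESS_CONTROL_POSTED = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/logout$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/login_check$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin", "ROLE_SUPER_ADMIN"),
    (r"^/.*", "IS_AUTHENTICATED_ANONYMOUSLY"),  # catch-all: shadows everything below it
    (r"^/api/doc/.*", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/api", "IS_FULLY_AUTHENTICATED"),
]


def required_role(path, rules):
    """Symfony access_control semantics: the first entry whose regex matches
    the request path decides; later entries are never consulted."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None  # no entry matched: access_control imposes nothing


def reordered(rules):
    """The answer's fix: drop the ^/.* catch-all from the middle, require
    ROLE_SUPER_ADMIN for /api/doc (assumed role), and put the catch-all last."""
    fixed = [(p, r) for p, r in rules if p != r"^/.*"]
    fixed = [(r"^/api/doc", "ROLE_SUPER_ADMIN") if p == r"^/api/doc/.*" else (p, r)
             for p, r in fixed]
    return fixed + [(r"^/.*", "IS_AUTHENTICATED_ANONYMOUSLY")]


def firewall_matches(pattern, path):
    """Firewall patterns are plain preg_match() regexes: without a leading ^
    they match anywhere in the path, not only at its start."""
    return re.search(pattern, path) is not None


if __name__ == "__main__":
    for path in ("/api/doc", "/api/users", "/admin/login", "/blah"):
        print(path, required_role(path, ACCESS_CONTROL_POSTED),
              "->", required_role(path, reordered(ACCESS_CONTROL_POSTED)))
    for pat in (r"(admin(.*))|(\/api\/doc(.*))", r"^/(admin|api/doc)"):
        print(pat, firewall_matches(pat, "/blah/administracion-de-bienes"))
```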