Security Fundamentals
Symfony comes with a security component that’s really powerful. Honestly, it’s also really complex. It can connect with other authentication systems - like Facebook or LDAP - or load user information from anywhere, like a database or even across an API.
The bummer is that hooking all this up can be tough. But since you’ll know how each piece works, you’ll be able to do amazing things. There’s also some jedi magic I’ll show you later that makes custom authentication systems much easier.
Authentication, Authorization and the Death Star
Security is two parts: authentication and authorization. Authentication checks the user’s credentials. Its job is not to restrict access; it just wants to know who you are.
Ok, so think of a building, or maybe even the Death Star. After the tractor beam forces you to land, you walk out and pass through a security checkpoint. Both Stormtroopers and rebels check-in here, prove who they are and receive an access card, or a token in Symfony-speak.
Proving who you are and getting a token: that’s authentication.
The token can be used to unlock doors in this fully armed and operational battle station. Everyone inside has a token, but some grant more access than others. The second part of security, authorization, is like the lock that’s on every door. It actually denies a user access to something. Authorization doesn’t care if you’re Obi-Wan or a Stormtrooper, it only checks to see if the token you received has enough access to enter a specific room.
Security configuration: security.yml
Let’s talk authentication first, which can be more complex than authorization. The security configuration lives entirely in the app/config/security.yml file, which is imported from the main config.yml file:
# app/config/config.yml
imports:
    # ...
    - { resource: security.yml }
Security config lives in its own file because, well, it’s kind of big and ugly. But there’s no technical reason: you could move all of this into config.yml and it would work just the same.
Firewalls Configuration (security.yml)
Note
If your security.yml file is mostly empty, don’t worry! You installed Symfony in a slightly different way. Just download the code for this tutorial and replace your security.yml file with the one from the download.
Find the firewalls key: it’s the most important part in this file. A firewall represents the authentication layer, or security check-point for your app. Delete the login and dev firewall sections so that we have just one firewall:
# app/config/security.yml
# ...
firewalls:
    secured_area:
        pattern: ^/demo/secured/
        form_login:
            check_path: _security_check
            login_path: _demo_login
        logout:
            path: _demo_logout
            target: _demo
        #anonymous: ~
        #http_basic:
        #    realm: "Secured Demo Area"
Just like in a giant floating death machine, it makes sense for everyone to pass through the same security system that looks up people in the same corrupt, imperial database. In fact, change the pattern key to be ^/:
# app/config/security.yml
# ...
firewalls:
    secured_area:
        pattern: ^/
        # ...
Now, every request that goes to our app will use this one firewall for authentication. Let’s also change the login_path key to be /my-login-url:
# app/config/security.yml
# ...
firewalls:
    secured_area:
        pattern: ^/
        form_login:
            check_path: _security_check
            login_path: /my-login-url
        # ...
Don’t worry about what this or any of the other keys mean yet: they’re just there to confuse you. I’ll explain it all in a second.
Anonymous Access (security.yml)
Now, uncomment the anonymous key:
# app/config/security.yml
# ...
security:
    # ...
    firewalls:
        secured_area:
            pattern: ^/
            # ...
            anonymous: ~
This lets anonymous users into the site, similar to letting a tourist enter the Death Star. We may want to require login for certain pages, or even maybe nearly every page. But we’re not going to do that here. Remember, the firewall is all about finding out who you are, not denying access.
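To make the pattern and anonymous behaviour of the last two sections concrete, here is an added example (mine, not code from the screencast or from Symfony) written in plain PHP with no framework. It models the check-point: the firewall pattern decides whether a request is authenticated at all, authentication hands out a token (none, anonymous, or a real user), and authorization only ever looks at that token. The Token and Firewall classes and the firewallForPath, authenticate and isGranted functions are invented for this illustration, as are the sample paths and the "obiwan" session user; the one piece borrowed from Symfony is the pattern test, which the framework's RequestMatcher performs with preg_match against the decoded request path.

```php
<?php
// Added example for this chapter, not code from the screencast or from Symfony.
// A plain-PHP model of the security check-point: which firewall a request hits,
// what token authentication hands out, and how authorization reads that token.
// Token, Firewall, firewallForPath(), authenticate() and isGranted() are all
// invented names for this illustration.

final class Token
{
    public $username;
    public $roles;
    public $anonymous;

    public function __construct($username, array $roles, $anonymous)
    {
        $this->username  = $username;
        $this->roles     = $roles;
        $this->anonymous = $anonymous;
    }
}

final class Firewall
{
    public $name;
    public $pattern;         // the "pattern" key, e.g. '^/demo/secured/' or '^/'
    public $allowsAnonymous; // true once "anonymous: ~" is uncommented

    public function __construct($name, $pattern, $allowsAnonymous)
    {
        $this->name            = $name;
        $this->pattern         = $pattern;
        $this->allowsAnonymous = $allowsAnonymous;
    }

    // Same test Symfony's RequestMatcher performs: the pattern is the body of a
    // regular expression matched against the decoded request path.
    public function matches($path)
    {
        return preg_match('{'.$this->pattern.'}', rawurldecode($path)) === 1;
    }
}

// The check-point: the first firewall whose pattern matches handles the request.
function firewallForPath(array $firewalls, $path)
{
    foreach ($firewalls as $firewall) {
        if ($firewall->matches($path)) {
            return $firewall;
        }
    }

    return null; // no firewall at all: the request is never authenticated
}

// Authentication ("who are you?"). $sessionUser is a constructed stand-in for a
// user who already logged in through the form, as array('name' => ..., 'roles'
// => array(...)), or null when nobody is logged in. Returns a Token, or null
// when the request got no token (the red "You are not authenticated" icon).
function authenticate(array $firewalls, $path, $sessionUser = null)
{
    $firewall = firewallForPath($firewalls, $path);
    if ($firewall === null) {
        return null;
    }
    if ($sessionUser !== null) {
        return new Token($sessionUser['name'], $sessionUser['roles'], false);
    }
    if ($firewall->allowsAnonymous) {
        return new Token('anon.', array(), true); // the green "anon" in the toolbar
    }

    return null; // firewall matched, but with anonymous off there is nothing to hand out
}

// Authorization ("may you open this door?"): looks only at the token.
function isGranted($role, $token)
{
    if ($token === null || $token->anonymous) {
        return false; // no token, or an anonymous one, unlocks nothing
    }

    return in_array($role, $token->roles, true);
}

// Constructed walk-through of the chapter's before/after configuration.
$before = array(new Firewall('secured_area', '^/demo/secured/', false));
$after  = array(new Firewall('secured_area', '^/', true));
$obiWan = array('name' => 'obiwan', 'roles' => array('ROLE_USER'));

foreach (array('/blog', '/demo/secured/hello') as $path) {
    foreach (array('before' => $before, 'after' => $after) as $label => $firewalls) {
        $token = authenticate($firewalls, $path);
        printf("%-6s %-20s token: %s\n", $label, $path,
            $token === null ? 'none' : ($token->anonymous ? 'anonymous' : $token->username));
    }
}

$token = authenticate($after, '/blog', $obiWan);
printf("logged-in token: %s, ROLE_USER granted: %s, ROLE_ADMIN granted: %s\n",
    $token->username, var_export(isGranted('ROLE_USER', $token), true),
    var_export(isGranted('ROLE_ADMIN', $token), true));
```

Run it with `php model.php`. The "before" rows show why a request outside the ^/demo/secured/ pattern never gets a token, the "after" rows show the anonymous token the ^/ firewall now hands to everyone, and the last line shows that authorization is decided purely by the roles carried on the token, never by who the user claims to be.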
Head back to the browser, but don’t refresh! First, notice the little red icon on your web debug toolbar. When you hover over it, it says “You are not authenticated”.
Now refresh. Yay! It’s green and says “anon”. Clicking it shows us that we’re now “authenticated”. Yes, it’s a bit odd, but anonymous users are actually authenticated, since they passed through our firewall.
But don’t panic, it’s easy in code to check if the user has actually logged in or not. I’ll show you later. Of course, we haven’t actually done the work to make it possible to log in yet, but we’ll get to those silly details in a second.
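The check mentioned above, as an added example that is not from the screencast: a controller that lets a visitor through the firewall but only opens the door to someone who actually logged in. The Acme\DemoBundle namespace, the DemoController class and the secretAction name are assumptions; the security.context service and its isGranted() method are the Symfony 2.4 API this course targets (Symfony 2.6 moved isGranted() onto the security.authorization_checker service, and the rest stays the same).

```php
<?php
// Added example, not from the screencast. Assumed bundle and controller names
// (Acme\DemoBundle, DemoController, secretAction); the service and method
// calls are Symfony 2.4's.
namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class DemoController extends Controller
{
    public function secretAction()
    {
        // Authentication already happened in the firewall: with "anonymous: ~"
        // every request reaching this code carries a token, maybe an anonymous one.
        $securityContext = $this->get('security.context');

        // Authorization: IS_AUTHENTICATED_FULLY is false for the anonymous token
        // (and for a remember-me cookie), true only after a real login.
        if (!$securityContext->isGranted('IS_AUTHENTICATED_FULLY')) {
            // For an anonymous visitor the firewall's entry point turns this
            // exception into a redirect to login_path (/my-login-url); a
            // logged-in user who lacks access gets a 403 instead.
            throw new AccessDeniedException('Log in first.');
        }

        $user = $this->getUser(); // null for anonymous, so only safe after the check

        return new Response(sprintf('Welcome aboard, %s.', $user->getUsername()));
    }
}
```

Throwing AccessDeniedException rather than redirecting by hand is the point: the firewall already knows whether the token is anonymous, so it decides between "send to the login form" and "deny", and the controller only states the rule.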
8 Comments
Hey Raimen!
1) Wow, I'm so glad you reported this! The missing code blocks are a bug on the symfony.com servers - I just reported it (it's a big bug, many code blocks are missing). This will be fixed very soon: you are not missing anything :).
2) Actually, I don't think that either of the ways of installation (the other being the create-project method) give you a very descriptive security.yml file anymore. But that's by design: the files used to come with *a lot* of stuff you didn't need. To see a complete security.yml file, you can of course download the code from this screencast. But also, take a look at the symfony-demo: https://github.com/symfony/...
Cheers!
Thanks Ryan!
How can I run this course's code? With the command I use for starting the server I get this:
$ php app/console server:start
PHP Warning: require_once(D:\media\downloads\knpuniversity\symfony2-ep3\start\app/bootstrap.php.cache): failed to open stream: No such file or directory in D:\media\downloads\knpuniversity\symfony2-ep3\start\app\console on line 10
Warning: require_once(D:\media\downloads\knpuniversity\symfony2-ep3\start\app/bootstrap.php.cache): failed to open stream: No such file or directory in D:\media\downloads\knpuniversity\symfony2-ep3\start\app\console on line 10
PHP Fatal error: require_once(): Failed opening required 'D:\media\downloads\knpuniversity\symfony2-ep3\start\app/bootstrap.php.cache' (include_path='C:\xampp\php\PEAR') in D:\media\downloads\knpuniversity\symfony2-ep3\start\app\console on line 10
Fatal error: require_once(): Failed opening required 'D:\media\downloads\knpuniversity\symfony2-ep3\start\app/bootstrap.php.cache' (include_path='C:\xampp\php\PEAR') in D:\media\downloads\knpuniversity\symfony2-ep3\start\app\console on line 10
Yo Jelle S.!
Make sure you run composer install first. This is now an older tutorial - our newer tutorials all have accurate README.md files with all the setup details, but this one is missing some of those details. You'll also need to run a few database setup commands, which should be:
app/console doctrine:database:create
app/console doctrine:schema:update --force
app/console doctrine:fixtures:load
Cheers!
Hi there, I got a problem. Since I use Symfony 2.7, I get a totally different security.yml, and I don't know how to edit it to make it work like the one in this video. Can someone help?
It looks like this:
# To get started with security, check out the documentation:
# http://symfony.com/doc/current/book/security.html
security:
    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory:
            memory: ~
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: ~
            # activate different ways to authenticate
            # http_basic: ~
            # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
            # form_login: ~
            # http://symfony.com/doc/current/cookbook/security/form_login_setup.html
Hey Léo!
You're right - in later versions of Symfony, the default security.yml looks smaller and simpler. But that's ok - it's just a starting point, and you can modify it however you want. At the end of this chapter, the security.yml file from the video looks like the code block below. This isn't fully functional yet - we go on to continue updating it in the next chapters. But if you want to use this as a starting point for what things should look like at the end of this chapter, this should work.
Cheers!
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        in_memory:
            memory:
                users:
                    user: { password: userpass, roles: [ 'ROLE_USER' ] }
                    admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
    firewalls:
        secured_area:
            pattern: ^/
            form_login:
                check_path: _security_check
                login_path: /my-login-url
            logout:
                path: _demo_logout
                target: _demo
            anonymous: ~
            #http_basic:
            #    realm: "Secured Demo Area"
    access_control:
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
Ok, thank you.
What PHP libraries does this tutorial use?
// composer.json
{
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "~2.4", // v2.4.2
        "doctrine/orm": "~2.2,>=2.2.3", // v2.4.2
        "doctrine/doctrine-bundle": "~1.2", // v1.2.0
        "twig/extensions": "~1.0", // v1.0.1
        "symfony/assetic-bundle": "~2.3", // v2.3.0
        "symfony/swiftmailer-bundle": "~2.3", // v2.3.5
        "symfony/monolog-bundle": "~2.4", // v2.5.0
        "sensio/distribution-bundle": "~2.3", // v2.3.4
        "sensio/framework-extra-bundle": "~3.0", // v3.0.0
        "sensio/generator-bundle": "~2.3", // v2.3.4
        "incenteev/composer-parameter-handler": "~2.0", // v2.1.0
        "doctrine/doctrine-fixtures-bundle": "~2.2.0", // v2.2.0
        "ircmaxell/password-compat": "~1.0.3", // 1.0.3
        "phpunit/phpunit": "~4.1" // 4.1.0
    }
}
Hi Ryan,
two questions,
1) Symfony documentation looks a bit confusing to me. Many of the configuration blocks seem to be missing in the documentation.
For example, if you see these screenshots: http://imgur.com/YUK84Fa , which is taken from this page: https://symfony.com/doc/cur....
Or this: http://imgur.com/DF6chdT, taken from https://symfony.com/doc/cur...
another: http://imgur.com/aVPq9SP
How would new Symfony users understand what the security.yml will look like - is there any straightforward way? It would be very kind if you could point this out in the documentation, not this tutorial.
2) You mentioned in this screencast, "If your security.yml file is mostly empty, don’t worry! You installed Symfony in a slightly different way." - what is the other way of installation to get a bit more descriptive security.yml?
Thanks in advance Ryan.