This course is still being released! Check back later for more chapters.
Symfony Security: The Basics
Learn Symfony Security basics: users, login, registration, firewalls, access control, roles, and voters — and how Symfony decides who can do what.
About this course
Security doesn’t have to feel scary. In this course, you’ll learn how to add real authentication and authorization to a Symfony app — step by step, from zero to a fully protected system.
We’ll start by installing and understanding the Security component, then create users, build login and registration forms, and add handy features like “remember me.” From there, you’ll work with roles, firewalls, access control, and how Symfony decides who can do what.
We’ll wrap up by demystifying voters — including one that checks permissions based on a specific object (a “subject”) and another that gives super-admins special powers — so you understand the core building blocks behind Symfony’s authorization system.
By the end, you won’t just know which buttons to press — you’ll understand the fundamentals of how Symfony Security works, so you can confidently protect your apps.
Next courses in the Symfony: The Fundamentals section of the Symfony Track!
16 Comments
Hey Eugeny,
Yes, you're right, rate limit is a good topic! And we're going to cover it in the upcoming advanced security course :)
Cheers!
for example: if i have tow User Entity like: Employee and Member。when the identifier all is email. then if the employee and member has same email abc@abc.com. and the provider is chain provider. the lexik/jwt-authentication-bundle will always return the first provider.
Hey @Yangzhi!
Yes, that is expected with a chain provider. If two providers can return a user for the same identifier, Symfony will use the first matching provider. You need a globally unique identifier across all providers, or include something else in the JWT/user loading process to distinguish the user type, such as employee vs member. Another option is to avoid a chain provider here and use separate firewalls/auth flows/providers if Employee and Member are truly different user types.
--Kevin
yes,this is why need the tutorial,because i have no idea how to make different firewalls and request the same api (all request /api/xxxx)
So this is likely going to be out of the scope of this course... here's some more ideas for your problem:
If all requests use the same URL pattern, like /api/xxxx, then multiple firewalls usually won't help because Symfony chooses a single firewall to handle each request.
In this case, I would avoid a chain provider where Employee and Member can share the same identifier. The JWT needs enough information to know which user type it represents. For example, the token could include whether the user is an employee or a member, and the user provider would use both values: the type + the email.
So instead of loading only by email, you would load by something like:
type = employee, email = abc@abc.comtype = member, email = abc@abc.com
Another option is to make the identifier globally unique across both user types, or use separate API prefixes like /api/employee/... and /api/member/... if you really want separate firewalls.
But if everything is under the same /api firewall, then the solution is usually a custom user provider and/or JWT payload that can distinguish the user type.
--Kevin
yes,my solution is not use jwt,i create token column for each one and use member or employee prefix。just like yours。look like it`s the right way.thanks
Sooo, I really don't want to nag, but I'm probably doing just that...
Are you still planning on doing this course or are you now waiting until your courses on Symfony 8 are up to speed and then do a Security tutorial for Symfony 8?
Hey @odds!
First chapter is coming out Monday! We're kind of blending the Symfony 7 track right into 8. Unless specified, and we choose to use a Symfony 8-specific feature, these will all work just the same on 7.
Cheers!
Kevin
I wonder if Symfony's security system can compete with OAuth 2 Flow and if you could open the new tutorial to this topic. Tried to integrate league/OAuth2-Bundle, but it's hard to understand, which Auth-steps can be performed by symfony security and which better with OAuth2-Bundle. (Given that whole Authenticatiom remains on the one Symfony-project without external Auth-Providers).
Hey Sebastian,
Thank you for your interest in SymfonyCasts tutorials! Yes, OAuth2 flow is a cool topic to cover. We will definitely cover it, but in further courses. This Security Basics course will not have it, unfortunately.
Meanwhile, could you clarify if you're looking for building a standalone OAuth server for your needs? Because the bundle you're referencing is probably league/oauth2-server-bundle ? If so, we have a standalone course on this topic: https://symfonycasts.com/screencast/oauth .
But in most cases users usually just want an integration with already existent OAuth providers like Facebook, GitHub, SymfonyConnect, etc. where you don't need to spin up and configure your own OAuth2 server for these purposes. If you just want to add social logins on your website - you should take a look at league/oauth2-client instead. Or we would recommend to look at ours knpuniversity/oauth2-client-bundle . And it's implementation should be much easier than creating your own server for OAuth login.
I hope that helps!
Cheers!
Hey Victor, thank you very much. Now I have to check the differences between client- and server-bundle, I was not aware that there are two bundles.
For this new course, I am interested how to config and implement parallel access-methods with Symfony Security (Client-Apps on Smartphone, good old Browser-Login, public Api).
Cheers!
Hey Sebastian,
You're welcome, unless you need your own custom OAuth provider - you should take a look at the simpler OAuth client bundle that will just help you with integration on existing social networks :)
But what you mentioned is not a simple OAuth-client case, there you will need an authentication/resource server. Unfortunately we won't cover this complex case in this Security basics course, but I think our https://symfonycasts.com/screencast/oauth course may help you with planning. I would recommend you watch that :)
I hope that helps!
Cheers!
This is one of my favorites. Can’t wait to see it.
On the other hand, It would be amazing to have some guidance about SSO.
Hey John,
Thank you for your interest in SymfonyCasts tutorials! We plan it to be a short course, but SSO is a good thing to talk about, that's why we will plan to do several mini courses after this basic one related to security, and SSO would be good to be mentioned there for sure.
Thank you for your patience and understanding!
Cheers!
We also need to add a chapter that explains how to protect registration and login forms and sending confirm emails using a Rate Limiter.