
Security Fundamentals

Symfony comes with a security component that’s really powerful. Honestly, it’s also really complex. It can connect with other authentication systems - like Facebook or LDAP - or load user information from anywhere, like a database or even across an API.

The bummer is that hooking all this up can be tough. But since you’ll know how each piece works, you’ll be able to do amazing things. There’s also some jedi magic I’ll show you later that makes custom authentication systems much easier.

Authentication, Authorization and the Death Star

Security is two parts: authentication and authorization. Authentication checks the user’s credentials. Its job is not to restrict access, it just wants to know who you are.

Ok, so think of a building, or maybe even the Death Star. After the tractor beam forces you to land, you walk out and pass through a security checkpoint. Both Stormtroopers and rebels check in here, prove who they are and receive an access card, or a token in Symfony-speak.

Proving who you are and getting a token: that’s authentication.

The token can be used to unlock doors in this fully armed and operational battle station. Everyone inside has a token, but some grant more access than others. The second part of security, authorization, is like the lock that’s on every door. It actually denies a user access to something. Authorization doesn’t care if you’re Obi-Wan or a Stormtrooper, it only checks to see if the token you received has enough access to enter a specific room.

Security configuration: security.yml

Let’s talk authentication first, which can be more complex than authorization. The security configuration lives entirely in the app/config/security.yml file, which is imported from the main config.yml file:

# app/config/config.yml
imports:
    # ...
    - { resource: security.yml }

Security config lives in its own file because, well, it’s kind of big and ugly. But there’s no technical reason: you could move all of this into config.yml and it would work just the same.

Firewalls Configuration (security.yml)

Note

If your security.yml file is mostly empty, don’t worry! You installed Symfony in a slightly different way. Just download the code for this tutorial and replace your security.yml file with the one from the download.

Find the firewalls key: it’s the most important part in this file. A firewall represents the authentication layer, or security check-point for your app. Delete the login and dev firewall sections so that we have just one firewall:

# app/config/security.yml
# ...

firewalls:
    secured_area:
        pattern:    ^/demo/secured/
        form_login:
            check_path: _security_check
            login_path: _demo_login
        logout:
            path:   _demo_logout
            target: _demo
        #anonymous: ~
        #http_basic:
        #    realm: "Secured Demo Area"

Just like in a giant floating death machine, it makes sense for everyone to pass through the same security system that looks up people in the same corrupt, imperial database. In fact, change the pattern key to be ^/:

# app/config/security.yml
# ...

firewalls:
    secured_area:
        pattern:    ^/
        # ...

Now, every request that goes to our app will use this one firewall for authentication. Let’s also change the login_path key to be /my-login-url:

# app/config/security.yml
# ...

firewalls:
    secured_area:
        pattern:    ^/
        form_login:
            check_path: _security_check
            login_path: /my-login-url
        # ...

Don’t worry about what this or any of the other keys mean yet: they’re just there to confuse you. I’ll explain it all in a second.

Anonymous Access (security.yml)

Now, uncomment the anonymous key:

# app/config/security.yml
# ...

security:
    # ...
    firewalls:
        secured_area:
            pattern:    ^/
            # ...
            anonymous: ~

This lets anonymous users into the site, similar to letting a tourist enter the Death Star. We may want to require login for certain pages, or even maybe nearly every page. But we’re not going to do that here. Remember, the firewall is all about finding out who you are, not denying access.

Head back to the browser, but don’t refresh! First, notice the little red icon on your web debug toolbar. When you hover over it, it says “You are not authenticated”.

Now refresh. Yay! It’s green and says “anon”. Clicking it shows us that we’re now “authenticated”. Yes, it’s a bit odd, but anonymous users are actually authenticated, since they passed through our firewall.

But don’t panic, it’s easy in code to check if the user has actually logged in or not. I’ll show you later. Of course, we haven’t actually done the work to make it possible to login yet, but we’ll get to those silly details in a second.
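To make the “anon is authenticated, but not logged in” distinction concrete, here is an added controller that is not part of the screencast. It assumes a Symfony 2.6+ app with the security.token_storage and security.authorization_checker services available and a hypothetical Acme\DemoBundle namespace; the route name and file path are made up for illustration.

```php
<?php
// src/Acme/DemoBundle/Controller/WhoAmIController.php (hypothetical path, added example)
namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;

class WhoAmIController extends Controller
{
    public function whoAmIAction()
    {
        // The token is the "access card" the firewall (the checkpoint) handed out.
        // Behind a firewall with "anonymous: ~" it is never null, even for a
        // visitor who never logged in: that visitor carries an AnonymousToken.
        $token = $this->get('security.token_storage')->getToken();

        if (null === $token) {
            // Only happens when no firewall matched the request at all.
            return new Response('No firewall matched this request', 500);
        }

        // "Authenticated" in Symfony-speak only means the checkpoint was passed,
        // which is why the web debug toolbar turns green for "anon".
        $passedCheckpoint = $token->isAuthenticated();

        // "Logged in" is a separate question: IS_AUTHENTICATED_FULLY is granted
        // only when real credentials were presented during this session.
        $checker = $this->get('security.authorization_checker');
        $loggedIn = $checker->isGranted('IS_AUTHENTICATED_FULLY');

        if ($token instanceof AnonymousToken || !$loggedIn) {
            return new Response(sprintf(
                'anon (passed checkpoint: %s, logged in: no)',
                $passedCheckpoint ? 'yes' : 'no'
            ));
        }

        return new Response(sprintf('Logged in as %s', $token->getUsername()));
    }
}
```

Wire the action to any route inside the ^/ firewall and request it before and after logging in; the same request that the toolbar calls “authenticated” still reports “logged in: no” until the form_login check succeeds.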


  • 2015-11-30 Raimen

    Thanks Ryan!

  • 2015-11-30 weaverryan

    Hey Raimen!

    1) Wow, I'm so glad you reported this! The missing code blocks are a bug on the symfony.com servers - I just reported it (it's a big bug, many code blocks are missing). This will be fixed very soon: you are not missing anything :).

    2) Actually, I don't think that either of the ways of installation (the other being the create-project method) give you a very descriptive security.yml file anymore. But that's by design: the files used to come with *a lot* of stuff you didn't need. To see a complete security.yml file, you can of course download the code from this screencast. But also, take a look at the symfony-demo: https://github.com/symfony/sym...

    Cheers!

  • 2015-11-30 Raimen

    Hi Ryan,

    two questions,

    1) Symfony documentation looks a bit confusing to me. Many of the configuration blocks seem to be missing in the documentation.

    For example, if you see these screenshots: http://imgur.com/YUK84Fa , which is taken from this page: https://symfony.com/doc/curren....

    Or this: http://imgur.com/DF6chdT, taken from https://symfony.com/doc/curren...

    another: http://imgur.com/aVPq9SP

    How would new Symfony users understand what the security.yml will look like - is there any straightforward way? It would be very kind if you could point this out in the documentation, not this tutorial.

    2) You mentioned in this screencast, "If your security.yml file is mostly empty, don’t worry! You installed Symfony in a slightly different way." - what is the other way of installation to get a bit more descriptive security.yml?

    Thanks in advance Ryan.

  • 2015-09-13 Léo Li

    Ok, thank you.

  • 2015-09-11 weaverryan

    Hey Léo!

    You're right - in later versions of Symfony, the default security.yml looks smaller and simpler. But that's ok - it's just a starting point, and you can modify it however you want. At the end of this chapter, the security.yml file from the video looks like the code block below. This isn't fully functional yet - we go onto continue updating it in the next chapters. But if you want to use this as a starting point for what things should look like at the end of *this* chapter, this should work.

    Cheers!


    security:
        encoders:
            Symfony\Component\Security\Core\User\User: plaintext

        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

        providers:
            in_memory:
                memory:
                    users:
                        user: { password: userpass, roles: [ 'ROLE_USER' ] }
                        admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

        firewalls:
            secured_area:
                pattern: ^/
                form_login:
                    check_path: _security_check
                    login_path: /my-login-url
                logout:
                    path: _demo_logout
                    target: _demo
                anonymous: ~
                #http_basic:
                #    realm: "Secured Demo Area"

        access_control:
            #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }

  • 2015-09-06 Léo Li

    Hi there, I got a problem. Since I use Symfony 2.7, I get a totally different security.yml, and I don't know how to edit it to make it work like the one in this video. Can someone help?

    It looks like this:


    # To get started with security, check out the documentation:
    # http://symfony.com/doc/current/book/security.html
    security:
        # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
        providers:
            in_memory:
                memory: ~
        firewalls:
            # disables authentication for assets and the profiler, adapt it according to your needs
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false

            main:
                anonymous: ~
                # activate different ways to authenticate
                # http_basic: ~

                # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
                # form_login: ~
                # http://symfony.com/doc/current/cookbook/security/form_login_setup.html