[英]Redirect loop of death in Symfony2 security
I have an admin area with login that we are forcing to https://. 我有一个登录管理区域,我们强制要求https://。 Hitting the route /admin should redirect to the login page if the user isn't logged in, but I'm getting an endless redirect loop.
如果用户没有登录,点击路由/管理员应该重定向到登录页面,但我得到一个无休止的重定向循环。 Not sure what's wrong, here's security.yml:
不知道出了什么问题,这是security.yml:
firewalls:
admin_login:
pattern: ^/admin/secured/login$
security: false
admin_secured_area:
pattern: ^/admin
provider: entity_admin
form_login:
check_path: /admin/secured/login_check
login_path: /admin/secured/login
default_target_path: /admin
logout:
path: /admin/secured/logout
target: /
access_control:
- { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
- { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
Thanks for your help! 谢谢你的帮助!
No need for a "admin_login" section in firewalls. 防火墙中不需要“admin_login”部分。 But it looks like you forgot anonymous parameter..
但看起来你忘记了匿名参数..
firewalls:
admin_secured_area:
anonymous: ~
pattern: ^/admin
provider: entity_admin
form_login:
check_path: /admin/secured/login_check
login_path: /admin/secured/login
default_target_path: /admin
logout:
path: /admin/secured/logout
target: /
access_control:
- { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
- { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
As I said in my comment, do you set ROLE_ADMIN role for logged users ? 正如我在评论中所说,您是否为已登录用户设置了ROLE_ADMIN角色?
EDIT: Does your routing state HTTPS channel too for admin section ? 编辑:您的路由是否也为管理部分说明了HTTPS频道?
After quick look I would say that something like this below should be correct: 快速浏览后,我会说下面这样的内容应该是正确的:
firewalls:
admin_secured_area:
pattern: ^/admin
provider: entity_admin
form_login:
check_path: /admin/secured/login_check
login_path: /admin/secured/login
default_target_path: /admin
logout:
path: /admin/secured/logout
target: /
access_control:
- { path: ^/admin/secured/(login|login_check|logout)$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
- { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
Anyway, if this not help, I recommend to check the redirects with built-in profiler (tabs with route matches and logs), to turn it on the redirects change config_dev.yml
to: 无论如何,如果这没有帮助,我建议使用内置探查器(带路由匹配和日志的选项卡)检查重定向,将其重定向更改为
config_dev.yml
:
web_profiler:
toolbar: true
intercept_redirects: true
Hi so this is related to the way that Symfony2 $request->isSecure()
checks for SSL when the site is under a load balancer, there are some inconsistent header names in PHP. 嗨所以这与Symfony2
$request->isSecure()
在站点处于负载均衡器下时检查SSL的方式有关,PHP中存在一些不一致的头名称。 The config file needs the following: 配置文件需要以下内容:
trusted_proxies: [10.0.0.0/8]
It now works, but I don't know if there are security issues with this setting though. 它现在有效,但我不知道这个设置是否存在安全问题。
^/admin/secured/login_check
应该通过匿名身份验证,因为用户在最初调用该页面时不会有角色,因此循环。
Remove : 去掉 :
admin_login:
pattern: ^/admin/secured/login$
security: false
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.