Symfony2 rest api安全配置（尝试了解）

Question

I', working on a rest api with Symfony2 (FOSRestBundle, FOSOauthBundle, JMSBundle) and I do not understand (and don't find) how I'm supposed to setup my angularjs app to access my api resources. I'm a bit confused about the security part and have a lot of question.

1- I prepared the oauth client. since angular code is exposed I'm pretty sure that I can't add my secret and client id inside the code for authentication so I'm stack. H

2- I'm having (No 'Access-Control-Allow-Origin') error when I try to access the resources. How can I simply allow my app to access the resources (CORS! nelmio/cors-bundle?) but then I'm getting confused about the role of oauth and CORS authorization of my app.

Any help will be appreciate. Thanks

Answer 1

1. You can expose. It's not fully authorization. It's only a client auth, not a user.

2. NelmioCorsBundle is a good choice. You need a config like this:

    nelmio_cors: defaults: allow_credentials: false allow_origin: [] allow_headers: [] allow_methods: [] expose_headers: [] max_age: 0 hosts: [] paths: '^/': allow_origin: ['*'] allow_headers: ['origin', 'x-requested-with', 'content-type', 'authorization'] allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'] max_age: 0 

There is allow_origin , you should set it to my.frontend.domain.com . This will open your API for example for your AngularJS frontend. If you are building API as a service (open for everyone), than open to all origins "*".

CORS is not authorization. Treat it as firewall. Than you still need authorization (OAuth).