
Get data from a user with access token without being logged in

There is this website I'm working on a little bit. I've recently added an API to it so I can get notifications. To get those notifications, I type this URL:

http://localhost/pham/Claroline/web/app_dev.php/icap_notification/api/notifications.json?access_token="some access token"

For now it only works if the user is logged in. Would it be possible to make it work without the user being logged in? I mean, since I get the access token it shouldn't be a problem. Actually I need it to be done because I'm also developing a mobile application and basically I use this URL in the app to display the notifications.

Thank you all

Edit: here's the security.yml file

security:
    providers:
        user_db:
            entity: { class: Claroline\CoreBundle\Entity\User }

    encoders:
        Claroline\CoreBundle\Entity\User: sha512

    firewalls:
        install:
            pattern: ^/install
            security: false

        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        oauth_token:
            pattern:    ^/oauth/v2/token
            security:   false

        oauth_authorize:
            pattern:    ^/oauth/v2/auth
            form_login:
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
                default_target_path: /oauth/v2/auth/form
            anonymous: true

        api:
            pattern:    ^/api
            claro_api: true
            #fos_oauth: true
            #stateless:  true
            security: true

        main:
            pattern: ^/
            simple_form:
                authenticator: claroline.core_bundle.library.security.external_authenticator
                check_path: /login_check
            form_login:
                success_handler: claroline.authentication_handler
                failure_handler: claroline.security.ajax_authentication_failure_handler
            anonymous: ~
            logout: true
            switch_user: { role: ROLE_ADMIN, parameter: _switch }
            remember_me:
                key:      "%secret%"
                lifetime: 31536000 # 365 days
                path:     /
                domain:   ~

    access_decision_manager:
        allow_if_all_abstain: false

    access_control:
        - { path: ^/oauth/v2/auth_login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api,                  role: IS_AUTHENTICATED_FULLY }
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/connect, role: IS_AUTHENTICATED_ANONYMOUSLY }

Yes, it's possible. Symfony2 documentation describes that it's possible to have multiple "firewalls" for your application.

In your case you have a "normal" one for most of your site, and an "api access" one for your API. They can, naturally, be of different types and use different user providers (aka different sets of "users").
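
The following is an added example, not part of the original posts or of Claroline's code. It checks which firewall and which access_control rule from the question's security.yml apply to a request path, assuming Symfony uses the first pattern that matches as a regex against the path after the front controller (`app_dev.php`); the second and third sample paths are constructed for comparison.

```php
<?php
// Added example: first-match lookup over the patterns in the question's
// security.yml. Order matters, so both lists keep the declaration order.

// pattern => firewall name (copied from the question)
$firewalls = [
    '^/install'                          => 'install',
    '^/(_(profiler|wdt)|css|images|js)/' => 'dev',
    '^/oauth/v2/token'                   => 'oauth_token',
    '^/oauth/v2/auth'                    => 'oauth_authorize',
    '^/api'                              => 'api',
    '^/'                                 => 'main',
];

// pattern => required role (copied from the question)
$accessControl = [
    '^/oauth/v2/auth_login$' => 'IS_AUTHENTICATED_ANONYMOUSLY',
    '^/api'                  => 'IS_AUTHENTICATED_FULLY',
    '^/login'                => 'IS_AUTHENTICATED_ANONYMOUSLY',
    '^/connect'              => 'IS_AUTHENTICATED_ANONYMOUSLY',
];

/** Return the label of the first rule whose regex matches $path, or null. */
function firstMatch(array $rules, string $path): ?string
{
    foreach ($rules as $pattern => $label) {
        // '{' and '}' are the delimiters, so '/' in a pattern needs no escaping.
        if (preg_match('{' . $pattern . '}', rawurldecode($path)) === 1) {
            return $label;
        }
    }
    return null;
}

$paths = [
    '/icap_notification/api/notifications.json', // path of the URL in the question
    '/api/notifications.json',                   // constructed: a path under ^/api
    '/oauth/v2/token',                           // constructed: token endpoint
];

foreach ($paths as $path) {
    printf("%-44s firewall=%-12s access_control=%s\n",
        $path,
        firstMatch($firewalls, $path) ?? '(none)',
        firstMatch($accessControl, $path) ?? '(no rule)');
}
```

For the question's URL the first matching firewall is `main`, because the path starts with `/icap_notification` and the `api` pattern `^/api` is anchored at the start of the path. A token-authenticated firewall only sees the request if its pattern matches that path and it is declared before `main`.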
