Symfony 2 inconsistency in logout route: logout redirects to login?

I'd like to solve this inconsistency in my Symfony 2 application: when the user is not authenticated, the path /app/logout redirects to /app/login. Instead, a user who is not authenticated should see an error page (maybe a 403).

Here is the security configuration. The IS_AUTHENTICATED_FULLY seems mandatory, as a user can only log out if they have previously been fully authenticated:
    access_control:
        - { path: ^/app/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/app/logout, roles: IS_AUTHENTICATED_FULLY }
And the logout action of my AccessController:
    // At the top of the controller file, for the @Extra\* annotations below:
    use Sensio\Bundle\FrameworkExtraBundle\Configuration as Extra;

    /**
     * @Extra\Route("logout")
     * @Extra\Template
     */
    public function logoutAction()
    {
        // Set the token to null and invalidate the session
        $this->getSecurityContext()->setToken(null);
        $this->getSession()->invalidate();

        // Redirect URL and delay in seconds (used by window.location in the template)
        $seconds = 5;
        $redirect = $this->getRouter()->generate('access_login');

        return array('seconds' => $seconds, 'redirect' => $redirect);
    }
One solution would be removing the route /app/logout from access control and then throwing an exception if the user is not fully authenticated:
    // At the top of the controller file:
    use Symfony\Component\Security\Core\Exception\AccessDeniedException;

    if (false === $this->getSecurityContext()->isGranted('IS_AUTHENTICATED_FULLY')) {
        throw new AccessDeniedException();
    }
But this way /app/logout would be accessible even to unauthenticated users! Does anyone know a better solution?

Just remove the logout path from access_control. Nothing bad is going to happen if an unauthenticated user goes to the logout page — it's safe. Don't overengineer this stuff. ;)

BTW, why aren't you using Symfony's built-in logout controller? You could create a logout handler to put your custom code in, instead of reinventing the wheel by handling all the logout stuff yourself.
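As an added example (not code from the question, the answer, or the asker's project), this is what the answer's two suggestions look like in Symfony 2.x: the ^/app/logout line is dropped from access_control, the firewall's logout section takes over the route, and the custom "redirect in N seconds" page moves into a class implementing LogoutSuccessHandlerInterface. The firewall name main, the service id app.logout_success_handler, the bundle namespace Acme\AppBundle and the template name are assumptions; the route name access_login comes from the question.

```php
<?php
// Added example, not part of the original question or answer. Symfony 2.x APIs.
//
// 1) security.yml: let the firewall's logout listener own the route and keep
//    only the login rule in access_control (firewall name and service id assumed):
//
//    security:
//        firewalls:
//            main:
//                logout:
//                    path: /app/logout
//                    target: /app/login          # used only if no success_handler is set
//                    success_handler: app.logout_success_handler
//        access_control:
//            - { path: ^/app/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
//
// 2) services.yml (class name and service id assumed):
//
//    services:
//        app.logout_success_handler:
//            class: Acme\AppBundle\Security\LogoutSuccessHandler
//            arguments: ["@router", "@templating"]
//
// The logout listener calls onLogoutSuccess() first, then runs the logout
// handlers (session invalidation is on by default) and clears the token, so
// this class only has to build the response. An unauthenticated visitor who
// hits /app/logout simply gets the same page: there is no token to clear and
// nothing to act on, which is why the answer calls it safe.

namespace Acme\AppBundle\Security;

use Symfony\Bundle\FrameworkBundle\Templating\EngineInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

class LogoutSuccessHandler implements LogoutSuccessHandlerInterface
{
    private $router;
    private $templating;

    public function __construct(RouterInterface $router, EngineInterface $templating)
    {
        $this->router = $router;
        $this->templating = $templating;
    }

    /**
     * Renders the "you will be redirected in N seconds" page that the
     * question's logoutAction() used to return. Must return a Response.
     */
    public function onLogoutSuccess(Request $request)
    {
        $seconds = 5;
        $redirect = $this->router->generate('access_login');

        // Template name is an assumption; it receives the same variables
        // the original @Extra\Template action returned.
        $html = $this->templating->render(
            'AcmeAppBundle:Access:logout.html.twig',
            array('seconds' => $seconds, 'redirect' => $redirect)
        );

        $response = new Response($html);
        // Refresh header as a no-JavaScript fallback for the window.location redirect
        $response->headers->set('Refresh', $seconds . '; url=' . $redirect);
        // Never let the "you are logged out" page be served from a shared cache
        $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');

        return $response;
    }
}
```

With this in place the controller's logoutAction() and its route can be deleted: the firewall listener matches /app/logout before any controller runs, and the IS_AUTHENTICATED_FULLY rule that caused the login redirect is no longer needed.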