Symfony2 rest api security configuration (Trying to understand)
Question
I', working on a rest api with Symfony2 (FOSRestBundle, FOSOauthBundle, JMSBundle) and I do not understand (and don't find) how I'm supposed to setup my angularjs app to access my api resources. I'm a bit confused about the security part and have a lot of question.
1- I prepared the oauth client. since angular code is exposed I'm pretty sure that I can't add my secret and client id inside the code for authentication so I'm stack. H
2- I'm having (No 'Access-Control-Allow-Origin') error when I try to access the resources. How can I simply allow my app to access the resources (CORS! nelmio/cors-bundle?) but then I'm getting confused about the role of oauth and CORS authorization of my app.
Any help will be appreciate. Thanks
1 answers
solution1
1 ACCPTED 2015-04-30 12:14:36
You can expose. It's not fully authorization. It's only a client auth, not a user.
NelmioCorsBundle is a good choice. You need a config like this:
nelmio_cors: defaults: allow_credentials: false allow_origin: [] allow_headers: [] allow_methods: [] expose_headers: [] max_age: 0 hosts: [] paths: '^/': allow_origin: ['*'] allow_headers: ['origin', 'x-requested-with', 'content-type', 'authorization'] allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'] max_age: 0
There is allow_origin , you should set it to my.frontend.domain.com . This will open your API for example for your AngularJS frontend. If you are building API as a service (open for everyone), than open to all origins "*".
CORS is not authorization. Treat it as firewall. Than you still need authorization (OAuth).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.