Symfony2使用api密鑰訪問控制問題對用戶進行身份驗證
[英]Symfony2 authenticate users with api key access control issue
問題描述
嗨,我正在為自己開發一個項目。 我想做的是驗證除用戶注冊外對api的所有調用。 我按照此鏈接中的說明創建了用戶身份驗證和用戶提供程序: http : //symfony.com/doc/current/cookbook/security/api_key_authentication.html
一切正常,我后端的所有URL均已通過身份驗證,並由UserTokenAuthenticator和UserTokenProvider處理。 但是它可以驗證每個呼叫。 我不想驗證此網址
/v1.0/users with POST method
因此,我在security.yml文件中設置了訪問控制,如下所示:
access_control:
user_register:
path: ^/v1.0/users
roles: IS_AUTHENTICATED_ANONYMOUSLY
methods: [POST]
但是,每當我嘗試對此URL進行post調用時,它都會嘗試進行身份驗證(因為bec調用沒有將token作為參數),並且失敗了。 如何僅阻止對此路由進行身份驗證? 這是我的全部代碼:
security.yml:
security:
encoders:
entity_user:
class: KBell\AppBundle\Entity\User
algorithm: sha1
iterations: 1
encode_as_base64: false
entity_device:
class: KBell\AppBundle\Entity\Device
algorithm: sha1
iterations: 1
encode_as_base64: false
role_hierarchy:
ROLE_DEVICE: ROLE_DEVICE
ROLE_USER : ROLE_USER
providers:
entity_device:
entity:
class: KBell\AppBundle\Entity\Device
property: name
entity_user:
entity:
class: KBell\AppBundle\Entity\User
property: email
user_token_provider:
id: user_token_provider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
api_user_secured_area:
pattern: ^/v1.0/users
stateless: true
simple_preauth:
authenticator: user_token_authenticator
provider: user_token_provider
access_control:
user_register:
path: ^/v1.0/users
roles: IS_AUTHENTICATED_ANONYMOUSLY
methods: [POST]
這是UserTokenAuthenticator:
<?php
class UserTokenAuthenticator implements SimplePreAuthenticatorInterface, AuthenticationFailureHandlerInterface
{
public function createToken(Request $request, $providerKey)
{
$accessToken = $request->query->get('access_token');
if (!$accessToken) {
throw new BadCredentialsException('Access Token is missing');
}
return new PreAuthenticatedToken(
'anon.',
$accessToken,
$providerKey
);
}
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
$accessToken = $token->getCredentials();
$user = $userProvider->getUserForAccessToken($accessToken);
if (!$user) {
throw new AuthenticationException(
sprintf('Access Token "%s" does not exist.', $accessToken)
);
}
return new PreAuthenticatedToken(
$user,
$accessToken,
$providerKey,
$user->getRoles()
);
}
public function supportsToken(TokenInterface $token, $providerKey)
{
return $token instanceof PreAuthenticatedToken && $token->getProviderKey() === $providerKey;
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
return ApiUtil::getJsonErrorResponse("User authentication is failed: ".$exception->getMessage(), Response::HTTP_UNAUTHORIZED, "AuthenticationException");
}
}
這是UserTokenProvider.php:
class UserTokenProvider implements UserProviderInterface
{
private $userManager;
public function __construct(UserManager $userManager)
{
$this->userManager = $userManager;
}
public function getUserForAccessToken($accessToken)
{
$user = $this->userManager->findUserByAccessToken($accessToken);
return $user;
}
public function loadUserByUsername($username)
{
}
public function refreshUser(UserInterface $user)
{
throw new UnsupportedUserException();
}
public function supportsClass($class)
{
return 'Symfony\Component\Security\Core\User\User' === $class;
}
}
我為此花了很多時間。 任何幫助將不勝感激! 謝謝!
1 個解決方案
解決方案1
0 2015-09-11 06:25:59
我認為您可以嘗試像這樣配置防火牆設置:
firewalls:
secured_user_area:
pattern: /v(\d+\.?\d*)/(?!users)
stateless: true
provider: user_token_provider
....
這里的?!users (或什至是多個?!users|URL2|URL3 URL)聲明從防火牆中排除了這些URL。
Symfony2訪問控制不起作用
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.