4
votes

I'm new to Symfony2. I read the documentation and saw some config for a login form: http://symfony.com/doc/current/cookbook/security/form_login_setup.html

# app/config/security.yml
security:
    # ...

    firewalls:
        default:
            anonymous: ~
            http_basic: ~
            form_login:
                login_path: /login
                check_path: /login_check

I don't understand why there are 2 security methods, http_basic and form_login, in the same firewall. Which method will the security system use? http_basic, form_login, or both? Is it redundant? Some of the questions above may seem stupid, but it seems the Symfony2 security component documentation is so poor.


1 Answer

3
votes

In old Symfony documentation there was a small tip:

When the user is not authenticated and if there is more than one authentication mechanism, Symfony2 automatically defines a default entry point (in the example above, the login form; but if the user sends an Authorization HTTP header with wrong credentials, Symfony2 will use the HTTP basic entry point).

But in later versions, when the documentation was reorganized, it was reduced, and I don't know why.

So I opened a new issue in the symfony-docs repository on GitHub with a proposal to restore the tip.

The quote from @WouterJ's answer:

The code seems to no longer work as described in the quoted paragraph. It seems to always use form login, except when there is no Authentication header sent and the HTTP basic credentials are correct.

So you were right — it's not trivial at all. Just follow the issue if you want to know the conclusion.
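
Since the old tip and the quoted comment disagree, one way to see which entry point your own Symfony version picks is a functional test that requests a protected URL with no, wrong and correct Basic credentials. This is an added example, not part of the original answer or the Symfony documentation; the `/admin` path, the test account and the class name are assumptions.

```php
<?php
// Added example; not code from the post or from the Symfony documentation.
namespace AppBundle\Tests\Security;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\HttpFoundation\Response;

class EntryPointTest extends WebTestCase
{
    // Assumptions: a URL that access_control restricts to logged-in users,
    // and a test-only account. Both are hypothetical; adjust to your app.
    const PROTECTED_URL = '/admin';
    const USER = 'test_user';
    const PASSWORD = 'test_password';

    /** Names the mechanism that answered, judged from the response alone. */
    private function classify(Response $response)
    {
        if ($response->isRedirect() && false !== strpos($response->headers->get('Location'), '/login')) {
            return 'form_login entry point';   // redirect to login_path
        }
        if (401 === $response->getStatusCode() && $response->headers->has('WWW-Authenticate')) {
            return 'http_basic entry point';   // browser credential prompt
        }
        return 'no entry point (status ' . $response->getStatusCode() . ')';
    }

    private function probe(array $server)
    {
        $client = static::createClient();
        $client->request('GET', self::PROTECTED_URL, array(), array(), $server);
        return $this->classify($client->getResponse());
    }

    public function testWhichMechanismAnswers()
    {
        $none  = $this->probe(array());
        $wrong = $this->probe(array('PHP_AUTH_USER' => self::USER, 'PHP_AUTH_PW' => 'wrong-' . self::PASSWORD));
        $right = $this->probe(array('PHP_AUTH_USER' => self::USER, 'PHP_AUTH_PW' => self::PASSWORD));
        fwrite(STDERR, "\nno credentials:    $none\nwrong credentials: $wrong\nright credentials: $right\n");

        // Without credentials the login form is the default entry point.
        $this->assertSame('form_login entry point', $none);
        // The old tip and the quoted comment disagree here, so accept either.
        $this->assertContains($wrong, array('form_login entry point', 'http_basic entry point'));
        // Valid Basic credentials should authenticate without any challenge.
        $this->assertStringStartsWith('no entry point', $right);
    }
}
```

The line written to STDERR for the wrong-credentials case tells you whether your installation follows the old tip or the behaviour described in the quoted comment.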