1
votes

I have a question I didn't really find an answer for.

I have to maintain a Symfony application which uses a custom authentication and user provider. The provider works as expected and the user can log in correctly.

However, I need to make a few routes accessible for anonymous users. They should also be accessible when the user is not fully authenticated. So I tried to adjust the access_control configuration in the security.yml to make these URLs accessible:

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false

    main:
        pattern: ~
        anonymous: ~
        internal_api:
            provider:        fos_userbundle
            check_path:      /api/user/login

        logout:
            path:   /api/user/logout

access_control:
    - { path: ^/api/init, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/resources, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }

Unfortunately this does not work. The users still can't access these routes, as long as they are not fully authenticated.

So my question is: What is necessary to provide the role IS_AUTHENTICATED_ANONYMOUSLY via a custom authentication provider? Can it be done or do I just have to adjust my security.yml settings?

Best regards

1
What is the internal_api option in your main firewall? - chalasr
Have you checked the order of your route matching? - Twifty

1 Answer

1
votes

Because the routes you want to make accessible to anonymous users are behind your main firewall and protected by your path: ^/ access_control, you have to create a specific firewall for them.

Add this to the firewalls of your security.yml:

api_resources:
    pattern: ^/api/resources
    anonymous: ~

api_init:
    pattern: ^/api/init
    anonymous: ~

And it should work.
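
The question's configuration with the answer's two firewalls merged in, as an added example that is not part of the original question or answer. Every key and value is taken from the page except the top-level `security:` key, which is assumed as the standard root of security.yml. The placement matters because Symfony uses the first firewall whose pattern matches the request, and `pattern: ~` on main matches everything.

```yaml
# security.yml (added example: question's config + answer's firewalls, ordered)
security:
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # These must be declared before "main": firewalls are tried top to
        # bottom and the first matching pattern handles the request.
        api_resources:
            pattern: ^/api/resources
            anonymous: ~

        api_init:
            pattern: ^/api/init
            anonymous: ~

        # pattern: ~ matches every request not claimed by a firewall above,
        # so the custom internal_api listener only runs for those.
        main:
            pattern: ~
            anonymous: ~
            internal_api:
                provider:        fos_userbundle
                check_path:      /api/user/login

            logout:
                path:   /api/user/logout

    access_control:
        # access_control is also first-match: the specific paths have to stay
        # above the ^/ catch-all, otherwise ROLE_USER is required everywhere.
        - { path: ^/api/init, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/resources, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
```

Each firewall keeps its own security context by default, so a user who logged in through main is treated as anonymous on the two new firewalls unless they are given the same `context` value.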