2
votes

I'm reworking my Silex application to Symfony 4, as Silex will be deprecated in a couple of months. Everything works great, but I'm having a bit of a problem with Symfony's Security Bundle.

The problem is I'm trying to log into the application, but it always redirects me back to my application without any error displayed.

I guess it might be a misconfiguration, but I have been looking for any kind of problems for a while now and I can't seem to find any errors.

Here's my security.yaml

providers:
    in_memory:
        memory:
            users:
                admin:
                    password: foo
                    roles: ROLE_ADMIN
encoders:
    Symfony\Component\Security\Core\User\User: plaintext
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login:
        context: 'secured'
        pattern: '^/login'
        anonymous: true
        provider: in_memory
    secured_area:
        context: 'secured'
        pattern: '^(/admin|/api)'
        provider: in_memory
        form_login:
            login_path: /login/
            check_path: /admin/check/
            default_target_path: /admin/
        logout:
            path: /admin/logout/
            target: /
            invalidate_session: true

access_control:
    - { path: '^(/admin|/api)', roles: ROLE_ADMIN }

LoginController

/**
 * @Route("/login/", name="login")
 */
public function login(Request $request, AuthorizationCheckerInterface $authChecker, AuthenticationUtils $authUtils): Response
{
    $isLoggedIn = $authChecker->isGranted('ROLE_ADMIN');
    if ($isLoggedIn) {
        return $this->redirectToRoute('admin');
    }
    return $this->render('login/index.html.twig', [
        'error'         => $authUtils->getLastAuthenticationError(),
        'last_username' => $authUtils->getLastUsername()
    ]);
}

I tried setting the check_path option to /login/check/ and other similar routes, but then Symfony threw an exception that the route is not created (I guess it shouldn't be created).

2
You should probably create a new S4 project and follow the example in the docs until you get a better idea of how everything fits together. Then customize. Pretty sure /login needs to be anonymously accessible. - Cerad
@Cerad I'm pretty sure I did that... and I'm not an expert, but I guess login is anonymously accessible, as there's anonymous: true - Dawid Zbiński
Under your "login" firewall. But not under admin_api where your form_login lives. It's definitely not a normal setup, which is why I suggest you get a standard configuration working, then adjust. Even getting the standard setup working can be tricky. - Cerad
@Cerad thanks for the suggestion. I do have everything reworked now, so I can't really start all over again, but at least I'll try to reset the security settings and create the default stuff first. Thanks. - Dawid Zbiński

2 Answers

0
votes

To start troubleshooting this, the first place I would go is the profiler. This may help by allowing you to find the profiler that shows the initial redirection.

I went through a similar problem a few weeks ago where my users would log in and would automatically PASS all Role checks. After diving deep into the Symfony Security code I found that I had configured a voter so that it would return true if the user was logged in. Therefore every time Symfony would check if the user had a role it would return true and say they did.

Take a look at the profiler to see if you can figure out what is causing the redirection. You may also want to look in the dev log file to see if you can find any information in there.

0
votes

So, after trying to solve this issue for half a day, I finally realized what I did wrong. Unlike Silex, Symfony is not creating routes for login_check and logout by itself. I needed to register the routes somehow in order to run it smoothly.

You can either register the routes in routes.yaml or using annotations.
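
The routes.yaml option from the answer above, written out as an added example (not code from the original posts). The route names are assumptions; the paths are copied from the check_path and logout path in the question's security.yaml.

```yaml
# config/routes.yaml
# Added example. Route names (admin_login_check, admin_logout) are assumed;
# the paths must equal the values in security.yaml exactly, trailing slash included.

# Target of secured_area.form_login.check_path.
# No controller is set: the router only needs a route to match so the request
# gets as far as the firewall, where the form_login listener handles the
# submitted credentials. form_login accepts POST only by default.
admin_login_check:
    path: /admin/check/
    methods: [POST]

# Target of secured_area.logout.path.
# Also without a controller: the logout listener intercepts the request,
# invalidates the session (invalidate_session: true) and redirects to "/".
admin_logout:
    path: /admin/logout/
    methods: [GET]

# Both paths match the secured_area pattern '^(/admin|/api)', so they are
# handled by the firewall that defines form_login and logout. A check path
# such as /login/check/ would match the "login" firewall ('^/login') instead,
# which has neither listener configured.
```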