
I have a site with multiple subdomains. I would like to log users that have certain rights into one of the subdomains only when they are already authenticated on the 'main' site. Let's say that my main domain is www.domain.com, and I have sub1.domain.com, sub2.domain.com, sub3.domain.com. When a user is authenticated on domain.com, I would like to be able to redirect him to sub2.domain.com without asking him to re-authenticate. But he should not be authenticated on sub1.domain.com or sub3.domain.com. I have read about setting the cookie_domain in the config.xml, but in this case the user will be logged in for all subdomains. Is that possible? Thanks!

Edit for more info

I'm working with Symfony 2.7 and I have tried both solutions in the security.yml: one main shared firewall and one per subdomain (see below). But I have not configured the session cookie_domain in config.yml to '.domain.com', as I don't want to log the user in on all the subdomains.

firewalls:
    main:
        pattern: ^/
        host: %main_domain%
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout:
            path: /logout
            target: /login
        anonymous:    true
        context: main_context
    sub1:
        pattern: ^/
        host: %sub1_domain%
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout:
            path: /logout
            target: /login
        anonymous:    true
        context: main_context
    sub2:
        pattern: ^/
        host: %sub2_domain%
        ....
Comment (gp_sflover): You should specify which Symfony version you are using and if you've a firewall configured for each domain/subdomain in your security.yaml.

1 Answer


It is possible in multiple ways. Since you log in on your main domain, you need some way to specify which user has access to which subdomain. Using different roles seems like a reasonable approach for this. So, for example, a user who has access to subdomain1 will also have a role like ROLE_USER_SUB1.

With this setup, you can modify your security.yaml and use the access_control settings to restrict access to certain roles based on the domain, using additional matching options.

security:
    access_control:
        ...
        - { path: ^/, roles: ROLE_USER_SUB1, host: sub1\..* }
        - { path: ^/, roles: ROLE_USER_SUB2, host: sub2\..* }

You might have to tweak this to your needs and you also have to be careful to have the correct ordering of the routes, as the first matching rule will be used.

Another possible solution is to use a simple event listener that is triggered on each request at the kernel.request event (be careful to check the priority, as you probably need to put your listener after the firewall listener) or the kernel.controller event, and then use the access decision manager or Symfony\Component\Security\Core\Security to check whether the user is (a) logged in and (b) has the correct role set; see https://symfony.com/doc/current/security/securing_services.html
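The listener approach from the answer, written out for Symfony 2.7 as an added example (not code from the answer or from Symfony itself); the class name, namespace, service wiring and the host-to-role map are assumptions. It compares the request host exactly instead of with a regex, and subscribes at a priority below the firewall's so the security token already exists when it runs.

```php
<?php
namespace AppBundle\EventListener;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

/**
 * Denies requests to a subdomain unless the (already authenticated) user holds
 * the role mapped to that host. Hypothetical wiring in services.yml:
 *   tags: [{ name: kernel.event_subscriber }]
 *   arguments: ['@security.authorization_checker', { sub1.domain.com: ROLE_USER_SUB1, sub2.domain.com: ROLE_USER_SUB2 }]
 */
class SubdomainRoleSubscriber implements EventSubscriberInterface
{
    private $authChecker;
    private $hostRoles; // exact host => required role; hosts not listed are left to access_control

    public function __construct(AuthorizationCheckerInterface $authChecker, array $hostRoles)
    {
        $this->authChecker = $authChecker;
        $this->hostRoles = array_change_key_case($hostRoles, CASE_LOWER);
    }

    public static function getSubscribedEvents()
    {
        // Symfony's Firewall subscribes to kernel.request at priority 8; priority 7 runs
        // after it, so the token for this request has already been set.
        return array(KernelEvents::REQUEST => array('onKernelRequest', 7));
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return; // sub-requests (forwards, fragments) inherit the master request's decision
        }
        $host = strtolower($event->getRequest()->getHost()); // exact match, not a regex
        if (!isset($this->hostRoles[$host])) {
            return;
        }
        // With anonymous: true on the firewall a token always exists, so isGranted() is safe.
        // The firewall's exception listener turns this exception into a login redirect for
        // anonymous users and into a 403 for authenticated users lacking the host's role.
        if (!$this->authChecker->isGranted($this->hostRoles[$host])) {
            throw new AccessDeniedException(sprintf('%s requires %s', $host, $this->hostRoles[$host]));
        }
    }
}
```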