From 2cbd3680003133be2e63fdb5c822d7ef9f0d9faf Mon Sep 17 00:00:00 2001
From: Wouter J
Date: Sun, 14 Jun 2015 18:13:44 +0200
Subject: [PATCH] Quick review of Form login chapter
---
 cookbook/security/form_login_setup.rst | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/cookbook/security/form_login_setup.rst b/cookbook/security/form_login_setup.rst
index 0b053920039..bb4d4fa6afe 100644
--- a/cookbook/security/form_login_setup.rst
+++ b/cookbook/security/form_login_setup.rst
@@ -39,8 +39,8 @@ First, enable form login under your firewall:
@@ -82,7 +82,6 @@ bundle::
 namespace AppBundle\Controller;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
- use Symfony\Component\HttpFoundation\Request;
 class SecurityController extends Controller
 {
@@ -126,6 +125,7 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``):
 login_route:
 path: /login
 defaults: { _controller: AppBundle:Security:login }
+
 login_check:
 path: /login_check
 # no controller is bound to this route
@@ -159,6 +159,7 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``):
 $collection->add('login_route', new Route('/login', array(
 '_controller' => 'AppBundle:Security:login',
 )));
+
 $collection->add('login_check', new Route('/login_check', array()));
 // no controller is bound to this route
 // as it's handled by the Security system
@@ -320,12 +321,13 @@ see :doc:`/cookbook/security/form_login`.
 .. _book-security-common-pitfalls:
-Avoid common Pitfalls
+Avoid Common Pitfalls
 ---------------------
 When setting up your login form, watch out for a few common pitfalls.
-**1. Create the correct routes**
+1. Create the Correct Routes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 First, be sure that you've defined the ``/login`` and ``/login_check`` routes correctly and that they correspond to the ``login_path`` and 
@@ -334,7 +336,8 @@ redirected to a 404 page instead of the login page, or that submitting the login form does nothing (you just see the login form over and over again).
-**2. Be sure the login page isn't secure (redirect loop!)**
+2. Be Sure the Login Page Isn't Secure (Redirect Loop!)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Also, be sure that the login page is accessible by anonymous users. For example, the following configuration - which requires the ``ROLE_ADMIN`` role for
@@ -450,7 +453,8 @@ for the login page:
 ),
 ),
-**3. Be sure /login_check is behind a firewall**
+3. Be Sure /login_check Is Behind a Firewall
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Next, make sure that your ``check_path`` URL (e.g. ``/login_check``) is behind the firewall you're using for your form login (in this example, the single
@@ -458,7 +462,8 @@ firewall matches *all* URLs, including ``/login_check``). If ``/login_check`` doesn't match any firewall, you'll receive a ``Unable to find the controller for path "/login_check"`` exception.
-**4. Multiple firewalls don't share security context**
+4. Multiple Firewalls Don't Share Security Context
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 If you're using multiple firewalls and you authenticate against one firewall, you will *not* be authenticated against any other firewalls automatically.
@@ -467,7 +472,8 @@ to explicitly specify the same :ref:`reference-security-firewall-context` for different firewalls. But usually for most applications, having one main firewall is enough.
-**5. Routing error pages are not covered by firewalls**
+5. Routing Error Pages Are not Covered by Firewalls
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 As routing is done *before* security, 404 error pages are not covered by any firewall. This means you can't check for security or even access the