diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst
index cc2a8be663f..70e24924850 100644
--- a/cookbook/security/custom_authentication_provider.rst
+++ b/cookbook/security/custom_authentication_provider.rst
@@ -354,13 +354,13 @@ to service ids that do not exist yet: ``wsse.security.authentication.provider``
 # src/Acme/DemoBundle/Resources/config/services.yml
 services:
- wsse.security.authentication.provider:
- class: Acme\DemoBundle\Security\Authentication\Provider\WsseProvider
- arguments: ['', %kernel.cache_dir%/security/nonces]
+ wsse.security.authentication.provider:
+ class: Acme\DemoBundle\Security\Authentication\Provider\WsseProvider
+ arguments: ['', %kernel.cache_dir%/security/nonces]
- wsse.security.authentication.listener:
- class: Acme\DemoBundle\Security\Firewall\WsseListener
- arguments: [@security.context, @security.authentication.manager]
+ wsse.security.authentication.listener:
+ class: Acme\DemoBundle\Security\Firewall\WsseListener
+ arguments: [@security.context, @security.authentication.manager]
 .. code-block:: xml
@@ -370,19 +370,19 @@ to service ids that do not exist yet: ``wsse.security.authentication.provider``
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
-
-
-
- %kernel.cache_dir%/security/nonces
-
-
-
-
-
-
-
+
+
+
+ %kernel.cache_dir%/security/nonces
+
+
+
+
+
+
+
 .. code-block:: php
@@ -392,17 +392,22 @@ to service ids that do not exist yet: ``wsse.security.authentication.provider``
 use Symfony\Component\DependencyInjection\Reference;
 $container->setDefinition('wsse.security.authentication.provider',
- new Definition(
- 'Acme\DemoBundle\Security\Authentication\Provider\WsseProvider',
- array('', '%kernel.cache_dir%/security/nonces')
- ));
+ new Definition(
+ 'Acme\DemoBundle\Security\Authentication\Provider\WsseProvider', array(
+ '',
+ '%kernel.cache_dir%/security/nonces',
+ )
+ );
 $container->setDefinition('wsse.security.authentication.listener',
- new Definition(
- 'Acme\DemoBundle\Security\Firewall\WsseListener', array(
- new Reference('security.context'),
- new Reference('security.authentication.manager'))
- ));
+ new Definition(
+ 'Acme\DemoBundle\Security\Firewall\WsseListener', array(
+ new Reference('security.context'),
+ new Reference('security.authentication.manager'),
+ )
+ );
 Now that your services are defined, tell your security context about your factory. Factories must be included in an individual configuration file,
@@ -435,6 +440,20 @@ factory service, tagged as ``security.listener.factory``:
+ .. code-block:: php
+
+ // src/Acme/DemoBundle/Resources/config/security_factories.php
+ use Symfony\Component\DependencyInjection\Definition;
+ use Symfony\Component\DependencyInjection\Reference;
+
+ $definition = new Definition('Acme\DemoBundle\DependencyInjection\Security\Factory\WsseFactory', array(
+ '',
+ '%kernel.cache_dir%/security/nonces',
+ ));
+ $definition->addTag('security.listener.factory');
+
+ $container->setDefinition('security.authentication.factory.wsse', $definition);
+
 Now, import the factory configuration via the the ``factories`` key in your security configuration:
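Review bot: The new `security_factories.php` block hands `''` and `'%kernel.cache_dir%/security/nonces'` to the `WsseFactory` constructor, and those two values are exactly the arguments of the `WsseProvider` definition earlier in this file, which reads like a copy-paste rather than an intended factory contract. `WsseFactory` and the YAML/XML `security_factories` blocks are outside this hunk, so confirm against them; if the factory takes no constructor arguments, the line should be `$definition = new Definition('Acme\DemoBundle\DependencyInjection\Security\Factory\WsseFactory');`. A mismatch here would surface only at container compile time, after a reader has copied the PHP variant.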
@@ -467,13 +486,36 @@ security configuration:
 You are finished! You can now define parts of your app as under WSSE protection.
-.. code-block:: yaml
+.. configuration-block::
- security:
- firewalls:
- wsse_secured:
- pattern: /api/.*
- wsse: true
+ .. code-block:: yaml
+
+ security:
+ firewalls:
+ wsse_secured:
+ pattern: /api/.*
+ wsse: true
+
+ .. code-block:: xml
+
+
+
+
+
+ .. code-block:: php
+
+ $container->loadFromExtension('security', array(
+ 'firewalls' => array(
+ 'wsse_secured' => array(
+ 'pattern' => '/api/.*',
+ 'wsse' => true,
+ ),
+ ),
+ ));
+
 Congratulations! You have written your very own custom security authentication provider!
@@ -546,13 +588,38 @@ in order to put it to use.
 The lifetime of each wsse request is now configurable, and can be set to any desirable value per firewall.
-.. code-block:: yaml
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ security:
+ firewalls:
+ wsse_secured:
+ pattern: /api/.*
+ wsse: { lifetime: 30 }
+
+ .. code-block:: xml
+
+
+
+
+
+
- security:
- firewalls:
- wsse_secured:
- pattern: /api/.*
- wsse: { lifetime: 30 }
+ .. code-block:: php
+
+ $container->loadFromExtension('security', array(
+ 'firewalls' => array(
+ 'wsse_secured' => array(
+ 'pattern' => '/api/.*',
+ 'wsse' => array(
+ 'lifetime' => 30,
+ ),
+ ),
+ ),
+ ));
 The rest is up to you! Any relevant configuration items can be defined in the factory and consumed or passed to the other classes in the container.
diff --git a/cookbook/security/custom_provider.rst b/cookbook/security/custom_provider.rst
index fd1c7015105..9a268fa060d 100644
--- a/cookbook/security/custom_provider.rst
+++ b/cookbook/security/custom_provider.rst
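Review bot: The firewall pattern `/api/.*` that this hunk now repeats in YAML, XML and PHP carries no `^` anchor, whereas the entity-provider page in the same commit anchors its firewall with `^/admin`. If the firewall matcher treats the pattern as an unanchored regular expression (which the `^/admin` example suggests and which should be confirmed against the request matcher), this firewall would also claim unrelated paths such as `/public/api/x`, so the WSSE listener would fire where the author did not intend. Suggest `pattern: ^/api/` in the YAML block, with the matching `pattern="^/api/"` and `'pattern' => '^/api/'` in the XML and PHP variants, and the same change in the `lifetime` example later in this file.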
@@ -206,26 +206,66 @@ Now you make the user provider available as a service:
 Modify ``security.yml``
 -----------------------
-In ``/app/config/security.yml`` everything comes together. Add the user provider
+Everything comes together in your security configuration. Add the user provider
 to the list of providers in the "security" section. Choose a name for the user provider (e.g. "webservice") and mention the id of the service you just defined.
-.. code-block:: yaml
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ // app/config/security.yml
+ security:
+ providers:
+ webservice:
+ id: webservice_user_provider
+
+ .. code-block:: xml
- security:
- providers:
- webservice:
- id: webservice_user_provider
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+ $container->loadFromExtension('security', array(
+ 'providers' => array(
+ 'webservice' => array(
+ 'id' => 'webservice_user_provider',
+ ),
+ ),
+ ));
 Symfony also needs to know how to encode passwords that are supplied by website users, e.g. by filling in a login form. You can do this by adding a line to the
-"encoders" section in ``/app/config/security.yml``.
+"encoders" section in your security configuration:
+
+.. configuration-block::
+
+ .. code-block:: yaml
-.. code-block:: yaml
+ # app/config/security.yml
+ security:
+ encoders:
+ Acme\WebserviceUserBundle\Security\User\WebserviceUser: sha512
- security:
- encoders:
- Acme\WebserviceUserBundle\Security\User\WebserviceUser: sha512
+ .. code-block:: xml
+
+
+
+ sha512
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+ $container->loadFromExtension('security', array(
+ 'encoders' => array(
+ 'Acme\WebserviceUserBundle\Security\User\WebserviceUser' => 'sha512',
+ ),
+ ));
 The value here should correspond with however the passwords were originally encoded when creating your users (however those users were created). When
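Review bot: The first YAML block added under `.. configuration-block::` starts with `// app/config/security.yml`, but `//` is not a comment in YAML, so the line is YAML content and a reader who pastes the example into `security.yml` gets a parse error instead of a working `providers` entry. The encoders block added a few lines further down in the same hunk uses the correct form, `# app/config/security.yml`; change the first block to match. The PHP variants correctly use `//`, and the XML variants could not be checked here because their markup did not survive extraction.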
@@ -252,15 +292,42 @@ options, the password may be encoded multiple times and encoded to base64.
 Additionally, the hash, by default, is encoded multiple times and encoded to base64. For specific details, see `MessageDigestPasswordEncoder`_.
- To prevent this, configure it in ``security.yml``:
-
- .. code-block:: yaml
-
- security:
- encoders:
- Acme\WebserviceUserBundle\Security\User\WebserviceUser:
- algorithm: sha512
- encode_as_base64: false
- iterations: 1
+ To prevent this, configure it in your configuration file:
+
+ .. configuration-block::
+
+ .. code-block:: yaml
+
+ # app/config/security.yml
+ security:
+ encoders:
+ Acme\WebserviceUserBundle\Security\User\WebserviceUser:
+ algorithm: sha512
+ encode_as_base64: false
+ iterations: 1
+
+ .. code-block:: xml
+
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+ $container->loadFromExtension('security', array(
+ 'encoders' => array(
+ 'Acme\WebserviceUserBundle\Security\User\WebserviceUser' => array(
+ 'algorithm' => 'sha512',
+ 'encode_as_base64' => false,
+ 'iterations' => 1,
+ ),
+ ),
+ ));
 .. _MessageDigestPasswordEncoder: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
diff --git a/cookbook/security/entity_provider.rst b/cookbook/security/entity_provider.rst
index 7567cc47e3d..c6cd8b495f8 100644
--- a/cookbook/security/entity_provider.rst
+++ b/cookbook/security/entity_provider.rst
@@ -251,6 +251,65 @@ then be checked against your User entity records in the database:
 access_control:
 - { path: ^/admin, roles: ROLE_ADMIN }
+ .. code-block:: xml
+
+
+
+
+
+ ROLE_USER
+ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+ $container->loadFromExtension('security', array(
+ 'encoders' => array(
+ 'Acme\UserBundle\Entity\User' => array(
+ 'algorithm' => 'sha1',
+ 'encode_as_base64' => false,
+ 'iterations' => 1,
+ ),
+ ),
+ 'role_hierarchy' => array(
+ 'ROLE_ADMIN' => 'ROLE_USER',
+ 'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
+ ),
+ 'providers' => array(
+ 'administrator' => array(
+ 'entity' => array(
+ 'class' => 'AcmeUserBundle:User',
+ 'property' => 'username',
+ ),
+ ),
+ ),
+ 'firewalls' => array(
+ 'admin_area' => array(
+ 'pattern' => '^/admin',
+ 'http_basic' => null,
+ ),
+ ),
+ 'access_control' => array(
+ array('path' => '^/admin', 'role' => 'ROLE_ADMIN'),
+ ),
+ ));
+
 The ``encoders`` section associates the ``sha1`` password encoder to the entity class. This means that Symfony will expect the password that's stored in the database to be encoded using this algorithm. For details on how to create
@@ -416,6 +475,34 @@ of the ``security.yml`` file.
 administrators:
 entity: { class: AcmeUserBundle:User } # ...
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+ $container->loadFromExtension('security', array(
+ ...,
+ 'providers' => array(
+ 'administrator' => array(
+ 'entity' => array(
+ 'class' => 'AcmeUserBundle:User',
+ ),
+ ),
+ ),
+ ...,
+ ));
 By doing this, the security layer will use an instance of ``UserRepository`` and call its ``loadUserByUsername()`` method to fetch a user from the database
diff --git a/cookbook/security/voters.rst b/cookbook/security/voters.rst
index 10242b37ca3..c77f5c9d9eb 100644
--- a/cookbook/security/voters.rst
+++ b/cookbook/security/voters.rst
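Review bot: The new PHP block fixes `'algorithm' => 'sha1'`, `'iterations' => 1` and `'encode_as_base64' => false` for `Acme\UserBundle\Entity\User` with no hint that a single SHA-1 digest is a fast hash and not a password-storage setting to copy into a real application; the surrounding prose only says the encoder "associates the sha1 password encoder to the entity class". Suggest a comment directly above the `'encoders'` key, `// a single sha1 iteration keeps the example short; use a slow, iterated encoder for real password storage`, and the same caveat in the YAML context above this hunk. Separately, the PHP `access_control` entry uses the key `'role'` while the YAML context line just above it uses `roles:`; confirm the bundle accepts both spellings or align the PHP block on `'roles'`. Also note the PHP provider is named `administrator` while the YAML block in the second hunk of this file names it `administrators`.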
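Review bot: The second PHP block in this file uses bare `...,` entries inside `array(` to mark omitted configuration, which is a PHP syntax error if the snippet is pasted, whereas the YAML context just above uses a harmless `# ...` comment for the same purpose. Replace both occurrences with `// ...` so the block remains valid PHP. The provider key is also spelled `'administrator'` here against `administrators:` in the YAML context two lines earlier; the two variants are meant to be equivalent, so one of them should be corrected.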
@@ -179,8 +179,26 @@ application configuration file with the following code.
 # app/config/security.yml
 security:
 access_decision_manager:
- # Strategy can be: affirmative, unanimous or consensus
+ # strategy can be: affirmative, unanimous or consensus
 strategy: unanimous
+ .. code-block:: xml
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.xml
+ $container->loadFromExtension('security', array(
+ // strategy can be: affirmative, unanimous or consensus
+ 'access_decision_manager' => array(
+ 'strategy' => 'unanimous',
+ ),
+ ));
+
 That's it! Now, when deciding whether or not a user should have access, the new voter will deny access to any user in the list of blacklisted IPs.
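Review bot: The header comment of the new PHP block reads `// app/config/security.xml`, but the block is PHP configuration and every other PHP variant in this commit labels its file `// app/config/security.php`; a reader following the filename would put PHP into the XML config file. Change the line to `// app/config/security.php`. The lowercased YAML comment `# strategy can be: ...` and the PHP comment `// strategy can be: ...` now agree, which is fine.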