Redirect loop of death in Symfony2 security

Tags: php, symfony

I have an admin area with login that we are forcing to https://. Hitting the route /admin should redirect to the login page if the user isn't logged in, but I'm getting an endless redirect loop. Not sure what's wrong, here's security.yml:

firewalls:
    admin_login:
        pattern:  ^/admin/secured/login$
        security: false

    admin_secured_area:
        pattern: ^/admin
        provider: entity_admin
        form_login:
            check_path: /admin/secured/login_check
            login_path: /admin/secured/login
            default_target_path: /admin
        logout:
            path:   /admin/secured/logout
            target: /

access_control:
    - { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }

Thanks for your help!

Acyra Avatar asked Aug 23 '13 16:08

Acyra


2 Answers

No need for an "admin_login" section in firewalls. But it looks like you forgot the anonymous parameter.

firewalls:
    admin_secured_area:
        anonymous: ~
        pattern: ^/admin
        provider: entity_admin
        form_login:
            check_path: /admin/secured/login_check
            login_path: /admin/secured/login
            default_target_path: /admin
        logout:
            path:   /admin/secured/logout
            target: /

access_control:
    - { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }

As I said in my comment, do you set the ROLE_ADMIN role for logged-in users?

EDIT: Does your routing state the HTTPS channel too for the admin section?

AlterPHP Avatar answered Dec 03 '22 22:12

AlterPHP


After a quick look, I would say that something like this should be correct:

firewalls: 
    admin_secured_area:
        pattern:  ^/admin
        provider: entity_admin
        form_login:
            check_path: /admin/secured/login_check
            login_path: /admin/secured/login
            default_target_path: /admin
        logout:
            path:   /admin/secured/logout
            target: /

access_control:
    - { path: ^/admin/secured/(login|login_check|logout)$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }

Anyway, if this does not help, I recommend checking the redirects with the built-in profiler (tabs with route matches and logs); to turn on interception of the redirects, change config_dev.yml to:

web_profiler:
    toolbar: true
    intercept_redirects: true
stloyd Avatar answered Dec 03 '22 22:12

stloyd
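The two answers above turn on the same two mechanics: a firewall without `anonymous: ~` issues no token to an unauthenticated request, so the form_login entry point fires even on the login page itself, and access_control rules are matched in order, first match wins. The following script is an added illustration, not code from the question, the answers or Symfony: it is a simplified Python model of that firewall/access_control behaviour as described on this page (firewall chosen by pattern, channel check first, then token presence, then the first matching rule), with the YAML from the page transcribed into constructed dictionaries. It follows the redirect chain for several configurations and reports whether it loops, including the effect of stloyd's `$`-anchored `(login|login_check|logout)` rule on the logout path.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcription of the security.yml fragments on this page (model only).
FIREWALL = {"name": "admin_secured_area", "pattern": r"^/admin",
            "login_path": "/admin/secured/login"}

# Access rule from the question and from AlterPHP's answer (prefix match).
LOGIN_RULE_PREFIX = {"path": r"^/admin/secured/login",
                     "roles": "IS_AUTHENTICATED_ANONYMOUSLY", "requires_channel": "https"}
# Access rule from stloyd's answer (exact match on the three auth endpoints).
LOGIN_RULE_EXACT = {"path": r"^/admin/secured/(login|login_check|logout)$",
                    "roles": "IS_AUTHENTICATED_ANONYMOUSLY", "requires_channel": "https"}
ADMIN_RULE = {"path": r"^/admin", "roles": "ROLE_ADMIN", "requires_channel": "https"}

Request = Tuple[str, str]  # (scheme, path)


def make_config(anonymous: bool, login_rule: Dict, login_first: bool = True) -> Dict:
    """Build one model config; `login_first` controls access_control ordering."""
    rules = [login_rule, ADMIN_RULE] if login_first else [ADMIN_RULE, login_rule]
    return {"firewalls": [dict(FIREWALL, anonymous=anonymous)], "access_control": rules}


def decide(config: Dict, scheme: str, path: str,
           user_roles: List[str]) -> Tuple[str, Optional[Request]]:
    """Run one request through the model: ('allow'|'deny'|'redirect', target)."""
    fw = next((f for f in config["firewalls"] if re.search(f["pattern"], path)), None)
    if fw is None:
        return "allow", None  # outside every firewall: no security listeners run
    rule = next((r for r in config["access_control"] if re.search(r["path"], path)), None)
    if rule is None:
        return "allow", None  # no rule matched: nothing to enforce
    # The channel requirement is checked before authentication.
    if rule.get("requires_channel") and scheme != rule["requires_channel"]:
        return "redirect", (rule["requires_channel"], path)
    has_token = bool(user_roles) or fw["anonymous"]
    if not has_token:
        # No token at all (no `anonymous: ~`, nobody logged in): the entry point
        # redirects to login_path even if the rule only asks for anonymous access.
        return "redirect", (scheme, fw["login_path"])
    if rule["roles"] == "IS_AUTHENTICATED_ANONYMOUSLY" or rule["roles"] in user_roles:
        return "allow", None
    if not user_roles:
        return "redirect", (scheme, fw["login_path"])  # anonymous token, needs login
    return "deny", None  # logged in but lacking the role: 403, not a redirect


def follow(config: Dict, scheme: str, path: str, user_roles: List[str],
           max_hops: int = 5) -> Tuple[List[Request], str]:
    """Follow redirects from a starting request; flag a loop when a target repeats."""
    chain: List[Request] = [(scheme, path)]
    while len(chain) <= max_hops:
        verdict, target = decide(config, chain[-1][0], chain[-1][1], user_roles)
        if verdict != "redirect":
            return chain, verdict
        if target in chain:
            return chain + [target], "loop"
        chain.append(target)
    return chain, "loop"


if __name__ == "__main__":
    scenarios = {
        "no anonymous (question)": (make_config(False, LOGIN_RULE_PREFIX), []),
        "anonymous: ~ (AlterPHP)": (make_config(True, LOGIN_RULE_PREFIX), []),
        "rules in wrong order": (make_config(True, LOGIN_RULE_PREFIX, login_first=False), []),
        "http request, ROLE_ADMIN": (make_config(True, LOGIN_RULE_PREFIX), ["ROLE_ADMIN"]),
    }
    for label, (cfg, roles) in scenarios.items():
        chain, outcome = follow(cfg, "https" if "http request" not in label else "http",
                                "/admin", roles)
        print(f"{label:28s} {outcome:6s} {' -> '.join(p for _, p in chain)}")
    for label, rule in (("prefix rule", LOGIN_RULE_PREFIX), ("exact rule", LOGIN_RULE_EXACT)):
        chain, outcome = follow(make_config(True, rule), "https", "/admin/secured/logout", [])
        print(f"logout with {label:12s} {outcome:6s} {' -> '.join(p for _, p in chain)}")
```

Running it shows the question's configuration bouncing between `/admin/secured/login` and itself, the `anonymous: ~` variant stopping on the login page, and the reordered rules looping again even with anonymous enabled, which is why the login rule must precede the `^/admin` rule. The last two lines show that with the prefix rule an anonymous hit on `/admin/secured/logout` is first sent to the login page, whereas stloyd's exact rule lets it through directly.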