Symfony 2 - hide the whole website with a HTTP Authentication dialog

Question

I am using Symfony 2 for building a website.

The work is in progress (therefore I don't want users or search engines to access it) but my client wants to see my progress. I was thinking an easy solution was to protect the whole website with HTTP authentication using the mechanism provided by the Symfony 2 security functionality.

I am using FOSUserBundle as the website will have users that need to register and login.

This is my security.yml, which works great:

security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager

    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    true     

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/account, role: IS_AUTHENTICATED_FULLY }

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

Therefore I was trying to add something else on top of it, to allow the website to be protected by HTTP Authentication.
I changed the file to:

security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager
        whole_website_provider:
            users:
                ryan:  { password: ryanpass, roles: 'ROLE_USER' }           

    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    true
        whole_website:
            pattern: ^/
            anonymous: ~
            http_basic:
                realm: "Secured Demo Area"       

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/account, role: IS_AUTHENTICATED_FULLY }
        - { path: ^/, role: ROLE_USER }

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

Basically I added the whole_website_provider provider, the whole_website firewall and an extra access_control.
But that didn't work: when I access the website, I get redirected to the login form, that's it.

Have you got any idea whether I can do it and how?

N.B.: I would prefer not to use any Apache feature for it.

Answer 1

On my opinion, what you need is not to manage users with HTTP authentication but to restrict access to your site with HTTP authentication. Don't use Symfony2 security for that.

Leave your symfony2 app security as it will be in production mode and use apache .htaccess to restrict access to the site.

Documentation is here http://httpd.apache.org/docs/2.2/howto/auth.html. You just have to add some directives in web/.htaccess, and create a user/password file as explained in the doc...