I've got a login for the frontend (which is optional), and another login for the admin panel, which is mandatory.
When a user goes to fe_login, they can log in to the frontend context. This is okay!
When they go to admin_login, they should be able to log in to the admin context. This is not okay.
The issue is that when I go to /admin, I get redirected to fe_login when I should be redirected to admin_login.
Here's my security.yml:
security:
    encoders:
        App\FrontendBundle\Controller\UserController:
            algorithm: bcrypt
        App\AdminBundle\Controller\UserController:
            algorithm: bcrypt
        App\Entity\User:
            algorithm: bcrypt
    providers:
        administrators:
            entity: { class: AppEntity:User, property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin:
            pattern: ^/admin
            form_login:
                login_path: admin_login
                check_path: admin_auth
                csrf_provider: form.csrf_provider
            logout:
                path: admin_logout
                target: admin_login
        frontend:
            anonymous: ~
            form_login:
                login_path: fe_login
                check_path: fe_auth
                csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: fe_landing
            logout:
                path: fe_logout
                target: fe_landing
        login:
            pattern: ^/admin/login
            anonymous: ~
        default:
            anonymous: ~
    access_control:
        - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }
Any idea what I am doing wrong?
Here is my security.yml, but as I said it is for Symfony2.0; maybe you will find a hint.
security:
    encoders:
        ### ...
    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_manager
        admin_adminbundle:
            id: custom_admin_manager_id
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin:
            pattern: ^/admin/
            form_login:
                check_path:         /admin/check-login
                login_path:         /admin/login
                provider:           admin_adminbundle
                csrf_provider:      form.csrf_provider
                post_only:          true
                success_handler:    login_success_handler
                failure_handler:    admin_login_failure_handler
                username_parameter: login_username
                password_parameter: login_password
                remember_me:        false
            logout:
                path:               /admin/logout
                target:             /admin/login
            anonymous: true
        frontend:
            pattern: ^/
            form_login:
                check_path:         /frontend/check-login
                login_path:         /frontend/login
                provider:           fos_userbundle
                csrf_provider:      form.csrf_provider
                post_only:          true
                success_handler:    login_success_handler
                failure_handler:    login_failure_handler
                username_parameter: login_username
                password_parameter: login_password
            logout:
                path:               /frontend/logout
                success_handler:    logout_success_handler
            anonymous: true
    access_control:
        - { path: ^/frontend/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
I'm not quite sure about the reason, but you must know that security.yml must be a really clear file in order to avoid misconfiguration (which would lead to security issues).
So, regarding your file:
pattern: ^/
This is a version you should test:
security:
    encoders:
        App\FrontendBundle\Controller\UserController:
            algorithm: bcrypt
        App\AdminBundle\Controller\UserController:
            algorithm: bcrypt
        App\Entity\User:
            algorithm: bcrypt
    providers:
        administrators:
            entity: { class: AppEntity:User, property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login_admin:
            pattern: ^/admin/login
            anonymous: ~
        admin:
            pattern: ^/admin
            form_login:
                login_path: admin_login
                check_path: admin_auth
                csrf_provider: form.csrf_provider
            logout:
                path: admin_logout
                target: admin_login
        login_frontend:
            pattern: ^/login # you should adapt this to your app
            anonymous: ~
        frontend:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: fe_login
                check_path: fe_auth
                csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: fe_landing
            logout:
                path: fe_logout
                target: fe_landing
    access_control:
        - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }