1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# security:
# # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
# providers:
# in_memory: { memory: ~ }
# firewalls:
# dev:
# pattern: ^/(_(profiler|wdt)|css|images|js)/
# security: false
# main:
# anonymous: true
# # activate different ways to authenticate
# # http_basic: true
# # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate
# # form_login: true
# # https://symfony.com/doc/current/security/form_login_setup.html
# # Easy way to control access for large sections of your site
# # Note: Only the *first* access control that matches will be used
# access_control:
# # - { path: ^/admin, roles: ROLE_ADMIN }
# # - { path: ^/profile, roles: ROLE_USER }
security:
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
in_memory: { memory: ~ }
entity_provider:
entity:
class: App\Entity\User
property: username
api_key_user_provider:
id: App\Security\ApiKeyUserProvider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
## API WITH JWT AUTH (login/password)
# login:
# pattern: ^/api/login
# stateless: true
# anonymous: true
# provider: api_key_user_provider
# form_login:
# check_path: /api/login_check
# success_handler: lexik_jwt_authentication.handler.authentication_success
# failure_handler: lexik_jwt_authentication.handler.authentication_failure
# require_previous_session: false
# api:
# pattern: ^/api/
# stateless: true
# anonymous: true
# provider: api_key_user_provider
# guard:
# authenticators:
# - lexik_jwt_authentication.jwt_token_authenticator
api:
pattern: ^/api
stateless: true
# can be set to false to disabled API doc available for anonymous user !
anonymous: true
guard:
authenticators:
- App\Security\ApiKeyAuthenticator
provider: api_key_user_provider
main:
pattern: ^/
form_login:
provider: fos_userbundle
login_path: fos_user_security_login
check_path: fos_user_security_check
csrf_token_generator: security.csrf.token_manager
success_handler: redirect.after.login
logout:
path: fos_user_security_logout
target: index
anonymous: true
guard:
authenticators:
- App\Security\EmailTokenAuthenticator
- App\Security\LoginAuthenticator
provider: fos_userbundle
entry_point: App\Security\LoginAuthenticator
remember_me:
secret: "%kernel.secret%"
lifetime: 31536000
path: /
domain: ~
user_provider: fos_userbundle
always_remember_me: true
context: mlc_context
switch_user:
provider: fos_userbundle
# access_denied_handler: App\Security\AccessDeniedHandler
encoders:
# FOS\UserBundle\Model\UserInterface: bcrypt
FOS\UserBundle\Model\UserInterface:
# Use native password encoder
# This value auto-selects the best possible hashing algorithm
# (i.e. Sodium when available).
algorithm: auto
role_hierarchy:
ROLE_API: ROLE_USER
ROLE_ADHERENT: ROLE_USER
ROLE_PRESTATAIRE: ROLE_USER
ROLE_ADMIN_SIEGE: [ROLE_USER, ROLE_ADMIN]
ROLE_REDACTEUR: [ROLE_USER, ROLE_ADMIN]
ROLE_TRESORIER: [ROLE_USER, ROLE_ADMIN]
ROLE_CONTROLEUR: [ROLE_USER, ROLE_ADMIN]
ROLE_GESTION_GROUPE: [ROLE_USER, ROLE_ADMIN]
ROLE_COMPTOIR: [ROLE_USER, ROLE_ADMIN]
ROLE_CONTACT: [ROLE_USER, ROLE_ADMIN]
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
#
# @TODO : better access control !
#
# Admin login page needs to be accessed without credential
# - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
# - { path: ^/admin/, role: [ROLE_SUPER_ADMIN, ROLE_SONATA_ADMIN, ROLE_ADMIN_SIEGE, ROLE_REDACTEUR, ROLE_TRESORIER, ROLE_CONTROLEUR, ROLE_GESTION_GROUPE, ROLE_COMPTOIR, ROLE_CONTACT] }
- { path: ^/admin/, role: [ROLE_ADMIN] }
# Bottom line can be uncommented to disabled API doc available for anonymous user !
# - { path: '^/api', roles: ROLE_API }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }