# Default Symfony skeleton, kept commented out for reference. The live
# configuration starts at the uncommented `security:` key further down.
# security:
#     # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
#     providers:
#         in_memory: { memory: ~ }
#     firewalls:
#         dev:
#             pattern: ^/(_(profiler|wdt)|css|images|js)/
#             security: false
#         main:
#             anonymous: true
#             # activate different ways to authenticate
#             # http_basic: true
#             # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate
#             # form_login: true
#             # https://symfony.com/doc/current/security/form_login_setup.html
#     # Easy way to control access for large sections of your site
#     # Note: Only the *first* access control that matches will be used
#     access_control:
#         # - { path: ^/admin, roles: ROLE_ADMIN }
#         # - { path: ^/profile, roles: ROLE_USER }

security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    # User providers. Only `fos_userbundle` and `api_key_user_provider` are
    # referenced by the firewalls below; `in_memory` and `entity_provider` are
    # declared but not used by any firewall in this file (they may be referenced
    # from elsewhere - verify before removing them).
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        in_memory: { memory: ~ }
        entity_provider:
            entity:
                class: App\Entity\User
                property: username
        api_key_user_provider:
            id: App\Security\ApiKeyUserProvider

    # Firewalls are evaluated in order and only the first whose `pattern`
    # matches is used, so `api` (^/api) must stay above the catch-all
    # `main` (^/).
    firewalls:
        # Profiler, debug toolbar and static assets: security disabled entirely.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        ## API WITH JWT AUTH (login/password) - disabled alternative, kept for reference
        # login:
        #     pattern: ^/api/login
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     form_login:
        #         check_path: /api/login_check
        #         success_handler: lexik_jwt_authentication.handler.authentication_success
        #         failure_handler: lexik_jwt_authentication.handler.authentication_failure
        #         require_previous_session: false
        # api:
        #     pattern: ^/api/
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     guard:
        #         authenticators:
        #             - lexik_jwt_authentication.jwt_token_authenticator

        # Stateless API firewall: no session, API-key guard authenticator.
        api:
            pattern: ^/api
            stateless: true
            # `anonymous: true` lets unauthenticated requests pass this firewall.
            # Together with the commented-out `^/api` rule in access_control
            # below, API routes are reachable without credentials unless the
            # controllers (or the authenticator, for requests it supports) deny
            # them. Set this to false, or enable that access rule, to close the
            # API - and its docs - to anonymous callers.
            anonymous: true
            guard:
                authenticators:
                    - App\Security\ApiKeyAuthenticator
                # NOTE(review): indentation was lost in extraction; `provider`
                # may originally have been a firewall-level key rather than a
                # guard option - Symfony accepts both placements.
                provider: api_key_user_provider

        # Interactive, session-based firewall for the rest of the site.
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                # CSRF protection for the login form.
                csrf_token_generator: security.csrf.token_manager
                success_handler: redirect.after.login
            logout:
                path: fos_user_security_logout
                target: index
            anonymous: true
            guard:
                authenticators:
                    - App\Security\EmailTokenAuthenticator
                    - App\Security\LoginAuthenticator
                # NOTE(review): as in the `api` firewall, `provider` and
                # `entry_point` may have been firewall-level keys in the
                # original layout; both placements are accepted.
                provider: fos_userbundle
                # With several guard authenticators, one must be named as the
                # entry point used to start authentication.
                entry_point: App\Security\LoginAuthenticator
            # Persistent login cookie. `always_remember_me: true` issues it on
            # every successful login with no user opt-in, and `lifetime` is
            # 31536000 s (365 days), so a stolen cookie can remain usable for
            # up to a year. Consider a shorter lifetime or a user opt-in.
            remember_me:
                secret: "%kernel.secret%"
                lifetime: 31536000
                path: /
                domain: ~
                user_provider: fos_userbundle
                always_remember_me: true
            # Firewalls that share a `context` share the authenticated token.
            context: mlc_context
            # User impersonation. Who may switch is governed by
            # ROLE_ALLOWED_TO_SWITCH, granted only through ROLE_SUPER_ADMIN in
            # role_hierarchy below.
            switch_user:
                provider: fos_userbundle
            # access_denied_handler: App\Security\AccessDeniedHandler

    encoders:
        # FOS\UserBundle\Model\UserInterface: bcrypt
        FOS\UserBundle\Model\UserInterface:
            # Use native password encoder
            # This value auto-selects the best possible hashing algorithm
            # (i.e. Sodium when available).
            algorithm: auto

    # Role inheritance. Every admin-type role resolves to ROLE_ADMIN, which is
    # what the ^/admin/ access rule below checks. Only ROLE_SUPER_ADMIN gains
    # ROLE_ALLOWED_TO_SWITCH (impersonation) and ROLE_API.
    role_hierarchy:
        ROLE_API: ROLE_USER
        ROLE_ADHERENT: ROLE_USER
        ROLE_PRESTATAIRE: ROLE_USER
        ROLE_ADMIN_SIEGE: [ROLE_USER, ROLE_ADMIN]
        ROLE_REDACTEUR: [ROLE_USER, ROLE_ADMIN]
        ROLE_TRESORIER: [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTROLEUR: [ROLE_USER, ROLE_ADMIN]
        ROLE_GESTION_GROUPE: [ROLE_USER, ROLE_ADMIN]
        ROLE_COMPTOIR: [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTACT: [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # @TODO : better access control !
        # Admin login page needs to be accessed without credential
        # - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Public entry points: login, registration and password reset.
        # Note `^/login$` is anchored to the exact path while `^/register`
        # and `^/resetting` match every path under those prefixes.
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Secured part of the site
        # This config requires being logged for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        # (The two comment lines above come from the FOSUserBundle template;
        # in this file the catch-all rule at the bottom leaves the rest of the
        # site open to anonymous users.)
        # - { path: ^/admin/, role: [ROLE_SUPER_ADMIN, ROLE_SONATA_ADMIN, ROLE_ADMIN_SIEGE, ROLE_REDACTEUR, ROLE_TRESORIER, ROLE_CONTROLEUR, ROLE_GESTION_GROUPE, ROLE_COMPTOIR, ROLE_CONTACT] }
        # Admin area. The pattern requires the trailing slash, so a path such
        # as `/admin` (no slash) does not match here and falls through to the
        # anonymous catch-all below - verify every admin route lives under
        # /admin/.
        - { path: ^/admin/, role: [ROLE_ADMIN] }
        # The line below can be uncommented to require ROLE_API on every /api
        # route, which also stops anonymous access to the API docs.
        # - { path: '^/api', roles: ROLE_API }
        # Catch-all: anything not matched above is open to anonymous users.
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }