Question

In an application I am developing, I'm having a weird issue with the access control for the security component.

I use the FOSUserBundle (of course) for users and I copied the example access control rules from the bundle documentation to my security.yml. The login screen (/login) works perfectly but the issue is, all other access control rules have absolutely no effect whatsoever. When a user goes to /register for example, he is redirected to /login, the same goes for /resetting.

This is my security.yml file:

jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern:  ^/(\_(profiler|wdt)|css|images|js)/
            security: false

        api:
            pattern: ^/api
            anonymous: false
            form_login: false
            provider: fos_userbundle
            http_basic:
                realm: "REST Service Realm"

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    ~
            switch_user:  { role: ROLE_SUPER_ADMIN, parameter: _impersonate }

    access_control:
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/superadmin/, role: ROLE_SUPER_ADMIN }

I have tried to turn off security for paths containing /resetting and /register, but that clearly won't work since the security token still needs to be available for the FOSUserBundle controllers.

Any help would be much appreciated!


Solution 2

The problem was that another bundle was messing with each request checking if the user was logged in or not. If the user wasn't logged in, a redirect response was generated to the login page.

No idea why this was done, I think it comes from an era where the original authors had less experience with Symfony.

But so it proves again, always check the logs. Very thoroughly.

OTHER TIPS

It might be to do with the order of the access_control, try putting superadmin above the others. You also don't seem to have a secured_area section (like this example from Symfony2 access control redirects to login).

security:
    firewalls:
        secured_area:
            pattern:   ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
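Symfony applies the first access_control entry whose path regex matches the request, which is why the order of overlapping rules matters. The following is an added example, not code from the question, the answers or Symfony itself: a deliberately simplified model of that first-match evaluation (it ignores role_hierarchy and the fact that authenticated users also satisfy IS_AUTHENTICATED_ANONYMOUSLY), run over the rules from the question plus a constructed catch-all rule.

```php
<?php
// Added example: a minimal model of Symfony's access_control evaluation.
// Symfony walks the list top to bottom and applies the FIRST entry whose
// path regex matches, so with overlapping patterns the order decides which
// role is required. Simplified: no role_hierarchy, plain role comparison.

/** Role required for $path, or null when no rule matches (request passes). */
function requiredRole(array $accessControl, string $path): ?string
{
    foreach ($accessControl as $rule) {
        // Symfony's RequestMatcher wraps the configured path in {} delimiters.
        if (preg_match('{' . $rule['path'] . '}', $path) === 1) {
            return $rule['role'];
        }
    }
    return null;
}

/** True when the token's $roles satisfy the first matching rule. */
function isGranted(array $accessControl, string $path, array $roles): bool
{
    $required = requiredRole($accessControl, $path);
    return $required === null || in_array($required, $roles, true);
}

// The rules exactly as they appear in the question's security.yml.
$rules = [
    ['path' => '^/login',       'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/register',    'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/resetting',   'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/superadmin/', 'role' => 'ROLE_SUPER_ADMIN'],
];
$anonymous = ['IS_AUTHENTICATED_ANONYMOUSLY']; // roles of an anonymous token

// Constructed variants: a deny-by-default catch-all (^/ needs ROLE_USER)
// placed first shadows every later rule; placed last it keeps the exceptions.
$catchAll      = ['path' => '^/', 'role' => 'ROLE_USER'];
$catchAllFirst = array_merge([$catchAll], $rules);
$catchAllLast  = array_merge($rules, [$catchAll]);

$cases = [
    'question rules, anonymous on /register'  => [$rules,         '/register'],
    'question rules, anonymous on /superadmin/users' => [$rules,  '/superadmin/users'],
    'catch-all FIRST, anonymous on /register' => [$catchAllFirst, '/register'],
    'catch-all LAST, anonymous on /register'  => [$catchAllLast,  '/register'],
    'catch-all LAST, anonymous on /profile'   => [$catchAllLast,  '/profile'],
];
foreach ($cases as $label => [$list, $path]) {
    printf("%-48s granted=%s (rule: %s)\n", $label,
        isGranted($list, $path, $anonymous) ? 'yes' : 'no',
        requiredRole($list, $path) ?? 'none');
}
```

With the question's non-overlapping patterns every anonymous path is granted, so a redirect from /register cannot come from this list alone; only a rule placed above it (or, as in Solution 2, something outside access_control) can produce it.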
Licensed under: CC-BY-SA with attribution