
Symfony2 requires a controller as the entry file for bundle to restrict permissions.

Do you use ControllerListener.php to monitor?

1. I want to know how to restrict the access rights of several bundles through the same controller. For example, if the user is not logged in, jump directly to the homepage or login page.
2. How to set access permissions for a bundle, on a per-user basis.

为情所困 2684 days ago 429


  • 伊谢尔伦

    伊谢尔伦 2017-05-16 16:48:22

    It’s too flexible and has too many methods. Let’s write down one aspect for now:

    There is a third-party user function package: FOSUserBundle

    If you write it yourself, before using the login form, you need to tell the framework how user information is saved. If you use Doctrine and a database, you have to write a User Entity and implement the Symfony\Component\Security\Core\User\UserInterface interface.

    (1) Create user class

    namespace Acme\UserBundle\Entity;
    
    use Symfony\Component\Security\Core\User\UserInterface;
    use Doctrine\ORM\Mapping as ORM;
    
    /**
     * @ORM\Entity
     */
    class User implements UserInterface
    {
        /**
         * @ORM\Column(type="string", length=255)
         */
        protected $username;
    
        // ...
    }

    (2) Use this user class

    # app/config/security.yml
    security:
        # ...
        providers:
            main:
                entity: { class: Acme\UserBundle\Entity\User, property: username }
        encoders:
            Acme\UserBundle\Entity\User: sha512 # which hash is used to store the password

    (3) Add permission control

    Security verification can be controlled at the URL level. If you let your bundle share a certain URL rule, you can use a rule to control it:

    # app/config/security.yml
    security:
        # ...
        access_control:
            - { path: ^/some_url, roles: ROLE_USER } # the role the user must have; ROLE_USER is present by default after a successful login

    You can also use the JMSSecurityExtraBundle that comes with Symfony 2, which can be configured with annotations:

    use JMS\SecurityExtraBundle\Annotation\Secure;
    
    class MyController
    {
        /**
         * @Secure(roles="ROLE_USER")
         */
        public function secureAction()
        {
            // ...
        }
    }

    Symfony 2 has many security component configuration items; you can refer to: http://symfony.com/doc/current/refere...

    Form verification (form_login), which is the most common login box form, is one of the verification methods supported by the Symfony 2 security component by default. Others include X.509, HTTP Basic, HTTP Digest, etc., and other verification methods can also be added through third-party code packages. The configuration items of form verification are as follows; I have commented some commonly used items:

    form_login:
        check_path: /login_check # login check URL
        login_path: /login # login form page
        use_forward: false
        always_use_default_target_path: false # whether to always redirect to the specified target page after login
        default_target_path: / # target page after login
        target_path_parameter: _target_path # input name used in the login form to specify the target page
        use_referer: false
        failure_path: /foo
        failure_forward: false
        failure_handler: some.service.id # custom handling of login failure
        success_handler: some.service.id # custom handling of login success
        username_parameter: _username # input name of the username in the login form
        password_parameter: _password # input name of the password in the login form
        csrf_parameter: _csrf_token
        intention: authenticate
        csrf_provider: my.csrf_provider.id
        post_only: true
        remember_me: false # whether to enable the "remember me" feature

    There are also built-in ACLs that provide more fine-grained control. But that’s another big chapter.

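The fragments from the answer above, assembled into one file for the first question (visitors who are not logged in are sent to the login page, and several bundles are guarded through shared URL prefixes). This is an added example, not part of the original answer; the `/member` and `/admin` prefixes, the `ROLE_ADMIN` role and the `/logout` route are assumptions, and each bundle's routes are assumed to be mounted under one of those prefixes.

```yaml
# app/config/security.yml (Symfony 2.x syntax; assembled example)
security:
    encoders:
        Acme\UserBundle\Entity\User: sha512

    providers:
        main:
            entity: { class: Acme\UserBundle\Entity\User, property: username }

    firewalls:
        # Profiler, debug toolbar and static assets bypass the security layer.
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # One firewall covers the routes of every bundle.
        main:
            pattern:   ^/
            anonymous: ~    # visitors enter unauthenticated; access_control decides what they may reach
            form_login:
                login_path: /login
                check_path: /login_check   # must be a route handled by this firewall
            logout:
                path:   /logout            # assumed route
                target: /

    # Rules are tested top to bottom and only the FIRST matching rule applies,
    # so list specific paths before broad ones.
    access_control:
        # The login form must stay reachable anonymously; otherwise
        # unauthenticated users are redirected to /login in a loop.
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Assumed prefixes under which the protected bundles are mounted.
        # ROLE_ADMIN has to be returned by User::getRoles() for admin users.
        - { path: ^/admin,  roles: ROLE_ADMIN }
        - { path: ^/member, roles: ROLE_USER }
```

With this layout an unauthenticated request for a path under `/member` is redirected to `login_path` by the `form_login` entry point, while any path that matches no `access_control` rule stays public.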
  • 某草草

    某草草 2017-05-16 16:48:22

    Thank you very much for your answer. The built-in ACL is indeed very powerful. Thank you
