I have a plain FOSUserBundle installed in my Symfony project. What I am trying to do is add an extra layer of security to my admin section so that the public does not know about it. Whenever a non-admin tries to access that section directly I want to throw a 404 error, so nobody learns which address it lives at, in order to prevent hacking attempts against the core. I set up an ExceptionListener, and it works fine:
```php
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;

public function onKernelException(GetResponseForExceptionEvent $event)
{
    $exception = $event->getException();
    $templating = $this->container->get('templating');
    // Render the custom 404 template for the exception and send it with a real 404 status
    $response = new Response($templating->render('ScatternoteBundle:Exception:error404.html.twig', array(
        'exception' => $exception,
    )), 404);
    $event->setResponse($response);
}
```
From my error404.html.twig:
```twig
{% if 'No route found for' not in exception.message and exception.message != 'Impossible to access an attribute ("album") on a NULL variable ("") in "ScatternoteBundle:Song:song.html.twig" at line 3' and 'Access Denied' not in exception.message %}
    <span style="font-size:8pt; color:grey;">Not a 404: {{ exception.message }}; Code: {{ exception.code }}</span>
    <br><br>
{% endif %}
```
However, this only works when the user is logged in as a user. If I am not logged in and try to access /admin, I get redirected automatically to /login by FOSUserBundle. I have done a lot of research but I cannot find anything about how to stop this from happening, or where this event is actually handled inside the bundle. I would greatly appreciate any help.

EDIT: my security.yaml:
```yaml
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # the login page has to be accessible for everybody
        demo_login:
            pattern:  ^/demo/secured/login$
            security: false

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:    true
            anonymous: true

        # secures part of the application
        demo_secured_area:
            pattern: ^/demo/secured/
            # it's important to notice that in this case _demo_security_check and _demo_login
            # are route names and that they are specified in the AcmeDemoBundle
            form_login:
                check_path: _demo_security_check
                login_path: _demo_login
            logout:
                path:   _demo_logout
                target: _demo
            #anonymous: ~
            #http_basic:
            #    realm: "Secured Demo Area"

    # with these settings you can restrict or allow access for different parts
    # of your application based on roles, ip, host or methods
    # http://symfony.com/doc/current/cookbook/security/access_control.html
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_ADMIN }
```
Answer 0 (score: 1)

The login page has public access, so it is normal that FOSUser redirects the user to the login form (in order to reach the secured area). Also, when a user accesses a secured area, a 403 exception (Access Denied) is thrown, not a 404 (Not Found). I think you should override FOSUser's registration action in the RegistrationController:
```php
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// inside the overridden registration action, once the user object exists
if ($user->hasRole('ROLE_ADMIN')) {
    $this->authenticateUser($user, $response);
} else {
    throw new AccessDeniedException('Oups !!! Access denied');
}
```
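The two behaviours the question runs into are both decided by the firewall, not by the kernel exception listener: an anonymous request to a protected URL goes to the firewall's authentication entry point (which, for `form_login`, redirects to `/login`), and an authenticated user without `ROLE_ADMIN` goes to the access denied handler (which yields the 403 the answer mentions). Symfony lets both be replaced per firewall with the `entry_point` and `access_denied_handler` options. The following is an added example, not code from the question, the answer or FOSUserBundle; it implements both interfaces in one service that answers a genuine 404 for the hidden prefix and keeps the default behaviour elsewhere. The class name, the service id `scatternote.hidden_admin_handler`, the `/admin` prefix and the template path are assumptions; `Symfony\Component\Templating\EngineInterface` and the `templating` service are the Symfony 2.x/3.x APIs the question's own listener uses (they were removed in Symfony 5), and `fos_user_security_login` is FOSUserBundle's login route name.

```php
<?php
// Added example (not from the question or the answer). Hides the admin area from
// anyone who is not an admin by returning a real 404 for the two cases that
// otherwise leak its existence: an anonymous visitor (redirect to /login) and
// an authenticated non-admin (403). Class name, service id, prefix and template
// path are assumptions; replace them with your own.

namespace ScatternoteBundle\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Templating\EngineInterface;

class HiddenAdminHandler implements AuthenticationEntryPointInterface, AccessDeniedHandlerInterface
{
    private $templating;
    private $urlGenerator;
    private $hiddenPrefix;

    public function __construct(EngineInterface $templating, UrlGeneratorInterface $urlGenerator, $hiddenPrefix = '/admin')
    {
        $this->templating   = $templating;
        $this->urlGenerator = $urlGenerator;
        $this->hiddenPrefix = $hiddenPrefix;
    }

    // Entry point: the firewall calls this when an anonymous request needs a role.
    public function start(Request $request, AuthenticationException $authException = null)
    {
        if ($this->isHidden($request)) {
            return $this->notFound();
        }
        // Outside the hidden area keep the usual form_login behaviour: go to the login form.
        return new RedirectResponse($this->urlGenerator->generate('fos_user_security_login'));
    }

    // Access denied handler: the firewall calls this when a logged-in user lacks the role.
    public function handle(Request $request, AccessDeniedException $accessDeniedException)
    {
        if ($this->isHidden($request)) {
            return $this->notFound();
        }
        return null; // null lets Symfony produce its default 403 response
    }

    private function isHidden(Request $request)
    {
        // Decide on the path only, the same thing access_control matches on.
        return strpos($request->getPathInfo(), $this->hiddenPrefix) === 0;
    }

    private function notFound()
    {
        // Same template and same status as an unknown URL, so the response does not
        // reveal that a protected area exists at this path.
        $html = $this->templating->render('ScatternoteBundle:Exception:error404.html.twig', array(
            'exception' => new NotFoundHttpException(),
        ));
        return new Response($html, 404);
    }
}

/*
 * Wiring (assumed service id). In services.yml:
 *
 *     scatternote.hidden_admin_handler:
 *         class: ScatternoteBundle\Security\HiddenAdminHandler
 *         arguments: ['@templating', '@router', '/admin']
 *
 * and on the "main" firewall in security.yml, next to form_login:
 *
 *     entry_point:           scatternote.hidden_admin_handler
 *     access_denied_handler: scatternote.hidden_admin_handler
 */
```

Two things worth checking after wiring it in: request `/admin` once logged out and once as a plain `ROLE_USER`, and confirm both return status 404 with the same body as a request for a random unknown path (a 200 with a "404 page" body, or a 403, still tells a probe that the path is special). The `access_control` rule for `^/admin` remains the actual protection; the 404 only removes the confirmation signal, so keep role checks, CSRF and login throttling in place regardless of the hidden path.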